Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Adequacy: the case of Canada, New Zealand and Australia [1999] PLBIRp 29; (1999) 49 Privacy Laws and Business International Report 10

Australia, New Zealand and Canada hope to satisfy the adequacy requirement

SEVERAL COUNTRIES OUTSIDE OF THE EU wish to demonstrate to the European Union that they provide adequate protection for personal data. Australia, Canada and New Zealand all hope that the judgement on their laws will be a positive one.

The Privacy Laws & Business 12th Annual International Conference provided a unique chance to hear from some of the so called "third countries" the extent to which they regard their data protection laws as adequate. The conference was held 28-30th June, just a week after the EU had announced that the deadline on 21st of June for reaching a solution with regard to transfers to the US had not been met. The discussions would continue.

The European Commission and its Data Protection Working Party have simultaneously evaluated other third countries' level of data protection. At the time of the conference, there were no decisions, but the speakers were able to point out the strong and weak aspects in their countries' laws.

CANADA HOPES TO PASS THE ADEQUACY TEST

The Canadian Federal Privacy Commissioner, Bruce Phillips, started the session by outlining the Canadian situation. The existing federal data protection law applies only to the public sector, with the exception of Quebec, where private sector organisations also have to comply with the provincial data protection law. Canada currently has a Bill before the Parliament (PL&B Sept '98 p.16-17, and Dec '99 p.22) which is scheduled for third reading in the autumn. Bruce Phillips expected the Bill to become a law before the end of the year, unless it is delayed by strong lobbying.

The new law will cover the federally regulated private sector including banking, transportation, and telecommunications. It is based on the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, which has been a national standard since 1996, and the OECD Privacy Principles.

"The Bill essentially makes compliance with the CSA code a legal requirement," Bruce Phillips said. Oddly, some of the very people that were behind the code when it was voluntary, are now finding faults in it," he told the conference.

The Federal Privacy Commissioner will enforce the new law. Currently, the Commissioner acts as an Ombudsman, whose main task is to find solutions, not faults. "In my eight and half years as Commissioner, I have found this a highly successful approach," Bruce Phillips said.

As Canada is a federal jurisdiction, further action is required to extend private sector privacy protection to the provinces. The new law will allow the provinces another three years, from coming into force of the new law, to pass harmonising legislation. However, personal data crossing provincial boundaries will be caught from day one, unless it is company's internal data.

The Bill includes several aspects that are new in Canada. Companies will have inform data subjects about their data processing, and to nominate a person responsible for data protection.

"When all this is in place, the Canadian law, should, in my view, pass the EU adequacy test. We have received some encouraging comments, but no decision has been made yet," Bruce Phillips summarised.

AUSTRALIA PREPARES NEW LEGISLATION

David Main, Manager, Promotion and Education at the Australian Privacy Commissioner's office, told the conference about the proposed new Australian law and its timetable. The current Federal Privacy Act of 1988 applies only to federal government agencies. The Australian Government decided, in December 1998, to introduce federal private sector legislation (PL&B Feb '99 p.12-13). The new law will be based on the voluntary National Principles for the Fair Handling of Personal Information, which were issued by the then Privacy Commissioner Moira Scollay in February 1998.

"These are quite a good set of principles. They add to the existing principles reflecting the requirements of the EU Data Protection Directive's provisions on, for example, sensitive data. They also have some novel elements, such as the principle of anonymity," David Main said.

"The Government is now working on the legislation. There is no draft bill yet, and the Government describes the future regime as 'light touch legislation'. It will give self-regulatory codes a formal role. These will not implement the law as usually is the case, but the Government plans to put the codes first, if you like. In other words, if you comply with a code, you are outside of the scope of the legislation," David Main explained.

Three main exemptions from the new law are predicted. Firstly, domestic purposes, secondly, journalistic purposes, and thirdly employee records. David Main expressed his personal concern whether it is possible to exempt employee records.

It is hoped that a Bill will be submitted to the Parliament in September. Therefore, the earliest a new law can be adopted is 1st July 2000. This would allow the law to take effect from 1st July 2001.

NEW ZEALAND SURE ABOUT ITS CASE

The New Zealand Assistant Privacy Commissioner, Blair Stewart, went straight to the point by declaring that, unlike Australia and Canada, New Zealand has a first class privacy law.

"The law (1993 Privacy Act) is superior to most European laws due to the constructive approach to manual data. It is also the only omnibus privacy law outside Europe which applies both to the public and private sectors," Blair Stewart said. "It is therefore somewhat of a paradox that our law may be judged inadequate," he continued.

Blair Stewart outlined the main features of the Privacy Act and the small details that need further attention due to the adequacy debate (PL&B Feb '99 p.22). One of these issues is access rights. At the moment, the Act gives broad rights of access, but only if the individual is in the country. Therefore, a European Union citizen, whose personal data is processed in New Zealand, does not automatically have the right to access his data. However, in reality many companies provide access anyway.

The Privacy Commissioner has recommended that the law should be amended to extend access.

Another detail that may become a stumbling block on New Zealand's way to be listed as "adequate", are delays in investigating complaints. There is a 15 months backlog due to inadequate resources.

"If the EU were to regard this aspect as harmful in their evaluation, one would have to ask what are acceptable delays in EU countries," Blair Stewart said. He also pointed out that individuals' rights are more extensive in New Zealand, and this was part of the reason for long investigation times.

The New Zealand Privacy Act lacks any data export controls, which, on the other hand, is an essential part of the EU Data Protection Directive. Blair Stewart explained that any personal data from Europe transmitted to New Zealand must, however, be processed in accordance with the information privacy principles. Re-exporting data to another country would generally only be allowed if that were to be consistent with the original purpose. Blair Stewart said that it is unlikely that the New Zealand Government will decide to include export controls in the legislation.

To sum up, Blair Stewart expressed his concern on the possibility that a small issue, lack of export controls, may be a factor negatively affecting the EU's decision on whether New Zealand offers adequate protection. "In my opinion, European officials should be slow to harshly judge the New Zealand law as inadequate based on certain particular features. Instead, they should look at the Privacy Act in its totality. On that basis I believe New Zealand's law should be assessed as offering adequate protection subject only to the need to remove the standing requirement of individuals to be in the country to be able to access their personal data."

This report is based on presentations at the Privacy Laws & Business 12th International Annual Conference in Cambridge, 28-30th June. Papers are available from Privacy Laws & Business, Tel: + 44 (0)181 423 1300.