Surveillance: Citizens and the State - Constitution Committee Contents


Examination of Witnesses (Questions 80-88)

Professor Graham Greenleaf

28 NOVEMBER 2007

  Q80  Lord Lyell of Markyate: That leads very well onto Article 8 of the European Convention on Human Rights which gives everybody the entitlement to respect to their private and family life and that seems to come pretty close to what you are saying and might be built on. Bearing in mind the very rapid change in technology and the ability of those involved in surveillance or data collection to be much more intrusive than they are today, how do you think that our regulators should respond? Do they have the necessary powers and resources?

  Professor Greenleaf: No, I do not think that they have either here or in most other countries although, if you pick and choose from the best of what various other countries offer, you can usually anywhere come up with a good set of improvements. I have already mentioned that I think that the Information Commissioner should have a role in producing an annual report on surveillance. When he gave evidence to this Committee, he mentioned that it would be good if he could help increase the effectiveness of parliamentary scrutiny by having a better ability to warn Parliament without having to be invited even to answer questions and the like. I would suggest going further than that and to give the Information Commissioner a statutory obligation to warn Parliament of any significant privacy dangers that he perceives in legislation or regulation. So, draw the line at "significant" so that he does not have to report every minor thing. In that way, he avoids having to justify why he intervened on a particular issue if he has a statutory obligation to do so and he cannot really be seen to be playing any partisan games in coming in on particular issues if that is his obligation. I think that it would be useful to give him that obligation and then it would be his responsibility if he did not do it properly. In his evidence, the Commissioner said that he may not have shouted loud enough about the DNA database. There would be some comeback against him for not shouting loud enough about the DNA database to Parliament. May I mention a couple of other possible things or do you want me to stop?

  Q81  Chairman: Very briefly because we have a great deal of material to cover in the next ten minutes.

  Professor Greenleaf: Then perhaps it is more sensible for us to go on with further questions.

  Q82  Viscount Bledisloe: You have very largely answered my question already when you were answering the questions of Lord Woolf. Am I right in understanding from you that you think there should be a comprehensive single statute on the right to privacy and that the onus should be on the person wishing to use your information or collect your information to justify that within defined grounds?

  Professor Greenleaf: Yes, that is right, that is what I think. You could do that by not having just one statute but by having, say, a surveillance practices statute which effectively locked in with the information and privacy statute, but it might be more sensible to put it all in the one. I would like to say one further thing on that. On the question of privacy torts, I do not think that, in light of the case law in this country, there is any likelihood that a privacy tort will be developed by the courts. Although there are some developments in the area of breach of confidence that are useful, they will not cover other areas like surveillance. However, statutory tort provisions like those suggested by the Hong Kong Law Reform Commission in a very detailed report have been recommended by the Australian Law Reform Commission in its draft report and considered by the New South Wales Law Reform Commission. They could well just be included in an overall privacy statute.

  Q83  Baroness O'Cathain: What are the limitations upon the exercise of individuals' consent to data collection and further processing and are they insuperable?

  Professor Greenleaf: I think that consent is an instrument of limited value in privacy statutes and it has been somewhat abused by consent not being clearly enough defined. It easily becomes a question whether there is implied consent in circumstances where there is hardly any consent at all. Where genuine fully informed consent (where the individual really has the alternative to consent or not consent without being denied valuable services) is possible, of course it is one of the reasons that do justify what would otherwise be interferences with privacy. But where that fully genuine consent does not exist, it is better just to accept that the requirements should be first that there is justification for the interference and then notice that the interference is going to take place. I know that is a long way round to answer your question but what I am saying is that I think we should put consent in its proper place and not exaggerate its relevance to privacy laws.

  Q84  Viscount Bledisloe: Are you really saying that every time one is required to fill in a form compulsorily, there should be a box at the bottom saying, "Do you consent to this being given to other departments" or "given to other people"?

  Professor Greenleaf: No. What I am saying is that if you really do not have any choice but to consent, then let us not go through the charade of asking people to consent.

  Q85  Viscount Bledisloe: Surely you always do. You have no choice but to fill in the form, but surely you should be given a choice as to whether it is then disseminated.

  Professor Greenleaf: Yes, you should be given that choice unless there are very serious other social interests that mean that the information must be disseminated to others. Where those serious reasons exist and you are not going to get some social service or you are not going to get some private sector benefit unless you tick that box, then we should not be calling that consent.

  Q86  Lord Rowlands: Is there sufficient international coordination in this whole field and is it possible or valuable to establish some kind of international standards of personal data practices and surveillance?

  Professor Greenleaf: I do not think there is sufficient international coordination as yet. The shining example of good international coordination is the Article 29 Committee under the EU Directive where the Data Protection Commissioners of Europe have genuinely provided policy leadership for the whole of Europe. In the Asia Pacific region, our Privacy Commissioners, although they have a collective Asia Pacific Privacy Association, have not done that. They have not taken a policy development or a warning role at all, partly because there is no glue like the Directive to hold those countries' policies together. As a result, at a global level, commissioners are still rather hamstrung on reaching agreement about policy issues and have been very mild in their collective statements. To move on to the second part of your question, I think that there is still a very serious need to establish a standard for exports of personal data between countries. That is still a pressing issue and, as yet, the policy instruments that have been tried have not succeeded in delivering that. The adequacy decisions under the EU Directive which, if properly handled, might have forced an international standard on the world, if you like, have not done that because the EU has lost credibility by caving into the USA and also because—

  Q87  Lord Rowlands: How did they cave in?

  Professor Greenleaf: They approved a proposal by the USA for its "safe harbour" proposals which, in most people's opinion, did not satisfy the adequacy tests under the EU Directive. However, for political reasons, the EU decided to let the USA go and the adequacy test lost a lot of its credibility as a result. They have also failed to reach decisions even about the most obvious jurisdictions to which they could have granted an adequacy finding like New Zealand or Hong Kong. The whole process, if it keeps going, will take to about the year 2099 before they get through most of the world.

  Q88  Lord Rowlands: I am not sure that I understand what adequacy means.

  Professor Greenleaf: For the purposes of EU countries under the Directive wishing to export personal data to countries outside the EU, it means that exports must be to a country that provides "adequate" data protection standards. But the EU Commission and the Council of Ministers make the decision—I should not go into EU Government matters—as to which countries meet that adequacy standard. So far they have only made a handful of decisions and the process is just bogged down and been discredited. The APEC Privacy Framework in my part of the world has contributed to undermining a search for a global standard. No UN conventions are really possible. The International Standards Organisation is not the right place to start for global policy. Surprisingly, I think that the only credible contender for the development of a global policy standard is to follow the direction or the lead of the Council of Europe Cybercrime Convention and consider using the Council of Europe Convention concerning data protection (Convention 108) as a way of bringing non-European countries into what could become a global standard. There are provisions in the Council of Europe Convention allowing this which have never been utilised. The Council of Europe can invite countries like, say, New Zealand to become a party to that convention. It is the only agreement I can see that could possibly turn into a global privacy standard which would not be too high a standard or too low a standard but somewhere in the middle.

  Chairman: Professor Greenleaf, thank you very much indeed for being with us and thank you very much for your evidence.





 
previous page contents

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2009