Examination of Witnesses (Questions 80-88)
Professor Graham Greenleaf
28 NOVEMBER 2007
Q80 Lord Lyell of Markyate: That
leads very well onto Article 8 of the European Convention on Human
Rights which gives everybody the entitlement to respect to their
private and family life and that seems to come pretty close to
what you are saying and might be built on. Bearing in mind the
very rapid change in technology and the ability of those involved
in surveillance or data collection to be much more intrusive than
they are today, how do you think that our regulators should respond?
Do they have the necessary powers and resources?
Professor Greenleaf: No, I do not think
that they have either here or in most other countries although,
if you pick and choose from the best of what various other countries
offer, you can usually anywhere come up with a good set of improvements.
I have already mentioned that I think that the Information Commissioner
should have a role in producing an annual report on surveillance.
When he gave evidence to this Committee, he mentioned that it
would be good if he could help increase the effectiveness of parliamentary
scrutiny by having a better ability to warn Parliament without
having to be invited even to answer questions and the like. I
would suggest going further than that and to give the Information
Commissioner a statutory obligation to warn Parliament of any
significant privacy dangers that he perceives in legislation or
regulation. So, draw the line at "significant" so that
he does not have to report every minor thing. In that way, he
avoids having to justify why he intervened on a particular issue
if he has a statutory obligation to do so and he cannot really
be seen to be playing any partisan games in coming in on particular
issues if that is his obligation. I think that it would be useful
to give him that obligation and then it would be his responsibility
if he did not do it properly. In his evidence, the Commissioner
said that he may not have shouted loud enough about the DNA database.
There would be some comeback against him for not shouting loud
enough about the DNA database to Parliament. May I mention a couple
of other possible things or do you want me to stop?
Q81 Chairman: Very briefly because
we have a great deal of material to cover in the next ten minutes.
Professor Greenleaf: Then perhaps it
is more sensible for us to go on with further questions.
Q82 Viscount Bledisloe: You have
very largely answered my question already when you were answering
the questions of Lord Woolf. Am I right in understanding from
you that you think there should be a comprehensive single statute
on the right to privacy and that the onus should be on the person
wishing to use your information or collect your information to
justify that within defined grounds?
Professor Greenleaf: Yes, that is right,
that is what I think. You could do that by not having just one
statute but by having, say, a surveillance practices statute which
effectively locked in with the information and privacy statute,
but it might be more sensible to put it all in the one. I would
like to say one further thing on that. On the question of privacy
torts, I do not think that, in light of the case law in this country,
there is any likelihood that a privacy tort will be developed
by the courts. Although there are some developments in the area
of breach of confidence that are useful, they will not cover other
areas like surveillance. However, statutory tort provisions like
those suggested by the Hong Kong Law Reform Commission in a very
detailed report have been recommended by the Australian Law Reform
Commission in its draft report and considered by the New South
Wales Law Reform Commission. They could well just be included
in an overall privacy statute.
Q83 Baroness O'Cathain: What are
the limitations upon the exercise of individuals' consent to data
collection and further processing and are they insuperable?
Professor Greenleaf: I think that consent
is an instrument of limited value in privacy statutes and it has
been somewhat abused by consent not being clearly enough defined.
It easily becomes a question whether there is implied consent
in circumstances where there is hardly any consent at all. Where
genuine fully informed consent (where the individual really has
the alternative to consent or not consent without being denied
valuable services) is possible, of course it is one of the reasons
that do justify what would otherwise be interferences with privacy.
But where that fully genuine consent does not exist, it is better
just to accept that the requirements should be first that there
is justification for the interference and then notice that the
interference is going to take place. I know that is a long way
round to answer your question but what I am saying is that I think
we should put consent in its proper place and not exaggerate its
relevance to privacy laws.
Q84 Viscount Bledisloe: Are you really
saying that every time one is required to fill in a form compulsorily,
there should be a box at the bottom saying, "Do you consent
to this being given to other departments" or "given
to other people"?
Professor Greenleaf: No. What I am saying
is that if you really do not have any choice but to consent, then
let us not go through the charade of asking people to consent.
Q85 Viscount Bledisloe: Surely you
always do. You have no choice but to fill in the form, but surely
you should be given a choice as to whether it is then disseminated.
Professor Greenleaf: Yes, you should
be given that choice unless there are very serious other social
interests that mean that the information must be disseminated
to others. Where those serious reasons exist and you are not going
to get some social service or you are not going to get some private
sector benefit unless you tick that box, then we should not be
calling that consent.
Q86 Lord Rowlands: Is there sufficient
international coordination in this whole field and is it possible
or valuable to establish some kind of international standards
of personal data practices and surveillance?
Professor Greenleaf: I do not think there
is sufficient international coordination as yet. The shining example
of good international coordination is the Article 29 Committee
under the EU Directive where the Data Protection Commissioners
of Europe have genuinely provided policy leadership for the whole
of Europe. In the Asia Pacific region, our Privacy Commissioners,
although they have a collective Asia Pacific Privacy Association,
have not done that. They have not taken a policy development or
a warning role at all, partly because there is no glue like the
Directive to hold those countries' policies together. As a result,
at a global level, commissioners are still rather hamstrung on
reaching agreement about policy issues and have been very mild
in their collective statements. To move on to the second part
of your question, I think that there is still a very serious need
to establish a standard for exports of personal data between countries.
That is still a pressing issue and, as yet, the policy instruments
that have been tried have not succeeded in delivering that. The
adequacy decisions under the EU Directive which, if properly handled,
might have forced an international standard on the world, if you
like, have not done that because the EU has lost credibility by
caving into the USA and also because
Q87 Lord Rowlands: How did they cave
in?
Professor Greenleaf: They approved a
proposal by the USA for its "safe harbour" proposals
which, in most people's opinion, did not satisfy the adequacy
tests under the EU Directive. However, for political reasons,
the EU decided to let the USA go and the adequacy test lost a
lot of its credibility as a result. They have also failed to reach
decisions even about the most obvious jurisdictions to which they
could have granted an adequacy finding like New Zealand or Hong
Kong. The whole process, if it keeps going, will take to about
the year 2099 before they get through most of the world.
Q88 Lord Rowlands: I am not sure
that I understand what adequacy means.
Professor Greenleaf: For the purposes
of EU countries under the Directive wishing to export personal
data to countries outside the EU, it means that exports must be
to a country that provides "adequate" data protection
standards. But the EU Commission and the Council of Ministers
make the decisionI should not go into EU Government mattersas
to which countries meet that adequacy standard. So far they have
only made a handful of decisions and the process is just bogged
down and been discredited. The APEC Privacy Framework in my part
of the world has contributed to undermining a search for a global
standard. No UN conventions are really possible. The International
Standards Organisation is not the right place to start for global
policy. Surprisingly, I think that the only credible contender
for the development of a global policy standard is to follow the
direction or the lead of the Council of Europe Cybercrime Convention
and consider using the Council of Europe Convention concerning
data protection (Convention 108) as a way of bringing non-European
countries into what could become a global standard. There are
provisions in the Council of Europe Convention allowing this which
have never been utilised. The Council of Europe can invite countries
like, say, New Zealand to become a party to that convention. It
is the only agreement I can see that could possibly turn into
a global privacy standard which would not be too high a standard
or too low a standard but somewhere in the middle.
Chairman: Professor Greenleaf, thank you very
much indeed for being with us and thank you very much for your
evidence.
|