Introduction
Defining Privacy
Aspects of Privacy
Models of Privacy Protection
Technologies of Privacy
The Right to Privacy
The Evolution of Data Protection
Oversight and Privacy and Data Protection
Commissioners
Transborder Data Flows and Data Havens
Privacy is a
fundamental human right. It underpins human dignity and other values such as
freedom of association and freedom of speech. It has become one of the most
important human rights of the modern age.
Privacy is recognized
around the world in diverse regions and cultures. It is protected in the
Universal Declaration of Human Rights, the International Covenant on Civil and
Political Rights, and in many other international and regional human rights
treaties. Nearly every country in the world includes a right of privacy in its
constitution. At a minimum, these provisions include rights of inviolability of
the home and secrecy of communications. Most recently written constitutions
include specific rights to access and control one's personal information. In
many of the countries where privacy is not explicitly recognized in the
constitution, the courts have found that right in other provisions. In many
countries, international agreements that recognize privacy rights such as the
International Covenant on Civil and Political Rights or the European Convention
on Human Rights have been adopted into law.
Of all the human rights
in the international catalogue, privacy is perhaps the most difficult to
define. Definitions of privacy vary widely according to context
and environment. In many countries, the concept has been fused with data
protection, which interprets privacy in terms of management of personal
information.
Outside this rather
strict context, privacy protection is frequently seen as a way of drawing the
line at how far society can intrude into a person's affairs. The lack of a single definition should not imply that the
issue lacks importance. As one writer observed, "in one sense, all human
rights are aspects of the right to privacy."
Some viewpoints on
privacy:
In the 1890s, future
United States Supreme Court Justice Louis Brandeis articulated a concept of
privacy that urged that it was the individual's "right to be left
alone." Brandeis argued that privacy was the most cherished of freedoms in
a democracy, and he was concerned that it should be reflected in the
Constitution.
Robert Ellis Smith,
editor of the Privacy Journal, defined privacy as "the desire by
each of us for physical space where we can be free of interruption, intrusion,
embarrassment, or accountability and the attempt to control the time and manner
of disclosures of personal information about ourselves."
According to Edward Bloustein,
privacy is an interest of the human personality. It protects the inviolate
personality, the individual's independence, dignity and integrity.
According to Ruth Gavison,
there are three elements in privacy: secrecy, anonymity and solitude. It is a
state which can be lost, whether through the choice of the person in that state
or through the action of another person.
The Calcutt Committee
in the United Kingdom said, "nowhere have we found a wholly satisfactory
statutory definition of privacy." But the committee was satisfied that it
would be possible to define it legally and adopted this definition in its first
report on privacy:
The right of the individual to be protected against
intrusion into his personal life or affairs, or those of his family, by direct
physical means or by publication of information.
The Preamble to the
Australian Privacy Charter provides, "A free and democratic society requires
respect for the autonomy of individuals, and limits on the power of both state
and private organizations to intrude on that autonomy . . . Privacy is a key
value which underpins human dignity and other key values such as freedom of
association and freedom of speech. . . . Privacy is a basic human right and the
reasonable expectation of every person."
Privacy can be divided
into the following separate but related concepts:
• Information privacy, which involves the establishment of rules governing the
collection and handling of personal data such as credit information, and
medical and government records. It is also known as "data protection";
• Bodily privacy, which concerns the protection of people's physical selves
against invasive procedures such as genetic tests, drug testing and cavity
searches;
• Privacy of communications, which covers the security and privacy of mail,
telephones, e-mail and other forms of communication; and
• Territorial privacy, which concerns the setting of limits on intrusion into
the domestic and other environments such as the workplace or public space.
This includes searches, video surveillance and ID checks.
There are four major
models for privacy protection. Depending on their application, these models can
be complementary or contradictory. In most countries reviewed in the survey,
several models are used simultaneously. In the countries that protect privacy
most effectively, all of the models are used together to ensure privacy
protection.
In many countries
around the world, there is a general law that governs the collection, use and
dissemination of personal information by both the public and private sectors.
An oversight body then ensures compliance. This is the preferred model for most
countries adopting data protection laws and was adopted by the European Union
to ensure compliance with its data protection regime. A variation of these
laws, which is described as a "co-regulatory model," was adopted in Canada and Australia. Under this
approach, industry develops rules for the protection of privacy that are
enforced by the industry and overseen by the privacy agency.
Some countries, such as
the United States, have avoided enacting general data protection rules in
favor of specific sectoral laws governing, for example, video rental records
and financial privacy. In such cases, enforcement is achieved through a range
of mechanisms. A major drawback with this approach is that it requires that new
legislation be introduced with each new technology so protections frequently
lag behind. The lack of legal protections for individuals' privacy on the
Internet in the United States is a striking example of its limitations. There is also
the problem of a lack of an oversight agency. In many countries, sectoral laws
are used to complement comprehensive legislation by providing more detailed
protections for certain categories of information, such as telecommunications,
police files or consumer credit records.
Data protection can
also be achieved, at least in theory, through various forms of self-regulation,
in which companies and industry bodies establish codes of practice and engage
in self-policing. However, in many countries, especially the United States, these
efforts have been disappointing, with little evidence that the aims of the
codes are regularly fulfilled. Adequacy and enforcement are the major problems
with these approaches. Industry codes in many countries have tended to provide
only weak protections and lack enforcement.
With the recent
development of commercially available technology-based systems, privacy
protection has also moved into the hands of individual users. Users of the
Internet and of some physical applications can employ a range of programs and
systems that provide varying degrees of privacy and security of communications.
These include encryption, anonymous remailers, proxy servers and digital cash. Users should be aware that not all tools effectively
protect privacy. Some are poorly designed while others may be designed to
facilitate law enforcement access. (For more discussion of this subject, see
the sub-section on Privacy Enhancing Technologies).
The recognition of
privacy is deeply rooted in history. There is recognition of privacy in the Qur'an and in the sayings of Mohammed. The Bible has numerous references to privacy. Jewish law has long recognized the concept of being free
from being watched. There were also protections in classical Greece and ancient China.
Legal protections have
existed in Western countries for hundreds of years. In 1361, the Justices of
the Peace Act in England provided for the arrest of peeping toms and eavesdroppers. In 1765, British Lord Camden, striking down a warrant to enter a house and seize papers,
wrote, "We can safely say there is no law in this country to justify the
defendants in what they have done; if there was, it would destroy all the
comforts of society, for papers are often the dearest property any man can
have." Parliamentarian William Pitt wrote, "The poorest man
may in his cottage bid defiance to all the force of the Crown. It may be frail;
its roof may shake; the wind may blow through it; the storms may enter; the
rain may enter – but the King of England cannot enter; all his forces dare not
cross the threshold of the ruined tenement."
Various countries
developed specific protections for privacy in the centuries that followed. In
1776, the Swedish Parliament enacted the Access to Public Records Act that
required that all government-held information be used for legitimate purposes. France prohibited the
publication of private facts and set stiff fines for violators in 1858. The Norwegian Criminal Code prohibited the publication of
information relating to "personal or domestic affairs" in 1889.
In 1890, American
lawyers Samuel Warren and Louis Brandeis wrote a seminal piece on the right to
privacy as a tort action, describing privacy as "the right to be left
alone." Following the publication, this concept of the privacy
tort was gradually picked up across the United
States as part of the common law.
The modern privacy
benchmark at an international level can be found in the 1948 Universal
Declaration of Human Rights, which specifically protects territorial and
communications privacy. Article 12 states:
No one should be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to attacks on his honour or
reputation. Everyone has the right to the protection of the law against such
interferences or attacks.
Numerous international
human rights treaties specifically recognize privacy as a right. The International Covenant on Civil and Political Rights
(ICCPR), Article 17, the United Nations (UN) Convention on Migrant Workers,
Article 14, and the UN Convention on Protection of the Child, Article
16 adopt the same language.
On the regional level,
various treaties make these rights legally enforceable. Article 8 of the
European Convention for the Protection of Human Rights and Fundamental Freedoms
1950 (ECHR) states:
(1) Everyone has the right to respect for his private and
family life, his home and his correspondence. (2) There shall be no
interference by a public authority with the exercise of this right except as in
accordance with the law and is necessary in a democratic society in the
interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health
or morals, or for the protection of the rights and freedoms of others.
The Convention created
the European Commission of Human Rights and the European Court of Human Rights
to oversee enforcement. Both have been active in the enforcement of privacy
rights and have consistently viewed Article 8's protections expansively and
interpreted the restrictions narrowly. The Commission found in 1976:
For numerous Anglo-Saxon and French authors, the right to
respect "private life" is the right to privacy, the right to live, as
far as one wishes, protected from publicity. . . . In the opinion of the
Commission, however, the right to respect for private life does not end there.
It comprises also, to a certain degree, the right to establish and develop
relationships with other human beings, especially in the emotional field for
the development and fulfillment of one's own personality.
The Court has reviewed
member states' laws and imposed sanctions on numerous countries for failing to
regulate wiretapping by governments and private individuals. It has also reviewed cases of individuals' access to their
personal information in government files to ensure that adequate procedures
exist. It has expanded the protections of Article 8 beyond
government actions to those of private persons where it appears that the
government should have prohibited those actions.
Other regional treaties
are also beginning to be used to protect privacy. Article 11 of the American
Convention on Human Rights sets out the right to privacy in terms similar to
the Universal Declaration. In 1965, the Organization of American States proclaimed
the American Declaration of the Rights and Duties of Man, which called for the
protection of numerous human rights, including privacy. The Inter-American Court of Human Rights has begun to
address privacy issues in its cases.
Interest in the right
of privacy increased in the 1960s and 1970s with the advent of information
technology. The surveillance potential of powerful computer systems prompted
demands for specific rules governing the collection and handling of personal
information. The genesis of modern legislation in this area can be traced to
the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This
was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978).
Two crucial
international instruments evolved from these laws. The Council of Europe's 1981
Convention for the Protection of Individuals with regard to the Automatic
Processing of Personal Data and the Organization for Economic Cooperation and
Development (OECD) Guidelines Governing the Protection of Privacy and
Transborder Data Flows of Personal Data set out specific rules covering the handling of electronic
data. These rules describe personal information as data that are afforded
protection at every step from collection to storage and dissemination.
The expression of data
protection in various declarations and laws varies. All require that personal
information must be:
• obtained fairly and lawfully;
• used only for the original specified purpose;
• adequate, relevant and not excessive to purpose;
• accurate and up to date;
• accessible to the subject;
• kept secure; and
• destroyed after its purpose is completed.
These two agreements
have had a profound effect on the enactment of laws around the world. Nearly
thirty countries have signed the CoE convention and several others are planning
to do so shortly. The OECD guidelines have also been widely used in national
legislation, even outside the OECD member countries.
There are three major
reasons for the movement towards comprehensive privacy and data protection
laws. Many countries are adopting these laws for one or more reasons.
To remedy past injustices. Many countries, especially in Central Europe, South America and South Africa, are
adopting laws to remedy privacy violations that occurred under previous
authoritarian regimes.
To promote electronic commerce. Many countries, especially in Asia, have developed or
are currently developing laws in an effort to promote electronic commerce.
These countries recognize that consumers are uneasy with the increased
availability of their personal data, particularly with new means of
identification and forms of transactions. These countries recognize consumers
are uneasy with their personal information being sent worldwide. Privacy laws
are being introduced as part of a package of laws intended to facilitate
electronic commerce by setting up uniform rules.
To ensure laws are consistent with Pan-European laws. Most countries in Central and Eastern Europe are
adopting new laws based on the Council of Europe Convention No. 108 and the EU
Data Protection Directive. Many of these countries hope to join the European
Union in the near future. Countries in other regions are adopting new laws or
updating older laws to ensure that trade will not be affected by the
requirements of the European Union Directive.
In 1995, the European
Union enacted the Data Protection Directive in order to harmonize member
states' laws in providing consistent levels of protections for citizens and
ensuring the free flow of personal data within the European Union. The
directive sets a baseline common level of privacy that not only reinforces
current data protection law, but also establishes a range of new rights. It
applies to the processing of personal information in electronic and manual
files.
A key concept in the
European data protection model is "enforceability." Data subjects
have rights established in explicit rules. Every European Union country has a
data protection commissioner or agency that enforces the rules. It is expected
that the countries with which Europe does business will need to provide a similar level of
oversight.
The basic principles
established by the Directive are: the right to know where the data originated;
the right to have inaccurate data rectified; a right of recourse in the event
of unlawful processing; and the right to withhold permission to use data in
some circumstances. For example, individuals have the right to opt-out free of
charge from being sent direct marketing material. The Directive contains
strengthened protections over the use of sensitive personal data relating, for
example, to health, sex life or religious or philosophical beliefs. In the
future, the commercial and government use of such information will generally
require "explicit and unambiguous" consent of the data subject.
The 1995 Directive
imposes an obligation on member states to ensure that the personal information
relating to European citizens has the same level of protection when it is
exported to, and processed in, countries outside the European Union. This
requirement has resulted in growing pressure outside Europe for the passage of
privacy laws. Those countries that refuse to adopt adequate privacy laws may
find themselves unable to conduct certain types of information flows with Europe, particularly if
they involve sensitive data.
In 1997, the European
Union supplemented the 1995 directive by introducing the Telecommunications
Privacy Directive. This directive established specific protections covering
telephone, digital television, mobile networks and other telecommunications
systems. It imposed wide-ranging obligations on carriers and
service providers to ensure the privacy of users' communications, including
Internet-related activities. It covered areas that, until then, had fallen
between the cracks of data protection laws. Access to billing data was severely
restricted, as was marketing activity. Caller ID technology was required to
incorporate an option for per-line blocking of number transmission. Information
collected in the delivery of a communication was required to be purged once the
call was completed.
In July 2000, the
European Commission issued a proposal for a new directive on privacy in the
electronic communications sector. The proposal was introduced as a part of a larger package
of telecommunications directives aimed at strengthening competition within the
European electronic communications markets. As originally proposed, the new
directive would have strengthened privacy rights for individuals by extending
the protections that were already in place for telecommunications to a broader,
more technology-neutral category of "electronic communications."
During the process, however, the Council of Ministers began to push for the
inclusion of data retention provisions, requiring Internet Service Providers
and telecommunications operators to store logs of all telephone calls, e-mails,
faxes, and Internet activity for law enforcement purposes. These proposals were
strongly opposed by most members of the Parliament. In July 2001, the European
Parliament's Civil Liberties Committee approved the draft directive without
data retention, stating:
The Civil Liberties Committee (LIBE Committee) expressed
itself in favour of a strict regulation of law enforcement authorities' access
to personal data of citizens, such as communication traffic and location data.
This decision is fundamental because in this way the EP blocks European Union
States' efforts underway in the Council to put their citizens under generalised
and pervasive surveillance, following the Echelon model.
Following the events of
September 11, however, the political climate changed and the Parliament came
under increasing pressure from member states to adopt the Council's proposal
for data retention. The United Kingdom and the Netherlands, in particular, questioned whether the proposed privacy
rules still struck "the right balance between privacy and the needs of the
law enforcement agencies in the light of the battle against terrorism." The Parliament stood firm and up to a few weeks before the
final vote on May 30, 2002, the majority of the Members of Parliament opposed any
form of data retention. Finally, after much pressure by the European Council
and European Union governments, and well organized lobbying by two Spanish MEPs, the two main political parties (PPE and PSE, the
center-left and center-right parties) reached a deal to vote in favor of the
Council's position.
On June 25, 2002 the European
Union Council adopted the new Privacy and Electronic Communications Directive
as voted in the Parliament. Under the terms of the new Directive, member states may now
pass laws mandating the retention of the traffic and location data of all
communications taking place over mobile phones, SMS, landline telephones,
faxes, e-mails, chatrooms, the Internet, or any other electronic communication
device. Such requirements can be implemented for purposes varying from national
security to the prevention, investigation and prosecution of criminal offences.
In other areas, the
Privacy and Electronic Communications Directive had a more favorable outcome.
For example, it adds new definitions and protections for "calls,"
"communications," "traffic data" and "location
data" in order to enhance the consumer's right to privacy and control in
all kinds of data processing. These new provisions ensure the protection of all
information ("traffic") transmitted across the Internet, prohibit
unsolicited commercial marketing by e-mail ("spam") without consent,
and protect mobile phone users from precise location tracking and surveillance.
The directive also gives subscribers to all electronic communications services
(such as GSM and e-mail) the right to choose whether they are listed in a
public directory.
The Directive will enter
into force from the date of publication in the official journal. After that
time member states will have 15 months to implement its provisions.
The 21 APEC economies (Asia-Pacific Economic
Cooperation) commenced development in 2003 of an Asia-Pacific privacy standard,
and in 2004 may develop a procedure for handling data export limitation issues. This may become
the most significant international privacy initiative since the European
Union's Data Protection Directive of the mid-1990s. In February 2003, Australia
put forward a proposal for the development of APEC Privacy Principles, using
the 20-year-old OECD Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data (1980)
as a starting point.
A Privacy Sub Group was set up comprising Australia, Canada, China, Hong Kong, Japan,
Korea, Malaysia, New Zealand, Thailand and the United States. In March 2004,
Version 9 of the APEC Privacy Principles was released as a public consultation
draft.
Implementation mechanisms, including mechanisms relating to trans-border data
flows are now under consideration but no drafts have yet been made public.
The positive side of the APEC privacy initiative
is that it has the potential to encourage the development of stronger privacy
laws in those APEC economies that at present provide little privacy protection
(the majority), and to help find a regional balance between the protection of
privacy and the economic benefits of trade involving personal data. The
negative side is that it also presents considerable potential dangers to
long-term regional privacy protection if it becomes a means by which the APEC
economies accept a second-rate standard. Globally, a high APEC standard could
be a means of resolving international data export issues, but low APEC
standards could entrench a privacy confrontation between Europe and the
Asia-Pacific. The history to date of the APEC initiative shows that the dangers
are as great as the potential benefits, but a valuable outcome for privacy protection
is still possible.
Criticisms of the APEC Principles emphasize that
they do not even meet the 20-year-old OECD standard, whereas they should
include some significant strengthening where the OECD guidelines are now too
weak.
The Australian Privacy Foundation (APF) and the Asia-Pacific Privacy Charter
Council (APPCC)
have both identified several key weaknesses.
The Privacy Sub-group is also considering draft
Implementation Mechanisms, which in the early drafts (Version 3) have major
weaknesses in comparison with prior international privacy instruments. These initial
proposals raise doubts as to whether the APEC process will be able to
adequately protect human rights across the Asia-Pacific.
An essential aspect of
any privacy protection regime is oversight. In most countries with an omnibus
data protection or privacy act, there is an official or agency that oversees
enforcement of the act. The powers of these officials, Commissioner, Ombudsman
or Registrar, vary widely by country. Several countries, including Germany and Canada, also have
officials or offices on a state or provincial level.
Under Article 28 of the
EU Data Protection Directive, all European Union countries must have an independent
enforcement body. Under the Directive, these agencies are given considerable
power: governments must consult the body when the government draws up
legislation relating to the processing of personal information; the bodies also
have the power to conduct investigations and have a right to access information
relevant to their investigations; impose remedies such as ordering the
destruction of information or banning processing, and start legal proceedings, hear
complaints and issue reports. The official is also generally responsible for
public education and international liaison in data protection and data
transfer. Many authorities also maintain the register of data controllers and
databases. They must approve licensing for data controllers.
Several countries that
do not have a comprehensive act still have a commissioner. A major power of
these officials is to focus public attention on problem areas, even when they
do not have any authority to fix the problem. They can do this by promoting
codes of practice and encouraging industry associations to adopt them. They
also can use their annual reports to point out problems. For example, in Canada, the Federal
Privacy Commissioner announced in his 2000 report the existence of an extensive
database maintained by the federal government. Once the issue became public,
the Ministry disbanded the database.
In several countries,
this official also serves as the enforcer of the jurisdiction's Freedom of
Information Act. These include Hungary, Estonia, Thailand and the United Kingdom. On the sub-national level, many of the German Länder
Commissioners have recently been given the power of information commissioner,
and most of the Canadian provincial agencies handle both data protection and
freedom of information.
A major problem with
many agencies around the world is a lack of resources to adequately conduct
oversight and enforcement. Many are burdened with licensing systems, which use
much of their resources. Others have large backlogs of complaints or are unable
to conduct a significant number of investigations. Many that started out with
adequate funding find their budgets cut a few years later.
Independence is also a problem. In many countries, the agency is under
the control of the political arm of the government or part of the Ministry of
Justice and lacks the power or will to advance privacy or criticize
privacy-invasive proposals. In Japan and Thailand, the oversight agency is under the control of the Prime
Minister's Office. In Thailand, the director was transferred in 2000 after conflicts with
the Prime Minister's Office. In 2001, Slovenia amended its Data Protection Act in order to establish an
independent supervisory authority and thereby ensure compliance with the Data
Protection Directive. This was previously the responsibility of the
Ministry of Justice.
Finally, in some
countries that do not have a separate office, the role of investigating and
enforcing the laws is done by a human rights ombudsman or by a parliamentary
official.
The ease with which
electronic data flows across borders leads to a concern that data protection
laws could be circumvented by simply transferring personal information to third
countries, where the national law of the country of origin does not apply. This
data could then be processed in those countries, frequently called "data
havens," without any limitations.
For this reason, most
data protection laws include restrictions on the transfer of information to
third countries unless the information is protected in the destination country.
For example, Article 12 of the Council of Europe's 1981 Convention places
restrictions on the transborder flows of personal data. Similarly, Article 25 of the European Directive imposes an
obligation on member States to ensure that any personal information relating to
European citizens is protected by law when it is exported to, and processed in,
countries outside Europe. It states:
The Member States shall provide that the transfer to a
third country of personal data which are undergoing processing or are intended
for processing after transfer may take place only if the third country in
question ensures an adequate level of protection.
This requirement has
resulted in growing pressure outside Europe for the passage of strong data protection laws. Those
countries that refuse to adopt meaningful privacy laws may find themselves
unable to conduct certain types of information flows with Europe, particularly if
they involve sensitive data. Determination of a third country's system for
protecting privacy is made by the European Commission. The overarching
principle in this determination process is that the level of protection in the
receiving country must be "adequate" rather than
"equivalent." Therefore, a reasonably high standard of protection is
expected from the third party, although the precise dictates of the Directive
need not be followed.
On July 26, 2000, the European
Commission ruled that both Switzerland and Hungary provide "adequate" protection for personal information
and therefore all transfers of personal data to these countries could continue. In January 2002, the European Commission recognized that
the Canadian Personal Information Protection and Electronic Documents Act
(PIPEDA) provides adequate protection for certain personal data transferred
from the European Union to Canada. The Commission's decision of adequacy does not cover any
personal data held by federal sector or provincial bodies or information held
by personal organizations and used for non-commercial purposes, such as data
handled by charities or collected in the context of an employment relationship. The Commission is currently looking into the privacy
protection schemes in several other non-European Union countries, including New Zealand, Australia, and
Hong Kong.
Another possible way to
protect the privacy of information transferred to countries that do not provide
"adequate protection" is to rely on a private contract containing
standard data protection contractual clauses. This kind of contract would bind
the data processor to respect fair information practices such as the right to
notice, consent, access and legal remedies. In the case of data transferred
from the European Union, the contract would have to meet the standard "adequacy"
test, in order to satisfy the Data Protection Directive. Several model clauses that could be included in such a
contract were outlined in a 1992 joint study by the Council of Europe, the
European Commission and the International Chamber of Commerce. In a June 2000 report (see below), the European Parliament
accused the European Commission of a "serious omission" in failing to
draft standard contractual clauses that European citizens could invoke in the
courts of third countries before the Data Directive came into force. It recommended that they do so before September 30, 2000. In July 2001, the Commission issued a final decision
approving the standard contractual clauses. During the drafting process, the United States criticized
the standard contracts as "unduly burdensome" and
"incompatible with real world operations."
European Union-United States Safe Harbor Arrangement
Although the Commission
never issued a formal opinion on the adequacy of privacy protection in the United States, there
were serious doubts whether the United States' sectoral and self-regulatory approach to privacy
protection would pass the adequacy standard set out in the Directive. The
European Union commissioned two prominent United
States law professors, who wrote a detailed
report on the state of United States privacy protections and pointed out the many gaps in United States
protection.
The United States strongly
lobbied the European Union and its member countries to find the United States system
adequate. In 1998, the United States began negotiating a "Safe Harbor" agreement with the European Union in order to ensure
the continued transborder flows of personal data. The idea of the "Safe Harbor" was that United States companies
would voluntarily self-certify to adhere to a set of privacy principles worked
out by the United States Department of Commerce and the Internal Market
Directorate of the European Commission. These companies would then have a
presumption of adequacy and they could continue to receive personal data from the
European Union. Negotiations on the drafting of the Safe Harbor principles lasted
nearly two years and were the subject of bitter criticism by privacy and
consumer advocates. In early July, the European Parliament approved a forceful
resolution that the agreement needed to be re-negotiated in order to provide
adequate protection.
On July 26, 2000, the Commission
approved the agreement. The Commission did, however, promise to re-open
negotiations on the arrangement if the remedies available to European citizens
proved inadequate. European Union member states were given 90 days to put the
Commission's decision into effect and United
States companies began joining Safe Harbor in November 2000.
There is an open-ended grace period for United
States signatory companies to implement the
principles.
The principles require
all signatory organizations to provide individuals with "clear and
conspicuous" notice of the kind of information they collect, the purposes
for which it may be used, and any third parties to whom it may be disclosed.
This notice must be given at the time of the collection of any personal
information or "as soon thereafter as is practicable." Individuals
must be given the ability to choose (opt-out of) the collection of data where
the information is either going to be disclosed to a third party or used for an
incompatible purpose. In the case of sensitive information, individuals must
expressly consent (opt-in) to the collection. Organizations wishing to transfer
data to a third party may do so if the third party subscribes to Safe Harbor or if that third
party signs an agreement to protect the data. Organizations must take
reasonable precautions to protect the security of information against loss,
misuse and unauthorized access, disclosure, alteration and destruction.
Organizations must provide individuals with access to any personal information
held about them, and with the opportunity to correct, amend, or delete that
information where it is inaccurate. This right is to be granted only if the
burden or expense of providing access would not be disproportionate to the
risks to the individual's privacy or where the rights of persons other than the
individual would not be violated. In terms of enforcement, organizations must
provide access to readily available and affordable independent recourse
mechanisms that may investigate complaints and award damages. They must issue
follow-up compliance procedures and must adhere to sanctions for failing to
comply with the principles.
Privacy advocates and consumer
groups both in the United States and Europe are highly critical of the European Commission's decision
to approve the agreement, which they say will fail to provide European citizens
with adequate protection for their personal data. The agreement rests on a self-regulatory system whereby
companies merely promise not to violate their declared privacy practices. There
is little enforcement or systematic review of compliance. The Safe Harbor status is granted
at the time of self-certification. There is no individual right to appeal or
right to compensation for privacy infringements. There is an open-ended grace
period for United States signatory companies to implement the principles. The
agreement will only apply to companies overseen by the Federal Trade Commission
and Department of Transportation (excluding the financial and
telecommunications sectors) and there are special exceptions granted for public
records information protected by European Union law.
In February 2002, the
European Commission issued a report on the practical operation of the European
Union-United States Safe Harbor Agreement. This was the first report to evaluate the success of the
agreement. It concluded that all the essential elements of the agreement are in
place and that a structure exists for individuals to lodge complaints if they
feel their rights have been infringed. It did find, however, that there is not
sufficient transparency among the organizations that have signed up to Safe
Harbor and that not all dispute resolution providers relied on to enforce Safe
Harbor actually comply with the privacy principles in the agreement itself. The
Commission was expected to issue a full evaluation of the agreement in 2003, but
the report has not yet been issued.
In July 2002, the Article
29 Data Protection Working Party issued a working paper on the functioning of
the agreement. In it, the Working Party expressed its intention to study the
agreement in further detail with particular regard to "possible gaps
between the principles…and the implementing practices" and also "the
transparency requirements to be met by organizations." The Working Party
called on all authorities, organizations and companies concerned to enhance
compliance and awareness of the Agreement.