Following the Peoples’ Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997, the constitutional protections of privacy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Article 29 provides "The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited." Article 30 provides "The freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses." Also relevant is Article 17 of the International Covenant on Civil and Political Rights, which was incorporated into Hong Kong’s domestic law with the enactment of the Bill of Rights Ordinance. [1] Article 39 of the Basic Law provides that the Covenant as applied to Hong Kong shall remain in force and implemented through the laws of Hong Kong.

In 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance, [2] and most of its provisions took effect in December 1996. The legislation enacts most of the recommendations made by the Hong Kong Law Reform Commission following its six-year comparative study. [3] The statutory provisions adopt features of a variety of existing data protection laws and the draft version of the E.U. Directive is also reflected in several provisions. The Ordinance does not differentiate between the public and private sectors, although many of the exemptions will more readily apply to the former. A broad definition of "personal data" is adopted so as to encompass all readily retrievable data recorded in all media that relates to an identifiable individual. The Ordinance does not attempt to differentiate personal data according to its sensitivity. The processing of personal data must conform to data protection principles based on those of the OECD. The six principles regulate the collection, accuracy, use and security of personal data as well as requiring data users to be open about data processing and conferring on data subjects the right to be provided a copy of their personal data and to effect corrections. The Ordinance imposes additional restrictions on certain processing, namely data matching, transborder data transfers, and direct marketing. Data matching requires the prior approval of the Privacy Commissioner. The transfer of data to other jurisdictions is subject to restrictions that mirror those of the E.U. Directive. Also based on the directive is the requirement that upon first use of personal data for direct marketing purposes, a data user must inform the data subject of the opportunity to opt-out from further approaches.

The Ordinance establishes the Office of the Privacy Commissioner to promote and enforce compliance with statutory requirements. [4] The Commissioner is given strong enforcement powers based on those contained in the UK Data Protection Act. In addition to investigating complaints, the commissioner may initiate his own investigations of reasonably suspected contraventions. He may also conduct audits of selected data users. A contravention of any provision other than a data protection principle is a criminal offense. A contravention causing the data subject damage (including injured feelings) is a basis for claiming compensation. The Commissioner is empowered to designate classes of data users required to publicly register the main features of their data processing. The Commissioner may issue codes of conduct to provide guidance on compliance with the Ordinance’s necessarily general provisions. The provisions of a code are legally subordinate but have evidential relevance in determining whether a contravention of the Ordinance has occurred. To date the Commissioner has issued two codes: The code on the use of personal identifiers [5] and of credit information. [6] As of March 31, 1999, the Office has received 35,968 inquiries (19,994 in 1998-1999), heard 723 complaints (418 in 1998-1999) and conducted 119 formal investigations, ruling in 62 cases that there was a violation of the Act. The Office has also issued 147 advisory/warning notices, 14 enforcement notices and has referred 18 cases to the police for prosecution. [7]

A Hong Kong court ruled in June 1999 against attempts to subject Xinhua, the Chinese News agency, which acted as the Chinese government representative in Hong Hong, to the Privacy Ordinance. In December 1996, pro-democracy legislator Emily Lao demanded access to the secret dossier that Xinhua maintained on her. Xinhua refused to respond and the HK government declined to take action. She filed suit but the court quashed her attempt to subpoena the director. [8]

The interception of communications is presently regulated by the Telecommunications Ordinance [9] and the Post Office Ordinance. [10] These enactments provide sweeping powers of interception upon public interest grounds. The vagueness of the powers and the lack of procedural safeguards are inconsistent with the International Covenant of Civil and Political Rights and the Basic Law. No official figures are released on the number of intercepts, which are believed to be widespread and efforts to make the numbers public have been rebuffed in the name of confidentiality. [11] A detailed set of reform proposals released by the Hong Kong Law Reform Commission [12] in 1996 resulted in two legislative initiatives. In early 1997, the government released a draft bill for public consultation regulating the interception of communications. When that initiative stalled, James To, an independent legislator, introduced a private members bill, the last enactment to be passed by the colonial legislature prior to July 1, 1997. That enactment has yet to be brought into force and to date the government has declined to indicate when any legislation regulating the interception of communications will take effect. In January 1999, Mr. To introduced another bill to force the ordinance to go into effect.

The Code on Access to Information [13] requires civil servants to provide records held by government departments unless there are specific reasons for not doing so. Departments can withhold information if it relates to 16 different categories including defense, external affairs, law enforcement and personal privacy. Formal complaints of denials can be filed with the Ombudsman.

Article 59 of the Constitution of the Republic of Hungary reads, "Everyone in the Republic of Hungary shall have the right to good reputation, the inviolability of the privacy of his home and correspondence, and the protection of his personal data." [14] In 1991, the Supreme Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy. [15]

Act No. LXIII of 1992 on the Protection of Personal Data and Disclosure of Data of Public Interest covers the collection and use of personal information in both the public sector and private sector. It is a combined Data Protection and Freedom of Information Act. Its basic principle is informational self-determination. [16] Hungary is an applicant for E.U. membership and it is anticipated that only minor changes are required to make the Act compliant with the E.U. Directive. In June 1999, the Parliament amended the Act to treat "data controllers" and "data processors" differently like in the E.U. Directive. In the year 2000, the whole Act will be revised and made consistent with the Directive.

The Parliamentary Commissioner for Data Protection and Freedom of Information oversees the 1992 Act. [17] Besides acting as an ombudsman for both data protection and freedom of information, the Commissioner's tasks include: maintaining the Data Protection Register, and providing opinions on DP and FOI-related draft legislation as well as each category of official secrets. Under the Secrecy Act of 1995, the Commissioner is entitled to change the classification of state and official secrets as well. The Commissioner (along with the two other Parliamentary Commissioners – one for human rights in general, the other for the ethnic minorities) was elected for the first time on June 30, 1995, for a six year term.

The Commission has been very active reviewing cases involving personal information. [18] When reviewing unlawful national security controls in 1995, in 797 cases, unlawful information gathering practices were found and files had to be destroyed. In 1995, the names and addresses of the winners of the largest lottery jackpot were broadcast on television against the will of the individuals. In a case involving unlawful gathering of personal data of patients of voluntary drug treatment institutions in 1997, the police had to return the lists to the hospital. The Commission has registered 19,376 databases and conducts about 1,000 examinations each year. [19]

Surveillance by police requires a court order and is limited to cases investigating crimes punishable by more than five years imprisonment. [20] Surveillance by national security services requires the permission of a specially appointed judge or the Minister of Justice who can authorize surveillance for up to 90 days. [21] There have been a number of scandals involving secret service spying on political opponents, environmental activists and ethnic minorities. The Parliamentary National Security Committee is currently investigating the illegal surveillance of members of the political party Fidesz, after documents were found by the government. Prime Minister Viktor Orbán said the surveillance was conducted by former members of the secret service now employed by private companies. [22] In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF10 billion. [23]

Many laws contain rules for handling personal data including addresses, [24] marketing records, [25] universal identifiers, [26] medical information, [27] police information, [28] public records, [29] employment, [30] telecommunications, [31] and national security services. [32] The Criminal Code also has provisions on privacy. [33]

Hungary is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [34] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [35] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Section 72 of the Constitution states, "The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute." [36]

The Act on the Registration and Handling on Personal Data applies to government agencies and the private sector for physical and electronic files. [37] All persons wishing to process personal data must register. There are limitations on processing sensitive data, disclosing information and linking databases. Individuals have a right to access and correct information. There are additional rules for credit information and marketing. Video surveillance and recording is also covered under the act. A government commission headed by the Minister of Industry and Commerce released a report in 1997 calling for an update of the current legislation to make it consistent with the E.U. Directive. The report also suggested that the legislation should address issues raised by digital identity cards and sharing of government information. [38] In June 1999, there was a formal decision to incorporate the E.U. Data Protection Directive into European Economic Area. Legislation to amend the Icelandic law is expected to be introduced into the Parliament in October 1999.

The Act is enforced by the Icelandic Data Protection Commission. The Commission maintains the registry of activities and can investigate and issue rulings. In 1998, the Commission registered 509 activities.

In December 1998, the Parliament approved a bill that would allow the creation of a nationwide centralized health database. [39] The Government plans give an exclusive 12-year license for the database to American bio-tech company deCODE Genetics which will create a nationwide genetic database of the entire Icelandic population based on 30 years of patients records. The company is spending $200 million over the next five years for research. Patients were required to opt out of the database by June 1999. After that date, their information could not be removed. The Privacy Commission is currently drafting requirements on technical, security and organizational requirements and will be maintaining the keys to identify individuals. [40] This proposal has been very controversial both in Iceland and with medical and privacy experts around the world. The Icelandic Medical Association is opposing the effort and many doctors are refusing to hand over their patients’ records without consent. The World Medical Association in April 1999 supported the Icelandic Medical Association’s opposition to the database. [41] Security experts have examined the database and have found that the encryption does not protect the identity of the individuals. [42] At their annual meeting in Santiago de Compostela, Spain in September 1998, the other European Data Protection Commissioners recommended that the Icelandic authorities reconsider the project in light of the fundamental principles laid down in the European Convention on Human Rights, the Council of Europe Convention and Recommendation (97)5 on medical data, and the EC Directive.

Under the Law on Criminal Procedure, wiretapping, tape recording or photographing without consent requires a court order and must be limited to a short time. After the recording is complete, the target must be informed and the recordings must be destroyed after they are no longer needed. [43] There were 42 wiretaps authorized between 1992 and February 1996. [44] Complaints against the orders can be submitted to the Supreme Court. Chapter XXV of the Penal Code also penalizes violations of privacy such as violating the secrecy of letters and revealing secrets to the public.

Iceland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[45] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [46] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Iceland is not a E.U. member state but has been granted associate status.

The Constitution of 1950 does not expressly recognize the right to privacy. [47] However, the Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21 of the Constitution which states, "No person shall be deprived of his life or personal liberty except according to procedure established by law." [48]

There is also a right of privacy guaranteed by Indian laws. Unlawful attacks on the honor and reputation of a person can invite an action in tort and/or criminal law. [49] The Public Financial Institutions Act of 1993 codifies India's tradition of maintaining confidentiality in bank transactions.

There is no general data protection law in India. The National Task Force on IT and Software Development, set up by the Prime Minster's Office in May 1998, submitted an "IT Action Plan" to Prime Minister Vajpayee in July 1998 calling for the creation of a "National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data." It examined the UK Data Protection Act as a model and recommended a number of cyber laws including ones on privacy and encryption. [50] The Act was expected to be drafted by the end of 1998. [51]

Wiretapping is regulated under the Indian Telegraph Act of 1885. An order for a tap can be issued only by the Union home secretary or his counterparts in the states. A copy of the order must be sent to a review committee directed to be set up by the high court. Tapped phone calls are not accepted as primary evidence in India's courts. There have been numerous phone tap scandals in India, resulting in the 1996 decision by the Supreme Court which required the government to promulgate rules regulating taps. The Court ruled in 1996 that wiretaps are a "serious invasion of an individual's privacy." [52] However, illegal wiretapping by government agencies appears to be continuing. According to prominent Non-Government Organizations, the mail of many NGOs in Delhi and in strife-torn areas continues to be subjected to interception and censorship. [53] There has been considerable discussion about a rumored new government proposal on Internet surveillance. The plan would require Internet service providers to connect their routers to state security agencies such as the Intelligence Bureau and the Research and Analysis Wing so their traffic can be monitored. [54]

The Supreme Court ruled in 1982 that access to government information was an essential part of the fundamental right to freedom of speech and expression [55] In 1997, the state of Tamil Nadu adopted the Act for Right to Information and the states of Gujarat, Rajasthan and Madhya Pradesh have administratively provided access to records. There has been debate for several years about adopting a national Freedom of Information law and the government working group drafted a bill in 1997. The draft bill would provide a general right to access information and create a National Council for Freedom of Information and State Councils. In February 1999, President K.R. Narayanan announced that the government plans to bring forward the Freedom of Information Bill this year. [56]

The Constitution of Ireland does not explicitly protect the right to privacy. [57] The High and Supreme Courts have ruled that privacy is protected under Article 40.3.1 which states that "The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizen” and other provisions. [58] The Supreme Court ruled in 1987 that the warrantless wiretapping of two journalists was a violation of the Constitution, finding "The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State . . . The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This cannot be insured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with." [59]

The Data Protection Act of 1988 covers both the private and public sectors. It regulates the collection, processing, keeping, use and disclosure of personal information that is processed automatically. Individuals have a right to access and correct incorrect information. Information can only be used for specified and lawful purposes and cannot be used or disclosed. Additional protections can be ordered for sensitive data. Criminal penalties can be imposed for violations. There are broad exemptions for national security, tax, and criminal purposes. A draft bill is currently being reviewed by the Attorney General that would revise the Act to make it consistent with the E.U. Directive. The Ministry of Justice has announced that they are delaying the introduction of the bill until the fall of 1999. [60] Misuse of data is also criminalized by the Criminal Damage Act 1991.

The Act is enforced by the Data Protection Commissioner. The Commission can investigate complaints, prosecute offenders, sponsor codes of practice, and supervise the registration process. The Commission generally receives about 1,700 inquiries each year and reviews between 20 and 30 complaints. [61] In 1996, the Commissioner criticized a proposal to introduce a social services card to all citizens that could become a national ID card. [62]

Wiretapping and electronic surveillance is regulated under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act. The Act followed a 1987 decision of the Supreme Court ruling that wiretaps of journalists violated the constitution (see above). In April 1998, the Garda investigated allegations that several journalists who had uncovered a scandal at the National Irish Bank had their cellular phone conversations intercepted. [63] The Law Reform Commission recommended a new bill in July 1998 that would make illegal the invasion of a person's privacy through secret filming, taping and eavesdropping and the publication of information received from the surveillance. [64] There were protests in the Irish Parliament in June 1999 after reports that the British government tapped all telephone calls, email, telexes and faxes between Ireland and Britain from a 13-storey tower in Capenhurst, Cheshire, from 1989 until 1999. The Irish government asked its ambassador in the UK to demand more information on the acts. [65]

The Freedom of Information Act was approved in 1997 and went into effect in April 1998. [66] The act creates a presumption that the public can access documents created by government agencies and requires that government agencies make internal information on their rules and activities available. The Office of the Information Commissioner enforces the act. [67] As of April 1999, there were 6,200 requests to government agencies of which twenty percent were refused. The Commissioner reviewed 330 cases. [68]

Ireland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [69] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [70] It is also a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Section 7 of The Basic Law: Human Dignity and Freedom (1992) states, "(a) All persons have the right to privacy and to intimacy. (b) There shall be no entry into the private premises of a person who has not consented thereto. (c) No search shall be conducted on the private premises or body of a person, nor in the body or belongings of a person. (d) There shall be no violation of the secrecy of the spoken utterances, writings or records of a person." [71] According to Supreme Court Justice Mishael Cheshin, this elevated the right of privacy to the level of a basic right. [72]

The Protection of Privacy Law regulates the processing of personal information in computer data banks. [73] The law set out 11 types of activities that violated the law and could subject the personal to criminal or civil penalties. Holders of data banks of over 10,000 names must register. Information in the database is limited to purposes for which it was intended and must provide access to the subject. There are broad exceptions for police and security services. It also sets up basic privacy laws relating to spying, publication of photographs and other traditional privacy features. The law was amended in 1996 to broaden the databases covered such as those used for direct marketing purposes and also increases penalties. [74]

The Act is enforced by the Registrar of Databases within the Ministry of Justice. The Registrar maintains the register of data bases and can deny registration if he believes that it is used for illegal activities. The registrar can also investigate and enforce the Act. [75] As of mid-1998, 5,200 databases were registered. [76] A public council for the protection of privacy has also been set up to advise the Justice Minister on legislative matters related to the Protection of Privacy Law and its subsidiary regulations and orders, sets guidelines for the protection of computerized databases, and guides the Registrar of Databases in his work. Under the 1996 amendments, a more independent supervisory authority is being created.

Interception of communications is governed by the Secret Monitoring Law of 1979, which was amended in 1995 to tighten procedures and the cover new technologies such as cellular phones and email. It also increased penalties for illegal taps and allowed interception of privileged communications such as with a lawyer or doctor. [77] The police must receive permission from the President of the District Court in order to intercept any form of wire or electronic communications or plant microphones for a period up to three months, which can be renewed. According to the Israeli government, “The number of wiretap permits given to the Police has averaged roughly 1,000 - 1,100 annually over the last several years. Roughly half of these wiretap permits are given in connection with drug-related offences.” [78] Intelligence agencies may wiretap people suspected of endangering national security, after receiving written permission from the Prime Minister or Defense Minister. The agencies must present an annual report to the Knesset. The Chief Military Censor may also intercept international conversations to or from Israel for purposes of censorship. A 1991 report by the State Comptroller found that the police were abusing the procedures and that led to the 1995 amendments. In 1996 a Defense Forces employee was tried for misusing the phone records of a journalist. [79] Several people, including Ma'ariv publisher Opher Nimrodi, were convicted in 1998 of ordering wiretaps on business people and media personalities, including Science Minister Silvan Shalom in 1994. [80] In November 1998, wiretaps were discovered on the phone of Labor and Social Affairs Minister Eli Yishai. It was suspected that he was wiretapped by a rival political faction inside the Shas party. [81]

Unauthorized access to computers is punished by the 1995 Computer Law. [82] The Postal and Telegraph Censor, which operates as a civil department within the Ministry of Defence has the power to open any postal letter or package to prevent harm to state security or public order.[83] The 1996 Patient Rights Law imposes a duty of confidentiality on all medical personnel. [84] A Genetic Privacy Bill was approved for a first reading by the Knesset's subcommittee on science in March 1998. The bill would limit disclosure of private DNA information. The police are also demanding the creation of a national DNA data base. [85] The Health Ministry issued regulations on the use of video surveillance in hospitals in September 1989 after it was disclosed that cameras had been moved to watch patients undressing. [86] Criminal records are governed by the Criminal Register and Rehabilitation Law that allows 30 government agencies to access the records. [87]

Finance Minister Yaakov Ne'eman issued an authorization in March 1998 giving the director of the Bureau for Counterterrorism full access to the databases of all Israeli taxation authorities, including the Income Tax Authorities and Customs. It gives the Bureau access to the financial records of any citizen in Israel, including the status of their bank account "for urgent cases of preventing terrorist acts." [88]

The Freedom of Information Law was approved unanimously by the Knesset in May 1998. [89] It provides for broad access to records held by government offices, local councils and government-owned corporations. Requests for information must be processed within 30 days. A court can review decisions to withheld information. A Jerusalem Post in June 1999 found that many agencies had not began to prepare for the law. [90]

The 1948 Constitution has several provisions relating to privacy. Article 14 states, "(1) Personal domicile is inviolable. (2) Inspection and search may not be carried out save in cases and in the manner laid down by law in conformity with guarantees prescribed for safeguarding personal freedom. (3) Special laws regulate verifications and inspections for reasons of public health and safety, or for economic and fiscal purposes." Article 15 states, "(1) The liberty and secrecy of correspondence and of every form of communication are inviolable. (2) Limitations upon them may only be enforced by decision, for which motives must be given, of the judicial authorities with the guarantees laid down by law." [91]

The Italian Data Protection Act was enacted in 1996 after twenty years of debate. [92] The Act is intended to fully implement the E.U. Data Protection Directive. It covers both electronic and manual files for both government agencies and the private sector. Italy first attempted to enact data protection legislation in 1981.

The Act is enforced by the Supervisory Authority "Garante" for Personal Data Protection. The Garante maintains a register, conducts audits and enforces the laws and can also audit databanks not under its jurisdiction such as those relating to intelligence activities. The Decree on the internal organization of the Authority was published in the Official Journal on February 1, 1999, a year after it was submitted. The decree establishes the procedures for keeping the Register of Data Processes, access to the register by citizens, investigations, registrations and inspections. [93] The Garante ruled in October 1998 that phone companies need not mask the phone numbers on bills and that phone companies should allow for anonymous phone cards to protect privacy. [94]

Wiretapping is regulated under the penal procedure code and penal code. [95] It requires a court order that can last for 15 days in most cases. There are more lenient procedures for anti-Mafia cases. Some 44,000 orders were approved in 1996, up from 15,000 in 1992. [96] The law on computer crime includes penalties on interception of electronic communications. [97] In March 1998, the Parliament issued a legislative decree adopting the provisions of the E.U. Telecommunications Privacy Directive. [98]

There are also sectoral laws relating to workplace surveillance, [99] statistical information, and electronic files and digital signatures. [100] The Workers Charter prohibits employers from investigating the political, religious or trade union opinions of their workers, and in general on any matter which is irrelevant for the purposes of assessing their professional skills and aptitudes. [101] The 1993 computer crime law prohibits unlawfully using a computer system and intercepting computer communications. [102]

The Act of 241/7.8.1990 provides for general access to government documents.

Italy is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [103] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [104] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Article 21 of the 1946 Constitution states, "Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed. 2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated." Article 35 states, "The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized . . . 2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer." [105]

The 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs governs the use of personal information in computerized files held by government agencies. [106] It is based on the OECD guidelines and imposes duties of security, access, and correction. Agencies must limit their collection to relevant information and publish a public notice listing their files systems. Information collected for one purpose cannot be used for a purpose "other than the file holding purpose." The Act is enforced by the Government Information Systems Planning Division of the Management and Coordination Agency. The Prefecture of Kanagawa also has legislation that protects privacy in both the public and private sectors. [107]

The Japanese government has followed a policy of self-regulation for the private sector, especially relating to electronic commerce. In June 1998, former Prime Minister Ryutaro Hashimoto announced that he had signed an agreement with U.S. President Clinton for self-regulation for privacy measures on the Internet except for certain sensitive data. "If data in a certain industry is highly confidential, legal methods can be considered for that industry." [108] On March 4, 1997, the Ministry of International Trade and Industry (MITI) issued Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the granting of "privacy marks" to businesses committing to the handling of the personal data in accordance with the MITI guidelines, and to promote awareness of privacy protection for consumers. The "privacy mark" system was introduced on April 1, and is administered by the Japan Information Processing Development Center (JIPDEC) – a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy protection mark. It is assumed that they will then be penalized by market forces. However, in addition, the new Supervisory Authority will investigate violations and make suggestions as necessary to the relevant administrative authorities. [109] An analysis of the marks done for the European Union by four academic experts in privacy found that there were serious shortcomings in the system. [110]

Wiretapping is considered a violation of the Constitution's right of privacy and has only been authorized a few times. Wiretapping is also prohibited under article 104 of the Telecommunications Business Law and article14 of the Wire Telecommunications Law. [111] A bill to authorize wiretapping for narcotics, guns, gang-related murders and large-scale smuggling of foreigners cases was approved by the Diet in July 1999 following strong pressure by the United States government. [112] A public poll taken in early June found that 45 percent of the public opposed the bill and 44 percent supported it [113] and over 8,000 people attended anti-wiretap rally organized by the Democratic Party of Japan, Japanese Communist Party and Social Democratic Party. [114] Nobuto Hosaka, a Social Democratic Party lawmaker filed a suit in July 1999 alleging that the police had intercepted his phone calls after a transcript of a conversation he had with a TV reporter about the wiretap bill was delivered anonymously to two newspapers by a personal claiming to have tapped the phone from the police facilities. [115] In June 1997, the Tokyo High Court upheld a lower court's finding that the Kanagawa Prefectural Police had illegally wiretapped the telephone at the home of a senior member of the Japanese Communist Party. The court imposed a fine of four million yen. [116] A number of NTT employees have also been caught recently selling information about customers. [117]

A bill which would create a 10 digit number for all residents was approved the Diet in July 1999[118] The law will allow centralized control by the Ministry of Home Affairs of information on residents currently held by local governments. The bill was held up for a year but in June 1999 the opposition New Komeito party agreed to support the bill if a law a new law on privacy protection was enacted. A committee has been set up to develop a bill to be introduced within three years. [119]

The Ministry of Finance and Ministry of International Trade and Industry announced plans to introduce legislation to protect individuals credit data in the next Parliament after a task force issues proposals. [120] Japan's Ministry of Posts and Telecommunications (MPT) announced plans in June 1998 to study privacy in telecommunications services, establishing a study group to look into the matter. [121]

The Ministry of Transportation announced in June a plan to issue “Smart Plates” license plates with embedded IC chips by 2001. The chips will contain driver and vehicle information and be used for road tolls and traffic control. [122] The National Police Agency has operated a comprehensive video surveillance system called the "N-system" with 400 locations on expressways and major highways throughout the country, which has been automatically recording the license plate number of every passing car for the last 11 years. Whenever a "wanted" car is detected, the system immediately issues a notice to police. [123] Eleven motorists filed a lawsuit challenging the system in 1997.

The Disclosure of Information Act was approved by the Diet in May 1999 after 20 years of debate. The law allows any individual or company to request government information in electronic or printed form. A nine-person committee in the Office of the Prime Minster will receive complaints about information which the government refuses to make public and will examine whether the decisions made by the ministries and agencies were appropriate. Government officials will still have broad discretion to refuse requests but requestors will be able to appeal decisions to withhold documents to one of eight different district courts. The law goes into effect in 2001. A survey by Kyodo News in May 1999 found that 31 city and prefectural governments are in the process of adopting legislation consistent with the new law. Sixteen of them are including a principle of “right to know.”[124]

Japan is a member of the Organization for Economic Cooperation and Development and a signatory to the OECD Guidelines on Privacy and Transborder Dataflows.

The Constitution provides for protection of privacy and secrecy of communications. Article 16 states, "All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented." Article 17 states, "The privacy of no citizen may be infringed." Article 18 states, "The privacy of correspondence of no citizen shall be infringed." [125]

The Act on the Protection of Personal Information Managed by Public Agencies of 1994 sets rules for the management of computer-based personal information held by government agencies and is based on the OECD privacy guidelines.[126] Under the Act, government agencies must limit data collected, ensure their accuracy, keep a public register of files, ensure the security of the information, and limit its use to the purposes for which it was collected. The Act is enforced by the Minister of Government Administration.

Interest in promotion of electronic commerce has been a major impetus for recent developments. In May 1998 the Ministry of Commerce, Industry and Energy (MoCIE) proposed a set of guidelines for electronic commerce legislation, including protecting privacy in the digital trade environment. [127] The Basic Act on Electronic Commerce was approved in January 1999. Chapter III of the Act requires that “electronic traders shall not use, nor provide to any third party, the personal information collected through electronic commerce beyond the alleged purpose for collection thereof without prior consent of the person of such information or except as specifically provided in any other law.” Individuals also have rights of access, correction and deletion and data holders have a duty of security. [128] In March 1999 the Ministry of Information and Communications announced that it was planning to introduce a bill that regulates password systems to activate electronic commerce and safe documents transfer on the Internet and other bills to regulate privacy and electronic money transfers. [129] The Ministry also announced that it had enacted a digital signature ordinance.

The cabinet approved a bill in March 1999 creating an National Human Rights Commission which would, among its powers, investigate illegal wiretapping. The proposal was criticized by Amnesty International and local groups who held a week-long hunger strike to protest the bill. Amnesty said that the bill “seems designed to set up a commission which lacks independence and has weak investigative powers over a limited range of violations.” [130]

Wiretapping is regulated by the Law on Protection of Privacy of Communications. That Law requires a court order to place a tap. Intelligence agencies are required to obtain permission from the Chief Judge of the High Court or approval from the President for national security cases. [131] Article 54 of the Telecommunication Business Act, prohibits persons who are or have been engaged in telecommunication services, from releasing private correspondence. There were 6,638 taps authorized in 1998, 1,073 of those were “emergency taps” which are done without prior court permission. In 1997, there were a reported 6,002 legal taps up from 2,067 in 1996. [132] Rep. Kim Hyong-o of the opposition Grand National Party (GNP) stated that he believed that over 10,000 taps were actually placed in 1998. [133] Under previous administrations, there were widespread surveillance and wiretapping abuses by intelligence and police officials. In October 1998, President Kim Dae-jung ordered a full-scale probe into illegal wiretapping. The wiretap law was amended in December 1998. The revisions limit the time frame that a tap can be placed before getting permission from a court and places additional procedural requirements but it allows taps to be placed without court permission for investigations of “gangs and criminal organizations.”

Credit reports are protected by the Act Relating to Use and Protection of Credit Information of 1995. [134] Postal privacy is protected by the Postal Services Act. [135]

In 1997, the government announced the creation of an "Electronic National Identification Card Project." The plan was based on a smart card system and according to a local human rights group would "include universal ID card, driver's license, medical insurance card, national pension card, proof of residence, and a scanned fingerprint, among other things." [136] The government was scheduled to issue cards to all citizens by 1999. [137] On November 17, a law on the ID card project passed the National Assembly. In December 1997, Kim Dae Jung won the Presidential election. He had publicly opposed the ID card project in his campaign and it appears to have stopped. However, activists believe that government agencies are continuing to quietly develop the proposals.

The Act on Disclosure of Information by Public Agencies is a freedom of information act that allows Koreans to demand access to government records. It was enacted in 1996 and went into effect in 1998. The Supreme Court ruled in 1989 that there is a constitutional right to information “as an aspect of the right of freedom of expression, and specific implementing legislation to define the contours of the right was not a prerequisite to its enforcement.” [138]

South Korea is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Article 17 of the Constitutional Law on Rights and Obligations of a Citizen and a Person states, "(1) The State guarantees the confidentiality of correspondence, telephone conversations, telegraph and other communications. (2) These rights may be restricted by a judge’s order for the investigation of serious crimes." [139]

Legislation on the protection of personal data is being prepared by a working group operating under the Department of Informatics, Ministry of Transportation. Another working group operating under the Ministry of Culture is preparing legislation on the protection of databases maintained by the government sector. [140]

The Law on Freedom of Information was adopted by the Saiema in October 1998 and signed into law by the State President in November 1998. [141] It guarantees public access to all information in “any technically feasible form” not specifically restricted by law. Individuals may use it to obtain their own records. Information can only be limited if there is a law; the information is for internal use of an institution; trade secrets; information about the private life of an individual, and certification, examination, project, tender and similar evaluation procedures.

In January 1999, the National Human Rights Office (NHRO) threatened to sue the National Compulsory Health Insurance Central Fund (NCHI CF) about the mandatory use of personal identification codes by doctors as a violation of the right to privacy in the European Convention on Human Rights. [142]

Under the new Penal Code, it is unlawful to interfere with correspondence. [143] Wiretapping or interception of postal communications requires the permission of a court. [144] On November 16, 1995, it was reported that telephones in the Latvian Defense Ministry were tapped. The Latvian Defense Ministry responded by stating Latvia's "military counterintelligence service reserves the right to ensure the security of communications at the Ministry of Defense and structures of the national armed forces." [145] In April 1994, a bugging device was found on the switchboard of the "Dienas Bizness" newspaper. [146]

Latvia is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [147] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [148]

Article 22 of the Constitution states, "The private life of an individual shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other intercommunications shall be inviolable. Information concerning the private life of an individual may be collected only upon a justified court order and in accordance with the law. The law and the court shall protect individuals from arbitrary or unlawful interference in their private or family life, and from encroachment upon their honor and dignity." [149]

Lithuania enacted its Law on Legal Protection of Personal Data in 1996 [150] and amended it in March 1998 to harmonize it with E.U. Data Protection Directive. [151] The Law regulates the processing of all types of personal data, not just in state information systems. It defines the time and the general means of protecting personal data and sets rights of access and correction. It also sets rules on the collecting, processing, transferring and using of data. The Administrative Code defines various monetary penalties in cases of the infringement of the processing and use of data. [152] There is also a Law on State Registers [153] which governs the use and legitimacy of state data registers that contain personal information. The law also mandates that data registers may only be erased or destroyed in cooperation with the State Data Protection Inspectorate.

The State Data Protection Inspectorate was established in 1996 to enforce the provisions of the Law on Legal Protection of Personal Data and the Law on State Registers. [154] Under the 1998 Law, it is subordinated to the Minister of Public Administration Reforms and Local Authorities from July 1998. There are efforts to make it an independent agency.

Wiretapping requires a warrant issued by the Prosecutor General. [155] On October 27, 1995, the Lithuanian State Security Department Chief, Jurgis Jurgialis, denied opposition charges that his department bugged telephones for political reasons. He said, "we resort to such actions only on the basis of the law and after receiving the prosecutor's authorization in each particular case." Jurgialis denied that his department was involved in widespread bugging but conceded such activities were conducted throughout Lithuania "by quite different structures, including foreign intelligence services." [156] In May 1998, Lietuvos rytas, the country's largest daily, revealed that a top-secret surveillance unit was monitoring the media, the prosecutor general, cabinet ministers, the Prime Minister, and the President. The unit was shut down after the revelations. [157] The International Helsinki Committee raised concerns about the prosecution of Audrius Butkevicius, a member of the Lithuanian parliament, on corruption charges in 1997 based on wiretaps conducted without a court order. [158]

There are specific privacy protections in laws relating to telecommunications, [159] radio communications, [160] statistics, [161] the population register, [162] and health information. [163] The Penal Code of the Republic of Lithuania provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves and impact on computer information. Civil laws provide for compensation for moral damage because of dissemination of unlawful or false information demeaning the honor and dignity of a person in the mass media. [164]

Lithuania is in the process of preparing for membership in the E.U. and has a National Program for the Adoption of E.U. Regulations. It is a member of the Council of Europe but has not yet signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [165] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [166]

Article 28 of the Constitution states, "(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams." [167]

Luxembourg's Act Concerning the Use of Nominal Data in Computer Processing was adopted in 1979. [168] The law pertains to individually identifiable data in both public and private computer files. It also requires licensing of systems used for the processing of personal data. The law considers all personal data to be sensitive, although special provisions may be applied to medical and criminal information. For personal data processing by the private sector, an application must first be made to the Minister for Justice who thereafter issues an authorization for such processing to take place. The Commission à la Protection des Données Nominatives, under the Ministry of Justice, oversees the law. If an application for personal data processing is granted, and there is an objection raised or if the application is refused or the original authorization is withdrawn for some reason, an appeal can be made to the Disputes Committee of the Council of State. A national register of all systems containing personal information is maintained by the Minister for Justice. Public sector personal data systems can only be established upon the issuance of a special law or regulation. Such proposed laws or regulations are reviewed by the Advisory Board. In 1992, the law was amended to include special protection requirements for police and medical data.

A bill that would make the law consistent with the E.U. Directive was introduced in the Parliament in 1997 but withdrawn in 1998 and has not yet been reintroduced due to Parliamentary elections. [169] A project on electronic commerce that will implement the E.U. Telecommunications Privacy Directive is currently pending. [170]

Telephone tapping is regulated by the Criminal Code. [171] Under the law, a tribunal selected by the president authorizes wiretaps. There are also sectoral laws on privacy relating to telecommunications, [172] identity numbers, [173] and banking secrecy. Luxembourg’s status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.

There is no general freedom of information law in Luxembourg. Under the 1960 decree on state archives, the archives are to be open to the public but citizens must make a written request explaining why they want access and ministers have broad discretion to deny requests. [174]

Luxembourg is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [175] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [176] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The Constitution of Malaysia does not specifically recognize the right to privacy. [177]

The Ministry of Energy, Communications and Multimedia is drafting a Personal Data Protection Act that will create legal protections for personal data as part of the “National Electronic Commerce Master Plan.” Secretary-general Datuk Nuraizah Abdul Hamid said the purpose of the Bill was to ensure secrecy and integrity in the collection, processing and utilization of data transmitted through the electronic network. [178] The Ministry is looking at the OECD Guidelines, E.U. Directive, UK, Hong Kong and New Zealand Acts as models for the act. The bill is expected to be introduced into Parliament in 1999.

In 1998, the Parliament approved the Communications and Multimedia Act, which has several sections on telecommunications privacy. Section 234 prohibits unlawful interception of communications. Section 249 sets rules for searches of computers and includes access to encryption keys. Section 252 authorizes police to intercept communications without a warrant if a public prosecutor considers that a communications is likely to contain information that is relevant to an investigation. [179] There are regular reports of illegal wiretapping, including on the former deputy premier Anwar Ibrahim. Police detained four people under the Internal Security Act on suspicion of spreading rumors of disturbances in Kuala Lumpur in August 1998. Inspector-General of Police Tan Sri Abdul Rahim Noorsaid told the media then that the suspects were detained after police tracked their activities on the Internet with the assistance of Internet service provider Mimos Berhad. [180] The provider said later that it did not screen private email. [181]

Several other laws relating to technology have recently been approved, including The Digital Signature Act 1997 [182] and the Computer Crime Act, 1997. [183] Section 8 of the Computer Crime Act allows police to inspect and seize computing equipment of suspects without a warrant or any notice. The suspect is also required to turn over all encryption keys for any encrypted data on his equipment. Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, also has provisions on privacy.

Malaysia has started a pilot program for a Government Multi-Purpose Card to be ready by August 2000 for two million residents in the Multimedia Super Corridor. [184] The card will be used as a national identity card, drivers license, hold immigration, passport information,, medical records, and eventually be usable as a debit card. It will contain both a photo and a thumbprint. The government signed a contract in June 1999 with several companies including Unisys and Iris Technologies. Malaysians were told in 1998 that if they do not carry their cards, they risked being detained by immigration police. [185] In January, it was announced that Muslim couples married in the Malaysian capital will be issued cards with computer chips so Islamic police can instantly verify their vows and the police will be equipped with portable card readers. In December 1998, the government began requiring that cybercafes obtain name, address, and identity card information from patrons but lifted the requirement in March 1999. [186]

Article 16 of the 1917 Mexican Constitution provides in part: "One’s person, family, home, papers or possessions may not be molested, except by virtue of a written order by a proper authority, based on and motivated by legal proceedings. The administrative authority may make home visits only to certify compliance with sanitary and police rules; the presentation of books and papers indispensable to verify compliance with the fiscal laws may be required in compliance with the respective laws and the formalities proscribed for their inspection. Correspondence, under the protective circle of the mail, will be free from all inspection, and its violation will be punishable by law." [187]

Article 214 of the Penal Code protects against the disclosure of personal information held by government agencies. [188] The General Population Act regulates the National Registry of Population and Personal Identification. The Registry's purpose is to register all persons making up the country's population using data enabling their identity to be certified or attested reliably. The aim of this is ultimately to issue the citizen's identity card, which will be the official document of identification, fully endorsing the data contained in it concerning the holder. [189]

Chapter 6 of Mexico’s Postal Code, in effect since 1888, recognizes the inviolability of correspondence and guarantees the privacy of correspondence. [190] The 1939 General Communication Law provides penalties for interrupting communications and divulging secrets. [191] The Federal Penal Code establishes penalties for the crime of revealing personal secrets by any means, including personal mail. [192] In 1981, the Penal Code was amended to include the interception of telephone calls by a third person. [193] The Law Against Organized Crime, passed in November 1996, allows for electronic surveillance with a judicial order. [194] The law prohibits electronic surveillance in cases of electoral, civil, commercial, labor, or administrative matters and expands protection against unauthorized surveillance to cover all private means of communications, not merely telephone calls. [195] The Law has been widely criticized by Mexican human rights organizations as violating Article 16 of the Constitution. [196] They noted that telephone espionage had historically been used by the ruling PRI party "to keep the opposition in check." [197] In 1997, the telephones of the Jalisco State Supreme Court were found to have been wiretapped. [198] In March 1998, a large cache of government electronic eavesdropping equipment which had been used since 1991 to spy on members of opposition political parties, human rights groups and journalists was discovered in Campeche. [199] Thousands of pages of transcripts of telephone conversations were uncovered along with receipts for $1.2 million in Israeli surveillance equipment. More than a dozen other cases of government espionage in four other states were exposed, ranging from hidden microphones and cameras found in government offices in Mexico City, to tapes of a state governor‘s telephone calls. Every government agency identified with the electronic surveillance operations – the federal attorney general and interior ministry, the military, the national security agency and a plethora of state institutions – denied knowing anything about them. [200]

The U.S.-Mexican border has been an area of increased surveillance. Mexican authorities now routinely perform "security sweeps" of homes in areas bordering the United States. [201] On the U.S. side, biometric facial feature recognition systems have been implemented by the Immigration and Naturalization Service at the Otay Mesa border crossing (San Diego-Tijuana) for frequent U.S. commuters to Mexican maquiladora factories. The biometric data is stored with driver's license number, vehicle registration number and passport status in an INS database. When a commuter in the program approaches the U.S. border, a transponder under his vehicle sends a signal to the checkpoint booth, activating the database and displaying the driver's image. Other commuters use a voice-activated device in addition to the facial scan. [202]

Mexico is a member of the Organization for Economic Cooperation and Development but does not appear to have adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Mexico has also signed the American Convention on Human Rights.

The Constitution grants citizens an explicit right to privacy. [203] Article 10 states, "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them and of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 13 states, "(1) The privacy of correspondence shall not be violated except, in the cases laid down by Act of Parliament, by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorization of those designated for the purpose by Act of Parliament."

The Data Registration Act 1988 [204] establishes a code of fair information practices which applies to the handling of personal data files. The Act defines "personal data file" as "any organized collection of personal data relating to different persons which is operated by automated means or is systematically disposed in such a way as to facilitate access to the data therein contained." The Act generally stipulates that a personal data file must be set up only for a specific purpose that is relevant to the interests of the party controlling the personal data file. Personal data must be obtained legitimately and in accordance with the purpose for which the file was set up. There is a duty on the party collecting data to ensure that the data is accurate and complete. Use of the personal data must be compatible with the purpose of the data file. The party controlling the data must take appropriate measures to ensure data is secure, and can be held liable for any loss or damage resulting from failure to comply with the Act. Data can only be disclosed if the disclosure is compatible with the purpose of the data file, is required by statute, or if the data subject consents to the disclosure. Controllers of personal data files must notify every person about whom personal data has been recorded. Provisions allow data subjects to have access to their data files and to request correction of their personal data. The data subject can apply to the district court for enforcement of these provisions.

The Data Registration Act establishes the Registration Chamber (Registratiekamer). [205] The Registration Chamber, which serves as the Data Protection Authority, exercises supervision of the operation of personal data files in accordance with the Data Registration Act. The Chamber advises the government, deals with complaints submitted by data subjects, institutes investigations and makes recommendations to controllers of personal data files. The Chamber receives around 6,000 inquiries and 300 complaints each year. There are presently over 60,000 databases registered with the Chamber. It has also released several reports on privacy enhancing technologies jointly produced with the Office of the Information and Privacy Commissioner of Ontario, Canada.

Two decrees have been issued under the Data Registration Act. The Decree on Sensitive Data [206] sets out the limited circumstances when personal data on an individual's religious beliefs, race, political persuasion, sexuality, medical, psychological and criminal history may be included in a personal data file. The Decree on Regulated Exemption [207] exempts certain organizations from the registration requirements of the Data Registration Act.

The Data Registration Bill 1998 [208] was introduced in the Lower House of the Dutch Parliament in June 1998. This bill is a revised and expanded version of the 1988 Data Registration Act that will bring Dutch law in line with the European Data Protection Directive and will regulate the disclosure of personal data to countries outside of the European Union. Since June 1998, many questions have arisen from members of Parliament concerning the new bill, and those questions are currently being investigated and answered by the Minister of Justice. The Lower House began discussion of the bill in March but has delayed for different reasons. The Minister of Justice has promised that the bill will be one of the first debated when Parliament returns in September. Passage by Parliament and entry into force is not expected before January 2000.

Interception of communications is regulated by the criminal code and requires a court order. [209] A new Telecommunications Act was approved in December 1998 which requires that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain users logs for three months. [210] In November 1997, XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of their subscribers

A survey by the Dutch Ministry of Justice in 1996 found that police in the Netherlands intercept more telephone calls than their counterparts in the United States, Germany or Britain. [211] The Parliamentary Investigations Commission into police methods released a 4,700-page report in 1996. The report was critical of legal controls on police surveillance [212] and found that there was a failure among judges, prosecutors and other officials to limit police abuses. The new Telecommunications Act also implements the E.U. Telecommunications Privacy Directive.

There are sectoral laws dealing with the Dutch police [213], medical exams [214], medical treatment, [215] social security [216], entering private homes [217] and the employment of minorities. [218]

The Government Information (Public Access) Act of 1991 [219] is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the “economic or financial interest of the state”, investigation of criminal offenses, inspections by public authorities or personal privacy. However this must be balanced against the importance of the disclosure. Requestors can appeal denials to an administrative court which has the final decision.

The Netherlands is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [220] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [221] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Article 21 of the Bill of Rights Act 1990 states, "Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise." [222] The Human Rights Act 1994 prohibits discrimination. [223]

New Zealand's Privacy Act was enacted in 1993 and has been amended several times. [224] It regulates the collection, use and dissemination of personal information in both the public and private sectors. It also grants to individuals the right to have access to personal information held about them by any agency. The Privacy Act applies to "personal information," which is any information about an identifiable individual, whether automatically or manually processed. Recent case law has held that the definition also applies to mentally processed information. [225] The news media are exempt from the Privacy Act in relation to their news activities.

The Act creates twelve Information Privacy Principles generally based on the 1980 OECD guidelines and the information privacy principles in Australia's Privacy Act 1988. In addition, the legislation includes a new principle that deals with the assignment and use of unique identifiers. The Information Privacy Principles can be individually or collectively replaced by enforceable codes of practice for particular sectors or classes of information. At present, there is only one complete sectoral code of practice in force, the Health Information Privacy Code 1994. There are several codes of practice that alter the application of single information privacy principles: the Superannuation Schemes Unique Identifier Code 1995, the EDS Information Privacy Code 1997, and the Justice Sector Unique Identifier Code 1998.

In addition to the information privacy principles, the legislation contains principles relating to information held on public registers; it sets out guidelines and procedures in respect to information matching programs run by government agencies, and it makes special provision for the sharing of law enforcement information among specialized agencies.

The Office of the Privacy Commissioner is an independent oversight authority that was created prior to the Privacy Act by the 1991 Privacy Commissioner Act. [226] The Privacy Commissioner oversees compliance with the Act, but does not function as a central data registration or notification authority. The Privacy Commissioner's principal powers and functions include promoting the objects of the Act, monitoring proposed legislation and government policies, dealing with complaints at first instance, approving and issuing codes of practice and authorizing special one-off exemptions from the information privacy principles, and reviewing public sector information matching programs.

Complaints by individuals are initially filed with the Privacy Commissioner who attempts to conciliate the matter. The office received 11,141 inquiries and 1,082 complaints in the year ending June 1998 and completed 804 of the complaints. In 121 cases, a final opinion was granted. [227] If conciliation fails, the Proceedings Commissioner [228] or the complainant (if the Proceedings Commissioner is unwilling) can bring the matter before the Complaints Review Tribunal, which can issue decisions and award declaratory relief, issue restraining or remedial orders, and award special and general damages up to NZ $200,000.

The Privacy Commissioner conducted a five-year review in 1998 and recommended over 150 changes to the act, mostly minor. These included limiting use of information on public registers, creating a right to be taken off direct marketing lists, restricting requests by employers for criminal and medical records, limiting exceptions to the act, and providing for more funding for the Office of the Commissioner to enforce the act. [229]

The New Zealand Crimes Act and Misuse of Drugs Act govern the use of evidence obtained by listening devices. [230] Judicial warrants may be granted for bugging premises or interception of telephonic communications. Emergency permits may be granted for the bugging of premises and, following the 1997 repeal of a prohibition, for telephonic interceptions. There were 22 authorizations for interceptions in the 1994-1995 year. The average duration was four days. Those who illegally disclose the contents of private communications illegally intercepted face two years in prison. However, those who illegally disclose the contents of private communications lawfully intercepted are merely liable for a NZ$500 fine. The New Zealand Security Intelligence Service (NZSIS) is also permitted to carry out electronic interceptions under the New Zealand Security Intelligence Service Act 1969. Under the provisions of this act, the Minister in Charge of the NZSIS is required to submit an annual report to the House of Representatives. In 1998, the minister reported 3 warrants issued to the NZSIS for intercepts. The average length of time for which these warrants were in force was 4 months and 8 days. The report further states that "the methods for interception and seizure used were listening devices and the copying of documents." [231]

One agency not governed by the restrictions imposed on law enforcement and the NZSIS is the Government Communications Security Bureau (GCSB), the signals intelligence (SIGINT) agency for New Zealand. Operating as a virtual branch of the U.S. National Security Agency, this agency maintains two intercept stations at Waihopai and Tangimoana. The Waihopai station routinely intercepts trans-Pacific and intra-Pacific communications and passes the collected intelligence to NSA headquarters. David Lange, a former Prime Minister of New Zealand, said he and other ministers were told very little about the operations of GCSB while they were in power. Of particular interest to GCSB and NSA are the communications of the governments of neighboring Pacific island states. [232] GCSB was specifically exempted from the provisions of the Crimes Act in 1997. [233]

The Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987 are freedom of information legislation governing the public sector. Enforcement is supervised by the Office of the Ombudsman. There are significant interconnections between this freedom of information legislation and the Privacy Act in subject matter, administration, and jurisprudence, so much so that the three enactments may be viewed, in relation to access to information, as complementary components of one overall statutory scheme.

New Zealand is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. New Zealand is one of six countries involved in a European Commission study of methods of assessing whether laws of "third countries" meet the provisions of the E.U. data protection directive. [234]

The Privacy Act does not apply to self-governing territories associated with New Zealand, the Cook Islands and Niue. Neither does it apply to the soon-to-be self-governing territory of Tokelau.

There is no provision in the Norwegian Constitution of 1814 dealing specifically with the protection of privacy. [235] The closest provision is section 102, which prohibits searches of private homes except in "criminal cases." More generally, section 110c of the Constitution places state authorities under an express duty to "respect and secure human rights." The Norwegian Supreme Court has held that there exists in Norwegian law a general legal protection of "personality" which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis. This protection was first recognized in 1952. [236]

Norway’s primary data protection statute is the Personal Data Registers Act of 1978. [237] The Act regulates the establishment and use, in the public and private sectors, of automated and physical data files on both physical/natural persons and legal persons (i.e., corporations). A person wishing to set up a computerized database of personal information must apply for a license. There are stricter controls on sensitive information. In 1994, the act was amended to also cover video surveillance. [238] The Act is in the process of being overhauled. This is partly to update the legislation in the light of new technological developments, and partly to bring Norwegian law into conformity with the requirements of the EC Directive on data protection. A preliminary proposal for new data protection legislation has been issued. [239] A bill based on this proposal will be introduced into the Norwegian Parliament in the summer of 1999. The proposal follows closely the EC Directive and is expected to be enacted by the Parliament before the end of 1999.

The Data Inspectorate (Datatilsynet) is an independent administration body set up under the Ministry of Justice in 1980. [240] The Inspectorate accepts applications for licenses for data registers and evaluates the licenses, enforces the privacy laws and regulations, and provides information. The Inspectorate can conduct inspections and impose sanctions. As of 1996, the Inspectorate had issued 65,000 licenses. Decisions of the Inspectorate can be appealed to the Ministry of Justice.

Wiretapping requires the permission of a tribunal and is initially limited to four weeks. [241] The total number of telephones monitored was 360 in 1990, 467 in 1991, 426 in 1992, 402 in 1993, 541 in 1994 and 534 in 1995. [242] A Supervisory Board reviews the warrants to ensure the adequacy of the protections. A Parliamentary Commission of Inquiry (The Lund Commission) was set up in 1994 to investigate the post-World War II surveillance practices of Norwegian police and security services. The Commission delivered a 600 page report in 1996, causing a great deal of public and political debate on account of its finding that much of the undercover surveillance practices including illegal wiretapping of left wing political groups up to 1989 had been instituted and/or conducted illegally and that the courts had not generally been strong enough in their oversight. A new act to monitor the secret services was approved in 1995 following the Commissions recommendations. [243] It created a new Control Committee to monitor the activities of the Police Security Services, the Defence Security Services and the Defence Intelligence Services. The former Minister of Justice and the head of the Norwegian security police (POT) were forced to resign from the government in 1996 after it was revealed that the POT had placed a member of the Lund Commission under surveillance and requested a copy of her Stasi file from the German authorities four times. [244] In 1997, the Parliament agreed to allow people who were under surveillance by the POT to review their records and to obtain compensation if the surveillance was unlawful. The POT has records on over 50,000 people. [245]

A large number of other pieces of legislation contain provisions relevant to privacy and data protection. These include the Administrative Procedures Act of 1967, [246] and the Criminal Code of 1902. [247] The criminal code first prohibited the publication of information relating to the "personal or domestic affairs" in 1889. [248]

The Public Access to Documents in the (Public) Administration provides for public access to government records. [249] Under the Act, there is a broad right of access to records. If denied, individuals can appeal to a higher authority under the act and then to a Court.

Norway is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [250] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [251] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Norway is a party to the 1992 Agreement on the European Economic Area (EEA). As such, it is required to comply with the E.U. Directive before it is formally incorporated into the EEA.

[1]. Chapter of Laws (Cap) 383: 288: http://www.justice.gov.hk

[2]. Chapter of Laws (Cap) 486: http://www.justice.gov.hk See generally Berthold M. & Wacks R., Data Privacy Law in Hong Kong (FT Law & Tax, 1997).

[3]. Hong Kong Law Reform Commission, 1994 Report on the Law Relating To The Protection Of Personal Data. Website information on the Hong Kong Law Reform Commission is available at http://www.info.gov.hk.

[4]. The Office of the Privacy Commissioner was established with a very small staff with only four officers investigating complaints and compliance issues under the direction of the assistant commissioner: see first Annual Report 1996-97. In the first 6 months of operation, the Commissioner received 52 complaints and had publicly expressed concern that his staff may be unable to cope: see South China Morning Post 15-1-1997.

[5]. The Code of Practice on the Identity Card Number and other Personal Identifiers was gazetted on 19 December 1997. With the exception of the requirement restricting the issue of a card with an identity card number printed on it (which will take effect on 19 December 1998), the requirements of the code will take effect on 19 June 1998.

[6]. The Code of Practice on Consumer Credit Data was issued on 27 February 1998 and will take effect on 27 November 1998. A summary is available at the commissioner’s website at http://www.pco.org.hk.

[7]. Operations Division, Office of the Privacy Commissioner for Personal Data, May 1999.

[8]. “HK Court Blocks Lawsuit Against China News Agency,” Reuters, Jun 8, 1999.

[9]. Section 33, Chapter of Laws (Cap) 106.

[10]. Section 13 Chapter of Laws (Cap) 98.

[11]. “Phone tap figures to remain secret,” South China Morning Post, October 1, 1998.

[12]. Hong Kong Law Reform Commission, Hong Kong Law Reform Commission’s 1996 Report on Privacy: Regulating the Interception of Communications. Website information on the Hong Kong Law Reform Commission is available at http://www.info.gov.hk

[13]. Code on Access to Information, March 1995 http://www.info.gov.hk/access/code.htm

[14]. Constitution of the Republic of Hungary, http://centraleurope.com/ceo/country/hungary/constit/hucons01.html

[15]. Constitutional Court Decision No. 15-AB of 13 April 1991. http://www.privacy.org/pi/countries/hungary/hungarian_id_decision_1991.html

[16]. ACT LXIII OF 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest, http://www.privacy.org/pi/countries/hungary/hungary_privacy_law_1992.html.

[17]. Web Site: http://www.obh.hu

[18]. See Hungarian Civil Liberties Union, Data Protection and Freedom of Information, 1997.

[19]. Letter from László Majtényi, Parliamentary Commissioner for Data Protection and Freedom of Information, August 4, 1999.

[20]. Act XXXIV of 1994 on Police.

[21]. Act LXXV of 1995 on the National Security Services.

[22]. “Fidesz 'bugging' probe underway, The Budapest Sun,” September 3, 1998.

[23]. “Technical costs of phone tapping estimated at HUF 10bn,” MTI Econews, April 17, 1998.

[24]. Act No. LXVI of 1992 on the register of personal data and addresses of citizens.

[25]. Act No. CXIX of 1995 on the use of name and address information serving the purposes of research and direct marketing.

[26]. Act No. XX of 1996 on the identification methods replacing the universal personal identification number, and on the use of identification codes.

[27]. Act XLVII of 1997 on the use and protection of medical and related data.

[28]. Act No. XXXIV of 1994 on the Police (Chapter VIII: "Data handling by the Police").

[29]. Act No. LXVI of 1995 on public records, public archives, and the protection of private archives (restricting rules on the publicity of documents containing personal data).

[30]. Act No. IV of 1991 on furthering employment and provisions for the unemployed.

[31]. Act No. LXXII of 1992 on telecommunications.

[32]. Act No. CXXV of 1995 on the National Security Services etc.

[33]. Criminal Code, Sections 177-178. http://www.privacy.org/pi/countries/hungary/hungary_criminal_code.html

[34]. Signed 13/05/93, Enacted 08/10/97, Entered into Force 01/02/98, http://www.coe.fr/tablconv/108t.htm

[35]. Signed 06/11/90, Enacted 05/11/92, Entered into Force 05/11/92, http://www.coe.fr/tablconv/5t.htm

[36]. Constitution of the Kingdom of Iceland, Adopted: 5 June 1953. http://www.uni-wuerzburg.de/law/da00t___.html

[37]. Act on the Registration and Handling on Personal Data, No. 121, 28 December 1989. The law was originally introduced in 1979 and renewed in 1984 and 1989 after the law automatically expired after five years because of the 'sunset' provisions attached to laws by Iceland's Parliament.

[38]. Icelandic Government’s Vision of the Information Society, Feb 1997. http://eldur.stjr.is/framt/vision00.htm

[39]. Act on a Health Sector Database no. 139/1998, 17 December 1998. http://brunnur.stjr.is/interpro/htr/htr.nsf/pages/gagngr-log-ensk

[40]. See MANNVERND - Association for Ethics in Science and Medicine, http://simnet.is/mannvernd/english/home.html ; “Iceland's Blond Ambition: A Nordic country cashes in on its isolated gene pool,” Mother Jones, May/June 1998. http://www.motherjones.com/mother_jones/MJ98/marshall.html .

[41]. World Medical Association Opposes Icelantic Gene Database,EBMJ, 24 April 1999.

[42]. Dr. Ross Anderson, Icelantic Database is Insecure, EBMJ, 18 May 1999.

[43]. Articles 86-87, Law on Criminal Procedure

[44]. http://www.icenews.is/daily/1996/09feb96.html

[45]. Signed 27/09/82, Enacted 25/03/91, Entered into Force 01/07/91, http://www.coe.fr/tablconv/108t.htm

[46]. Signed 04/11/50, Enacted 29/06/53, Entered into Force 03/09/53, http://www.coe.fr/tablconv/5t.htm

[47]. Constitution of India, November 1949. http://www.commercenetindia.com/constitution

[48]. Kharak Singh vs State of UP, 1 SCR 332 (1964); See Mr. R.C. Jain, National Human Rights Commission, India, Indian Supreme Court on Right to Privacy, July 1997.

[49]. United Nations, Human Rights Committee, Consideration of Reports Submitted by States Parties Under Article 40 of the Covenant, Third periodic reports of States parties due in 1992 Addendum -India /1, 17 June 1996.

[50]. National Task Force on IT & SD, Basic Background Report, 9th June 1998. http://it-taskforce.nic.in/it-taskforce/bg.htm.

[51]. “India: Taskforce suggests slew of measures,” The Hindu, July 7, 1998.

[52]. Peoples Union for Civil Liberties (PUCL) vs. The Union of India & Another, 18 December 1996, on Writ Petition (C) No. 256 of 1991, http://www.wired.com/news/story/1128.html

[53]. South Asia Human Rights Documentation Centre, Alternate Report and Commentary to the United Nations Human Rights Committee on India's Third Periodic Report under Article 40 of the International Covenant on Civil and Political Rights, July 1997. http://www.hri.ca/partners/sahrdc/alternate/fulltext.shtml

[54]. "New Law to let Govt Intercept Net Mail": Internet Edition of "Indian Express" (December 14, 1998).

[55]. S.P. Gupta vs. Union of India (AIR 1982 SC 149); See Government of India, Report of the Working Group on Right to Information and Promotion of Open and Transparent Government, May 1997.

[56]. Indian President Addresses Parliament, BBC Monitoring South Asia, February 23, 1999.

[57]. Constitution of Ireland, http://www.maths.tcd.ie/pub/Constitution/index.html

[58]. See The Law Reform Commission of Ireland, “Consultation Paper on Privacy: Surveillance and the Interception of Communications,” September 1996.

[59]. Kennedy and Arnold v. Ireland 1987 IR 587; 1988 ILRM 472.

[60]. “Data protection law to be delayed until autumn,” The Irish Times, July 19, 1999.

[61]. The Irish Times, July 17, 1998.

[62]. “Social services card opposed by data commissioner,” The Irish Times, October 1, 1996.

[63]. “Garda to investigate surveillance allegations,” The Irish Times, April 18, 1998.

[64]. “Report recommends outlawing secret filming and surveillance,” The Irish Times, July 30, 1998.

[65]. The Independent, July 17, 1999.

[66]. Freedom of Information Act, 1997. http://www.irlgov.ie/finance/free1.htm

[67] Office of Information Commissioner Web Page http://www.irlgov.ie/oic/

[68]. FOI - The Commissioner's Experience of the First Year, Speech given at "One year on"

conference, Dublin Castle 23/4/99 http://www.irlgov.ie/oic/22be_19a.htm

[69]. Signed 18/12/86, Enacted 25/05/90, Entered into Force 01/08/90, http://www.coe.fr/tablconv/108t.htm

[70]. Signed 04/11/50, Enacted 25/02/53, Entered into Force 03/09/53, http://www.coe.fr/tablconv/5t.htm

[71]. The Basic Law: Human Dignity and Freedom (5752 - 1992). Passed by the Knesset on the 21st Adar, 5754 (9th March, 1994). http://www.israel-mfa.gov.il/gov/laws/dignity.html

[72]. Israeli Business Law An Essential Guide @ 30.01.

[73]. The Protection of Privacy Law 5741-1981, 1011 Laws of the State of Israel 128. Amended by the Protection of Privacy Law (Amendment) 5745-1985.

[74]. Law of April 11, 1996.

[75]. See http://israel.org/gov/justice.html

[76]. United Nations Human Rights Committee, Initial report of States parties due in 1993 : Israel. 09/04/98. CCPR/C/81/Add.13. (State Party Report), 9 April 1998. P. 509.

[77]. The Secret Monitoring Law, 5739-1979, Laws of the State of Israel, vol. 33, pp. 141-146.

[78]. United Nations Human Rights Committee, Initial report of States parties due in 1993 : Israel. 09/04/98. CCPR/C/81/Add.13. (State Party Report), 9 April 1998.

[79]. The Jerusalem Post, IDF officer involved in phone record scandal accuses others of involvement, July 11, 1996.

[80]. Media wiretapper found guilty, The Jerusalem Post, September 4, 1998.

[81]. Shas disputes linking wiretap to Yishai-Deri rivalry, The Jerusalem Post, November 27, 1998.

[82]. The Computer Law (5755-1995), 1534 Laws of the State of Israel 366, See Miguel Deutch, Computer Legislation: Israel's New Codified Approach, 14 J. Marshall J. Computer & Info. L. 461 (Spring 1996).

[83]. Regulation 89 of the Mandatory Defence (Emergency) Regulations, 1945.

[84]. Patient's Rights Law, 5756-1996.

[85]. Ha'aretz, Knesset panel debates 'genetic privacy' bill, March 15, 1998.

[86]. Embarrassed by Ichilov disclosure: Ministry issues regulations for hospital cameras, The Jerusalem Post, September 10, 1998.

[87]. Criminal Register and Rehabilitation Law, 5741-1981.

[88]. “Anti-terror chief to see all tax files,” Ha'aritz, May 29, 1998.

[89]. See The Coalition for Freedom of Information, http://www.nif.org/cfi/foipeng.html

[90]. “Ministries not ready for info law,” The Jerusalem Post, June 25, 1999.

[91]. Constitution of the Republic of Italy, Adopted 22 Dec 1947. http://www.uni-wuerzburg.de/law/it00t___.html

[92]. Legge ´31 dicembre 1996 n. 675, Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali. Amended by Legislative Decree No. 123 of 09.05.97 and 255 of 28.07.97. http://elj.strath.ac.uk/jilt/dp/material/l675-eng.htm (Unofficial translation). LEGGE 31 DICEMBRE 1996, N. 676, Delega al Governo in materia di tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali. http://www.privacy.it/legge96676.html . See http://www.privacy.it/normativ.html for list of decrees.

[93]. DECRETO DEL PRESIDENTE DELLA REPUBBLICA 31 marzo 1998, n.501 Regolamento recante norme per l'organizzazione ed il funzionamento dell'Ufficio del Garante per la protezione dei dati personali, a norma dell'articolo 33, comma 3, della legge 31 dicembre 1996, n. 675. (GU n. 25 del 1-2-1999) http://193.207.119.193/MV/gazzette_ufficiali/25/2.htm

[94]. http://www.privacy.it/garantes981006.html

[95]. Intercettazioni di conversoni o comunicazioni, Art 266-271, Codice di Procedura Penale, and Art 614-623, Codice di Penale.

[96]. French Commission National de Control des Interceptions de securite, Annual Report 1996.

[97]. Legge 23 dicembre 1993 n 547.

[98]. DECRETO LEGISLATIVO 13 maggio 1998, n. 171. Disposizioni in materia di tutela della vita privata nel settore delle telecomunicazioni, in attuazione della direttiva 97/66/CE del Parlamento europeo e del Consiglio, ed in tema di attività giornalistica http://www.privacy.it/dl98171.html

[99]. Legge 29 marzo 1983, n. 93 - Legge quadro sul pubblico, ITNTDI, p. 296, § 1114.

[100]. Presidential Decree No. 513 of 10 November 1997, "Regulations establishing criteria and means for implementing Section 15(2) of Law No. 59 of 15 March 1997 concerning the creation, storage and transmission of documents by means of computer-based or telematic systems", http://www.aipa.it/english/law2/pdecree51397.asp

[101]. Section 8 of Law No. 300 of 20 May 1970.

[102]. Law No. 547 of 23 December 1993

[103]. Signed 02/02/83, Ratified 29/03/97, Entered into force 01/07/97. http://www.coe.fr/tablconv/108t.htm

[104]. Signed 04/11/50, Ratified 26/10/55, Entered into force 26/10/55. http://www.coe.fr/tablconv/5t.htm

[105]. Constitution of Japan, November 3, 1946. http://www.ntt.co.jp/japan/constitution/english-Constitution.html

[106]. The Act for the Protection of Computer Processed Personal Data held by Administrative Organs, Act No. 95, 16 December 1988 (Kampoo, 16 December 1988). For the text, see Wayne Madsen, Handbook of Personal Data Protection, McMillian Publishers Ltd., 1992.

[107]. Kanagawa Prefecture Ordinance on the Protection of Personal Data, Ordinance No. 6, dated 30 March 1990.

[108]. U.S. Japan Joint Statement on Electronic Commerce, May 15, 1998. http://www.ecommerce.gov/usjapan.htm

[109]. Nigel Waters, 'Reviewing the adequacy of privacy protection in the Asia Pacific Region, IIR Conference Information Privacy - Data Protection, 15 June 1998, Sydney; see also Ministry of International Trade and Industry (MITI) 'Japan's views on the protection of personal data' (April 1998).

[110]. Raab, Bennett, Gellman & Waters, European Commission Tender No XV/97/18/D, Application of a Methodology Designed to Assess the Adequacy of the Level of Protection of Individuals with Regard to Processing Personal Data: Test of the Method on Several Categories of Transfer, September 1998.

[111]. Telecommunications Business Law, LAW No. 86 of 25 December 1984) As amended last by Law No. 97 of 20 June 1997 http://www.mpt.go.jp/policyreports/english/laws/Tb_index.html

[112]. Reuters, June 1, 1999. Also see http://www.jca.ax.apc.org/~toshi/cen/wiretap.intr.html

[113]. “Public split on wiretapping, Mainichi Daily News,” June 17, 1999.

[114]. “Opposition chiefs in wiretap protest,” The Japan Times, June 25, 1999.

[115]. “Lawmaker files complaint over alleged illegal wiretap,” The Daily Yomiuri, July 8, 1999.

[116]. Police wiretapping, Mainichi Daily News, June 29, 1997.

[117]. NTT Staffers Leaking Customer Information, Newsbytes, July 2, 1999.

[118]. “Gov't planning new ID system for all residents,” Mainichi Daily News, January 5, 1998.

[119]. Kyodo News Wire, June 3, 1999.

[120]. “Japan Ministries To Compile Credit Data Protection Bill,” Nikkei, July 4, 1999.

[121]. Newsbytes, June 1, 1998.

[122]. “License Plates to Bear IC Chips with Driver, Auto Info,” Comline, June 09, 1999.

[123]. Christian Science Monitor, April 8, 1997.

[124]. Kyodo News, May 22, 1999.

[125]. Constitution of the Republic of Korea, Adopted: 17 July 1948. http://www.ccourt.go.kr/english/et.html

[126]. Act of 7 January 1994.

[127]. Nikkei BP AsiaBizTech - 29-Jun-98.

[128]. Basic Law on Electronic Commerce, 1999 http://www.mbc.com/legis/south_korea.html

[129]. “Bill Due to Regulate Password for E-Commerce,” Korea Times, Mar. 3, 1999.

[130]. Amnesty International, “South Korea - Govt proposal will set up a weak National Human Rights Commission,” April 12, 1999.

[131]. Communications Privacy Act, December 27, 1993, Revised December 13, 1997. A list of all telecommunications laws in Korea is available at: http://www.kisdi.re.kr/kisdi/event/acts.htm

[132]. “Wiretappings Number 6,638 Last Yr.,” Korea Times, February 10, 1999.

[133]. “Kim Hyong-o Says More Than 10,000 May Be Exposed to Gov't Taps,” Korea Times, February 13, 1999.

[134]. Act Relating to Use and Protection of Credit Information, Law No. 4866, Jan. 5, 1995. http://www.visas-usa.com/korealaw/library/cinfo-a-trn.htm . Enforcement Decree for the Act Relating to Use and Protection of Credit Information. http://www.visas-usa.com/korealaw/library/cinfo-d-trn.htm

[135]. Amended by Law No. 2372, Dec.16, 1972; Law No.3602, Dec. 31,1982. http://www.mic.go.kr/english/intro/rule/post12.htm

[136]. http://kpd.sing-kr.org/idcard/main-e.html

[137]. Joohoan Kim, Ph.D., Digitized Personal Information and the Crisis of Privacy: The Problems of Electronic National Identification Card Project and Land Registry Project in South Korea, http://kpd.sing-kr.org/idcard/joohoan2.html

[138]. Right to Information(1 KCCR 176, 88 HunMa 22, Sep. 4, 1989) http://www.ccourt.go.kr/english/case4.html

[139]. Constitutional Law: The Rights and Obligations of a Citizen and a Person, 1991. http://www.uni-wuerzburg.de/law/lg03000_.html

[140]. Janis Bicevskis and Girts Karnitis, "Problems in the Integration of Registers of State Significance in Latvia," Baltic IT Review, No. 8, p. 77.

[141]. Law on Freedom of Information, Adopted 29 October 1998, Signed 6 November 1998.

[142]. Baltic News Service, January 5, 1999.

[143]. Criminal Code of Latvia, art. 132

[144]. Criminal Procedure Code of Latvia, arts. 168, 176, 176.1

[145]. Defense Ministry issues a statement in response to reports of bugging, Latvian Radio, Riga, November 16, 1995, BBC Summary of World Broadcasts, November 20, 1995.

[146]. BBC Summary of World Broadcasts, April 16, 1994.

[147]. See http://www.coe.fr/tablconv/108t.htm

[148]. Signed 10/2/95, Ratified 26/7/96, Entered into force 26/7/96, http://www.coe.fr/tablconv/5t.htm

[149]. Constitution of the Republic of Lithuania. http://www.litlex.lt/Litlex/Eng/Frames/Laws/Documents/CONSTITU.HTM

[150]. The Law on Legal Protection of Personal Data (No 63-1479, 1996).

[151]. Law No.VII-662, March 12, 1998.

[152]. See Ona Jakstaite, "Regulating Data Security in Lithuania," Baltic IT Review.

[153]. The Law on the Public Registers (13 August 1996, No. I-1490).

[154]. Resolution No. 1185 "On establishing the State Data Protection Inspectorate, 10 October 1996 (No 100-2293).

[155]. Law on Operative Activities, 1991.

[156]. Vladas Burbulis, "Lithuania Security Chief Refutes Any Telephone Bugging," ITAR- TASS, October 27, 1995.

[157]. “Keeping an Eye on Politicians,” Transitions, August 1998.

[158]. International Helsinki Federation for Human Rights, Annual Report 1999 http://www.ihf-hr.org/reports/ar99/ar99lit.htm

[159]. The Law on Telecommunications, 30 November 1995, No. I-1109.

[160]. Law on Radio Communication, 7 November 1995, No.I-1086. http://www.litlex.lt/Litlex/Eng/Frames/Laws/Documents/366.HTM

[161]. The Law on Statistics, 12 October 1993, No.I-270.

[162]. Law on the Population Register, January 23, 1992, No. I-2237.

[163]. Law on the Health System, 19 July 1994, No.I-552.

[164]. United Nations Human Rights Committee, Consideration of Reports Submitted by States Parties Under Article 40 of the Covenant, Initial reports of States parties due in 1993, Addendum, Lithuania, 1996. http://www.hri.ca/fortherecord1997/documentation/tbodies/ccpr-c-81-add10.htm

[165]. http://www.coe.fr/tablconv/108t.htm

[166]. Signed 14/05/93, Ratified 20/06/95, Entered into force 20/06/95, http://www.coe.fr/tablconv/5t.htm

[167]. Constitution of the Grand Duchy of Luxembourg. http://www.uni-wuerzburg.de/law/lu00t___.html

[168]. Act on the Use of Nomative Data in Computer Processing, 31 March 1979.

[169]. Act on the protection of individuals with regard to the processing of their personal data, no. 4357.

[170]. Projet de loi relatif au commerce électronique, document parlementaire N° 4554 http://www.etat.lu/ECO/coel.htm

[171]. Art 88-1 - 88-4 of the Criminal Code, Law of 26 November 1982, modified by the law of 7 July 1989.

[172]. Loi du 21 mars 1997 sur les télécommunications. http://www.etat.lu/ILT/co/legal/loi-t.htm , Règlement grand-ducal du 22 décembre 1997 fixant les conditions du cahier des charges pour l'établissement et l'exploitation de réseaux fixes de télécommunications. http://www.etat.lu/ILT/co/legal/lic-b.htm .

[173]. Loi du 30 mars 1979 organisant l'identification numérique des personnes physiques et morales http://www.etat.lu/ECP/30-3-79.doc . Règlement grand-ducal du 7 juin 1979 déterminant les actes, documents et fichiers autorisés à utiliser le numéro d'identité des personnes physiques et morales. http://www.etat.lu/ECP/7-6-79.doc , Règlement grand-ducal modifié du 21 décembre 1987 fixant les modalités d'application de la loi du 30 mars 1979, http://www.etat.lu/ECP/21-12-87.doc .

[174]. Arrété grand-ducal fixant l’organisation et les conditions de fonctionnement des Archives de l’Etat.

[175]. Signed 28/01/81. Ratified 10/02/88. Entered into force 01/06/88. http://www.coe.fr/tablconv/108t.htm.

[176]. Signed 04/11/50. Ratified 03/09/53. Entered into force 03/09/53. http://www.coe.fr/tablconv/5t.htm .

[177]. Constitution of Malaysia, http://star.hsrc.ac.za/constitutions/constmalcont.html.

[178]. Draft of Bill on Personal Data Protection ready by year-end, New Straits Times. October 2, 1998.

[179]. Communications and Multimedia Bill 1998 http://www.kttp.gov.my/mm/multimedia.htm .

[180]. Rumours over Internet: Four to be charged soon, NST, September 24, 1998.

[181]. E-mail not screened, says service provider, The Straits Times, August 17, 1998.

[182]. Digital Signature Bill 1997, http://www.cert.org.my/digital.html .

[183]. Computer Crimes Bill 1997, http://www.cert.org.my/crime.html .

[184]. Klang Valley residents will be first to use Multi-Purpose Card, New Straits Times, June 1, 1999.

[185]. Malaysians told: Carry ICs or risk detention, New Straits Times, May 14, 1998.

[186]. Cabinet: Cybercafes not subjected to restrictions, New Straits Times, March 18, 1999.

[187]. Constitucion Politica de los Estados Unidos Mexicanos, http://info.juridicas.unam.mx/cnsinfo/fed00.htm .

[188]. Código Penal Federal, Art. 214.

[189]. See United Nations Commission on Human Rights, Question of the follow-up to the guidelines for the regulation of computerized personal data files: report of the Secretary-General prepared pursuant to Commission decision 1995/114 http://www.hri.ca/fortherecord1997/documentation/commission/e-cn4-1997-67.htm .

[190]. El Código Postal de los Estados Unidos Mexicanos (1884).

[191]. Ley de Vías Generales de Comunicación de 30 de diciembre de 1939, Arts 571. 576, 578.

[192]. Código Penal Federal, Art 210.

[193]. Id., Art. 167, part 9.

[194]. Ley Federal Contra la Delincuencia Organizada, 7 de noviembre de 1996, http://info1.juridicas.unam.mx/legfed/247/1.htm .

[195]. “Zedillo to sign sweeping organized crime package,” The Los Angeles Times, October 30, 1996.

[196]. “Exigen siete ONG la renuncia del titular de Seguridad Publica,” La Jornada, October 7, 1997.

[197]. “Con la reforma anticrimen, el espionaje entraría a la Constitución,” La Jornada, 28 de abril de 1996.

[198]. AP, January 18, 1997.

[199]. “Spy Network Stuns Mexicans, Raid Opens Door to Exposure of Government Snooping,” The Washington Post, April 13, 1998.

[200]. “Anger as Big Brother spy tactics exposed,” The Guardian (London), April 14, 1998.

[201]. “En marcha, amplia operacion anticrimen en la frontera con E.U.,” La Jornada, November 5, 1996.

[202]. “Human bar codes, The San Diego Union-Tribune,” May 13, 1998.

[203]. Constitution of the Kingdom of the Netherlands 1987,

http://www.uni-wuerzburg.de/law/nl00000_.html .

[204]. Wet van 28 december 1988, houdende regels ter bescherming van de persoonlijke

levenssfeer in verband met persoonsregistraties (Wet persoonsregistraties). Gepubliceerd

in het Staatsblad 1988, 655. http://www.unimaas.nl/~privacy/wpr.htm (in Dutch only) .

[205]. Homepage:http://www.registratiekamer.nl

[206]. March 5, 1993, http://www.unimaas.nl/~privacy/bgg.htm .

[207]. July 6, 1993, http://www.unimaas.nl/~privacy/bgv.htm .

[208]. http://www.unimaas.nl/~privacy/wbp.htm (in Dutch only).

[209]. Article 125i of the Code of Criminal Procedure.

[210]. Rules pertaining to telecommunications (Telecommunications Act), December 1998 http://www.minvenw.nl/hdtp/hdtp2/wetsite/engels/index.html

[211]. Ibid.

[212]. Statewatch bulletin, Vol. 6 no 1, January-February 1996.

[213]. Dutch Police Registers Act 1990, http://www.unimaas.nl/~privacy/wpolr.htm .

[214]. Dutch Medical Examinations Act 1997, http://www.unimaas.nl/~privacy/wmk.htm .

[215]. Dutch Medical Treatment Act 1997, http://www.unimaas.nl/~privacy/index.htm .

[216]. Dutch Social Security System Act 1997, http://www.unimaas.nl/~privacy/osv1997.htm , Compulsory Identification Act.

[217]. Dutch Act on the Entering of Buildings and Houses 1994, http://www.unimaas.nl/~privacy/awbt.htm .

[218]. Dutch Act on the Stimulation of Labor by Minorities 1994, http://www.unimaas.nl/~privacy/samen.htm .

[219]. Act of 31 October 1991, containing regulations governing public access to government information. This replaced the Act on Public Access to Information of 9 November 1978.

[220]. Signed 07/05/82, Ratified 28/05/93, Entered into Force 01/09/93. http://www.coe.fr/tablconv/108t.htm

[221]. http://www.coe.fr/tablconv/5t.htm .

[222]. Bill of Rights Act, 1990 http://www.uni-wuerzburg.de/law/nz01t___.html .

[223]. http://www.hrc.co.nz/welcome.htm .

[224]. The Privacy Act 1993, http://www.knowledge-basket.co.nz/privacy/legislation/1993028/toc.html; The Privacy Amendment Act 1993, http://www.knowledge-basket.co.nz/privacy/legislation/1993059/toc.html; The Privacy Amendment Act 1994, http://www.knowledge-basket.co.nz/privacy/legislation/1994070/toc.html .

[225]. See Re Application by L information stored in person's memory (1997) 3 HRNZ 716 (Complaints Review Tribunal).

[226]. Home Page: http://www.privacy.org.nz/.

[227]. NZ Privacy Commission, Annual Report for the year ended 30 June 1998.

[228]. The Proceedings Commissioner is a member of the Human Rights Commission, to which the Privacy Commissioner also belongs. The Proceedings Commissioner is empowered to take civil proceedings before the Complaints Review Tribunal on behalf of a complainant if conciliation fails.

[229]. Office of the Privacy Commissioner, Necessary and Desireable: Privacy Act 1993 Review, December 1998.

[230]. Part XIA, Crimes Act 1961; Misuse of Drugs Act 1978.

[231]. Appendix I, Report by the Privacy Commissioner to the Minister of Justice in relation to the New Zealand Security Intelligence Service Amendment Bill emphasising the inadequacy of public reporting obligations in relation to interception warrants, 9 February 1999. http://www.privacy.org.nz/people/nzsisab.html

[232]. Nicky Hager, Secret Power: New Zealand's Role in the International Spy Network (Nelson, MZ: Craig Potton, 1996).

[233]. Crimes (Exemption of Listening Device) Order 1997 (SR 1997/145)

[234]. http://www.knowledge-basket.co.nz/privacy/privword/eulooks.html.

[235]. The Constitution of the Kingdom of Norway, http://odin.dep.no/ud/nornytt/uda-121.html .

[236]. Supreme Court decision of 13 December 1952, reported in Rt. 1952, p. 1217.

[237]. Personal Data Registers Act of 1978 (lov om personregistre mm av 9 juni 1978 nr 48), in force 1 January 1980. http://www.datatilsynet.no/eksternweb/informasjon/engelsk/lov-eng.htm .

[238]. Act No. 78 of 11 June 1993. Regulations No. 536 of 1 July 1994.

[239]. Et bedre personvern -- forslag til lov om behandling av personopplysninger Better privacy protection -- proposal for an Act on processing of personal data, NOU 1997:19).

[240]. Home Page: http://www.datatilsynet.no/ .

[241]. Law of 17 December 1976., Law of 24 Juin 1915. Criminal Procedure Act, chapter 16 a, by Act No. 52 of 5 June 1992. See also Regulation No. 281 of 31 March 1995 on Telephone

Monitoring in Narcotics Cases.

[242]. Government of Norway report to the UN Human Rights Commission, CCPR/C/115/Add.2, 26 May 1997.

[243]. Act No. 7 of 3 February 1995 on the Control of the Secret Services.

[244]. “Minister resigns,” Statewatch bulletin, November-December 1996, vol 6 no 1.

[245]. “Parliament says people can see files,” Statewatch bulletin, May-June 1997, vol 7 no 3.

[246]. Administrative Procedures Act of 1967 (lov om behandlingsmåten i forvaltningssaker av 10 februar 1967).

[247]. Almindelig borgerlig Straffelov 22 mai 1902 nr 10.

[248]. See prof. dr. juris Jon Bing, Data Protection in Norway, 1996 http://www.jus.uio.no/iri/rettsinfo/lib/papers/dp_norway/dp_norway.html

[249]. The Freedom of Information Act of 1970 (lov om offentlighet i forvaltningen av 19 juni 1970 nr 69). Amended by Act No. 47 of 11 June 1982 and Act no. 86 of 17 December 1982.

[250]. Signed 13/03/81, Ratified 20/02/84, Entered into Force 01/10/85. http://www.coe.fr/tablconv/108t.htm.

[251]. http://www.coe.fr/tablconv/5t.htm .