Privacy International

Country Reports



Argentine Republic

Articles 18 and 19 of the Argentine Constitution provide (in part), “The home is inviolable as is personal correspondence and private papers; the law will determine what cases and what justifications may be relevant to their search or confiscation. The private actions of men that in no way offend order nor public morals, nor prejudice a third party, are reserved only to God’s judgment, and are free from judicial authority. No inhabitant of the Nation will be obligated to do that which is not required by law, nor be deprived of what is not prohibited.” Article 43, enacted in 1994, provides a right of habeas data: “Every person may file an action to obtain knowledge of the data about them and its purpose, whether contained in public or private registries or databases intended to provide information; and in the case of false data or discrimination, to suppress, rectify, make confidential, or update the data. The privacy of news information sources may not be affected.”[1] Habeas data is also included in the constitutions of many provinces of Argentina. Several cases of habeas data have dealt with correction of commercial information.

In 1999, the Supreme Court of Argentina ruled in two important cases on the scope of habeas data. The leading case is Urteaga v. Estado Nacional.[2] There, the Supreme Court allowed an individual access to personal information about his brother, who had disappeared during the military government, presumably in an armed conflict.[3] The lower courts dismissed the action of habeas data for lack of standing. The Court of Appeals reasoned that habeas data grants access only to personal information, and the claimant was trying to access data related to a third person. However, the Supreme Court reversed. The core of the judgment indicated an expanding approach to the interpretation of habeas data, granting a wide right of access to personal information. The other case is Ganora v. Estado Nacional,[4] where the Supreme Court of Argentina established that habeas data can be used against any kind of public database. The claim was initiated by two lawyers who were defending Adolfo Scilingo, an ex-navy official who confessed his participation in crimes during the military regime. Arguing investigation and surveillance from the Government, the lawyers requested access to data in official databases about them. The district court judge and the Court of Appeals refused access, even without hearing the government’s arguments based on a national security exception. The Supreme Court of Argentina restated its holding in Urteaga and the need to interpret habeas data in light of the international and foreign legislation.[5] They cited the European Human Rights case Leander[6] and also made a reference to Nixon v. US,[7] where the U.S. Supreme Court rejected the arguments of President Nixon, who alleged a confidential privilege over information. Finally they concluded that habeas data allowed access to government databases, and that an exception based on public interest should be subject to judicial review. 
This case shows the expanding interpretation of habeas data by the Supreme Court of Argentina.

In April 1999, the Civil Court of Appeals of Buenos Aires ruled that processing of personal information was unlawful unless the data subject has given “consent” or he has been notified. The Supreme Court is currently reviewing this case. Another case decided that credit report agencies must place limits on the duration of storage of personal information. This is the first case in Argentina to recognize the “right to forget.”

In November 1998, the Senate approved a Law for the Protection of Personal Data.[8] It is in conformance with Article 43 of the Constitution and based on the E.U. Data Protection Directive. The bill covers electronic and manual records. It requires express consent before information can be collected, stored, processed, or transferred. Collection of sensitive data is given additional protections and is prohibited unless authorized by law. International transfer of personal information is prohibited to countries without adequate protection. Individuals have an express right of habeas data to access information about themselves held by government or private entities. The bill sets up an independent commission within the Ministry of Justice to enforce the law. In July 2000, the bill was approved by two committees of the House of Representatives. It is expected that the Bill will be approved by the House of Representatives at the end of 2000.

Update: The House of Representatives approved the Habeas Data Bill on September 14, 2000. The Senate is now expected to approve the revised bill in the next few weeks.


The U.S. Direct Marketing Association launched a lobbying effort against the bill in December 1998 urging Argentinean companies to oppose the efforts to enact the law.[9] Previously, in December 1996, the Congress approved a data protection law.[10] However, upon request of the Central Bank, the law was subsequently vetoed by the President.[11]

Under the Code of Penal Procedure, “A judge may arrange, for the purposes of building a case, the intervention of telephone communications or whatever other means of communication.” The Penal Code provides penalties for publishing private communications.[12] The National Defense Law prohibits domestic surveillance by military personnel. In April 1999, the Criminal Court of Appeals in Buenos Aires recognized a right to privacy in electronic mail communications applying a section of the Penal Code related to the protection of secrets. Although the criminal provision was drafted in 1921, the Court had an open approach to the interpretation of the statute.[13] Under this case, data such as stored files and e-mail are not to be examined by anyone else without the user’s permission.

The UN Human Rights Committee in 1995 expressed concern that the judicial authorization for wiretaps was too broad.[14] In Argentina the Penal Code, dating from the year 1921, does not punish wiretapping. Several cases of wiretapping were dismissed because of the lack of a criminal statute. Two Army colonels and two non-commissioned officers were relieved of duty in May 1999 after testifying that they conducted domestic surveillance on “orders from above” to interfere with investigations into human rights abuses during the dictatorship.[15] Illegal wiretapping has been common since the transition to civilian rule. In 1990, the entire telephone switchboard of the President’s official residence was extensively bugged and a major government scandal ensued.[16] In 1996, the telephones of the Archdiocese of Formosa were found to be wiretapped.[17] Also that year, former Economy Minister Domingo Cavallo accused Interior Minister Carlos Corach of ordering the telephone bugging of a federal prosecutor.[18] In 1998, the Mayor of Buenos Aires and 1999 presidential candidate Fernando de la Rua lodged a criminal complaint against two city councilors and another party member, accusing them of tapping his family’s telephone for years and recording 3000 hours of conversation.[19] He also accused the secret police, known as SIDE, of complicity with the wiretaps.[20] The same two city councilors had been wiretapping the Prosecutor Attorney of the Criminal Chamber of Appeals in 1996.

The Civil Code prohibits “that which arbitrarily interferes in another person’s life: publishing photos, divulging correspondence, mortifying another’s customs or sentiments or disturbing his privacy by whatever means.”[21] This article has been applied widely to protect the privacy of the home, private letters and a number of situations involving intrusive telephone calls, and neighbor’s intrusions into one’s private life.

In 1998, the Argentine Congress enacted the Credit Card Act.[22] The object of this bill is to regulate credit card contracts between consumers and financial institutions and specifically the interest rates that banks charge to consumer credit cards. Article 53 restricts the possibility of transferring information from banks or credit card companies to credit reporting agencies.[23] There is also a specific right of access to personal data of a financial character. The Central Bank of Argentina, whose jurisdiction includes the overview of the monetary policy in the Argentine financial market, has authority to regulate banks. Under that authority it created a public debtor’s database,[24] requiring financial entities and banks to collect and classify debtors within a range of risk and to send the information to the database. Under Article 8.1 of the regulation[25] the data subject (a client of a bank) has a right of access to his or her information and to know the reason why he or she was included in the database.[26]

In 1996, the national government began a new crackdown on tax evaders. Measures included reviewing citizens’ credit cards, insurance, and tax records. One bill allowed citizens whose credit card records had been obtained to sue for invasion of privacy.[27] The same year, the Argentina Passport and Federal Police Identification System, developed by Raytheon E-Systems, was inaugurated at the Buenos Aires airport. The system combines personal data, color photos and fingerprints.[28]

In November 1998, the City of Buenos Aires approved a law on access to information. The law gives all persons the right to ask for and to receive information held by the local authorities and creates a right of judicial review. Individuals have the right under habeas data to updating, rectification, confidentiality or suppression of information.[29] But critics say that government agencies jealously keep public records and that it is very difficult to obtain information.[30]

In 1984, Argentina adopted the American Convention on Human Rights into domestic law. Since 1994, the Convention has been “constitutionalized” and is used by the Argentine Supreme Court to determine domestic cases.[31]

Commonwealth of Australia

While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States contain any express provisions relating to privacy. There is periodic debate about the value of a Bill of Rights, but no current proposals.[32] <http://www.republic.org.au/const/cconst.html>

The principal federal statute is the Privacy Act of 1988.[33] <http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/longtitle.html> It creates a set of eleven Information Privacy Principles (IPPs), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The origins of the Privacy Act were the protests in the mid-1980s against the Australia Card scheme – a proposal for a universal national identity card and number. The controversial proposal was dropped, but use of the tax file number was enhanced to match income from different sources with the Privacy Act providing some safeguards. The use of the tax file number has been further extended by law to include benefits administration as well as taxation. Some controls over this matching activity were introduced in 1990.[34]

After several policy reversals, the re-elected conservative government introduced legislation to extend privacy protection to the private sector in April 2000. The Privacy Amendment (Private Sector) Bill 2000 applies a set of National Privacy Principles developed by the Privacy Commissioner during 1997 and 1998, originally as a self-regulatory substitute for legislation. The National Principles impose a lower standard of protection in several areas than the EU Directive. For example, organizations are required to obtain consent from customers for secondary use of their personal information for marketing purposes where it is “practicable”; otherwise, they can initiate direct marketing contact, providing they give the individual the choice to opt out of further communications. Controls on the transfer of personal information overseas are also limited, requiring only that organizations take “reasonable steps” to ensure personal information will be protected, or “reasonably believes” that the information will be subject to similar protection as applied in the Australian law. Nevertheless, the Bill includes an innovative principle of anonymity. Principle 8 states that: “Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.”

The Government has described the Bill as a “light touch legislative regime” which establishes a minimum standard of privacy protection which can be substituted by approved industry codes, which must meet at least the minimum standards in the National Principles. The Bill attracted controversy and widespread debate, with privacy and consumer groups and some business groups expressing concern at its failure to meet international standards of privacy protection. For example, it appeared that the Bill would have a limited effect on the massive database being built by Acxiom Australia, a joint business of U.S.-based Acxiom and PBL, the media conglomerate owned by Australia’s richest man, Kerry Packer. When details of the Acxiom database became public in late 1999, a storm of protest ensued, with concerns heightened by the appointment of Andrew Robb as CEO of Acxiom. Robb was previously the Federal Director of the Liberal Party and was widely credited as playing a major role in the electoral success of the Liberals in the late 1990s with the use of sophisticated campaign techniques.

The Bill provided broad exemptions for employment-related use of employee records; small businesses (under $A3m annual turnover) that do not disclose personal information for a benefit; and media organizations, broadly defined to include organizations which provide information to the public and political parties. The Bill was also criticized for weaknesses in its enforcement regime, including allowing privacy complaints to be handled by an industry-appointed code authority with limited oversight by the Privacy Commissioner.

The House of Representatives Legal and Constitutional Affairs Committee conducted an inquiry into the Bill and released its report in June 2000.[35] The Committee, the majority of which consisted of government members, acknowledged many of the criticisms and made 23 recommendations for amendments. The legislation is expected to reach the Senate, where government members are in a minority and opposition parties have indicated their plan to strengthen the legislation, by late 2000.

Public sector privacy issues continue to raise concerns. As part of reforms to the Australian tax system from July 2000, the Australian Taxation Office required all enterprises to obtain an Australian Business Number. The ATO collected registration details including address and email contact, and planned to make this available to the public through the Australian Business Register and through selling it to database companies. A storm of protest occurred in June 2000 when it was realized that the register would include the home address and other details of almost 2 million individuals, who were sole traders, contractors or even had just a minor income from a hobby or some other activity. The Government agreed to amend the legislation, limit the content of the Australian Business Register and allow individuals to suppress their details. At the same time, the Government was forced into another backdown after receiving legal advice that the Australian Electoral Commission had illegally disclosed information on around 10 million registered Australian voters, after the Prime Minister had asked for this information in order to conduct a targeted direct mailing campaign outlining the benefits of the tax reform package.

The Office of Privacy Commissioner[36] <http://www.aph.gov.au/house/committee/laca/PrivacyBill/contents.htm> has a wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters. The Commissioner’s office, which was initially well funded, suffered major budget cutbacks in 1997, at the same time as the Commissioner’s range of responsibilities under several laws and in response to government requests was expanding.

In the period of 1998-99, the Commissioner’s Office received 8,980 calls, of which 3,142 or 35 percent related to matters falling within the Privacy Commissioner’s jurisdiction. Of the remaining calls, 3,212 related to privacy issues outside of the scope of the Privacy Act. Some 718 written inquiries were received, of which 131 were formally investigated as complaints. Ninety-one complaints were closed and 11 audits conducted.[37] The Commissioner released a strategic plan in 2000 outlining his office’s role under forthcoming private sector legislation. Guidelines were also released for employee use of email and for government websites. The Commissioner also released a report on the application of the National Privacy Principles to personal health information in December 1999, proposing modifications to the National Privacy Principles to take account of specific issues relating to the handling of health care information. These suggestions were largely implemented in the Bill released in April 2000.

The Telecommunications (Interception) Act of 1979[38] <http://www.privacy.gov.au/pdf/99annrep.pdf> <http://www.austlii.edu.au/au/legis/cth/consol_act/ta1979350/> regulates the interception of telecommunications. A warrant is required under the Act, which also provides for detailed monitoring and reporting, but in 1997 the authority for issuing warrants was extended from federal court judges to designated members of the Administrative Appeals Tribunal, who are on term appointments rather than tenured. Significant loopholes exist within the legislation, such as section 6(2) which some experts argue allows the recording and monitoring of communications in specific circumstances such as when the equipment is provided by a telecommunications carrier. The Interception Act safeguards also need to be read alongside Part 15 of the Telecommunications Act of 1997, which places obligations on telecommunications providers to provide an interception capability and to positively assist law enforcement agencies with interception.

In November 1999, the Australian Security Intelligence Organisation Legislation Amendment Act 1999 was passed by the Commonwealth Parliament. The Act gives ASIO new powers to access e-mails and data inside computers, use tracking devices on vehicles, obtain tax and cash transaction information and intercept mail items carried by couriers. ASIO is authorized to modify private computer files as long as there is reasonable cause to believe that it is relevant to a security matter.[39]

The Parliament approved the Telecommunications (Interception) Legislation Amendment Bill 2000 on June 7, 2000. The legislation will allow for the issuing of “named person” warrants based on a name of person only, not specifying the location of the tap to allow for the interception of multiple services without a new warrant. The bill also expands the use of wiretap information in other proceedings. Intelligence agencies can get a “foreign communications warrant” to “enable ASIO, operating ‘within Australia,’ to intercept communications ‘sent or received outside Australia’ for the purposes of collecting foreign intelligence.”

Taps increased substantially in the last year reported. In 1998-1999, there were 1,284 warrants issued, up from 675 warrants issued in the year 1997-1998.[40] This excludes an undisclosed number of interception warrants issued to the Australian Security Intelligence Organisation by the Attorney General.

The Crimes Act[41] <http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s85zl.html> also contains a range of other privacy related measures, such as offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications and the unauthorized disclosure of Commonwealth government information.[42] It also contains provisions relating to “spent” convictions, allowing individuals convicted of minor offenses to lawfully “deny” them in most circumstances after a period of time.

A mix of privacy standards apply to the telecommunications sector. Part 13 of the Telecommunications Act of 1997[43] contains a general prohibition on the disclosure of telecommunications-related personal information. However, this principle contains a detailed list of exceptions.[44] <http://www.austlii.edu.au/au/legis/cth/consol_act/dpata1990349/> The telecommunications industry is regulated through voluntary codes of practice which are developed by the Australian Communication Industry Forum (ACIF), but, once they are registered by the Australian Communications Authority (ACA), the Authority can direct a company to comply with certain provisions of a code. Early in 2000 the ACA registered the Code of Practice for the Protection of the Personal Information of Customers of Telecommunications Providers[45] <http://www.aca.gov.au/codes/abtem8.htm> and Code of Practice on Calling Number Display.[46] <http://www.aca.gov.au/codes/abtem9.htm>

During 2000, Commonwealth and State governments have announced plans to move towards unique patient identifiers in the health sector, likely to be centered around a health smart card. Health services are primarily delivered by the public sector in Australia, with only around a third of the population having private health insurance. The responsibility for delivery of health services is shared between the Commonwealth Government, which is responsible for much of the funding of the health system, and the States, which operate hospitals and community health services. The Commonwealth’s proposal, HealthConnect, is intended as a voluntary national health information network under which health-related information about an individual would be collected in a standard, electronic format at the point of care.[47] <http://www.health.gov.au/healthonline/connect.htm> The New South Wales Government established a committee to review health privacy issues, which is intended to report at the end of 2000. The Victorian Government released a draft Health Records Bill in mid-2000.[48]

The Australian States and Territories have varying privacy laws. The New South Wales Privacy and Personal Information Protection Act of 1998 recently came into effect. It is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows government agencies to weaken the Information Protection Principles which form the foundation of the legislation.[49] <http://www.dhs.vic.gov.au/ahs/healthrecords> In Victoria, an information privacy bill was introduced in May 2000 and is expected to be enacted later in the year.[50] It covers the public sector with principles similar to the National Privacy Principles. The Australian Capital Territory (ACT) enacted a health privacy law in 1997,[51] and the Queensland government has committed to implement the April 1998 recommendation of a Parliamentary Committee for a public sector privacy law,[52] but with no timetable yet announced. Specific privacy provisions are also found in many State laws dealing with such diverse matters as health, adoption, drug controls and registration of births, deaths and marriages. Most States and Territories also have laws relating to listening devices, although these are generally recognized as being badly in need of updating to cope with new technologies.[53] <http://www.lawlink.nsw.gov.au/lrc.nsf/pages/IP12TOC>

The federal Freedom of Information Act of 1982[54] provides for access to government records. The Commonwealth Ombudsman promotes the Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the AG’s Department and Ombudsman to support the Act and there is now little central direction, guidance or monitoring. All of the States and the ACT (but not the Northern Territory) also have Freedom of Information laws which include rights for individuals to access and correct personal information about themselves.[55]

Republic of Austria

The Austrian Constitution does not explicitly recognize the right of privacy.[56] Some sections of the data protection law (Datenschutzgesetz – DSG) have constitutional status. These rights may only be restricted under the conditions of Article 8 of the European Convention of Human Rights (ECHR). The entire ECHR has constitutional status and Article 8 is often cited by the constitutional court in privacy matters.

A new data protection bill (Datenschutzgesetz 2000)[57] which incorporates the EU Directive into Austrian law was approved in December 1999 and went into force in January 2000. However, experts criticize the new bill as being inadequate because it retains the cumbersome structure of the original 1978 Act[58] rather than replacing it.[59]

The Act is enforced by the Data Protection Commission. The Commission reports that there are 100,000 Data Controllers registered. It also handles around 85 formal complaints and 1,200 informal requests each year. The Commission has 21 staff members (six legal professionals, two IT experts and 13 support staff).

Wiretapping, electronic eavesdropping and computer searches are regulated by the code of criminal procedure.[60] Telephone wiretapping is permitted if it is needed for investigating a crime punishable by more than one year in prison. Electronic eavesdropping and computer searches are allowed if they are needed to investigate criminal organizations or crimes punishable by more than ten years in prison. The provision concerning electronic eavesdropping and computer searches became effective between October 1, 1997, and July 1, 1998. Due to long and intensive discussion, the provisions are in effect only until December 31, 2001. Criticism of the drafts for this law has led to a number of restrictions, but whether or not these provisions can effectively prevent eavesdropping on innocent persons remains unresolved.

There are also a number of specific laws relating to privacy. The telecommunication law contains special data protection provisions for telecommunication systems, particularly problems like phone directories, unsolicited calls or ISDN calling line identification.[61] The Genetic Engineering Act of 1994 requires prior written consent for information to be used for purposes other than the original purpose. Austrians can have an anonymous “Sparbuch” bank account. The Financial Action Task Force, an anti-money laundering group coordinated by the OECD, has been pressuring Austria to change its laws to require that each account be personally identified.[62] In June 2000, the First Chamber of the Parliament approved legislation to identify anyone who withdraws or deposits from an account by 2002.[63]

The Auskunftspflichtgesetz is a Freedom of Information law that obliges federal authorities to answer questions regarding their areas of responsibility.[64] However, it does not permit citizens to access documents, just to receive answers from the government on the content of information. The nine Austrian Provinces have laws that place similar obligations on their authorities.

Austria is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[65] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[66] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Kingdom of Belgium

The Belgian Constitution recognizes the right of privacy and private communications.[67] Article 22 states, “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. . . . The laws, decrees, and rulings alluded to in Article 134 guarantee the protection of this right.” Article 29 states, “The confidentiality of letters is inviolable. . . . The law determines which nominated representatives can violate the confidentiality of letters entrusted to the postal service.” Article 22 was added to the Belgian Constitution in 1994. Prior to the constitutional amendment, the Cour de Cassation ruled that Article 8 of the European Convention applied directly to the law and prohibited government infringement on the private life of individuals.[68]

The processing and use of personal information is governed by the Data Protection Act of 1992. Amending legislation to update this Act and make it consistent with the EU Directive was approved by the Parliament in December 1998.[69] A Royal Decree to implement the Act was approved in July 2000. There was concern among independent experts that the amended Act may not be fully consistent with the Directive, especially in areas relating to government files. The Decree may remedy some of the defects of the Act, including reducing exceptions in favor of the social security institutions. In September 1998, the state security office announced that it was “cleaning” the files on 570,000 individuals that it had been collecting since 1944 to bring the files into compliance with the 1992 law.[70] In 1995, the Belgian Government admitted spying on the peace and environmental movements.[71]

The Commission de la Protection de la Vie Privée oversees the law.[72] The Commission investigates complaints, issues opinions and maintains the registry of personal files. In 1999, the Commission answered approximately 6,000 complaints and requests for information. According to the Commission, this number is much larger than in previous years as now it is its policy to answer all complaints rather than only those which were “formally” filed. It is currently handling about 1,000 formal investigations.[73] The commission has also issued a number of recommendations relating to workplace privacy, and video surveillance.[74] Under the old law, there were 24,000 processings registered. As of July 2000, there are 21 permanent members on the staff.

Surveillance of communications is regulated under a 1994 law.[75] Prior to its enactment, there was no specific law. The law requires permission of a juge d’instruction before wiretapping can take place. Orders are limited to a period of one month. There were 114 orders issued in 1996.[76] The law was amended in 1997 to remove restrictions on encryption.[77] The Parliament also amended the law in 1998 to require greater assistance from telecommunications carriers.[78]

In spring 2000, the Chamber of Deputies of the Belgian Parliament approved a bill on computer-related crime.[79] The bill would amend the Criminal Procedure Code, adding a paragraph giving the Juge d’Instruction the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages which have been intercepted. The experts, network managers, etc. could not refuse providing cooperation; criminal sanctions would be possible in cases of refusal. The bill would also require that Internet Service Providers retain records for law enforcement purposes. The Bill is currently being debated in the Senate. In December 1999 the Commission de la Protection de la Vie Privée issued an opinion on the bill, in which it raised serious concerns about its potential impact on the privacy of personal data. It recommended certain amendments to the Bill including the establishment of a “police monitoring system,” which would report back to the Commission, and a three year review provision.[80]

There are also laws relating to consumer credit,[81] social security,[82] electoral rolls,[83] the national ID number,[84] professional secrets,[85] and employee rights.[86] There are Freedom of Information laws on the right of access to administrative documents on the national[87] and local and regional levels.[88] Each jurisdiction has a Commission d’accès aux documents administratifs which oversees the act.

Belgium is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[89] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[90] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Federative Republic of Brazil

Article 5 of the 1988 Constitution of Brazil provides, in part: “the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from the violation thereof is ensured; . . . the home is the inviolable asylum of the individual, and no one may enter it without the dweller’s consent, save in the case of ‘in flagrante delicto’ or disaster, or to give help, or, during the day, by court order; . . . the secrecy of correspondence and of telegraphic, data and telephone communications is inviolable, except, in the latter case, by court order, in the events and in the manner established by the law for purposes of criminal investigation or criminal procedural discovery; . . . access to information is ensured to everyone and confidentiality of the source is protected whenever necessary for the professional activity.”[91]

A bill promoting the privacy of personal data in conformance with the OECD guidelines, to affect both public and private sector databases, was proposed in the Senate in 1996 and has yet to be voted on. The bill provides that, “No personal data nor information shall be disclosed, communicated, or transmitted for purposes different than those that led to structuring such data registry or database, without express authorization of the owner, except in case of a court order, and for purposes of a criminal investigation or legal proceedings . . . It is forbidden to gather, register, archive, process, and transmit personal data referring to: ethnic origin, political or religious beliefs, physical or mental health, sexual life, police or penal records, family issues, except family relationship, civil status, and marriage system . . . Every citizen is entitled to, without any charge; access to his/her personal data, stored in data registries or databases, and correct, supplement, or eliminate such data, and be informed by data registry or database managers of the existence of data regarding his/her person.”[92] It is widely expected that the law will move forward following the approval of legislation in neighboring countries such as Argentina and Chile.

The 1990 Code of Consumer Protection and Defense[93] allows all consumers to “access any information derived from personal and consumer data stored in files, archives, registries, and databases, as well as to access their respective sources. Consumer files and data shall be objective, clear, true, and written in a manner easily understood, and shall not contain derogatory information for a period over five years. Whenever consumers find incorrect data and files concerning their person, they are entitled to require immediate correction, and the archivist shall communicate the due alterations to the incorrect information within five days. Consumer databases and registries, credit protection services, and similar institutions are considered entities of public nature. Once the consumer has settled his/her debts, Credit Protection Services shall not provide any information which may prevent or hinder further access to credit for this consumer.” The Informatics Law of 1984[94] protects the confidentiality of stored, processed and disclosed data, and the privacy and security of physical, legal, public, and private entities. Citizens are entitled to access and correct their personal information in private or public databases.

Individuals have a constitutional right of habeas data, which has been adopted into law, to access information about themselves held by public agencies.[95]

In 1996, a law regulating wiretapping was enacted.[96] Official wiretaps are permitted for 15 days, renewable on a judge’s order for another 15 days, and can only be resorted to in cases where police suspect serious crimes punishable by imprisonment, such as drug smuggling, corruption, contraband smuggling, murder and kidnapping. The granting of judicial eavesdropping permits by judges was previously an ad hoc process without any legal basis.[97] Illegal wiretapping by police and intelligence agencies is still ongoing. The Agencia Brasileira de Informacoes (Abin) was suspected of wiretapping President Cardoso after tapes of his conversations were leaked to the press in May 1999.[98] Several ministers resigned in 1998 after tapes of wiretapped conversations involving the Brazilian Development Bank were disclosed in what was called the “Telegate scandal.” In 1992, amid a scandal that toppled President Fernando Collor de Mello, it was discovered that Vice President Itamar Franco’s phones at his official residence in Brasilia and in a Rio de Janeiro hotel room had been tapped.[99] In 1996, Abin was put under military control with the task of evaluating the background of people appointed to government posts. According to the new director, “every instrument authorized by the courts will be used to keep the president well informed, including wiretapping of phones, opening of personal mail, and infiltration of Abin agents into social movements such as the Landless Peasant’s Movement (Movimento sem Terra).” Abin is the central body of an intelligence system that is spread out through federal, state, municipal and even private organizations. The intelligence system operates under the name of Sisbin (Brazilian Intelligence System).[100] The Agency’s guidelines prevent it from performing police operations, and require it to obtain a judicial order to perform wiretaps.[101] A computer crimes act was approved in July 2000.

A candidate for mayor of São Paulo, Celso Pitta, discovered wiretaps on two of his telephone lines in 1996.[102] A man with AIDS charged the city of Morretes, Paraná, with discrimination and invasion of privacy after a city government proclamation identifying him and his HIV status was posted in public buildings.[103]

Brazil signed the American Convention on Human Rights on September 25, 1992.

Republic of Bulgaria

The Bulgarian Constitution of 1991 recognizes rights of privacy, secrecy of communications and access to information. Article 32 states, “(1) The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law.” Article 33 states, “(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant’s consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities’ permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity.” Article 34 states, “(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime.” Article 41 states, “(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others.”[104]

There are currently efforts to enact comprehensive data protection legislation in Bulgaria. In 1996, the government began developing data protection legislation in preparation for integration into the EU Internal Market under the Treaty for Association of Bulgaria to the EU. Data protection is also a key element of the information legislation which is a priority in the National Assembly’s legislative activities.

The draft Personal Data Protection Act closely follows the EU Data Protection Directive. It sets rules on the fair and responsible handling of personal information by the public and private sector. Entities collecting personal information must do the following: inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is securely held and cannot be tampered with, stolen or improperly used; and limit the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances. The draft law creates the State Commission for the Protection of Personal Data to oversee the act.

The European Commission stated in 1997 that “considerable efforts are still needed to adopt and implement measures to meet Community requirements on data protection.”[105]

Electronic surveillance used in criminal investigations is regulated by the criminal code and requires a court order.[106] The Telecommunications Law also requires that agencies must ensure the secrecy of communications.[107] The 1997 Special Surveillance Means Act regulates the use of surveillance techniques by the Interior Ministry for investigating crime but also for loosely defined national security reasons. A court order is generally required but in cases of emergency, an order from the Interior Minister is sufficient.[108]

The U.S. State Department in its 1999 human rights report said, “One nongovernmental organization (NGO) complained that the Minister of Interior’s discretionary authority to authorize telephone wiretaps without judicial review is excessive, although it is unknown to what extent this authority is employed. It is also alleged that warrants to investigate suspects’ private financial records sometimes are abused to give police broad and open-ended authority to engage in far-ranging investigations of a suspect’s family and associates. There are regular, albeit not conclusive or systematic, reports of mail, especially foreign mail, being delayed and/or opened.”[109] In August 2000, listening devices were found in the apartment of the Prosecutor General Nikola Filchev and several politicians. Filchev blamed the bugs on the Interior Ministry’s Criminal Intelligence Service (CIS) and a Parliamentary session was held after 53 Democratic Left Parliamentarians demanded a hearing.[110] The head of the National Security Service, Col. Yuli Georgiev, resigned in February 1997 after allegations of wiretapping politicians.[111] Bulgaria’s military prosecutor filed a suit in December 1996 against an unidentified state official for illegally bugging telephones at the offices of the main opposition, Union of Democratic Forces (UDF), including those of president-elect Petar Stoyanov.[112]

In December 1998, the Bulgarian Committee for Post and Telecommunications issued an executive decree to license Internet Service Providers. The decree gave governmental employees the authorization to enter ISPs’ offices at any time and obtain any documentation, including user names and passwords, as well as other private information.[113] The decision was extensively criticized by Internet users, service providers and others, including German Chancellor Schroeder, who said that licensing was not appropriate. The Bulgarian Internet Society (ISOC) chapter filed a case at the Supreme Administrative Court to stop the decree in January 1999.[114] The Court ordered a temporary restraint of the decree on June 17, 1999. In November 1999, the Bulgarian Prime Minister ordered the Minister of Telecommunications to negotiate an out of court agreement with ISOC. A few weeks later, the decree was changed, and the ISPs were removed from the licensing requirements and placed in the “free regime” category.

There are additional provisions relating to privacy in laws such as the Statistics Law, Tax Administration Law, Insurance Law,[115] and Social Assistance Law.[116] The Radio and Television Act sets limits[117] on broadcasting of personal information. In conjunction with the preparation of the Law on Protection of Citizens’ Personal Data, analyses of Bulgarian legal acts related to personal data of individuals are planned. Proposals of reforms and supplements in the relevant acts also can be made, if necessary.

The Law for Access to Information to provide access to government records was enacted in June 2000 and went into force in July.[118] The law allows for access to records except in cases of state security or personal privacy. Minor fines are anticipated against officials who unlawfully withhold documents.[119] The Bulgarian National Bank announced in July 1999 that it would be the first state institution to open up its archive of documents from the Communist era, starting in September.[120] The 1997 Access to Documents of the Former State Security Service Act regulates the access, proceedings of disclosure and use of information kept in the documents of the former State Security Service.

Bulgaria is a member of the Council of Europe and has signed but not ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[121] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[122]

Canada

There is no explicit right to privacy in Canada’s Constitution and Charter of Rights and Freedoms.[123] However, in interpreting Section 8 of the Charter, which grants the right to be secure against unreasonable search or seizure, Canada’s courts have recognized an individual’s right to a reasonable expectation of privacy.[124]

Senator Sheila Finestone proposed a “Charter of Privacy Rights” in March 2000.[125] The Charter would create a broad constitutional right of privacy for all Canadians in all spheres and prevail over acts of Parliament. According to Senator Finestone:

Under the bill, every individual would be given the right to privacy. This right would include, but not be limited to, personal privacy, which includes physical and psychological privacy; privacy of space, which includes freedom from surveillance; privacy of communication, which includes freedom from monitoring and interception; privacy of information, which includes freedom from collection, use and disclosure of their personal information by others. Any interference with an individual’s privacy would be an infringement of the individual’s right to privacy unless the interference is reasonably justified and unless it is impossible or inappropriate to do so, the individual’s informed consent has been obtained.

A four-part test is required to determine if interferences are reasonably justified. The only permissible interferences would be:

1) where lawful;
2) where necessary to achieve a compelling societal interest that warrants limiting an individual’s privacy;
3) where no other lesser measure will accomplish this objective; and
4) where both the importance of the objective and the beneficial effects of the interference outweigh the privacy loss.

The Federal Parliament approved Bill C-6, the Personal Information Protection and Electronic Documents Act in April 2000.[126] The Act adopts the CSA International Privacy Code (a national standard: CAN/CSA-Q830-96) into law for enterprises that process personal information “in the course of a commercial activity,” and for federally regulated employers with respect to their employees. It does not apply to information collected for personal, journalistic, artistic, literary, or non-commercial purposes. The law will go into effect for companies that are under federal regulation, such as banks, telecommunications, transportation and businesses that trade data interprovincially and internationally in January 2001, except with respect to medical records, which are exempted from the new law until 2002 (most medical records, however, fall under provincial jurisdiction). In three years, the Act will cover provincially regulated sectors unless the province enacts “substantially similar” laws, such as Québec’s law.

The scope of the act is still limited. As noted by the federal Privacy Commissioner Bruce Phillips, “it is by no means the whole answer. Still missing is an adequate legal regime covering such things as video surveillance, physical privacy, biomedical privacy, drug and DNA testing, to mention a few.” The European Commission said in July 2000 that it would begin a review of the Canadian law to determine that it provides adequate protection to allow for transborder data flows.[127]

The federal Privacy Act[128] provides individuals with a right of access to personal information held by the federal public sector. In addition, the Privacy Act contains provisions regulating the confidentiality, collection, correction, disclosure, retention and use of personal information. Individuals may request records directly from the institution that has the custody of the information. The Act establishes a code of fair information practices that apply to government handling of personal records. However, its provisions can be ignored when another federal Act allows for the processing of personal information.

Individuals can appeal to a federal court for review if access to their records is denied by an agency, but are not authorized to challenge the collection, use or disclosure of information. In the Fall of 1998, the Commissioner asked a court to review the matching of the Customs declarations of returning travelers against the Employment Insurance database. The Federal Privacy Commissioner asked the court to decide whether the Customs Act overrides the government’s obligation in the Privacy Act to use personal information only for the purpose for which it is collected unless the individual consents. In February 1999, the court ruled that the matching could not be conducted without ministerial approval and the program was suspended. This was overturned by the Court of Appeals and the Privacy Commissioner has appealed the case to the Supreme Court.

The Privacy Commissioner finished an extensive review of the Act in 1999 and has recommended over 100 changes to the law to improve and update it, including giving it primary authority over all information collection by the federal government, extending its coverage beyond “recorded” information, increasing notices of disclosures, expanding court reviews, creating rules on data matching, controlling “publicly available” information and expanding the mandate of the Privacy Commissioner.[129]

Both the Personal Information Protection and Electronic Documents Act and the Privacy Act are overseen by the independent Privacy Commissioner of Canada.[130] Under the Privacy Act, the Commissioner has the power to investigate, mediate and make recommendations, but cannot issue binding orders. The office received 1,584 complaints in 1999-2000, down from 3,105 in 1998-1999 and completed 1,399 complaint investigations in 1999-2000.[131] In ten years, the Office has received 15,526 complaints. The Office also received 11,256 calls and letters in 1999-2000. The commission has received 82,422 inquiries in ten years.

The Commissioner can initiate a Federal Court review in limited circumstances relating to denial of access to records. In May 2000, the Commissioner called for an update of the Federal Privacy Act and expressed concern about the misuse of the Social Insurance Number, health privacy and the release of census records.

The Commissioner’s 1999-2000 report revealed the existence of a government database called the Longitudinal Labour Force File, managed by Human Resources Development Canada, which contained over 2,000 pieces of information on each Canadian. The information was gleaned from other government data banks and includes details from tax returns, child tax benefit files, provincial and municipal welfare files, federal jobs, job training and employment programs and services, employment insurance files and the social insurance master file. HRDC announced on May 29, 2000 that it was dismantling the Longitudinal Labour Force File and said it was scrapping the software that allowed sharing with other agencies and returning information following a public outcry.[132]

Privacy legislation covering government bodies exists in almost all provinces and territories.[133] In the province of Québec, the Charter of Rights specifically mentions the right to privacy and the law regulates the collection and use of personal information held by private sector businesses operating in the province of Québec.[134] This law sets rules for the collection, confidentiality, correction, disclosure, retention and use of personal information by these businesses. It also provides individuals with a right of access and correction. Nearly every province has some sort of oversight body, but their powers vary. The Québec Commission d’accès à l’information has broad powers over the public and private sectors. The Information and Privacy Commissioners of British Columbia and Ontario have been very active in promoting privacy through their oversight powers of public bodies and public education efforts. A number of provinces are now looking into adopting privacy legislation based on the Personal Information Protection and Electronic Documents Act.

Part VI of Canada’s Criminal Code makes the unlawful interception of private communications a criminal offense.[135] Police are required to obtain a court order. In 1998, there were 157 orders for warrants under the Criminal Code, a decrease from 187 in 1997, 281 in 1996 and 266 in 1995.[136] Amendments to the Radiocommunication Act[137] also forbid the divulgence of intercepted radio-based telephone communications. The Canadian Security Intelligence Service Act[138] authorizes the interception of communications for national security reasons. A federal court in Ottawa ruled in 1997 that the Canadian Security Intelligence Service was required to obtain a warrant in all cases.[139] In October 1998, Industry Minister John Manley announced a new liberal government policy for encryption that allows for broad development, use and dissemination of encryption products.[140]

Other federal legislation also has provisions related to privacy. The Telecommunications Act[141] has provisions to protect the privacy of individuals, including the regulation of unsolicited communications. Also, the Bank Act,[142] Insurance Companies Act,[143] and Trust and Loan Companies Act[144] permit regulations to be made governing the use of information provided by customers. There are sectoral laws for pensions,[145] video surveillance,[146] immigration,[147] and Social Security.[148] The Young Offenders Act[149] regulates what information can be disclosed about offenders under the age of eighteen while the Corrections and Conditional Release Act[150] speaks to what information can be disclosed to victims and victims’ families. In addition, most provinces have some form of legislation protecting consumer credit information. However, the vast majority of information collected by the private sector is on the provincial level and is not currently protected by any provincial laws. A poll in April 1999 found that 88 percent of people said the government should “not allow banks to use information about their customer’s bank accounts and other investments to try to sell customers insurance.”[151]

Identity issues are currently under debate in Canada. There is great concern about the use of the Social Insurance Number (SIN) by the private sector and identity theft. A Parliamentary committee recommended in May 1999 that an Act setting out limitations on the use of the SIN be developed and that agencies’ use of the SIN should be documented.[152] Human Resources Development Canada released its recommendations in November 1999, recommending that the SIN not become a national client identifier because of “severe privacy concerns” and costs, but it also recommended against new laws to prevent its use and recommended expanding access to the Social Insurance Register by users of the SIN to prevent fraud.[153] The Committee was critical of these recommendations.[154]

Québec considered creating a mandatory ID card but dropped the idea in 1998. In April 1999, it hired DMR Consulting Group to examine the possibility of creating a central database of all government records on residents.[155] In Toronto, a system to fingerprint all welfare recipients was dropped in March 1999 after Citibank, the contractor, was unable to create a working system.[156] The Ontario government continues to discuss a smart card system for all citizens to access government services. The UN Human Rights Commission was critical of the increasing use of fingerprinting in Canada and recommended in April 1999 “that Canada take steps to ensure the elimination of increasingly intrusive measures which affected the right of privacy of people relying on social assistance, including identification techniques such as fingerprinting and retinal scanning.”[157]

The federal Access to Information Act[158] provides individuals with a right of access to information held by the federal public sector. The Act gives Canadians and other individuals and corporations present in Canada the right to apply for and obtain copies of federal government records. “Records” include letters, memos, reports, photographs, films, microforms, plans, drawings, diagrams, maps, sound and video recordings, and machine-readable or computer files. About 12,000 requests are made annually for government records.[159]

The Act is overseen by the Office of the Information Commissioner of Canada.[160] The Commissioner can investigate and issue recommendations but does not have power to issue binding orders. The Office handled 1,670 complaints in 1998-99. It also released report cards on several agencies and issued seven subpoenas to government officials. The Canadian Federal Court has ruled that government has an obligation to answer all access requests regardless of the perceived motives of the requesters. Similarly, the Commissioner must investigate all complaints even if the government seeks to block him from so doing on the grounds that the complaints are made for an improper purpose. Each of the provinces also has a Freedom of Information law.[161] A new coalition formed in March 2000 to promote freedom of information in Canada.[162]

Republic of Chile

Article 19 of Chile’s Constitution secures for all persons: “Respect and protection for public and private life, the honor of a person and his family. The inviolability of the home and of all forms of private communication. The home may be invaded and private communications and documents intercepted, opened, or inspected only in cases and manners determined by law.”[163]

Recently, Chile became the first Latin American country to enact a data protection law. Act No. 19628, titled “Law for the protection of Private Life,”[164] came into force on October 28, 1999. The law has 24 articles, covering processing and use of personal data in the public and the private sector and the rights of individuals (to access, correction, and judicial control). The law contains a chapter dedicated to the use of financial, commercial and banking data, and specific rules addressing the use of information by government agencies. The law includes fines and damages for the unlawful denial of access and correction rights. Only databanks in the government must be registered.

There is no data protection authority, and enforcement of the law is done individually by each affected person. There is no case law yet interpreting the law. Another deficiency is that the law does not contain restrictions on transfers to third countries.

Chile’s transition to democratic rule in 1990 did not eliminate personal privacy violations by government agencies. The Investigations Police – a plainclothes civilian agency that functions in close collaboration with the International Criminal Police Organization (Interpol) and with the intelligence services of the army, navy, and air force – keeps records of all adult citizens and foreign residents and issues identification cards that must be carried at all times.[165] The personal data compiled during military rule was never destroyed. In January 1998, former dictator Gen. Augusto Pinochet threatened to use “compromising information” from secret military intelligence files against those who were trying to keep him from becoming a Senator for Life, a position which would provide immunity from civil suits and public accountability for crimes which took place during his dictatorship.[166] Under current law, the voter registration list is publicly disclosed and used for direct marketing purposes. In 1999, the UN Human Rights Committee criticized the requirement that hospitals report all women who receive abortions.[167]

A 1995 law bars the collection of information by undisclosed taping, telephone intercepts, and other surreptitious means, and bars the dissemination of such information, except by judicial order in narcotics-related cases.[168] In August 1996, the head of the Direccion de Inteligencia Policial (Dipolcar), the police intelligence service, was charged with authorizing a surveillance operation against the defense ministry official responsible for Carabineros, the militarized national police force. His resignation in disgrace allowed a greater role for the civilian security police, Investigaciones, in anti-drug operations.[169] In 1992, a surveillance center with 24-hour scanning devices was uncovered in downtown Santiago. It was run by an active army intelligence unit (DINE, incorporating former members of the secret police, the CNI) and, among other incidents, was found to have tapped into presidential candidate Sebastian Pinera’s cellular phone[170] and taped the calls of President Patricio Aylwin.[171] The Army admitted to tapping telephones in order to comply with its mission, but reaffirmed that it “does not tap phones in an attempt to interfere with peoples’ privacy.”[172] The scandal provoked the retirement of General Ricardo Contreras, head of the Army Telecommunications Command.[173]

Chile signed the American Convention on Human Rights on August 20, 1990.

People’s Republic of China

There are limited rights to privacy in the Chinese Constitution. Article 37 provides that the “freedom of the person of citizens of the People’s Republic of China is inviolable,” and Article 40 states: “Freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law. No organization or individual may, on any ground, infringe on citizens’ freedom of privacy of correspondence, except in cases where to meet the needs of state security or of criminal investigation, public security or prosecutorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.”[174]

There is no general data protection law in China and few laws that limit government interference with privacy. China has a long-standing policy on keeping close track of its citizens. According to expert W.J.F. Jenner, “Chinese states by the fourth century BC at latest were often remarkably successful in keeping records of their whole populations so that they could be taxed and conscripted. The state had the surname, personal name, age and home place of every subject and was also able to ensure that nobody could move far from home without proper authorization.”[175]

Concerns about the growing use of the Internet have led to technical and legal restrictions. With the assistance of American companies such as Bay Networks, China has developed a “Great Firewall” which limits traffic to the Internet outside China to only three gateways.[176] The firewall also blocks some western news web sites such as the BBC, New York Times and the Voice of America. In February 1999, the government announced the creation of the State Information Security Appraisal and Identification Management Committee which, according to the official Xinhua state news agency, “will be responsible for protecting government and commercial confidential files on the Internet, identifying any net user, and defining rights and responsibilities... The move is intended to guard both individual and government users, protect information by monitoring and keep them from being used without proper authorization.”[177] In December 1998, a Chinese businessman was handed a two-year jail sentence for subversion for supplying 30,000 e-mail addresses of Chinese computer users to a U.S.-based electronic dissident magazine.[178]

Under Article 7 of the Computer Information Network and Internet Security, Protection and Management Regulations, “the freedom and privacy of network users is protected by law. No unit or individual may, in violation of these regulations, use the Internet to violate the freedom and privacy of network users.”[179] Article 8 states that “units and individuals engaged in Internet business must accept the security supervision, inspection, and guidance of the public security organization. This includes providing to the public security organization information, materials and digital documents, and assisting the public security organization to discover and properly handle incidents involving law violations and criminal activities involving computer information networks.”[180] Articles 10 and 13 stipulate that Internet account holders must be registered with the public security organization and lending or transferring of accounts is strictly prohibited. Sections 285 to 287 of the Criminal Code prohibit intrusions into computer systems and punish violations of the regulations. In August of 1999, under orders from China’s Ministry of Information and Industry, Intel agreed to disable the “Processor Serial Number” function of its Pentium III chips, which makes it possible to identify and track Internet users as they engage in e-commerce.[181]

The secrecy of communications is cited in the constitution and in law, but apparently with little effect. In practice, authorities often monitor telephone conversations, fax transmissions, electronic mail, and Internet communications of foreign visitors, businessmen, diplomats, and journalists, as well as Chinese dissidents, activists, and others.[182] British Prime Minister Tony Blair was reported to be upset by the bugging and wiretapping of his rooms during his state visit to China in October 1998.[183] The U.S. State Department said in a 1999 report: “Chinese authorities often monitor telephone conversations, fax transmissions, electronic mail, and Internet communications of foreign diplomats and journalists, as well as Chinese dissidents, activists, and others.” The report also noted that the government has created “special Internet police units to increase control over Internet content and access.” Frank Lu, the head of the Hong Kong-based Information Center of Human Rights and Democratic Movement in China, reported in November 1999 that 300 computer graduates had been recruited by Shanghai security officials to carry out cyber-surveillance in 1999 alone.[184] Canadian, American, and British members of the Falun Gong movement claimed to be targets of such surveillance in fall of 1999, reporting assaults on their websites by various means commonly used to block or penetrate sites.[185]

The Chinese government announced and then retracted a broad-sweeping rule that required all entities other than embassies to register any software using encryption or including encryption technology. The original rule was announced on November 10, 1999 by the PRC State Encryption Management Commission and required registration by January 31, 2000.[186] However, after few companies registered by the due date, and under increasing pressure due to China’s successful WTO bid, officials reversed the hugely unpopular law, which would have banned foreign encryption software and likely would have delayed or prevented the launch of Microsoft’s Office 2000 and Cisco’s installation of new mobile phone networks.[187]

Postal enterprises and postal staff are prohibited from providing information to any organization or individual about users’ dealings with postal services except as otherwise provided for by law.[188] However, Article 21 of the Postal Law permits postal staff to examine, on the spot, the contents of non-letter postal materials. Mail handed in or posted by users must be in accordance with the stipulations concerning the content allowed to be posted; postal enterprises and their branch offices have the right to request users to take out the contents for examination, when necessary.

The Practicing Physician Law requires that doctors not reveal health information obtained during treatment. Doctors who violate the law face criminal penalties. In May of 1999, the Ministry of Health, with the approval of the State Council, published an administrative order declaring that personal information about HIV/AIDS sufferers be kept secret, and that the legal rights and interests of those people and their relatives should not be infringed. The Ministry of Health order asked all units and individuals in charge of diagnosis, treatment, and management work not to publish any personal information about HIV/AIDS sufferers, such as the name and the family address.[189]

Since 1984, all Chinese citizens over the age of 16 have been required to carry identification cards issued by the Ministry of Public Security. Identification cards include name, sex, nationality, date of birth, address and term of validity, of which there are three: 10 years for those between the ages of 16 and 25, 20 years for those between the ages of 25 and 45, and permanent for those aged 45 and over. In carrying out their duties, public security organs have the right to ask citizens to show their ID cards. In handling political, economic and social affairs, which involve rights and interests, government offices, people’s organizations and enterprises may also ask citizens to show their ID cards.[190] Failure to register for an identification card, forging or otherwise altering a residence registration, or assuming another person’s registration are all prohibited by law and punishable by fine. Failure to notify local authorities concerning visiting guests is also punishable by fine.[191] In 1997, the State Bureau of Technical Supervision began working on a new number system that will be used for Social Security and ID cards.[192] Smart card development is reportedly underway in China, with both domestic and international players competing to develop chips and modules to meet design and regulatory specifications.[193] In December 1998, authorities began a test program requiring five hotels in Guangzhou to fax copies of the data of all customers to the Public Security Bureau to capture “unwanted elements.”[194]

Special Administrative Region of Hong Kong

Following the People’s Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997, the constitutional protections of privacy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Article 29 provides “The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited.” Article 30 provides, “The freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses.” Also relevant is Article 17 of the International Covenant on Civil and Political Rights, which was incorporated into Hong Kong’s domestic law with the enactment of the Bill of Rights Ordinance.[195] Article 39 of the Basic Law provides that the Covenant as applied to Hong Kong shall remain in force and implemented through the laws of Hong Kong.

In 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance,[196] and most of its provisions took effect in December 1996. The legislation enacts most of the recommendations made by the Hong Kong Law Reform Commission following its six-year comparative study.[197] The statutory provisions adopt features of a variety of existing data protection laws and the draft version of the EU Directive is also reflected in several provisions. It sets six principles to regulate the collection, accuracy, use and security of personal data as well as requiring data users to be open about data processing and conferring on data subjects the right to be provided a copy of their personal data and to effect corrections.

The Ordinance does not differentiate between the public and private sectors, although many of the exemptions will more readily apply to the former. A broad definition of “personal data” is adopted so as to encompass all readily retrievable data recorded in all media that relates to an identifiable individual. It does not attempt to differentiate personal data according to its sensitivity. The Ordinance imposes additional restrictions on certain processing, namely data matching, transborder data transfers, and direct marketing. Data matching requires the prior approval of the Privacy Commissioner. The transfer of data to other jurisdictions is subject to restrictions that mirror those of the EU Directive. Also based on the directive is the requirement that upon first use of personal data for direct marketing purposes, a data user must inform the data subject of the opportunity to opt-out from further approaches. The Commissioner had informal discussions with the EU over the question of adequacy but has not received a formal note on the adequacy of the statute.

The Ordinance establishes the Office of the Privacy Commissioner to promote and enforce compliance with statutory requirements.[198] The Commissioner is given strong enforcement powers based on those contained in the UK Data Protection Act. In addition to investigating complaints, the commissioner may initiate his own investigations of reasonably suspected contraventions. He may also conduct audits of selected data users. A contravention of any provision other than a data protection principle is a criminal offense. A contravention causing the data subject damage (including injured feelings) is a basis for claiming compensation. The Commissioner is empowered to designate classes of data users required to publicly register the main features of their data processing. The Commissioner may issue