Copyright © 2003 by the Electronic Privacy Information Center and Privacy International
First edition 2003
Printed in the United States of America
All Rights Reserved
ISBN:1-893044-18-1
The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, DC It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC is a member of the Transatlantic Consumer Dialogue, the Global Internet Liberty Campaign, the Internet Free Expression Alliance and the Internet Privacy Coalition.
The EPIC Bookstore provides a comprehensive selection of books and reports on computer security, cryptography, the First Amendment and free speech, open government, and privacy. Visit the EPIC Bookstore at http://www.epic.org/bookstore.
Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, DC PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems, and medical privacy.
An electronic version of this report and updates is available from the Privacy International web page at www.privacyinternational.org
Marc Rotenberg, Executive Director
David L. Sobel, General Counsel
Chris Jay Hoofnagle, Deputy Counsel
Cédric Laurant, Policy Counsel
Ruchika Agrawal, IPIOP Science Policy Analyst
Marcia Hofmann, IPIOP Counsel
Frannie Wellings, IPIOP Fellow
Emily Cadei, Communications Associate
Mihir Kshirsagar, IPIOP Policy Analyst
Tiffany A. Stedman, IPIOP Policy Analyst
David Lesher, Technology Director
Wayne Madsen, Senior Fellow
Stephanie Perrin, Senior Fellow
Anna Slomovic, Senior Fellow
This study was first undertaken by David Banisar, Deputy Director of Privacy International in 1997 and has been updated on an annual basis since then. The 2002 update was prepared by Sarah Andrews, Research Director at EPIC, and Gus Hosein, Senior Fellow at Privacy International. The 2003 revisions were coordinated by Cédric Laurant, EPIC Policy Counsel. Substantial writing and research was provided by EPIC staff, Gus Hosein, and the law students who have participated in the EPIC Public Interest Opportunities Program (IPIOP). The 2002 IPIOP Fellows were Nicole Anastasopoulos, Will DeVries, Marcia Hofmann, Dwayne Nelson, Carla Meninsky, Greg Pemberton, Sara Rose and Jason Young. The 2003 IPIOP Fellows were John Baggaley, Doug Barnes, Erik Blum, Eva Gutierrez, Milana Homsi, Waseem Karim, Heather Newton, Christian Schröder, Sherwin Siy, Tiffany Stedman, Liz Tockman, and Maryam Zafar.
To gather information for this study and previous editions, knowledgeable individuals from academia, government, human rights groups and other fields were asked to submit reports and information. Their reports were supplemented with information gathered from constitutions, laws, international and national government documents, news reports, human rights reports and other sources.
EPIC and Privacy International would like to thank the following people for providing invaluable reports, information and advice to various editions of the Privacy and Human Rights survey: Jason Abrams; Linda Ackerman, Privacy Activism, United States; Andrzej Adamski, Nicolas Copernicus University, Poland; Yaman Akdeniz, University of Leeds and Cyber-Rights & Cyber-Liberties, United Kingdom; Ken Anderson, Information and Privacy Commission of Ontario, Canada; Antonio M. Aveleyra Ortiz, Universidad Iberoamericana, Mexico; Zuzana Babicová, Office for Personal Data Protection, Slovak Republic; Christoffer Badse, Danish Institute for Human Rights, Denmark; Aiga Balode, Data State Inspection, Republic of Latvia; Andrej D. Bartosiewicz, Association for Support of Local Democracy, Slovak Republic; Colin Bennett, University of Victoria, Canada; Jacques Berleur, Facultés Universitaires Notre-Dame de la Paix, Belgium; Mark Berthold, Office of the Ombudsman, New Zealand; Diana Alonso Blas, College Bescherming Persoonsgegevens,Netherlands; Joze Bogataj, Data Protection Inspectorate, Republic of Slovenia; Stefan Brands, Credentica and McGill School of Computer Science, Canada; Ian Brown, Foundation for Information Policy Research, United Kingdom; Mads Bryde Andersen, University of Copenhagen, Denmark; Herbert Burkert, GMD, Germany; Heiner Busch, Switzerland; Lee Bygrave, Norwegian Research Centre for Computers and Law (Institutt for rettsinformatikk) and Faculty of Law, University of Oslo, Norway, Baker & McKenzie Cyberspace Law and Policy Centre and Faculty of Law, University of New South Wales, Australia; Rafael Fernández Calvo, CLI, Spain; Anne Carblanc, Organization for Economic Cooperation and Development, France; Fred Carter, Privacy Commissioner's office, Canada; Pavel Cerny, EPS, Czech Republic; David Casacuberta, Computer Professionals for Social Responsibility-Spain, Spain; Beng Seng Chan, Documentation for Action Groups in Asia, Hong Kong; Dmitry Chereshkin, Russian Academy of Natural Sciences; Chris Chiu, American Civil Liberties Union, United States; Kira Kolby Christensen, Legal Adviser, Datatilsynet, Denmark; Panageas Christos, City College, Greece; Tyng-Ruey Chuang, Taiwan Association of Human Rights, Taiwan; David Clancy, Information Commissioner's Office, United Kingdom; Richard Claude, United States; Tracy Cohen, Toronto University, Canada; Bela Csiszer, Budapest University of Technology and Economics, Hungary; Ulrich Dammann, Bundesbeauftragte für den Datenschutz, Germany; Ravi Dhar, Punjab Agricultural University, India; Alexander Dix, Commissioner for Data Protection and Access to Information (Brandenburg) Germany; Ronnie Downes, Irish Data Protection Agency, Ireland; Pavan Duggal, Cyberlaws.net, Cyberlaw Asia and Cyberlaw India, India; Alexandre Dulaunoy, Association Electronique Libre, Belgium; Jos Dumortier, Katholieke Universiteit of Leuven and Interdisciplinary Centre for Law and Information Technology, Belgium; Bo Elkjaer, Denmark; Jón Erlendsson, Iceland; Maria Farrell, International Chamber of Commerce, France; Emilio Aced Félez, Agencia de Protección de Datos, Spain; William G. Ferroggiard, National Security Archive, United States; Anne-Marije Fontein, College Bescherming Persoonsgegevens, Netherlands; Maurice Frankel, Campaign for Freedom of Information, United Kingdom; Gabor Freidler, Office of the Parliamentary Commissioner for Data Protection and Freedom of Information, Hungary; Zoltan Galantai, Budapest University of Technology and Economics, Hungary; Miguel Angel Garcia, MAG (Estudios de Consumo), Spain; Marie Georges, CNIL (Commission Nationale Informatique et Libertés), France; Rishab Aiyer Ghosh, India; Ann Goldsmith, Office of the Privacy Commissioner, Canada; Eric Goldstein, Human Rights Watch Middle East/North Africa, United States; Graham Greenleaf, University of New South Wales, Australia; Marina Gromova, Russia; Valeriu Guguianu, Ministry of Public Information, Romania; Alex Hamilton, Liberty, United Kingdom; Pétur Hauksson, Mannvernd, Iceland; Hordur Helgi Helgason, Icelandic Data Protection Authority (Persónuvernd), Iceland; Bénédicte Havelange, Commission de la protection de la vie privée, Belgium; Helmut. Heil, Bundesbeauftragte für den Datenschutz, Germany; Jan Holvast, Holvast and Partners, Netherlands; Masao Horibe, Chuo University School of Law, Japan; Axel Horns, FITUG e.V. (Förderverein Informationstechnik und Gesellschaft), Austria; Deborah Hurley, Harvard Information Infrastructure Project, United States; Pavol Husar, Commissioner for the Protection of Personal Data in Information Systems, Slovak Republic; Yutaka Ishikawa, Chuo University School of Law, Japan; Joichi Ito, Japan; Joel Jaakkola, Finland; Triinu Jaaksoo, Data Protection Inspectorate, Estonia; Ona Jakstaite, State Data Protection Inspectorate, Lithuania; Rikke Frank Joergensen, Digital Rights, Denmark; Sigrún Jóhannesdóttir, The Icelandic Data Protection Commission, Iceland; Barbara Jurgeleviciene, State Data Protection Inspectorate of the Republic of Lithuania, Lithuania; Myungkoo Kang, Seoul National University, South Korea; Marina Karakonova, Access to Information Programme, Bulgaria; Alexander Kashumov, Access to Information Programme, Bulgaria; Michael Kassner, Electronic Privacy Information Center, United States; Yeoh Beng Keat, Ministry of Energy, Communications and Multimedia, Malaysia; Mindaugas Kiskis, Law University of Lithuania, Lithuania; Maija Kleemola, Office of Data Protection Ombudsman, Finland; Matej Kovacic, University of Ljubljana, Slovenia; Natalia Krajcovicova, Inspection Unit for the Protection of Personal Data, Slovak Republic; Andreas Krisch, VIBE!AT (Verein für Internet-Benutzer Österreichs), Austria; Dieter Kronegger, Arge Daten, Austria; Peter Kuhm, VIBE!AT (Verein für Internet-Benutzer Österreichs), Austria; Jorma Kuopus, Office of the Parliamentary Ombudsman, Finland; Margarita Lacabe, Derechos Human Rights, United States; Anne-Christine Lacoste, Commission de la protection de la vie privée, Belgium; Stephen Lau, former Hong Kong Privacy Commission; Pierre-Emmanuel Laurant, Elsewhere Entertainment, Belgium; Pippa Lawson, Public Interest Advocacy Centre, Canada; Georg Lechner, Austrian Data Protection Commission, Austria; Anatoly Levenchuk, Russia; Vaida Linartaite, State Data Protection Inspectorate, Lithuania; László Majtényi, Hungarian Information and Privacy Commissioner, Hungary; Bogdan Manolea, Romanian Information Technology Initiative, Romania; Veni Markovski, Internet Society Bulgaria, Bulgaria; Joe Meade, Data Protection Commissioner, Ireland; Meryem Marzouki, Imaginons un Réseau Internet Solidaire, France; Viktor Mayer-Schönberger, Harvard University, United States; Robin McLeish, Hong Kong; Pedro Mendizábal Simonetti; Computer Professionals for Social Responsibility-Peru, Peru; Erich Moechel, Quintessenz, Austria; Andrea Monti, Studio Legale Monti, Italy; Ioan Muraru, Avocatul Poporului, Romania; Dinesh Nair; Sjoera Nas, Bits of Freedom, Netherlands; Victor Naumov, Saint Petersburg Institute for Informatics RAS, Russia; Karel Neuwirt, Office for Personal Data Protection, Czech Republic; João Miguel Neves, Portugal; Detlef Nogala, Max-Planck-Institut, Germany; Bruno Nowak, Investlife, Luxembourg; Nelly Ognyanova, Bulgarian Institute for Legal Development, Bulgaria; Toshimaru Ogura, Toyama University, Japan; Ville Oksanen, Electronic Frontiers Finland, Finland; Kaidi Oone, Estonian State Chancellery, Department of State Information Systems, Estonia; Maxim Otstavnov, Computerra-Russia, Russia, Russia; Pablo A. Palazzi, Supreme Court of Argentina, Argentina; Vagelis Papakonstantinou, University of Frankfurt, Germany; Iris Pappo, Eitan, Pearl, Latzer & Cohen-Zedek, Israel; Hugues Parasie, Commission de la protection de la vie privée, Belgium; Andriy Pazyuk, Privacy Ukraine, Ukraine; Stephanie Perrin, Digital Discretion, Canada, and Electronic Privacy Information Center, United States; Alberto Escudero-Pascual, Royal Institute of Technology, Sweden; Charlotte Edholm Petersen, Datatilsynet, Denmark; Vladimir Pirosik, Environmental Lobbying Facility, Slovak Republic; Signe Plumina, State Data Inspection, Latvia; Erki Podra, Data Protection Inspectorate, Ukraine; Yves Poullet, Centre de Recherches Informatique et Droit, Belgium; Andrei Pribylov, Human Rights Network, Russia; Ivan Procházka, Office for Personal Data Protection, Czech Republic; Arturo Quirantes, University of Granada and Computer Professionals for Social Responsibility-Spain, Spain; Felix Rauch, Swiss Internet User Group, Switzerland; Joel Reidenberg, Fordham University Law School, United States; Nelson Remolina Angarita, Universidad de Los Andes, Colombia; Katitza Rodríguez Pereda, Computer Professionals for Social Responsibility-Peru and Privaterra-Perú, Peru; Dovota Rowicka, Bureau of Inspector General for the Protection of Personal Data, Poland; Felipe Rodriquez, Electronic Frontiers Australia, Australia; Roman Romanov, Sebastopol Group for Human Rights Protection, Ukraine; Anneliese Roos, University of South Africa, South Africa; Karen Rosier, Centre de Recherche Informatique et Droit, Belgium; Paul Roth, University of Otago, New Zealand; Sinapan Samydorai, Think Centre, Singapore; Dag Wiese Schartum, University of Oslo, Norway; Anat Scolnicov, Association for Civil Rights in Israel, Israel; Jin Wan Seo, University of Inchon, South Korea; Maria U. Shkarlat, Internews-Ukraine, Ukraine; Per Helge Sørensen, Digital Rights, Denmark; Antonino Serra Cambaceres, Consumers International; Justyna Seweryoska, Bureau of the Inspector General for the Protection of Personal Data, Poland; Bernard Silva, Office of the Federal Privacy Commissioner, Australia; Sergei Smirnov, Human Rights Network, Russia; Robert Ellis Smith, Privacy Journal, United States; Christoph Sobotta, University of Frankfurt, Germany; Per Helge Sørensen, Digital Rights Denmark, Denmark; Barry Steinhardt, American Civil Liberties Union, United States; Hana Stepankova, Office for Personal Data Protection, Czech Republic; Blair Stewart, New Zealand Privacy Commission, New Zealand; Bettina Stomper, Quintessenz, Austria; Thordur Sveinsson, Privacy and Data Protection Authority, Iceland; Ivan Szekely, Central European University, Hungary; Jérôme Thorel, France; Simonas Toliu, Law University of Lithuania, Lithuania; Igor Kowalewski, The Bureau of the Inspector General for Personal Data Protection, Poland; Kosmas Tsiraktsopulos, Swiss Data Protection Commission, Switzerland; Eduardo Ustaran, Berwin Leighton Paisner, United Kingdom; Mikko Valimaki, Electronic Frontiers Finland, Finland; Marie Vallée, Videotron, Canada; Shauna Van Dongen, Privacy Journal, United States; Vasja Vehovar, University of Ljubljana, Slovenia; Ondrej Veis, Charles University, Czech Republic; Geetha Veloo, Malaysia; Elisabeth Wallin, The Data Inspection Board, Sweden; Nigel Waters, Pacific Privacy Consulting and Australian Privacy Charter Council, Australia; Raymond Wacks, The University of Hong Kong, Hong Kong; Elizabeth Jane Walsh, University College Cork, Ireland; Maurice Wessling, Bits of Freedom, Netherlands, and European Digital Rights; Ingrid Wilson, Australian Privacy Commission, Australia; Niti Wirudchawong, Official Information Commission, Thailand; Bobson Wong, Digital Freedom Network, United States; Jason Young, Privaterra-Canada and Lex Informatica, Canada; Ko Youngkyoung, Social Information NetworkingGroup, South Korea.
Financial support for the 2003 Privacy and Human Rights report was provided by the Open Society Institute and the Ford Foundation.