Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age.[1]
Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties. Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information. In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.
Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define.[2] Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information.
Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs.[3] The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."[4]
Some viewpoints on privacy:
In the 1890s, future United States Supreme Court Justice Louis Brandeis articulated a concept of privacy that urged that it was the individual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms in a democracy, and he was concerned that it should be reflected in the Constitution.[5]
Robert Ellis Smith, editor of the Privacy Journal, defined privacy as "the desire by each of us for physical space where we can be free of interruption, intrusion, embarrassment, or accountability and the attempt to control the time and manner of disclosures of personal information about ourselves."[6]
According to Edward Bloustein, privacy is an interest of the human personality. It protects the inviolate personality, the individual's independence, dignity and integrity.[7]
According to Ruth Gavison, there are three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person.[8]
The Calcutt Committee in the United Kingdom said that, "nowhere have we found a wholly satisfactory statutory definition of privacy." But the committee was satisfied that it would be possible to define it legally and adopted this definition in its first report on privacy:
The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.[9]
The Preamble to the Australian Privacy Charter provides that, "A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy...Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech...Privacy is a basic human right and the reasonable expectation of every person."[10]
Privacy can be divided into the following separate but related concepts:
Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records. It is also known as "data protection";
Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches;
Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication; and
Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks.
There are four major models for privacy protection. Depending on their application, these models can be complementary or contradictory. In most countries reviewed in the survey, several are used simultaneously. In the countries that protect privacy most effectively, all of the models are used together to ensure privacy protection.
In many countries around the world, there is a general law that governs the collection, use and dissemination of personal information by both the public and private sectors. An oversight body then ensures compliance. This is the preferred model for most countries adopting data protection laws and was adopted by the European Union to ensure compliance with its data protection regime. A variation of these laws, which is described as a "co-regulatory model," was adopted in Canada and Australia. Under this approach, industry develops rules for the protection of privacy that are enforced by the industry and overseen by the privacy agency.
Some countries, such as the United States, have avoided enacting general data protection rules in favor of specific sectoral laws governing, for example, video rental records and financial privacy. In such cases, enforcement is achieved through a range of mechanisms. A major drawback with this approach is that it requires that new legislation be introduced with each new technology so protections frequently lag behind. The lack of legal protections for individual's privacy on the Internet in the United States is a striking example of its limitations. There is also the problem of a lack of an oversight agency. In many countries, sectoral laws are used to complement comprehensive legislation by providing more detailed protections for certain categories of information, such as telecommunications, police files or consumer credit records.
Data protection can also be achieved, at least in theory, through various forms of self-regulation, in which companies and industry bodies establish codes of practice and engage in self-policing. However, in many countries, especially the United States, these efforts have been disappointing, with little evidence that the aims of the codes are regularly fulfilled. Adequacy and enforcement are the major problem with these approaches. Industry codes in many countries have tended to provide only weak protections and lack enforcement.
With the recent development of commercially available technology-based systems, privacy protection has also moved into the hands of individual users. Users of the Internet and of some physical applications can employ a range of programs and systems that provide varying degrees of privacy and security of communications. These include encryption, anonymous remailers, proxy servers and digital cash.[11] Users should be aware that not all tools effectively protect privacy. Some are poorly designed while others may be designed to facilitate law enforcement access. (For more discussion of this subject, see the section on Privacy Enhancing Technologies).
The recognition of privacy is deeply rooted in history. There is recognition of privacy in the Qur'an[12] and in the sayings of Mohammed.[13] The Bible has numerous references to privacy.[14] Jewish law has long recognized the concept of being free from being watched.[15] There were also protections in classical Greece and ancient China.[16]
Legal protections have existed in Western countries for hundreds of years. In 1361, the Justices of the Peace Act in England provided for the arrest of peeping toms and eavesdroppers.[17] In 1765, British Lord Camden, striking down a warrant to enter a house and seize papers wrote, "We can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society, for papers are often the dearest property any man can have."[18] Parliamentarian William Pitt wrote, "The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter; the rain may enter - but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement."[19]
Various countries developed specific protections for privacy in the centuries that followed. In 1776, the Swedish Parliament enacted the Access to Public Records Act that required that all government-held information be used for legitimate purposes. France prohibited the publication of private facts and set stiff fines for violators in 1858.[20] The Norwegian Criminal Code prohibited the publication of information relating to "personal or domestic affairs" in 1889.[21]
In 1890, American lawyers Samuel Warren and Louis Brandeis wrote a seminal piece on the right to privacy as a tort action, describing privacy as "the right to be left alone."[22] Following the publication, this concept of the privacy tort was gradually picked up across the United States as part of the common law.
The modern privacy benchmark at an international level can be found in the 1948 Universal Declaration of Human Rights, which specifically protects territorial and communications privacy.[23] Article 12 states:
No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.
Numerous international human rights treaties specifically recognize privacy as a right.[24] The International Covenant on Civil and Political Rights (ICCPR), Article 17,[25] the United Nations Convention on Migrant Workers, Article 14,[26] and the UN Convention on Protection of the Child, Article 16[27] adopt the same language.[28]
On the regional level, various treaties make these rights legally enforceable. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950[29] states:
(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health of morals, or for the protection of the rights and freedoms of others.
The Convention created the European Commission of Human Rights and the European Court of Human Rights to oversee enforcement. Both have been active in the enforcement of privacy rights and have consistently viewed Article 8's protections expansively and interpreted the restrictions narrowly.[30] The Commission found in 1976:
For numerous Anglo-Saxon and French authors, the right to respect "private life" is the right to privacy, the right to live, as far as one wishes, protected from publicity...In the opinion of the Commission, however, the right to respect for private life does not end there. It comprises also, to a certain degree, the right to establish and develop relationships with other human beings, especially in the emotional field for the development and fulfillment of one's own personality.[31]
The Court has reviewed member states' laws and imposed sanctions on numerous countries for failing to regulate wiretapping by governments and private individuals.[32] It has also reviewed cases of individuals' access to their personal information in government files to ensure that adequate procedures exist.[33] It has expanded the protections of Article 8 beyond government actions to those of private persons where it appears that the government should have prohibited those actions.[34]
Other regional treaties are also beginning to be used to protect privacy. Article 11 of the American Convention on Human Rights sets out the right to privacy in terms similar to the Universal Declaration.[35] In 1965, the Organization of American States proclaimed the American Declaration of the Rights and Duties of Man, which called for the protection of numerous human rights, including privacy.[36] The Inter-American Court of Human Rights has begun to address privacy issues in its cases.
Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology. The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. The genesis of modern legislation in this area can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978).[37]
Two crucial international instruments evolved from these laws. The Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data[38] and the Organization for Economic Cooperation and Development's (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data[39] set out specific rules covering the handling of electronic data. These rules describe personal information as data that are afforded protection at every step from collection to storage and dissemination.
The expression of data protection in various declarations and laws varies. All require that personal information must be:
These two agreements have had a profound effect on the enactment of laws around the world. Nearly thirty countries have signed the COE convention and several others are planning to do so shortly. The OECD guidelines have also been widely used in national legislation, even outside the OECD member countries.
There are three major reasons for the movement towards comprehensive privacy and data protection laws. Many countries are adopting these laws for one or more reasons.
To remedy past injustices. Many countries, especially in Central Europe, South America and South Africa, are adopting laws to remedy privacy violations that occurred under previous authoritarian regimes.
To promote electronic commerce. Many countries, especially in Asia, have developed or are currently developing laws in an effort to promote electronic commerce. These countries recognize that consumers are uneasy with the increased availability of their personal data, particularly with new means of identification and forms of transactions. These countries recognize consumers are uneasy with their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules.
To ensure laws are consistent with Pan-European laws. Most countries in Central and Eastern Europe are adopting new laws based on the Council of Europe Convention and the European Union Data Protection Directive. Many of these countries hope to join the European Union in the near future. Countries in other regions are adopting new laws or updating older laws to ensure that trade will not be affected by the requirements of the European Union Directive.
In 1995, the European Union enacted the Data Protection Directive in order to harmonize member states' laws in providing consistent levels of protections for citizens and ensuring the free flow of personal data within the European Union. The directive sets a baseline common level of privacy that not only reinforces current data protection law, but also establishes a range of new rights. It applies to the processing of personal information in electronic and manual files.[40]
A key concept in the European data protection model is "enforceability." Data subjects have rights established in explicit rules. Every European Union country has a data protection commissioner or agency that enforces the rules. It is expected that the countries with which Europe does business will need to provide a similar level of oversight.
The basic principles established by the Directive are: the right to know where the data originated; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from being sent direct marketing material. The Directive contains strengthened protections over the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs. In the future, the commercial and government use of such information will generally require "explicit and unambiguous" consent of the data subject.
The 1995 Directive imposes an obligation on member states to ensure that the personal information relating to European citizens has the same level of protection when it is exported to, and processed in, countries outside the European Union. This requirement has resulted in growing pressure outside Europe for the passage of privacy laws. Those countries that refuse to adopt adequate privacy laws may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data.
In 1997, the European Union supplemented the 1995 directive by introducing the Telecommunications Privacy Directive.[41] This directive established specific protections covering telephone, digital television, mobile networks and other telecommunications systems.[42] It imposed wide-ranging obligations on carriers and service providers to ensure the privacy of users' communications, including Internet-related activities. It covered areas that, until then, had fallen between the cracks of data protection laws. Access to billing data was severely restricted, as was marketing activity. Caller ID technology was required to incorporate an option for per-line blocking of number transmission. Information collected in the delivery of a communication was required to be purged once the call was completed.
In July 2000, the European Commission issued a proposal for a new directive on privacy in the electronic communications sector.[43] The proposal was introduced as a part of a larger package of telecommunications directives aimed at strengthening competition within the European electronic communications markets. As originally proposed, the new directive would have strengthened privacy rights for individuals by extending the protections that were already in place for telecommunications to a broader, more technology-neutral category of "electronic communications." During the process, however, the Council of Ministers began to push for the inclusion of data retention provisions, requiring Internet Service Providers and telecommunications operators to store logs of all telephone calls, e-mails, faxes, and Internet activity for law enforcement purposes. These proposals were strongly opposed by most members of the Parliament. In July 2001, the European Parliament's Civil Liberties Committee approved the draft directive without data retention stating:
The Civil Liberties Committee (LIBE Committee) expressed itself in favour of a strict regulation of law enforcement authorities' access to personal data of citizens, such as communication traffic and location data. This decision is fundamental because in this way the EP blocks European Union States' efforts underway in the Council to put their citizens under generalised and pervasive surveillance, following the Echelon model.
Following the events of September 11, however, the political climate changed and the Parliament came under increasing pressure from member states to adopt the Council's proposal for data retention. The United Kingdom and the Netherlands, in particular, questioned whether the proposed privacy rules still struck "the right balance between privacy and the needs of the law enforcement agencies in the light of the battle against terrorism."[44] The Parliament stood firm and up to a few weeks before the final vote on May 30, 2002, the majority of the Members of Parliament opposed any form of data retention. Finally, after much pressure by the European Council and European Union governments, and well organized lobbying by two Spanish MEPs,[45] the two main political parties (PPE and PSE, the center-left and center-right parties) reached a deal to vote in favor of the Council's position.
On June 25, 2002 the European Union Council adopted the new Privacy and Electronic Communications Directive as voted in the Parliament.[46]Under the terms of the new Directive, member states may now pass laws mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication device. Such requirements can be implemented for purposes varying from national security to the prevention, investigation and prosecution of criminal offences.
In other areas, the Privacy and Electronic Communications Directive had a more favorable outcome. For example, it adds new definitions and protections for "calls," "communications," "traffic data" and "location data" in order to enhance the consumer's right to privacy and control in all kinds of data processing. These new provisions ensure the protection of all information ("traffic") transmitted across the Internet, prohibit unsolicited commercial marketing by e-mail ("spam") without consent, and protect mobile phone users from precise location tracking and surveillance. The directive also gives subscribers to all electronic communications services (such as GSM and e-mail) the right to choose whether they are listed in a public directory.
The Directive will enter into force from data of publication in the official journal. After that time member states will have fifteen months to implement its provisions.
An essential aspect of any privacy protection regime is oversight. In most countries with an omnibus data protection or privacy act, there is an official or agency that oversees enforcement of the act. The powers of these officials, Commissioner, Ombudsman or Registrar, vary widely by country.Several countries including Germany and Canada also have officials or offices on a state or provincial level.
Under Article 28 of the European Union Data Protection Directive, all European Union countries must have an independent enforcement body. Under the Directive, these agencies are given considerable power: governments must consult the body when the government draws up legislation relating to the processing of personal information; the bodies also have the power to conduct investigations and have a right to access information relevant to their investigations; impose remedies such as ordering the destruction of information or ban processing, and start legal proceedings, hear complaints and issue reports. The official is also generally responsible for public education and international liaison in data protection and data transfer. Many authorities also maintain the register of data controllers and databases. They must approve licensing for data controllers.
Several countries that do not have a comprehensive act still have a commissioner. A major power of these officials is to focus public attention on problem areas, even when they do not have any authority to fix the problem. They can do this by promoting codes of practice and encouraging industry associations to adopt them. They also can use their annual reports to point out problems. For example, in Canada, the Federal Privacy Commissioner announced in his 2000 report the existence of an extensive database maintained by the federal government. Once the issue became public, the Ministry disbanded the database.
In several countries, this official also serves as the enforcer of the jurisdiction's Freedom of Information Act. These include Hungary, Estonia, Thailand and the United Kingdom.On the sub-national level, many of the German Lund Commissioners have recently been given the power of information commissioner, and most of the Canadian provincial agencies handle both data protection and freedom of information.
A major problem with many agencies around the world is a lack of resources to adequately conduct oversight and enforcement. Many are burdened with licensing systems, which use much of their resources. Others have large backlogs of complaints or are unable to conduct significant number of investigations. Many that started out with adequate funding find their budgets cut a few years later.
Independence is also a problem. In many countries, the agency is under the control of the political arm of the government or part of the Ministry of Justice and lacks the power or will to advance privacy or criticize privacy invasive proposals. In Japan and Thailand, the oversight agency is under the control of the Prime Minister's Office. In Thailand, the director was transferred in 2000 after conflicts with the Prime Minister's Office. In 2001, Slovenia amended its Data Protection Act in order to establish an independent supervisory authority and thereby ensure compliance with the Data Protection Directive.This was previously the responsibility of the Ministry of Justice.
Finally, in some countries that do not have a separate office, the role of investigating and enforcing the laws is done by a human rights ombudsman or by a parliamentary official.
The ease with which electronic data flows across borders leads to a concern that data protection laws could be circumvented by simply transferring personal information to third countries, where the national law of the country of origin does not apply. This data could then be processed in those countries, frequently called "data havens," without any limitations.
For this reason, most data protection laws include restrictions on the transfer of information to third countries unless the information is protected in the destination country. For example, Article 12 of the Council of Europe's 1981 Convention places restrictions on the transborder flows of personal data.[47] Similarly, Article 25 of the European Directive imposes an obligation on member States to ensure that any personal information relating to European citizens is protected by law when it is exported to, and processed in, countries outside Europe. It states:
The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.
This requirement has resulted in growing pressure outside Europe for the passage of strong data protection laws. Those countries that refuse to adopt meaningful privacy laws may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data. Determination of a third country's system for protecting privacy is made by the European Commission. The overarching principle in this determination process is that the level of protection in the receiving country must be "adequate" rather than "equivalent." Therefore, a reasonably high standard of protection is expected from the third party, although the precise dictates of the Directive need not be followed.
On July 26, 2000, the European Commission ruled that both Switzerland and Hungary provide "adequate" protection for personal information and therefore that all transfers of personal data to these countries could continue. [48] In January 2002, the European Commission recognized that the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) provides adequate protection for certain personal data transferred from the European Union to Canada. The Commission's decision of adequacy does not cover any personal data held by federal sector or provincial bodies or information held by personal organizations and used for non-commercial purposes, such as data handled by charities or collected in the context of an employment relationship.[49] The Commission is currently looking into the privacy protection schemes in several other non-European Union countries, including New Zealand, Australia, and Hong-Kong.
Another possible way to protect the privacy of information transferred to countries that do not provide "adequate protection" is to rely on a private contract containing standard data protection contractual clauses. This kind of contract would bind the data processor to respect fair information practices such as the right to notice, consent, access and legal remedies. In the case of data transferred from the European Union, the contract would have to meet the standard "adequacy" test, in order to satisfy the Data Protection Directive.[50] Several model clauses that could be included in such a contract were outlined in a 1992 joint study by the Council of Europe, the European Commission and the International Chamber of Commerce.[51] In a June 2000 report (see below), the European Parliament accused the European Commission of a "serious omission" in failing to draft standard contractual clauses that European citizens could invoke in the courts of third countries before the Data Directive came into force.[52] It recommended that they do so before September 30, 2000.[53] In July 2001, the Commission issued a final decision approving the standard contractual clauses.[54] During the drafting process, the United States criticized the standard contactsas "unduly burdensome" and "incompatible with real world operations."[55]
Although the Commission never issued a formal opinion on the adequacy of privacy protection in the United States, there were serious doubts whether the United States' sectoral and self-regulatory approach to privacy protection would pass the adequacy standard set out in the Directive. The European Union commissioned two prominent United States law professors, who wrote a detailed report on the state of United States privacy protections and pointed out the many gaps in United States protection.[56]
The United States strongly lobbied the European Union and its member countries to find the United States system adequate. In 1998, the United States began negotiating a "Safe Harbor" agreement with the European Union in order to ensure the continued transborder flows of personal data. The idea of the "Safe Harbor" was that United States companies would voluntarily self-certify to adhere to a set of privacy principles worked out by the United States Department of Commerce and the Internal Market Directorate of the European Commission. These companies would then have a presumption of adequacy and they could continue to receive personal data from the European Union. Negotiations on the drafting of the Safe Harbor principles lasted nearly two years and were the subject of bitter criticism by privacy and consumer advocates.[57] In early July, the European Parliament approved a forceful resolution that the agreement needed to be re-negotiated in order to provide adequate protection.[58]
On July 26, 2000, the Commission approved the agreement.[59] The Commission did, however, promise to re-open negotiations on the arrangement if the remedies available to European citizens proved inadequate. European Union member states were given 90 days to put the Commission's decision into effect and United States companies began joining Safe Harbor in November 2000. There is an open-ended grace period for United States signatory companies to implement the principles.
The principles require all signatory organizations to provide individuals with "clear and conspicuous" notice of the kind of information they collect, the purposes for which it may be used, and any third parties to whom it may be disclosed. This notice must be given at the time of the collection of any personal information or "as soon thereafter as is practicable." Individuals must be given the ability to choose (opt-out of) the collection of data where the information is either going to be disclosed to a third party or used for an incompatible purpose. In the case of sensitive information, individuals must expressly consent (opt-in) to the collection. Organizations wishing to transfer data to a third party may do so if the third party subscribes to Safe Harbor or if that third party signs an agreement to protect the data. Organizations must take reasonable precautions to protect the security of information against loss, misuse and unauthorized access, disclosure, alteration and destruction. Organizations must provide individuals with access to any personal information held about them, and with the opportunity to correct, amend, or delete that information where it is inaccurate. This right is to be granted only if the burden or expense of providing access would not be disproportionate to the risks to the individual's privacy or where the rights of persons other than the individual would not be violated. In terms of enforcement, organizations must provide access to readily available and affordable independent recourse mechanisms that may investigate complaints and award damages. They must issue follow up compliance procedures and must adhere to sanctions for failing to comply with the Principles.
Privacy advocates and consumer groups both in the United States and Europe are highly critical of the European Commission's decision to approve the agreement, which they say will fail to provide European citizens with adequate protection for their personal data.[60] The agreement rests on a self-regulatory system whereby companies merely promise not to violate their declared privacy practices. There is little enforcement or systematic review of compliance. The Safe Harbor status is granted at the time of self-certification. There is no individual right to appeal or right to compensation for privacy infringements. There is an open-ended grace period for United States signatory companies to implement the principles. The agreement will only apply to companies overseen by the Federal Trade Commission and Department of Transportation (excluding the financial and telecommunications sectors) and there are special exceptions granted for public records information protected by European Union law.
In February 2002, the European Commission issued a report on the practical operation of the European Union-United States Safe Harbor Agreement.[61] This was the first report to evaluate the success of the agreement. It concluded that all the essential elements of the agreement are in place and that a structure exists for individuals to lodge complaints if they feel their rights have been infringed. It did find, however, that there is not sufficient transparency among the organizations that have signed up to Safe Harbor and that not all dispute resolution providers relied on to enforce Safe Harbor actually comply with the privacy principles in the agreement itself. The Commission will issue a full evaluation of the agreement in 2003.
In July 2002, the Article 29 Data Protection Working Party issued a working paper on the functioning of the agreement. In it, the Working Party expressed its intention to study the agreement in further detail with particular regard to "possible gaps between the principles... and the implementing practices" and also "the transparency requirements to be met by organizations." The Working Party called on all authorities, organizations and companies concerned to enhance compliance and awareness of the Agreement.[62]