It has become clear that private individuals were becoming concerned about two issues regarding the processing of personal information by organisations using computers. The first was that increasing amounts of so-called ‘junk mail’ were arriving clearly derived from computerised mailing lists. The second was that people were concerned that personal information about themselves was being processed without their knowledge. In particular, there was concern that this information was being communicated electronically to other organisations, was being massaged and merged with other data, and that decisions – credit ratings, job appointments and the like – were being taken on the basis of these data which might not be accurate. There was also particular concern regarding the manipulation of such data by security services, the police, the tax man, and so on, and particular concern, too, regarding sensitive data, such as medical and financial histories, records kept of political affiliations, sexual tastes and ethnic origin.
The rapid developments in ICT have led to increasing concern about the development of the so-called surveillance society. It is believed, whether justifiably or not, that governments and many private sector organisations are routinely collecting information about individuals for purposes that range from the bona fide to those which are sinister. Much of this information is easily and conveniently collected by electronic means, as every time an individual directly or indirectly interacts with electronic systems, he or she leaves so-called footprints in the snow, the so-called exoinformation[435].
One of the key ways that the citizen can redress the balance is by use of relevant data protection legislation. All data protection legislation is concerned with the handling of any information about individuals. That information handling can be in computerised form or in other forms, such as manual filing systems, tape recordings, CCTV footage, and the like. Some countries’ data protection laws cover only machine-readable data, but the trend is increasingly towards covering information in all media.
There is general consensus that individuals should have the right to keep information about themselves private. This is certainly the case when the information is of a very personal nature. In contrast, there is a general presumption that if an individual has chosen to publicly issue information about him or herself, e.g. by publishing an article, then he or she has forgone any right to privacy about that particular piece of information.
The difficult area lies in fields such as financial, health and career information, which an individual may feel should be kept private but which certain people feel they need access to in order to make informed judgements about that individual. There is also the question of the public interest in the case of individuals in the public eye.
The situation can be summarised as follows. There are three types of information: highly sensitive information that should not circulate at all; confidential information that should only be circulated on a need-to-know basis; and public information that need not have any restriction placed upon it.
However, in data protection law, the approach is more simplistic. The law applies to information about individuals, whether it is totally innocuous, such as author entries in library catalogues, moderately sensitive information such as home addresses and phone numbers, or highly sensitive information, such as people’s financial, criminal, medical or sexual histories.[436] It is worth stressing that it makes no difference how sensitive or innocuous the information is; it makes no difference how confidential or how public the information is; in general - there ARE some exceptions - all such data is subject to the relevant Data Protection Act. “Data protection” is, of course, a misnomer. It is actually protecting an individual from unwanted or harmful uses of data about him.
Data Protection legislation requires organisations that control records containing personal information about living identifiable individuals to register with an appropriate authority. The legislation also typically allows individuals who are the subject of such databases the right to know what records there are about them and the content of those records. Typically, too, there will be exceptions to permit the processing of data by government and related bodies for the purposes of crime prevention, national security, tax collecting, and the like without having to inform the data subject. Medical records are more controversial, with some countries maintaining that data subjects should have the right to see their own records, others thinking they should not.
These days, most developed countries have at least a minimum level of data protection legislation in place. The USA is notable in having only limited protection at a federal level, although many states have introduced such legislation. However, it must be remembered that data protection and FoI are in tension with one another. On the one hand, there is the view that everyone should have freedom of expression, the freedom to hold opinions and to impart information and the right to access information without interference. On the other hand, there is the view that every individual has the right to be left alone.
Such legislation includes at a minimum the following:
· Data users must register if they use personal data;
· Data subjects have the right to know that data are held about them, and to inspect what information is held about them;
· Data subjects can sue for damage caused by inaccurate data;
· Data users must abide by certain general principles and codes of practice;
· There are exemptions for matters of national security, crime prevention, etc.
· There must be systems in place to prevent unauthorised access, deletion or amendment of records.
Some legislation goes much further, for example requiring:
· Data users must request permission of data subjects before handling personal data;
· Data subjects can insist that data about them are wiped clean;
· Extension to manual systems as well as computerised systems;
· Data subjects shall be entitled to know to whom data about them have been passed;
· No decisions about the data subject may be made purely relying on information obtained from personal data files.
Despite the presence of these basic components, there are many subtle differences between different national legislations about data protection. Some countries have no national laws at all. Those that do have legislation have considerable variations in their definitions (‘data’, ‘personal data’, and so on), which lead to differences on questions such as whether (say) real-time or other transitory electronic data are subject to data protection.
There are differences, too, when one comes to consider the restrictions on gathering and storing personal data that apply. Some laws also prohibit the collection and storage of certain types of sensitive personal data; Luxembourg and French laws are particularly stringent on this. Danish law also has restrictions, some of which are deliberately designed to hamper direct mailing. Curiously, certain laws, such as those of France, Luxembourg and Denmark, extend data protection to legal persons (e.g., companies) as well as individuals.
There are differences, too, in registration procedures. In some cases, such as Luxembourg, processing cannot start until specific approval has been given; in most others, one can go ahead and process once registered, and can assume the registration is approved unless one hears to the contrary. The cost of registration varies from zero to about $250 in the many countries with data protection acts.
Disclosure provisions vary widely. In Britain, for example, one can disclose personal data to any third party, whilst in Luxembourg, one may not disclose data to any third party except with the specific permission of the minister of justice. Other countries lay down restrictions on when and how data may be passed to third parties. Some laws require that the data subject’s permission must be requested before a transfer overseas is permitted. Finally, there are many differences in criminal penalties for breaking the local data protection law, ranging from small fines through unlimited fines through to prison (e.g., Germany and France).
As with IPR, much of the legislation has been put in place by the efforts of international bodies, including the Council of Europe, OECD and the European Union. A full review of the recent history of data protection world-wide can be found in[437].
During the 1960s and the 1970s, a number of countries initiated studies on the subject. In 1967, the Swedish section of the Commission of Jurists held a conference on the issue; the Council of Europe sent observers to this. Between 1968 and 1970, the Council of Europe undertook a survey of human and modern scientific and technological developments, which concluded that existing laws did not provide sufficient protection for individuals.
As a result, the Council of Europe produced two resolutions on privacy and databanks, one for the public sector and one for the private sector, and in 1976 it established a Committee of Experts on data protection to prepare a Convention on Data Protection. The result was the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, issued in 1981. The European Commission immediately recommended all member states to ratify the convention, a response consistent with the commission’s long standing interest in the subject (the first suggestion that the Commission should develop a Directive on the subject was in 1975).
The guidelines[438] produced by the OECD are advisory, but have been extremely influential. These guidelines, which were formulated in the 1970s, have formed the basis of data protection and privacy laws in most industrialised nations that have adopted them (i.e., New Zealand, Australia and Canada), and greatly influenced the development of the EU Directive (see below). The guidelines outline eight data protection principles. The guidelines do not explicitly state how the principles are to be enforced.
In 1988, a Privacy Act was passed by the federal Parliament. The Act gave effect to Australia's agreement to implement the 1980 OECD Guidelines for the Protection of Privacy and Trans-border Flows of Personal Data. The Privacy Act 1988 established privacy safeguards that Commonwealth agencies must observe when collecting, storing, using and disclosing personal information. The Commonwealth Privacy Act 1988[439] lays down privacy safeguards which must be observed when Commonwealth (federal) and ACT government agencies collect, store, use and disclose personal information. The Act also gives individuals the right to access their personal information held by government and correction rights in relation to their own personal information.
All Commonwealth departments and agencies have the responsibility to make sure that their Web sites comply with the Privacy Act 1988[440]. The Australian Privacy Commissioner has established a set of guidelines so that they comply with the Privacy Act.
The Australian Privacy Commissioner has also issued a privacy policy to be adhered to by all Government Web sites. This policy covers the following issues: information collected, access to information collected, use of information collected and cookies.[441] According to the Commissioner, "nearly one third of Commonwealth websites still fail to meet the baseline requirement of displaying a privacy statement. For government agencies, anything less than 100% compliance is not acceptable."[442]
The Privacy Act was extended to the private sector under the Privacy Amendment (Private Sector) Bill 2000[443]. This Bill received the Royal assent in December 2000. The Attorney General claimed that the Bill was to be a "light touch" co-regulatory regime, as the Bill was drafted as an amendment to the Privacy Act 1988. However, the Bill contained a large number of exemptions and was considered not to be up to standard to meet the European Data Protection Directive. It was referred to the House Standing Committee on Legal and Constitutional Affairs for further analysis. It was finally passed into law in December 2000, with very few and only minor amendments. One of the main aims of this Bill was to significantly increase and make protection of information compulsory, whether used by or available in private or public sectors. The Act also intends to ensure that it is workable, nationally consistent and cost-effective; provides Australian businesses with a framework which will assist them to take a leading role in the global information economy; and finally is compatible with the European Union Directive on data protection to remove any potential barriers to international trade.[444]
Canada’s Privacy Act was passed by Parliament in 1982 and came into effect in 1983. Canadians had before then limited privacy rights (i.e., the protection of one’s personal information under the Human Rights Act – passed 1977). The Privacy Act was a wide expansion of the individual’s privacy rights and overrode the section in the 1977 Human Rights Act. The Privacy Act was a twin piece of legislation as part of the Access to Information Act that was passed at the exact same time. The Access to Information Act was, essentially, an instrument to create transparency and government accountability. The Privacy Act was passed at the same time as it was recognised that individuals should have the right of access to their own personal information held by government departments and agencies. The Privacy Act also mandated certain basic personal information rights such as: the right of correction of personal information if it was incorrect or misleading; the right of access to one’s own personal information; the right to have information used for the purpose for which it was collected with limited sharing within governments; and the right of the citizen to be notified when personal information was to be shared. Finally, there is a right of appeal to an independent body, in this case the Federal Privacy Commissioner.
The Information Commissioner and Privacy Commissioner share the same offices, but their functions are separate and each Commissioner is independent in his/her own right.
In 2000, the Personal Information Protection and Electronic Documents Act[445] was enacted. This Act was designed to regulate the processing of personal information by the private sector. The Act is split up into five parts, including:
Part 1 - Protection of personal information in the private sector
The purpose of this Part is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognises the right of privacy of individuals with respect to their personal information and the need of organisations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Part 2 - Electronic Documents
This Part provides recognition for the use of electronic alternatives in the manner where federal laws contemplate the use of paper to record or communicate information or transactions.
A number of amendments have to be made to the Canadian Evidence Act and to the Canadian Statutory Instruments Act.
The Act will be implemented in a number of stages. The first part of the Act came into force on January 1, 2001 and applies to every organisation that operates as a federal work, undertaking or that discloses personal information outside a province for consideration. However, there is one exception to this scheduled implementation. Any organisation that deals with personal health information will not enact upon the criteria in the Act until January 1st, 2002.
The third stage of implementation will commence on January 1, 2004. This is when the protection of personal information in the private sector will apply to every organisation that collects, uses or discloses personal information in the course of commercial activities.[446]
The European Union passed its important Data Protection Directive[447] in 1995. This was to have been implemented in all Member States before October 24th 1998, although in fact some Member States have failed to do so and are now subject to European Court actions. This Directive has a very broad scope. The claim was that inconsistent data protection laws in Member States were distorting the single market because some Member States were personal data “havens”. The objective was that the data protection laws of Member States should become compatible with each other, to enable the free movement of data/information within the EU and establish a high degree of personal data protection for EU citizens.
The EU Directive on Data Protection presents the bare minimum legislation to be implemented by Member States. No Member State can implement a law that is weaker than the Directive, but a Member State can introduce a stricter set of laws. This means that there remains room for variations and inconsistency between Member States of the EU. This may cause some problems for organisations and companies that conduct business across EU national borders. Nonetheless, the situation is far more uniform than it was before the passage of the Directive. The EU Directive covers public and private sectors within the EU Member States.
The Directive prohibits the transfer of personal data to countries outside the EEA (European Economic Area) that do not have “an adequate level of protection”. As a result of this, the EU Directive has placed pressure on non-EEA countries to adopt privacy standards similar to the European standard. This particularly applies to the USA, which has virtually no data protection legislation in place. Two questions are therefore generated: what is “transfer”, and what constitutes “an adequate level of protection”?
“Transfer” means either exporting data, or permitting people overseas to access the data. Placing personal data on the Internet permits people outside the EEA to access that data. Executives travelling from the UK to outside the EEA, or company Intranets that permit access to users outside the EEA, are just as problematic as the more obvious transfers.
Three key features can be identified that are likely to indicate that an adequate level of protection exists. These are as follows:
· The presence of a data protection law
· Rights for data subjects to inspect records about themselves, to demand rectification, and to sue for damage caused by inaccurate data.
· The presence of a supervisory body
It is still unclear how broadly or narrowly adequacy will be defined beyond these basic principles. It is likely that evaluation will depend upon the particular circumstances of the type of data being transferred. Thus, transfer of one type of data to a particular country may be acceptable, whilst transfer of sensitive personal data to the same country may not be.
The USA at present has no federal data protection law. Personal data use is largely self-regulated by trade associations. So, prima facie, transfer to the USA is illegal. This is a reflection of a fundamental difference in approach. The USA favours commercial enterprises; the EU favours human rights. The EU is not just trying to obtain a uniform law amongst its Member States. It is also trying to impose its standards of personal privacy on other countries. This has greatly angered many in the USA. Many in the USA have argued that the USA should not comply with the extra-territorial application of another jurisdiction’s laws. They would also argue that the trade in personal data is so widespread in the USA, and so profitable, that it must not be damaged. There is an argument that the cost of compliance on industry is too high to be justified by any social good thereby acquired. Finally, there are the arguments that the US Constitution is incompatible with data protection laws, and voluntary codes work effectively anyway.
To get round this awkward problem, the idea of “safe harbours” in non-EEA countries (and in particular the USA) has been developed. These are companies that commit to a set of privacy principles. Any data transferred is stored by the safe harbour and may not be transferred anywhere else. Safe harbours voluntarily adhere to a binding set of data protection principles approved by the EU, and then enter into contracts with data controllers within the EU. The US Department of Commerce would maintain the list of approved US safe harbour organisations. The personal data could not be passed out of these safe harbours without special safeguards being implemented and approved. The development of such safe harbours in the USA appeared until April 2001 to be assured, but the new Bush administration took issue with the burden that it claimed a safe harbour would impose on US corporations.
Another idea is to use “model contracts” between the EU data “exporter” and the US receiving organisation. The difficulty with these is that if the US “importer” breaks the contract, say by passing a long list of personal details to another organisation, there is little the aggrieved individuals that have suffered can then do.
The EU has recommended standard contractual clauses to deal with transfers outside the EEA.
The Directive has a number of exemptions. It does not apply to the processing of data by individuals in the course of purely personal or household activities, or to areas such as public security, defence or criminal law enforcement which are outside the competence of the EC and remain a national prerogative.[448]
The collectors, processors and users of personal information must comply with the following principles under the EU Directive:
· Data should be processed fairly and lawfully.
· They should be collected for specified purposes and used accordingly. The purpose of the processing should be explicit and should be legitimate.
· Data should be adequate, relevant and not excessive in relation to the purpose for which they are processed.
· Data should be accurate and where necessary kept up to date. Data controllers are required to take any reasonable step to ensure the rectification or erasure of inaccurate data.
· Finally, data should be kept in a form which permits identification of individuals for no longer than is necessary.[449]
The related 1997 Telecommunications Directive was established to provide specific protection to cover the telephone, digital television, mobile networks and other telecommunications systems.[450]
All EU member states have a privacy commissioner to enforce their data protection laws. Other features of Member States’ initiatives are noted below.
Denmark's "The Act on Processing of Personal Data", its implementation of the EU Directive, came into force on July 1, 2000. Denmark's privacy laws are enforced by an independent agency, the Data Surveillance Agency (Registertilsynet).[451]
France enacted its first Data Protection Act in 1978, long before the EU Directive; France had to amend the Act to comply with the Directive. In the first instance the Act covered personal information held by government agencies and private entities. France did not implement any changes to the Act within the time period stipulated by the European Commission. The European Commission initiated a case before the European Court of Justice against France for failure to implement the Directive in time.[452]
The original data protection Act established by Federal Germany was not adequate to comply with the EU Directive. Like France, Germany was slow to implement any changes to the Act. In response, the European Commission announced in January 2000 that it was going to take Germany to court for failure to implement the Directive.[453] Since then, Germany has amended the “German Federal Data Protection Act” (known as “Bundesdatenschutzgesetz”) to implement the EU Directive. The new law now applies to any collection, processing, transfer or use of personal data after the 23rd May 2001.[454]
The changes have meant that any German company that collects, processes or uses personal information must appoint a data protection officer and the company must register in Germany if it wishes to hold a database of personal information.
In 1988, the Data Protection Act was passed in Ireland. The Act regulates the collection, processing, keeping, use and disclosure of personal information processed by both the private and public sectors; however, it was only applicable to information that was processed automatically.
When the EU introduced the EU Data Protection Directive, Ireland was obliged to amend the Act so that it complied with the instructions in the Directive. The changes should have been implemented by 1st October 1998; however, as of July 2000, the Irish government had not made any alteration to the legislation[455].
In 1998, the EU Data Protection Directive was implemented into Swedish law, when the Personal Data Act was adopted in 1999. Sweden amended section 33 of the Personal Data Act so that it would closely follow the EU Directive. The new wording of this Act means, for example, that personal data can only be transferred to a non-EEA country on condition that the receiving country has policies, legislation or laws that provide adequate protection for personal data.
Hong Kong has adopted European-style laws that govern the collection, use and dissemination of personal information. Hong Kong's Personal Data (Privacy) Ordinance was brought into force in December 1996[456].
The Ordinance covers any data relating directly or indirectly to an individual, from which it is easy to ascertain the identity of the individual. It applies to any person that controls the collection, holding, processing or use of personal data.
Under the Personal Data Ordinance, individuals are given the rights to confirm with data users whether their personal data is held, to obtain a copy of such data, and to have personal data corrected.[457] The Act adopts a very broad definition of “personal data” so that readily retrievable data recorded in all media that relates to an identifiable individual is covered. Within this legislation, charges may be applicable to the individual wishing to exercise these rights (as stated above) and obtain a copy of the personal data held by the data user. It is stated within the Ordinance that the charge for this must not be excessive.
If an individual has been damaged or been harmed by incorrect data held by a data user, then the individual may complain to the Privacy Commissioner for Personal Data. If a breach is discovered with respect to the Ordinance's requirements, then it is possible for the individual to claim compensation for damage(s) caused to them as a result of a contravention of the Ordinance through civil proceedings.[458]
All the provisions set out in this Ordinance are promoted and enforced by the Office of the Privacy Commissioner.
The New Zealand Privacy Act (1993)[459] covers both private and public sectors, with regard to personal information irrespective of the technology used. As the Act is technology-neutral, the 12 principles of the Act will not date as new technological advancements come into operation and existence. This Act implements the 1980 OECD Guidelines. The adoption of this Act means that New Zealand provides adequate protection for the purpose of transfer of data from the EU. It therefore offers New Zealand a competitive advantage over countries that have a less developed set of policies and legislation.
All New Zealand Web sites that collect personal information must provide a privacy statement that informs users and consumers of the reasons for the data/information collection, with reference to the purpose and use. It should also declare any disclosures that might be made of the information collected.
In a privacy protection paper called “A key to E-commerce” by Bruce Slane, the Privacy Commissioner of New Zealand, it was noted that the current Privacy Act has several limitations. The first is that the Act does not protect or restrict information from being transferred to other countries that do not have adequate information privacy and protection policies, and secondly the Act restricts the right for any New Zealander permanently based in the country from making an information privacy request. Therefore the information held on an individual cannot be accessed[460].
The Commissioner advised the Government to take action on these issues. The government’s approach is to actively encourage the private sector to implement appropriate technological solutions and self-regulation[461].
South Africa does not hold any specific data protection or privacy laws, except for the provisions made by Section 14 of the South African Constitution of 1996[462]. This states that, “Everyone has the right to privacy, which includes the right not to have – (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed.....National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state.”
In contrast to many other countries, South Africa does not have a privacy commission but has a Human Rights Commission.
The United States takes a different approach to privacy from that taken by the European Union. It relies upon a mixture of legislation, regulation and self-regulation to provide personal privacy and protection.[463] As noted above, this has put the USA into a confrontation with the European Union. However, one should not get the impression that the USA has no federal data protection legislation at all. The Privacy Act 1974 was designed to provide certain protection for personal information held by federal agencies. The Children's Online Privacy Protection Act of 1998[464] makes it unlawful for any person who operates a Web site or online service directed to children, or any operator that has actual knowledge to collect personal information from a child.[465] This Act applies to all children under the age of 13. Under this Act, it is the responsibility of the operator of a web site aimed at children that collects personal information from them or an owner of a web site that has actual knowledge that they are interacting with children and collecting information to provide information on the website detailing the information that is collected from the children, and how that information is going to be used. The operator must also obtain the consent of parents/guardian for the collection, use, or disclosure of personal information from children. This consent must also be verifiable.
Despite the lack of enthusiasm of the US administration for safe harbours, the US and the EU did reach an agreement to allow the continued flow of personal information between EU Member States and organisations within the United States. The Safe Harbor scheme has been considered adequate by the European Commission, for the protection of personal data, and a number of major US corporations have agreed to abide by it. The crucial difficulty is that the US Department of Commerce is not prepared to give its imprimatur to the agreement, and is unwilling to commend it to US corporations.
The Agreement can be joined in one of three ways. An organisation can join a self-regulatory privacy program that adheres to the safe harbour’s requirements, develop its own self-regulatory privacy policy that conforms to the safe harbour, or be subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy.
The United States Mission to the EU has stated that enforcement of the safe harbour will generally be carried out by the private sector in the United States. Private sector self-regulation and enforcement may be backed up by government enforcement of the federal and state unfair and deceptive trading statutes. Even when a company relies in part or completely on self-regulation in relation to the safe harbour principles, its failure to comply with such self-regulation may be actionable under federal or state law prohibiting unfair and deceptive acts.[466]
The European Union and the USA have adopted fundamentally different approaches to the protection of personal information or privacy. Unlike the EU, the United States has focused on developing a culture of industry self-regulation, supplemented by specific sectoral legislation, and has not enacted comprehensive privacy legislation. The fact remains that the privacy protection arrangements in the United States do not meet the EU’s standard of adequacy.
A report was published in the Washington Post this year on how federal agency Web sites do not always adhere to their own privacy policies in their use of ‘cookies’. The report follows a study conducted by 51 inspectors general, required by a measure passed in 2000 as part of the Treasury Postal spending package. The study was carried out on numerous federal Web sites, and according to the study 116 out of 206 Defence Department Web sites had no privacy policies. The Department of Veterans Affairs agency stored 29 cookies, while the Department of Transportation’s Web sites contained 23 cookies. The study found that 14 agencies had agreements with third parties under which information collected from the stored cookies was shared, which is a violation of a person’s privacy of personal data. The study also showed that three independent organisations were collecting personal information from agency Web sites. The Office of Management and Budget (OMB) has prohibited the use of cookies and other tracking devices on public government Web sites. The decision to prohibit cookies came following a report that the White House’s Office of National Drug Control Policy (ONDCP) was using cookies to track potential drug enthusiasts.[467]
The Department of Commerce announced in April 2001 that a ‘privacy advisor’ would be appointed to ensure that the Commerce Web sites operate according to strict privacy policies. The privacy advisor is responsible for protecting the Department’s Web sites from privacy abuse and from non-compliance with the privacy policies in force.[468]
In this area, as for IPR, the UK’s laws are largely led by EU initiatives. The UK’s approach has been to do what it must do under the EU Directive, but not much more. There are some initiatives from other countries, such as the New Zealand requirement that all Web sites must have a privacy statement that informs consumers that information will be collected about them and why. Whilst this is implicit in the UK Data Protection Act, it would help if explicit regulations were passed to this effect.
[435] Brunk, B. Exoinformation and interface design, Bulletin of the American Society for Information Science and Technology, 2001 (August/September), 11-13.
[436] However, it is worth noting that in many countries’ laws, there are special rules for sensitive personal information
[437] Dearnley, J.A., Oppenheim, C. and Warren, A., Sources of literature on data protection and human rights, Journal of Information Law and Technology, 2001 (2), http://elj.warwick.ac.uk/jilt/01-2/warren.html [2.7.01]
[438] OECD Guidelines
(http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM), [24.8.01].
[439] Australian Privacy Act 1988
(http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/), [24.8.01].
[440] Australian Privacy Act 1998.
(http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/index.html), [21.8.01].
[441] The Australian Privacy Commissioner’s Privacy Policy.
(http://www.privacy.gov.au/policy/index.html), (1 March 2001)
[442] The Australian Privacy Commissioner’s Website
(http://www.privacy.gov.au/news/index.html#6.67), [20.8.01]
[443] Privacy Amendment (Private Sector) Bill, http://www.search.aph.gov.au/search/ [31.8.01]
[444] Electronic Frontiers Australia. Online Privacy Issues, http://www.efa.org.au/Issues/Privacy/index.html#bill [30.8.01]; Western Australian E-commerce Centre. Security, Privacy and Legal Issues, http://ecommercecentre.online.wa.gov.au/text_version/news/getarticle.asp?articleID=1476 [30.8.01]; The EU Data Protection directive and its effects on E-commerce: the transfer of personal data to third countries, http://www.kogels.com/dataprot.htm#3.5.2. Australia [31.8.01].
[445] Personal Information Protection and Electronic Documents Act, http://laws.justice.gc.ca/en/P-8.6/79803.html [31.8.01]
[446] The Personal Information Protection and Electronic Document Act, http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6TOCE.html [30.8.01]; Electronic Commerce in Canada, http://e-com.ic.gc.ca/english/privacy/part-1.html [29.8.01]
[447] EU Directive 95/46/EC
[448] EU Data Protection Directive
(http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html), [23.8.01].
[449] EU Data Protection Directive
(http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html), [23.8.01].
[450] Privacy International
(http://www.privacyinternational.org/survey/phr2000/overview.html#Heading2), [24.8.01].
[451] Danish Data Protection Agency, http://www.datailsynet.dk/eng/ [31.8.01]
[452] Privacy International
(http://www.privacyinternational.org/survey/phr2000/countriesag.html#Heading2), [24.8.01].
[453] Privacy International
(http://www.privacyinternational.org/survey/phr2000/countriesag.html#Heading2), [24.8.01].
[454] Baker and McKenzie, http://www.bmck.com/ecommerce/whatsnew-privacy.htm [31.8.01]
[455] Privacy International
(http://www.privacyinternational.org/survey/phr2000/countrieshp.html#Heading4), [31.8.01].
[456] Office of the Privacy Commissioner for Personal Data, Hong Kong: The Ordinance, http://www.pco.org.hk/english/ordinance/ordglance.html [31.8.01]
[457] Office of the Privacy Commissioner for Personal Data
(http://www.pco.org.hk/english/ordinance/ordglance.html), [24.8.01].
[458] Office of the Privacy Commissioner for Personal Data
(http://www.pco.org.hk/english/ordinance/ordglance.html), [24.8.01].
[459] The Privacy Act and Amending Legislation, http://www.knowledge-basket.co.nz/privacy/legislation/1993028/toc.html
[460] http://www.privacy.org.nz/media/nzic.html
[461] New Zealand Ministry of Economic Development, http://www.med.govt.nz/irdev/elcom/ecommerce/ecomm.html
[462] Constitution of the Republic of South Africa 1996
(http://www.gov.za/gazette/acts/1996/a108-96.html), [24.8.01].
(http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp46en.pdf), [22.8.01].
[464] Children's Online Privacy Protection Act 1998
(http://www.access.gpo.gov/nara/cfr/waisidx_00/16cfr312_00.html), [24.8.01]
[465] Children's Online Privacy Protection Act 1998
(http://www.ftc.gov/ogc/coppa1.htm), [24.8.01].
(http://www.aph.gov.au/senate/committee/it_ctte/e_privacy/e-privacy.pdf), [23.8.01]
[467] Newsbytes: Article, Government sites still track visitors – Report.
(http://www.newsbytes.com), [18.6.01]
[468] Commerce Department Creates ‘Privacy Advisor’ Position.
(http://www.newsbytes.com/news/01/165119.html), [30.4.01]