29 July 2015

PNR

The European Parliament’s Civil Liberties Committee has approved the EU Passenger Name Record (PNR) Directive, which provides for mandatory provision and retention on a central searchable database of information about passengers booked on flights originating outside the EU or leaving the EU.

The information will only be accessed "if a serious crime is suspected, such as human and drug trafficking, child sexual exploitation or money laundering as well as terrorism". Data will be stored on a central database for 30 days, before deidentification. Data will be retained for up to five years and can be “unmasked” after a request by authorities.

The data collected will be drawn from airline bookings, potentially could include the passenger’s contact information, travel routes, computer IP address, hotel bookings, credit card details and dietary preferences.

The Cameron Government is reported as being keen to extend the Directive to all airline flights within Europe (i.e. domestic travel).

In 2011 the Article 29 Working Party commented [PDF] -
The Working Party considers that the fight against terrorism and organised crime is necessary and legitimate and personal data, and in particular some passenger data, might be valuable in assessing risks and preventing and combating terrorism and organised crime. However, in the case of a European PNR system the limitation of fundamental rights and freedoms has to be well justified and its necessity clearly demonstrated so as to be able to strike the right balance between demands for the protection of public security and the restriction of privacy rights. 
The Working Party has consistently questioned the necessity and proportionality of PNR systems and continues to do so with the 2011 proposal. While we appreciate the extra detail provided in the impact assessment, we consider that it does not provide a proper evaluation of the use of PNR and does not demonstrate the necessity of what is being proposed. The proposal should be clear about whether the aim is to fight serious (transnational) crime, which includes terrorism; or whether the aim is to fight terrorism and terrorism-related crimes only. 
Chapter 3.2 of the impact assessment “Respect of fundamental rights” merely states that the Fundamental Rights Check List has been used, but there is no further information about this assessment to justify its conclusions. In addition, this chapter provides circular reasoning for the interference with privacy rights under Article 8 of the European Convention of Human Rights, and Articles 7 and 8 of the Charter on Fundamental Rights of the European Union. The legal precondition for interfering with these rights is that it is “necessary in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others” as well as being "necessary in a democratic society” and “subject to the principle of proportionality”. The fact that the purpose of the proposal is the prevention of terrorism and serious crime does not mean it clearly complies with these requirements; the necessity and proportionality have still to be proven. 
The Working Party goes on to comment
Under the proposal, a huge amount of personal in formation on all passengers flying into and out of the EU will be collected, regardless of whether or not they are suspects. Collecting and processing PNR data for the fight against terrorism and serious crime should not enable mass tracking and surveillance of all travellers. The Working Party considers it disproportionate and therefore not in line with Article 8 of the Charter of Fundamental Rights to collect and retain all data on all travellers on all flights. As previously mentioned above, the impact assessment does not include convincing evidence in this respect. EU-level proposals should be specific and targeted to address a particular issue and in this context the focus of any proposal should be on the risks posed by terrorism and serious crime. 
The Working Party has serious doubts about the proportionality of the systematic matching of all passengers against some pre-determined criteria and unspecified “relevant databases”. It is not clear how these pre-determined criteria and relevant databases are to be defined, whether PNR data will be used to create or update the criteria, and to what extent all matches will automatically become subject to additional investigations. The Working Party would also like to recall that in some Member States similar methods of policing are only constitutional and therefore available to the police on judicial approval and under specific circumstances, such as a specific threat. The proposed PNR system would render this exceptional method an ordinary instrument for police work. Measures put in place that cannot provide for the protection of the rights and freedoms of travellers are only proportionate when introduced as a temporary measure for a specific threat, which is not the case for this proposal. The invasion of privacy of travellers must be proportionate to the benefits as regards fighting terrorism and serious crime. The Working Party has yet to see any statistics showing the ratio between the number of innocent travellers whose PNR data was collected to the number of law enforcement outcomes resulting from that PNR data.

27 July 2015

Influence

'McCloy v New South Wales: Developer Donations and Banning the Buying of Influence' by Anne Twomey in  (2015) 37 Sydney Law Review 275  states
McCloy v New South Wales involves a challenge to the capping of political donations and the imposition of a ban on both indirect donations and donations from property developers in relation to New South Wales elections. If the challenge is successful, it would seriously damage the ability of state governments to take measures to prevent the risk and perception of corruption and undue influence arising from the unfettered making of political donations. While it is likely that the provisions capping donations and banning indirect donations will survive scrutiny by the High Court, the provisions most vulnerable to attack are those that single out property developers, banning them from making any donation at all.
Twomey comments
In McCloy v New South Wales (High Court of Australia, Case No S211/2014’), the High Court of Australia will face the question of whether to bring down the whole edifice of election campaign finance law in New South Wales (NSW) on the ground that it unduly burdens the implied freedom of political communication by limiting the funds available to pay for that communication. ... 
The challenge was brought by Mr Jeff McCloy, a property developer and then Lord Mayor of Newcastle, after hearings by the Independent Commission Against Corruption (‘ICAC’) revealed that he had made donations in excess of $31 500 to, and for the benefit of, candidates in connection with the NSW election of March 2011. In addition, one of his companies paid $9975 in remuneration to a person who was working on the campaign staff of an election candidate, amounting to an indirect campaign donation. These donations occurred at a time when political donations in relation to the NSW election were capped at $5000, indirect donations were banned and political donations by property developers were also banned. On 28 July 2014, McCloy commenced proceedings in the High Court of Australia challenging the validity of s 96GA of the Election Funding, Expenditure and Disclosures Act 1981 (NSW) (‘EFED Act’), contending that it breached the implied freedom of political communication. This provision prohibits certain persons and corporations, including property developers, from making political donations. No challenge was initially made to other provisions of the Act. The scope of the challenge was later expanded, as it appeared from the facts that McCloy may also have breached provisions that imposed a cap on donations and prohibited the making of indirect donations. Accordingly, the proceedings now also challenge:
  • the validity of the scheme for imposing caps on donations (EFED Act pt 6 div 2A); 
  • the banning of indirect donations (EFED Act s 96E); and
  • the banning of donations from all categories of prohibited donors (EFED Act pt 6 div 4A).
No challenge has been brought to the cap on electoral communications expenditure or the disclosure regime in the EFED Act. However, if the cap on political donations is held invalid, the cap on expenditure would inevitably fall in the future, as it imposes a more direct limitation upon political communication. Hence, all that would be likely to survive, if McCloy were fully successful in his challenge, would be the disclosure regime.

25 July 2015

Biopolitics

'Childhood, Biosocial Power, and the “Anthropological Machine”: Life as a Governable Process?' by Kevin Ryan in (2014) 15 (3) Critical Horizons 266-283 examines
 how childhood has become a strategy that answers to questions concerning the (un)governability of life. The analysis is organised around the concept of “biosocial power”, which is shown to be a particular zone of intensity within the wider field of bio-politics. To grasp this intensity it is necessary to attend to the place of imagination in staging biosocial strategies, i.e. the specific ways in which childhood is both an imaginary projection and a technical project, and to this end Agamben’s concept of the “anthropological machine” is used to examine how biosocial power has been assembled and deployed. The paper begins with the question of childhood as it was posed toward the end of the nineteenth century, focusing on how this positioned the figure of the child at the intersection of zoē and bios, animal and human, past and future. It ends with a discussion on how the current global obesity “epidemic” has transformed this one-time vision of mastery into a strategy of survival.
When Giorgio Agamben wrote his Homo Sacer: Sovereign Power and Bare Life, he undertook the ambitious, even audacious, task of “completing” Michel Foucault’s work on power. The literature that has since grown around this book is perhaps testimony to the fact that the study of power is unlikely to reach a terminus, i.e. to be completed in the literal sense of tidying up any and all loose ends. More intriguing, there is shadowy supplement to Homo Sacer: an other figure that seems to co-habit the “thresholds” and “zones of indistinction” that form the theoretical armature of Agamben’s exposition, and which offers a very particular way of examining the relation between zoē (“bare” or naked life) and bios (life which is “qualified”). The figure in question is that of the child.
While not the focus of Homo Sacer, elsewhere Agamben has examined childhood as an “unstable signifier”. Conceptualised in this way, childhood is a disruption between past and future, between death and life, nature and culture, animal and human – relations that appear dichotomous, but which are in fact “zones of indeterminacy”. It is through attempts to govern this indeterminacy that modern Western childhood has been constituted as a particular zone of intensity within the wider field of bio-politics, and to grasp this intensity – the way it is assembled and configured – it is necessary to attend to the centrality of the imagination in staging biopolitical strategies, that is, the ways in which childhood is deployed both as a technical project and as an imaginary projection. This article examines how childhood is one important – and largely overlooked – way in which zoē entered into the realm of politics which, for both Agamben and Foucault, “constitutes the decisive event of modernity”. The analysis begins with a specific apparatus – a technology of life – that was assembled at the turn of the twentieth century, and which takes the form of biosocial power.
By biosocial power is suggested a mode of power that shares much with Foucault’s concept of biopower but which, with the help of Agamben, is shown to be specific to childhood. The inquiry begins with the question of childhood as it was posed during the 19th century, examining how this positioned the figure of the child at the intersection of zoē and bios, animal and human, past and future. It ends with a discussion on how the current global obesity “epidemic” has transformed this one-time vision of mastery into a strategy of survival

21 July 2015

Subpoenaed Personal Health Information

The ACT Justice & Community Safety Directorate has released a position paper on Protecting the Privacy of Victims in Court and Tribunal Proceedings of Subpoenaed Personal Health Information [PDF].

The paper states -
Victims of crime often find themselves powerless to prevent details from their past health records being aired in court or to third parties, often without their knowledge, by documents produced in compliance with a subpoena. Case examples in the ACT suggest this is an area in need of legislative reform to ensure victims are protected in our legal system and are not re-traumatised through this process. This is an area of concern for the ACT Health Services Commissioner who will be providing a report to Government on this issue in coming months.
A subpoena is an order from a court or tribunal, issued at the request of a party to a proceeding, which compels the person who has been subpoenaed to give oral evidence, to produce documents, or both. Subpoenas can only be issued if legal proceedings have commenced – this applies in both criminal and civil proceedings. Failure to comply with a subpoena can be deemed to be in contempt of court, and can attract penalties of imprisonment and fines. This paper will focus on subpoenas issued to produce documents, in particular health records of health consumers who are often victims of crime.
The key issues this paper will identify is that a person’s personal health records may be subpoenaed, produced, inspected, copied and divulged to third parties, entirely without the knowledge of the person to whom the health record relates. This occurs when the person is not a party to the proceedings before a court or tribunal, and is not notified their health records have been subpoenaed and produced. A victim of crime in criminal proceedings is not a party to the proceedings.
In the ACT, there is no legal obligation that requires either the record holder, or party issuing the subpoena, to inform the health consumer that their records have been subpoenaed or produced. It is possible for a person with a ‘sufficient interest’ (for example the person to which the health record relates) to raise an objection to the production of documents, or apply to the court for an order to set aside the subpoena in certain circumstances. The grounds of objection can be abuse of process on the basis of relevance of the subpoena, the subpoena is too wide and oppressive, is a “fishing” expedition, or privilege can be claimed in certain circumstances, such as sexual assault counselling communications privilege. However, the ability to object relies on awareness that the subpoena exists, and a person who has not been informed their health records have been produced, obviously cannot raise an objection. The record holder, such as a medical practice or hospital, may raise these objections but often do not have the time or resources to do so, and also may not be able to ascertain whether information is particularly sensitive for an individual.
In our community, people expect to be able to freely and frankly disclose their personal information to health practitioners, including psychologists, medical practitioners and counsellors, and this is certainly crucial for accurate diagnosis and treatment. Consumers reveal highly sensitive information on the assumption that the communicated information will be treated confidentially.
During the 2012-2013 financial year, a single health service provider in the ACT received over 450 subpoenas to produce personal health information. This indicates that defendants (or their legal representatives) in criminal proceedings may be invading victims’ privacy by seeking personal health records on a regular basis. The impact on victims of crime who have their personal health records subpoenaed can be devastating and, in some cases, it can re-traumatise them. Victims feel their right to privacy has been violated.
There is currently a practice in the ACT of defence counsel in criminal proceedings issuing subpoenas of a broad scope to obtain highly confidential medical records. Examples of subpoenas being issued for personal health information, which raise privacy issues, include:
  • A criminal defence team issued a subpoena for the entire health records of a victim from a medical practitioner. While a copy of the subpoena was served on the Office of the Director of Public Prosecutions, the victim was unaware their personal records had been subpoenaed. There is no general obligation on the prosecution to advise the victim of the existence of the subpoena. 
  • In criminal proceedings, a self-represented accused person subpoenaed a copy of the entire personal health records of a victim of crime, and the contents of the records were disclosed to third parties including relatives of the accused person.This is a clear example when subpoenas have been misused. 
  • A subpoena issued in proceedings in the Coroners Court that was determining the cause of death of a person. The subpoena was for the health records of all consumers admitted to a health service provider facility (hospital) with assault related injuries within a certain time period. 
  • In domestic violence order proceedings in the ACT Magistrates Court, a subpoena was issued by the respondent’s solicitor, and was served on the applicant without explanation. The subpoena came completely unexpectedly and the person served was unaware what was expected of them in relation to the subpoena. 
  • A criminal defence team issued a subpoena for the entirety of the victim’s psychiatric records. The victim later discovered that their entire medical file, which detailed childhood sexual abuse, suicidal thoughts and major depression, had been provided to and read by all parties to proceedings and the judicial officer earlier in the court proceedings, without the victim’s knowledge. 
  • In family law proceedings, subpoenas are often issued for psychiatric records of the estranged spouse, as a ‘fishing expedition.’ Information can then be used to disadvantage the party by stigmatising them as they have consulted psychiatrists. In some situations, subpoenas may be issued as a mechanism to gain advantage using intimidation and humiliation of the opposing spouse.
There are also situations in which health records of a person who is not a party to proceedings in the ACT Civil and Administrative Tribunal are obtained, by means other than a subpoena. This may arise in health practitioner disciplinary cases involving a complaint of inadequate record keeping of a medical practitioner, and health records of numerous health consumers may be tendered in tribunal proceedings.
These examples highlight a number of issues with the current processes involving subpoenas in the ACT, and more generally, issues in relation to the release of a person’s health records. It is clear the existing legal provisions are failing to protect medical-patient confidentiality. Unfettered access to a person’s personal health records undermines a victim’s right to privacy and violates the confidential nature of health practitioner-patient relationship. Failing to safeguard confidentiality of health records poses a risk that members of our community are deterred from seeking medical attention, or not providing accurate disclosures about their symptoms, experiences and/or history, due to fear their privacy might be breached in legal proceedings.
The Directorate indicates that
Legislation should be amended to strengthen protections of privacy for personal health records. This could be achieved by amendments to the Court Procedures Rules 2006 (ACT).
Suggested amendments include:
1. A right that a person with sufficient interest be notified of the subpoena as soon as practicable after it is issued. Such a provision would require the issuing party to serve the subpoena on any interested parties, including the person to whom the health record is sought. The health consumer will then have the opportunity to challenge or object to the documents being produced.
2. A right for the health consumer to be notified if their health records are used in court or tribunal proceedings and have been obtained by means other than a subpoena. For example, documents obtained during the investigative stage of a complaint of inadequate record keeping by a medical practitioner.
3. An express prohibition on ulterior use, or disclosure to third parties, of subpoenaed personal health information. The current obligation requires that a person must only use documents obtained by subpoena for the purposes of the case before the court or tribunal, and must not disclose the contents or give a copy of any documents subpoenaed to any other person (except a lawyer representing them), without permission of the court. Self-represented litigants may not adhere to this obligation due to lack of awareness.
4. A person to which the subpoenaed health records relate, whether they are a party (or not) to the proceedings before the court or tribunal, to have the first right of access to inspect the documents that are produced to determine whether they will lodge an objection.
The court should also consider developing an information sheet to highlight rights and obligations in relation to subpoenas for personal health information and enclose that information sheet with every subpoena issued. This would assist victims of crime whose personal health records have been subpoenaed by a defendant or their legal representative to understand their rights and obligations, and how they could object to the records being released if they thought it appropriate. The law must strike a balance between a victim’s right to privacy and an accused person’s right to a fair trial. Current legislation does not adequately protect victims’ right to privacy when seeking health services and additional safeguards are required.
The quasi-privilege set out in section 126B of the Evidence Act 1995 can be used to abolish subpoenas which are unjustified and preserve a victim’s right to privacy to some extent. However, knowledge of how that section operates needs to be more widely understood. Information on how section 126B operates should be included in the information sheet, previously suggested, as a means of educating people on their rights and entitlements. The introduction of reforms aimed at protecting the rights and privacy of individuals who are the subject of subpoenas will assist victims of crime to prevent details from their past health records being aired in court or to third parties, often without their knowledge, by documents produced in compliance with a subpoena.

20 July 2015

Data Protection

'The Battle for Rights   ̶  Getting Data Protection Cases to Court' by Megan Richardson in (2015) 1 Oslo Law Review 23-35 compares
the legal protection of privacy and personal data principally in common law jurisdictions. It points out that the growth of privacy law in these jurisdictions has traditionally centred on the ability of individuals to bring claims to court, with claims largely dealt with as a matter of common law (i.e. judge-made law). However, the absence of a generally accepted principle that individuals should be free to bring a claim in court for a breach of a statute has worked to limit the development of (statutory) data protection norms in the common law world. Nevertheless, the situation now appears to be changing with some recent cases. 
Richardson comments
In his 1872 masterwork Der Kampf ums Recht, or The Battle for Right as it was known in England, the German legal sociologist Rudolf von Jhering argued that the ideal environment for the creation of law is one in which aggrieved individuals voice their grievances publicly, and lawmakers including judges respond with the development of legal standards in sympathy with their concerns. Law is thus the product of a constant struggle by individuals for the recognition of legal rights. In words later echoed to a considerable extent by the American jurist Oliver Wendall Holmes Jr, von Jhering said that ‘[t]he life of the law’ is based on the idea of ‘restless striving and working’. Or as Holmes eloquently put it in his own masterwork The Common Law in 1881, ‘the life of the law has not been logic; it has been experience’. Von Jhering may have restricted his comments to private law, taking the benevolent view that ‘the realisation in practice of public law and criminal law is assured, because it is imposed as a duty on public officials’. However, his logic may be extended to any law whose ‘practical realisation depends on the assertion by individuals of their legal rights’, including where public officials have wide discretion rather than a specific ‘duty’ to give effect to the law for the individual’s protection. In these instances, as in others where ‘the realisation’ of the law depends upon the ability of individuals to bring claims, it can be argued that the individuals concerned should have the power directly to vindicate their legal rights. 
In any event, this was the position taken by the framers of the Bürgerliches Gesetzbuch (BGB) who, in 1896, responded to von Jhering and others who maintained that law should reflect modern concerns, including protection against ‘attacks on personality’. Section 823 II of the BGB stated that a person harmed as a result of another’s breach of a statutory provision adopted for his or her protection is entitled to bring a claim for damages in court. After the BGB came into force the provision became an early platform for the development of personality rights in Germany in the early 1900s, even before the inclusion of rights to dignity and personality in the post-second world war German Constitution, which prompted a more expansive reading of the provisions of the BGB to flesh out personality rights in accordance with the new constitutional standards. 
A number of jurisdictions in the common law world have adopted versions of section 823 II of the BGB in ways tailored to personality rights. For example, the New York legislature, after the failure of the plaintiff’s privacy claim in the 1902 case of Roberson v Rochester Folding Box Co, enacted sections 50 and 51 of the New York Civil Rights Law in 1903. These sections, which continue in force today, impose criminal liability on those who without consent use a person’s name or likeness for advertising or trade purposes (the circumstances of the Roberson case) and further specify that a person harmed can bring a civil action for damages. Thus, even without much by way of common law protection of privacy in New York, there is some statutory protection available to privacy through sections 50 and 51 of the Civil Rights Law including a right to bring claims to court. Moreover, this protection has withstood (to an extent) the broad reading given by the US courts, especially from the 1960s onwards, of the right to freedom of speech and the press under the First Amendment to the Bill of Rights in the US Constitution. 
Norway provides an example of a mixed system with some common law features. As noted in Lillo-Stenberg and Sæther v Norway, plaintiffs can rely on sections 3-6 of the Damages Compensation Act of 1969 in conjunction with section 390 of the Penal Code of 1902 to bring civil claims for legal protection of privacy. Although Norwegian courts have also developed their own non-statutory precedents in favour of privacy, the above statutory provisions have often been relied on in cases involving privacy claims, including the Lillo-Stenberg case. It was only because of the particular circumstances of the latter case (involving celebrity performers engaged in a spectacular celebration of their marriage in a publicly accessible area) that the Norwegian Supreme Court held that the publication of unauthorised photographs of parts of the celebration (but not the actual marriage ceremony) in the magazine Se og Hør was not an unlawful violation of the plaintiffs’ privacy. When the case came before the European Court of Human Rights, the latter accepted that an appropriate balance had been reached between the rights to private life and freedom of expression under Articles 8 and 10 of the European Convention on Human Rights and Fundamental Freedoms (ECHR) taking into account the margin of appreciation afforded to national law. 
Nevertheless, common law jurisdictions have not, as a general matter, accepted that individuals should be entitled to bring an action under a statute adopted for their protection. Rather, developments of privacy law in common law jurisdictions have mainly been focused on common law (i.e. judge-made law), which itself is premised on the central idea of individuals bringing claims to court. While this approach has worked reasonably well for aspects of privacy law, it has led to a relative lack of development of data protection norms in these jurisdictions, although the situation appears now to be changing.

18 July 2015

Kuwait's DNA Profiling

Kuwait is reported to be introducing a law that mandates on DNA registration of all 1.3 million Kuwaiti citizens and 2.9 million expatriates, with the national database expected to be complete by September next year.

Registration will be underpinned by a penalty of one-year imprisonment, a US$33,000 fine or both for those who refuse to undergo DNA testing. Provision of a fraudulent sample  will attract a penalty of seven years' imprisonment.

It is unclear whether the biological sample will involve blood or skin cells.

Registration will supposedly "contribute to increased security in the society and justice through quicker identification of culprits", apparently through quicker identification of alleged terrorists who are in custody.

A mandatory population-scale database of people who have not been convicted of a crime is problematical.

In the UK the salient judgment is S and Marper v United Kingdom [2008] ECHR 1581, in which the European Court of Human Rights ruled in 2008 that permanent retention of a non-criminal's DNA sample under the Police and Criminal Evidence Act 1984 "could not be regarded as necessary in a democratic society", was disproportionate and was contrary to Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. The Protection of Freedoms Act 2012 sought to limit the scope of the DNA database - in essence restriction to people convicted of serious crimes - and comply with the Marper ruling.

Morrisons

The UK Crown Prosecution Service has announced that Andrew Skelton, a former employee of the Morrisons supermarket group, has been found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. Skelton was sentenced to eight years at Bradford Crown Court, in relation to stealing personal data belonging to nearly 100,000 Morrisons employees.

The CPS announcement states
Andrew Skelton was in a position of considerable trust with access to confidential personal information as Senior Internal Auditor at Morrisons. 
He abused this position by uploading this information - which included employees' names, addresses and bank account details - onto various internet websites. 
He then attempted to cover his tracks and implicate a fellow employee by using this colleague's details to set up a fake email account. 
Andrew Skelton's motive appears to have been a personal grievance over a previous incident where he was accused of dealing in legal highs at work. 
The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen. 
Currently Morrison's has incurred costs of almost £2 million as a result of this fraud, costs have included professional fees, legal fees and fees incurred through attempts to safeguard their employees.
The CPS alleged Skelton uploaded personal information — including employees’ names, addresses and bank details — to various websites and then attempted to cover his tracks.