22 February 2014


'Information privacy and correlates: an empirical attempt to bridge and distinguish privacy-related concepts' by Tamara Dinev, Heng Xu, Jeff H. Smith and Paul Hart in (2013) 22 European Journal of Information Systems 295–316 argues that
Privacy is one of the few concepts that has been studied across many disciplines, but is still difficult to grasp. The current understanding of privacy is largely fragmented and discipline-dependent. This study develops and tests a framework of information privacy and its correlates, the latter often being confused with or built into definitions of information privacy per se. Our framework development was based on the privacy theories of Westin and Altman, the economic view of the privacy calculus, and the identity management framework of Zwick and Dholakia. The dependent variable of the model is perceived information privacy. The particularly relevant correlates to information privacy are anonymity, secrecy, confidentiality, and control. We posit that the first three are tactics for information control; perceived information control and perceived risk are salient determinants of perceived information privacy; and perceived risk is a function of perceived benefits of information disclosure, information sensitivity, importance of information transparency, and regulatory expectations. The research model was empirically tested and validated in the Web 2.0 context, using a survey of Web 2.0 users. Our study enhances the theoretical understanding of information privacy and is useful for privacy advocates, and legal, management information systems, marketing, and social science scholars. 
The authors comment that
Privacy has been studied for more than 100 years in almost all spheres of social science, most notably law, economics, psychology, management, marketing, and management information systems. Amazingly, however, it is also a concept that ‘is in disarray [and n]obody can articulate what it means’ (Solove, 2006, p. 477). Margulis (1977) noted the variety of conceptualizations of privacy and the disagreement among scholars on what privacy is. The lack of a clear, concrete, measurable, and empirically testable conceptualization of privacy affects many aspects of the society – the vagueness of the concept fails to guide adjudication and lawmaking (Bennett, 1992; Solove, 2006), as well as formation of government and organizational management policies and practices regarding the privacy and security of employees, consumers and clients, and citizens. Numerous attempts have been made by scholars to define and develop a coherent understanding of privacy and to integrate the different perspectives from different fields. The picture of privacy that emerges is fragmented and usually discipline-specific. The concepts, definitions, and relationships are inconsistent and neither fully developed nor empirically validated.
In Law, many scholars defined privacy as a ‘right’ or ‘entitlement’ (e.g., Warren & Brandeis, 1890); others from other disciplines, including philosophy and psychology, define it as a ‘state of limited access or isolation’ (e.g., Schoeman, 1984); and yet another group of scholars, particularly from the social sciences and information systems used ‘control’ as a definition of privacy (Westin, 1967; Culnan, 1993). Privacy ‘has been described as multidimensional, elastic, depending upon context, and dynamic in the sense that it varies with life experience’ (Xu et al, 2011, p. 799). And yet, ‘much of the work … has come from groups with a single point of view (e.g., civil liberties advocates, trade associations) and/or a mission that is associated with a point of view (e.g., regulatory agencies)’ (Waldo et al, 2007, p. vii). Many overlapping concepts, such as intrusion, deception, secrecy, anonymity, have been built into the definition of privacy and have added to the confusion (Margulis, 2003a, b). Moreover, very few have been empirically measured or tested. As Solove (2006, p. 479) notes, ‘privacy seems to be about everything, and therefore it appears to be about nothing’. In its report on the status of privacy research, the Committee of Privacy in the Information Age at the National Research Council of the National Academy of Sciences notes that it was ‘struck by the extraordinary complexity associated with the subject of privacy’, and that ‘the notion of privacy is fraught with multiple meanings, interpretations, and value judgments’ (Waldo et al, 2007, p. x).
Solove (2006) also notes that many discussions about privacy are targeted toward people’s fears and anxiety to the extent that the expression ‘this violates my privacy’ or ‘my privacy should be protected’ has become more a product of instinctive recoil void of meaning rather than a well-articulated statement carrying reason and a specific relevance. The difficulty in articulating what constitutes privacy, and thus what constitutes harm to privacy, translates into policymaker’s and the courts’ difficulty in defending privacy interests. This further leads to dismissing cases and disregarding organizational and government problems (Solove, 2006).
Given these challenges and murky conceptual waters, our study attempts to build a more rigorous, empirically testable framework of privacy and its correlates, which have often been confused with or built into the definitions of privacy per se. The specific research goals of our study are to (i) identify the appropriate conceptualization of privacy and the correlates that previously have been closely associated or confused with privacy; and (ii) develop empirical measures and test a nomological model of these correlates to examine their relationship to privacy and their distinctness from it.
We believe that our study is timely and needed. The dynamic globalization of the economy and information technology (IT), and the ubiquitous distributed storage and sharing of data puts the issue of information privacy at the forefront of society policies and practices. This development contributes to the urgency and need for finding a better and common framework for privacy, and information privacy in particular, that can be used across multiple areas that affect social life.
The focus of our paper is information privacy, although we found that in public and political discourse, as well as in various research streams, a clear distinction between physical and information privacy is not made. For example, polls and surveys ask about ‘privacy’ rather than ‘information privacy’. In many disciplines, including law, marketing, management information systems and economics, physical privacy concepts and definitions are directly applied to information privacy, providing continuity in the nomological models associated with information privacy (Smith et al, 2011). Analogously, we will use earlier, general privacy concepts to derive and analyze information privacy-specific concepts. In an attempt to be as clear as possible in our framework, throughout the remainder of this paper we will use the term ‘privacy’ to refer to ‘information privacy’. We will refer to ‘general privacy’ when we use previous studies and theories that are relevant to information privacy, but did not specify whether the term ‘privacy’ concerns physical or information privacy.
The overarching models guiding this process are the general privacy theories of Altman (1974, 1975), Westin (1967), and Margulis (1977, 2003a, b; see Margulis, 2003a for a review) and the general privacy taxonomy developed by Solove (2006). Each of these identifies a set of privacy dimensions but to the best of our knowledge have not been empirically validated. In addition, we employ the Zwick & Dholakia’s (2004) conceptualization of identity management that will help us rigorously define and operationalize the tactics of information control we will identify in the study. We conducted a survey study to test the research model.
In what follows, we first describe the literature review for our research, presenting the overarching theories and privacy definitions that guide the development of the research model. Then we develop the logic underlying the research model that presents the process through which individuals form privacy perceptions. This is followed by a description of the research methodology, choice of context to empirically test our model, and our findings. The paper concludes with a discussion of the results and implications of the findings.

Privacy's Midlife Crisis?

'Privacy Law’s Midlife Crisis: A Critical Assessment of the Second Wave of Global Privacy Laws' by Omer Tene in (2013) 74(6) Ohio State Law Journal argues that
Privacy law is suffering from a midlife crisis. Despite well-recognized tectonic shifts in the socio-technological-business arena, the information privacy framework continues to stumble along like an aging protagonist in a rejuvenated cast. The framework’s fundamental concepts are outdated; its goals and justifications in need of reassessment; and yet existing reform processes remain preoccupied with internal organizational measures, which yield questionable benefits to individuals. At best, the current framework strains to keep up with new developments; at worst, it has become irrelevant. More than three decades have passed since the introduction of the OECD Privacy Guidelines; and fifteen years since the EU Directive was put in place and the “notice and choice” approach gained credence in the United States. This period has seen a surge in the value of personal information for governments, businesses, and society at large. Innovations and breakthroughs, particularly in information technologies, have transformed business models and affected individuals’ lives in previously unimaginable ways. Not only technologies, but also individuals’ engagement with the data economy have radically changed. Individuals now proactively disseminate large amounts of personal information online via platform service providers, which act as facilitators rather than initiators of data flows. Data transfers, once understood as discrete point-to-point transmissions, have become ubiquitous, geographically indeterminate, and typically “residing” in the cloud.
This Article addresses the challenges posed to the existing information privacy framework by three main socio-technological-business shifts: the surge in big data and analytics; the social networking revolution; and the migration of personal data processing to the cloud. The term big data refers to the ability of organizations to collect, store, and analyze previously unimaginable amounts of unstructured information in order to find patterns and correlations and draw useful conclusions. Big data creates tremendous value for the world economy, individuals, businesses, and society at large. At the same time, it heightens concerns over privacy, equality, and fairness, and pushes back against well-established privacy principles. Social networking services have revolutionized the relationship between individuals and organizations. Those creating, storing, using, and disseminating personal information are no longer just organizations, but also geographically dispersed individuals who post photos, submit ratings, and share their location online. The term cloud computing encompasses (at least) three distinct models of utilizing computing resources through a network—software, platform, and infrastructure as a service. The advantages of cloud computing abound and include, from the side of organizations, reduced cost, increased reliability, scalability, and security, and from the side of users, the ability to access data from anywhere, on any device, at any time, and to collaborate on a single document across multiple users; however, the processing of personal information in the cloud poses new privacy risks.
In response to these changes, policymakers in the Organization for Economic Co-operation and Development (OECD), EU and the United States launched extensive processes for fundamental reform of the information privacy framework. The product of these processes is set to become the second generation of information privacy law. Yet, as discussed in this Article, the second generation is strongly anchored in the existing framework, which in turn is rooted in an architecture dating back to the 1970s. The major dilemmas and policy choices of information privacy remain unresolved.
First, the second generation fails to update the definition of personal data, the fundamental building block of the framework. Recent advances in reidentification science have shown the futility of traditional de-identification techniques in a big data ecosystem. Consequently, the scope of the framework is either overbroad, potentially encompassing every bit and byte of information, ostensibly not about individuals; or overly narrow, excluding de-identified information, which could be re-identified with relative ease. More advanced notions that have gained credence in the scientific community, such as differential privacy and privacy enhancing technologies, have been left out of the debate.
Second, the second generation maintains and even expands the central role of consent. Consent is a wild card in the privacy deck. Without it, the framework becomes paternalistic and overly rigid; with it, organizations can whitewash questionable data practices and point to individuals for legitimacy. The Article argues that the role of consent should be demarcated according to normative choices made by policymakers with respect to prospective data uses. In some cases, consent should not be required; in others, consent should be assumed subject to a right of refusal; in specific cases, consent should be required to legitimize data use. Formalistic insistence on consent and purpose limitation can impede data driven breakthroughs that benefit society as a whole.
Third, the second generation remains rooted on a linear approach to processing whereby an active “data controller” collects information from a passive individual, and then stores, uses, or transfers it until its ultimate deletion. The explosion of peer produced content, particularly on social networking services, and the introduction into the data value chain of layer upon layer of service providers, have meant that for vast swaths of the data ecosystem, the linear model has become obsolete. Privacy risks are now posed by an indefinite number of geographically dispersed actors, not least individuals themselves, who voluntarily share their own information and that of their friends and relatives. Despite much discussion of “Privacy 2.0,” the emerging framework fails to account for these changes. Moreover, in many contexts, such as mobile applications, behavioral advertising, or social networking services, it is not necessarily the controller, but rather an intermediary or platform provider, that wields the most control over information.
Fourth, the second generation, particularly of European data protection laws, continues to view information as “residing” in a jurisdiction, despite the geographical indeterminacy of cloud storage and transfers. For many years, transborder data flow regulation has caused much consternation to global businesses, while generating formidable legal fees. Unfortunately, this is not about to change. While not providing solutions to these challenging problems, the Article sets an agenda for future research, identifying issues and potential paths towards a rejuvenated framework for a rapidly changing environment.
'The EU-US Privacy Collision: A Turn To Institutions And Procedures' by Paul M. Schwartz in (2013) 126 Harvard Law Review 1966 argues that
Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties. The EU has played a major role in international decisions involving information privacy, a role that has been bolstered by the authority of EU member states to block data transfers to third party nations, including the United States.
The European Commission’s release in late January 2012 of its proposed “General Data Protection Regulation” (the Proposed Regulation) provides a perfect juncture to assess the ongoing EU-U.S. privacy collision. An intense debate is now occurring about critical areas of information policy, including the rules for lawfulness of personal processing, the “right to be forgotten,” and the conditions for data flows between the EU and the United States.
This Article begins by tracing the rise of the current EU-U.S. privacy status quo. The European Commission’s 1995 Data Protection Directive (the Directive) staked out a number of bold positions, including a limit on international data transfers to countries that lacked “adequate” legal protections for personal information. The impact of the Directive has been considerable. The Directive has shaped the form of numerous laws, inside and outside of the EU, and contributed to the creation of a substantive EU model of data protection, which has also been highly influential.
This Article explores the path that the United States has taken in its information privacy law and explores the reasons for the relative lack of American influence on worldwide information privacy regulatory models. As an initial matter, the EU is skeptical regarding the level of protection that U.S. law actually provides. Moreover, despite the important role of the United States in early global information privacy debates, the rest of the world has followed the EU model and enacted EU-style “data protection” laws.
At the same time, the aftermath of the Directive has seen ad hoc policy efforts between the United States and EU that have created numerous paths to satisfy the EU’s requirement of “adequacy” for data transfers from the EU to the United States. The policy instruments involved are the Safe Harbor, the two sets of Model Contractual Clauses, and the Binding Corporate Rules. These policy instruments provide key elements for an intense process of nonlegislative lawmaking, and one that has involved a large cast of characters, both governmental and nongovernmental.
This Article argues that this policymaking has not been led exclusively by the EU, but has been a collaborative effort marked by accommodation and compromise. In discussing this process of nonlegislative lawmaking, this Article will distinguish the current policymaking with respect to privacy from Professor Anu Bradford’s “Brussels Effect.” This nonlegislative “lawmaking” is a productive outcome in line with the concept of “harmonization networks” that Professor Anne-Marie Slaughter has identified in her scholarship. “Harmonization networks” develop when regulators in different countries work together to harmonize or otherwise adjust different kinds of domestic law to achieve outcomes favorable to all parties. The Article then analyzes the likely impact of the Proposed Regulation, which is slated to replace the Directive. The Proposed Regulation threatens to destabilize the current privacy policy equilibrium and prevent the kind of decentralized global policymaking that has occurred in the past. The Proposed Regulation overturns the current balance by heightening certain individual rights beyond levels that U.S. information privacy law recognizes. It also centralizes power in the European Commission in a way that destabilizes the policy equilibrium within the EU, and thereby threatens the current policy processes around harmonization networks.
To avert the privacy collision ahead, this Article advocates modifications to the kinds of institutions and procedures that the Proposed Regulation would create. A “Revised Data Protection Regulation” should concentrate on imposing uniformity only on “field definitions,” that is, the critical terms that mark the scope of this regulatory field. The Revised Regulation should be clear that member states can supplement areas that do not fall within its scope with national measures. This approach would leave room for further experiments in data protection by the member states. The Revised Regulation should also alter the currently proposed procedures to limit the Commission’s assertion of power as the final arbiter of information privacy law.


Perhaps no-one is a hero to his valet or his ghostwriter.

The LRB features Andrew O'Hagan's account of ghosting for the most prominent guest in the Ecuador Hotel, ie Julian Assange.

People who've followed the adventures of Mr Wikileaks will be unsurprised by passages such as
Assange referred a number of times to the fact that people were in love with him, but I couldn’t see the coolness, the charisma he took for granted. He spoke at length about his ‘enemies’, mainly the Guardian and the New York Times.
Julian’s relationship with the Guardian, which appeared to obsess him, went back to his original agreement to let them publish the Afghan war logs. He quickly fell out with the journalists and editors there – essentially over questions of power and ownership – and by the time I took up with him felt ‘double-crossed’ by them. It was an early sign of the way he viewed ‘collaboration’: the Guardian was an enemy because he’d ‘given’ them something and they hadn’t toed the line, whereas the Daily Mail was almost respected for finding him entirely abominable. The Guardian tried to soothe him – its editor, Alan Rusbridger, showed concern for his position, as did the then deputy, Ian Katz, and others – but he talked about its journalists in savage terms. The Guardian felt strongly that the secret material ought to be redacted to protect informants or bystanders named in it, and Julian was inconsistent about that. I never believed he wanted to endanger such people, but he chose to interpret the Guardian’s concern as ‘cowardice’.
His relationship with the New York Times was every bit as toxic. He believed its editor, Bill Keller, was determined to treat him as a ‘source’ rather than a collaborator – which was true – and that Keller wanted to hang him out to dry, which was not true. Keller wrote a long piece in his own paper saying Julian was dirty, paranoid, controlling, unreliable and slightly off his head, which naturally made Julian feel his former collaborator was out to get him. But both newspapers, in concert with others, had given over vast numbers of pages to the leaks and given WikiLeaks top billing in bringing the material. I always felt the involvement of the New York Times would save Julian from prison, and I still believe that. Even the US authorities see that it would be impossible for them to convict Assange without also convicting Keller and Rusbridger. But instead of seeing that, Julian could only see the men in personal terms as dissemblers or something worse.
He had a strange, on-the-spectrum inability to see when he was becoming boring or demanding. He talked as if the world needed him to talk and never to stop. Oddly for a dissident, he had no questions. The left-wingers I have known are always full of questions, but Assange, from the first, seemed like a manifestation of the hyperventilating chatroom. It became clear: if I was to be the ghost, it might turn out that I was the least ghostly person in the enterprise.
He was avoiding ‘our book’. He wanted to talk about the other books about to be published. ‘There’s this book by two guys from Der Spiegel,’ he said. ‘It will be more high-toned than the others. The two guys are friendly towards me but the book will contain new allegations.’ He spoke about another book to be published by the Guardian. He said it would come from journalists he’d worked with there. He was obsessed with David Leigh and Nick Davies, two of the main reporters. ‘Davies is extremely hostile to me,’ Assange said. ‘The Guardian basically double-crossed the organisation in the worst way.’ (The Guardian denies this.) ‘We left them with a cache of cables – to act as security in case any of us got it in the neck – and they made a copy of the data. They were against my getting other media organisations involved, so they leaked the data to the New York Times and others and they behaved abominably. Davies has a known personal animosity towards me.’
‘Because he’s an old man who’s basically at the end of his career. He can’t bear it that a one-time source of advancement has gone away. He wrote a smear about me and none of the Guardian management stood in his way.’ He mentioned Ian Katz as failing in this regard. He said the Guardian’s behaviour would likely be laid out in the Der Spiegel book, and that the Guardian journalists were obviously keen to put out their version. ‘They have scheduled the book to come out at the time of my legal hearing, to cause maximum damage.’
‘Surely not,’ I said, incredulous. ‘Wouldn’t they wait, just for old time’s sake?’
‘You’re joking.’
I’d never been with a person who had such a good cause and such a poor ear, nor had I met a head of an organisation with such an unending capacity to worry about his enemies and to yawn in one’s face. I asked him how he thought the court case would turn out. ‘I have, I’d say, a 40 per cent chance of being freed,’ he said. ‘If they free me on 6 February, I’ll leave the country immediately because in this country there would be a second arrest and the US will be determined to have me extradited. I would sooner be in a country where no extradition treaty exists with the US, such as Cuba or Switzerland. A lot of people in America want me dead and there was an article in the Washington Times which showed my face with a target on it and blood coming out the back of my head.’
I spoke to Jamie Byng, who made the point that Julian didn’t appear to see how unattractive he could seem. He said the book would fail if we didn’t know how to temper or transform that; if the book didn’t save him from himself and go deeper than his defences. I knew what he meant. I told him I was trying to give Julian a crash course in self-deprecation, and would continue to insist that he not make himself the hero of every anecdote. I told Jamie the work WikiLeaks was trying to do might be bigger than Julian’s ability to articulate it.
There was this incredible need for spy-talk. Julian would often refer to the places where he lived as ‘safe houses’ and say things like, ‘When you go to Queensland there’s a contact there you should speak to.’
‘You mean a friend?’ I’d say.
‘No. It’s more complicated than that.’ He appeared to like the notion that he was being pursued and the tendency was only complicated by the fact that there were real pursuers. But the pursuit was never as grave as he wanted it to be. He stuck to his Cold War tropes, where one didn’t deliver a package, but made a ‘drop off’. One day, we were due to meet some of the WikiLeaks staff at a farmhouse out towards Lowestoft. We went in my car. Julian was especially edgy that afternoon, feeling perhaps that the walls were closing in, as we bumped down one of those flat roads covered in muck left by tractors’ tyres. ‘Quick, quick,’ he said, ‘go left. We’re being followed!’ I looked in the rear-view mirror and could see a white Mondeo with a wire sticking out the back.
‘Don’t be daft, Julian,’ I said. ‘That’s a taxi.’
‘No. Listen to me. It’s surveillance. We’re being followed. Quickly go left.’ Just by comical chance, as I was rocking a Sweeney-style handbrake turn, the car behind us suddenly stopped at a farmhouse gate and a little boy jumped out and ran up the path. I looked at the clock as we rolled off in a cloud of dust. It said 3.48.
‘That was a kid being delivered home from school,’ I said. ‘You’re mental.’
‘You don’t understand,’ he said. 
What Julian lacked in efficiency or professionalism he made up for in courage. What he lacked in carefulness he made up for in impact. In our overnight conversations, he told me about the mindset of the expert hacker. He described how, as a teenager, he’d wandered through the virtual corridors of Nasa, Bank of America, the Melbourne transport system or the Pentagon. At his best, he represented a new way of existing in relation to authority. He wasn’t very straightforwardly of the left and couldn’t have distinguished dialectical materialism from a bag of nuts. He hates systems of belief, hates all systems, wants indeed to be a ghost in the machine, walking through the corridors of power and switching off the lights. I found myself writing notes culled from what he said to me about himself. ‘When you’re a hacker you’re interested in masks within masks,’ and ‘We could undermine corruption from its dead centre. Justice will always in the end be about human beings, but there is a new vanguard of experts, criminalised as we are, who have fastened onto the cancer of modern power, and seen how it spreads in ways that are still hidden from ordinary human experience.’ 
But he was also losing touch with promises he had made and contracts he’d signed. His paranoia was losing him support and in a normal organisation, one where other people’s experience was respected and where their value was judged on more than ‘loyalty’, he would have been fired. I would have fired him myself if I hadn’t been there merely to help him straighten out his sentences. But his sentences too were infected with his habits of self-regard and truth-manipulation. The man who put himself in charge of disclosing the world’s secrets simply couldn’t bear his own. The story of his life mortified him and sent him scurrying for excuses. He didn’t want to do the book. He hadn’t from the beginning.

Mental Health Privacy in US

The US Department of Health and Human Services (HHS) has released guidance regarding interpretation of the HIPAA Privacy Rule in relation to mental health information about individuals.

The guidance covers circumstances in which the Privacy Rule permits health care providers to communicate with family members and others to enhance the treatment of patients and assure safety.

It includes answers to questions about when it is appropriate under the Privacy Rule for a health care provider to
  • share the protected health information of a patient who is being treated for a mental health condition
  • communicate with a patient’s family members, friends, or others involved in the patient’s care, depending on whether the patient is an adult or a minor
  • consider and address the patient’s capacity to agree or object to the sharing of their information
  • involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy
  • listen to family members about their relatives receiving mental health treatment.
The guidance clarifies how providers may communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to themselves or others. It also deals with
  • heightened protections afforded to psychotherapy notes by the Privacy Rule, 
  • a parent’s right to access the protected health information of a minor child as the child’s personal representative, 
  • potential applicability of Federal alcohol and drug abuse confidentiality regulations or state laws that may provide more stringent protections for the information than HIPAA, 
  • the interaction of HIPAA and the national Family Educational Rights and Privacy Act (FERPA) in a school setting. Student health information held by a school generally is subject to FERPA rather than HIPAA.
The guidance notes that
The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers issued on January 15, 2013, and below.
Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.

21 February 2014

US Whistles

'The Federal Media Shield Folly' by Brad A. Greenberg in (2013) 91 Washington University Law Review 437-451 comments -
The [US] Free Flow of Information Act of 2013 purports to “maintain the free flow of information to the public” by providing various degrees of protection to journalists, conditioned on whether the matter is germane to a civil or criminal case, or relates to national security. Journalists and publishers from traditional media overwhelmingly have endorsed the bill and urged passage; the bill also enjoys bipartisan support in the Senate and from President Obama. The only cognizable debate has concerned whether the law should limit its scope to professional journalists or extend to anyone doing journalism. However, the bill, which purports to preserve the flow of information by protecting sources’ expectations of confidentiality, would do little to thwart government pursuit of reporters’ records; worse, it distracts public debate from a more serious threat to press freedom.
While discussing the breadth of the shield’s national security exception, this Essay focuses on two core concerns regarding shield’s ability to serve its stated purpose. The first is substantive, namely that the bill overlooks the 800-pound gorilla known as the third-party doctrine. In 1979, the Supreme Court, colored by experiences of dialing a switchboard and asking an operator to connect the caller with a given phone number, held that an individual did not have a Fourth Amendment interest in his phone records. In light of contemporary reporting practices and the third-party doctrine’s expansion to cellular and digital technologies, I argue that any meaningful shield must burden access to phone, e-mail, and related records. Second, I address a practical concern. Internal Justice Department guidelines indicate that a reporter can only be subpoenaed with the approval of the Attorney General. Yet, if passed, a federal reporter shield law would diffuse responsibility across Congress and the Judiciary — in effect, reciprocally shielding the Executive Branch from public accountability.
While the substantive concern suggests that the bill needs further reworking to provide the proscribed protections, the practical account implies that some shield laws would confer more cost than benefit. Whereas journalism advocates tend to see the shield debate as binary — yes or no, good or bad — it is riddled with complexity. That is, some shield is not necessarily better than no shield. Yet, in light of recent threats to the free flow of information and the democratic role information plays in empowering people and holding officials accountable, additional protections are needed. In this Essay, I argue that, at the least, the shield bill in Congress needs to provide stronger limitations on the third-party doctrine. Without those reforms, a reporter can give a source little guarantee of confidentiality.

APP Guidelines

The Office of the Australian Information Commissioner has released Guidelines regarding application of the Australian Privacy Principles.

Those Principles (aka the APP) replace the NPP and IPP that were enshrined in the Privacy Act 1988 (Cth) prior to the amendment that is effective next month.

The OAIC states that -
These APP guidelines may be updated from time to time, including to take account of changes in the Privacy Act or other legislation, determinations made under s 52 of the Privacy Act and relevant tribunal and court decisions. 
The APPs and the APP guidelines apply from 12 March 2014 and cover both Australian Government agencies and organisations covered by the Privacy Act. These new principles replace the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs) (except for ACT Government agencies, who will continue to be covered by the IPPs). 
The APP guidelines outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters we may take into account when exercising functions and powers under the Privacy Act.
The consolidated Guidelines run to some 211 pages.

The OAIC is to be commended for production of the Guidelines and for their release prior to the start date for the amendments.

ACCC Compliance Priorities

The Australian Competition and Consumer Commission (ACCC) has released its 2014 Compliance and Enforcement Policy, outlining its priority areas for the year and "the factors to be taken into account when deciding whether to pursue matters".

The ACCC has identified nine consumer protection priorities:
  • activity in the telecommunications and energy sectors including door to door selling and telemarketing, with a particular focus on savings representations, also referred to as “discounts off what?”
  • emerging consumer issues in the online marketplace, particularly drip-pricing and comparator websites 
  • competition and consumer issues in highly concentrated sectors, in particular in the supermarket and fuel sectors
  • the disruption of scams that rely on building deceptive relationships and which cause severe and widespread consumer or small business detriment 
  • complexity and unfairness in consumer or small business contracts 
  • credence claims, particularly those with the potential to adversely impact the competitive process and small businesses 
  • misleading carbon pricing representations 
  • the ACL consumer guarantees regime, particularly in the context of the sale of extended warranties 
  • consumer protection issues impacting on Indigenous consumers. 
ACCC chair Sims commented that
some forms of conduct are so detrimental to consumer welfare and the competitive process that the ACCC will always assess them as a priority such as cartel conduct, anti-competitive agreements and misuse of market power. Just like other forms of anti-competitive conduct, secondary boycotts can be extremely detrimental to businesses, consumers and the competitive process. Where the ACCC becomes aware of possible secondary boycott conduct, it will investigate.

Neurolaw and Privacy

'Will There Be a Neurolaw Revolution?' by Adam J. Kolber in (2014) 89 Indiana Law Journal 807-845 argues that
The central debate in the field of neurolaw has focused on two claims. Joshua Greene and Jonathan Cohen argue that we do not have free will and that advances in neuroscience will eventually lead us to stop blaming people for their actions. Stephen Morse, by contrast, argues that we have free will and that the kind of advances Greene and Cohen envision will not and should not affect the law. I argue that neither side has persuasively made the case for or against a revolution in the way the law treats responsibility. 
There will, however, be a neurolaw revolution of a different sort. It will not necessarily arise from radical changes in our beliefs about criminal responsibility but from a wave of new brain technologies that will change society and the law in many ways, three of which I describe here: First, as new methods of brain imaging improve our ability to measure distress, the law will ease limitations on recoveries for emotional injuries. Second, as neuroimaging gives us better methods of inferring people’s thoughts, we will have more laws to protect thought privacy but less actual thought privacy. Finally, improvements in artificial intelligence will systematically change how law is written and interpreted. … 
The emerging field of neurolaw addresses two major topics that have only limited overlap. The “neurolaw of responsibility” concerns how neuroscience will and should affect laws related to responsible action. It was traditionally addressed by punishment theory and the philosophy of action. The “neurolaw of technology,” by contrast, concerns the ways the law will and should respond to new brain-related technologies. It covers issues traditionally addressed by applied ethics. Both topics require familiarity with law and neuroscience, but they otherwise examine rather different issues. Nevertheless, since both fields happen to involve law and neuroscience, the neurolaw moniker seems to have stuck. 
Greene, Cohen, and Morse write principally about the neurolaw of responsibility. They spend much of their energy defending their substantive views about free will, though none of them purport to offer a new argument to break the free will impasse. Greene and Cohen also claim that advances in neuroscience will change the way we think about punishment, but they have yet to persuasively defend the claim. Similarly, Morse may be right that we ought to understand the law in compatibilist terms, but current law may be rooted in contrary assumptions. 
While prospects for a responsibility revolution remain hard to predict, I claim that there will be a technology-driven neurolaw revolution. The law will change in many ways, and I focus on three hypotheses: (1) the differences in how the law treats emotional and physical injuries will diminish as neuroscientists develop more objective methods of identifying and assessing emotional injuries; (2) new methods of “mind reading” will lead us to have less thought privacy but more thought privacy laws; and (3) as autonomous and semiautonomous machines become more integrated into human life, they will have systematic effects on the law and its interpretation, perhaps by increasing the concretization of the law. The precise details of how technology will develop are hard to predict, but by trying to predict the path of technology, we can hope to make the law better prepared for the changes to come.
Kolber argues that there will be "More Privacy Laws but Less Privacy" -
 Researchers are working on a variety of technologies aimed at what can loosely be referred to as mind reading. For example, based on measurements of brain activity, researchers can make pretty good guesses about what images are shown to a subject in a brain scanner, be it a still image or even, to some extent, a video. One recent study demonstrated that subjects under fMRI can be taught to mentally spell words in a manner that can be decoded in real time by researchers, a technique that could prove especially helpful for people with locked-in syndrome or other conditions that make it difficult to communicate. Neuroscientist Jack Gallant predicts that “[w]ithin a few years, we will be able to determine someone’s natural language thoughts using fMRI-based technology.” 
These new brain imaging techniques point to a future where our thoughts will not be as private as they are now. We will not read minds directly in any spooky sense, but we will continue to get better at identifying correlations between brain activity and mental activity and using brain activity to make predictions about mental activity. 
Legal scholars have focused their attention on efforts to develop more accurate lie detectors. Brain-based methods of deception detection are still in the early stages. Much of the research compares the brain activity of a group of “honest” subjects relative to a group of “dishonest” subjects. More helpful research to determine whether a particular person is lying is beginning to accumulate, but the testing has always been done in somewhat artificial contexts. If we put aside concerns about how well these experiments apply to real-life contexts, most published studies report using fMRI to distinguish honesty and deception at accuracies “between 70% and slightly over 90%.” 
But even if we develop a lie detector that works well with the cooperative subjects that tend to participate in experiments, very little research examines the possible countermeasures people could take to fool such a device. One fMRI study was 100% accurate in detecting the lies of individual subjects, but accuracy fell to 33% when subjects used countermeasures they were trained to apply. So even though at least two companies have marketed brain-based methods of lie detection, many neuroscientists are skeptical of the current state of the technology. Indeed, two recent attempts to introduce fMRI evidence of deception in court were unsuccessful. 
Nevertheless, deception detection has so many potential uses that the incentives to improve it are quite strong. Someday, the technology will at least be a useful aid in assessing credibility. When that day comes, many questions will be raised about how, if at all, the technology should be used in court. The real question we ought to ask ourselves when considering some supposed lie detector is: will we tend to get more accurate outcomes with or without it? 
The answer may depend on the context. Lie detection evidence offered by prosecutors to provide evidence of guilt beyond a reasonable doubt would have to be extremely accurate, while lie detection evidence offered by a defendant to generate a reasonable doubt could be much more imperfect. Deciding whether or not brain-based lie detection will improve outcomes, however, will put us in an awkward position: we will have to compare the error rates of lie detection technology to our current technology, namely, the jury, and we know relatively little about how well juries assess credibility. What we do know is that people are not very good at detecting deception, and there is little correlation between people’s confidence in their ability to detect deception and their accuracy. Our entrenched preference for jury decision making is largely a result of the path of history, rather than an empirically validated conclusion about how good juries are at discerning credibility. 
In an opinion in United States v. Scheffer, Justice Clarence Thomas, joined by three other Justices, wrote that a rule banning all polygraph evidence in military trials serves the legitimate government interest of preserving jurors’ “core function of making credibility determinations in criminal trials.” According to Thomas, “[a] fundamental premise of our criminal trial system is that ‘the jury is the lie detector.’” His remarks admit the possibility that even perfectly accurate lie-detection evidence could be excluded from the courtroom on the ground that it would infringe the province of the jury. 
In my view, excluding accurate lie-detection information to protect the province of the jury makes a mockery of the justice system. The most important role of trials is to uncover the truth as best we can. To do so, we ought to use the best technology that cost-effectively helps us do so. There are legitimate concerns that poor quality lie detection evidence could irrationally sway jurors. They may not understand how the technology works or how to interpret known rates of error. But it would be foolish to keep some high-quality future lie detector out of the courtroom — under a blanket rule — simply because credibility determinations have traditionally been made by jurors. 
Of course, even a perfectly accurate lie detector could not usurp all jury functions. Some cases do not depend on credibility assessments at all. For example, whether or not conduct was consistent with that of a reasonably prudent person cannot be determined by a lie detector alone. Moreover, when cases do depend on witness credibility, there is an important difference between honesty and truth. Honest assertions are not necessarily true. A person may believe he committed a crime that, in fact, never occurred. Similarly, a dishonest assertion can turn out to be true. A gunman may believe he fired the coup de grâce shot that ended the life of a rival gang member. Denying that he killed the rival would be dishonest, even if unbeknownst to him, the deceased was already dead before he fired. 
If direct attempts at brain-based lie detection fail, other mind reading efforts may still prove helpful. The technologies discussed in the preceding section on the experiential future can serve as indirect methods of lie detection by telling us whether a person’s pain claims are likely to be false. (In fact, pain measurement techniques could give us information that cannot be obtained from truthful subjects. Even when a person honestly reports his pain as “9” on a scale of 1 to 10, we cannot easily compare his report to those of others.) 
Researchers are improving their understanding of other experiences, as well, including sexual arousal. One study examined the brain activity of male pedophiles and male non-pedophiles when shown images of nude children. Researchers used brain activity to accurately classify the pedophilia status of more than 90% of subjects. While this technique may be subject to countermeasures, it may be less so than other techniques used to classify pedophiles. Another study looked at the brain activity of subjects while they looked at male and female human genitalia. Researchers could determine sexual orientation with more than 85 percent accuracy. 
Of course, all of this work on mind reading raises privacy concerns. The pedophilia research suggests that fMRI could someday be used to assess the likelihood that a person has committed or will commit a sex crime. The research on sexual orientation could potentially bear on the distribution of assets in a divorce or the way prisoners are segregated. Other neuroscientific research may uncover conscious or unconscious racial biases. People could be scanned for one purpose, say, to see how an advertising campaign affects their brains, while they inadvertently generate information that bears on their racial biases, sexual orientation, and other sexual preferences. One group of researchers recently demonstrated that the very simple electroencephalography (EEG) sensors in certain mass-market video games can already be used to make plausible inferences about gamers’ private “information related to credit cards, PIN numbers, the persons known to the user, or the user’s area of residence,” and may enable more confident inferences as these sensors improve. 
Brain imaging may even inform questions about mens rea. It might help us assess a person’s capacity to generate some mental state or bear on the credibility of a person’s statements about his past mental states. Brain imaging might even have more direct applications. For example, one group of researchers is trying to use fMRI to identify the culpable mental states described by the Model Penal Code. Imagine a border crossing where someone is transporting a suspicious container. Before opening it, we could scan the brain of the person carrying the container to see if his brain is consistent with a culpable mental state of knowledge, recklessness, or negligence with respect to its contents. (The person might have to believe he was randomly selected for screening so that the mere fact of being selected does not significantly alter his beliefs.) 
Accurate mind-reading technologies would raise a host of questions: For example, when, if ever, could prosecutors use brain-based lie detectors to incriminate or defendants to exculpate? How would police and other investigators use such tools? Could they be used by employers to make hiring and firing decisions? 
Even if accurate mind-reading techniques are still decades away, we already have reason to think about their implications because of what I call the technological look-back principle. If we develop an accurate lie detector thirty years from now, you can be asked in 2044 about your conduct today in 2014. When you are in such a scanner in 2044, your spouse could ask if you have ever been unfaithful, and the police could ask if you have ever killed someone. And just as campaigning politicians often make their tax returns public even though they are under no legal obligation to do so, voters may expect politicians to go into a scanner and tell them what their intentions really are and whether or not they have ever acted corruptly. 
I am not arguing that we need legislation today to prepare for all of the potential future uses of mind-reading techniques. We would have little confidence that such legislation would survive the intervening period or that it would take the appropriate form. Moreover, we often worry too much about the privacy concerns raised by new technologies in ways that unnecessarily hinder their development. 
But those expecting to be alive in coming decades or who care about those who will should begin to think about the privacy implications of mind-reading technologies. Many who shed their DNA while committing crimes before DNA sequencing became common are now in prison, prosecuted with evidence they never imagined could be used against them. Our memories may become the evidence that embarrasses or incriminates us in the future. 
I offer two general predictions about how our rights to privacy may change in a world with better mind-reading technology. First, as the preceding suggests, we will have less mental privacy as advances in neuroscience make it easier to infer thoughts and thought patterns. We strike a balance between the societal value of making information public and the value to a person or group of people of keeping it private. These costs and benefits push and pull each other to reach a certain equilibrium. Neuroscience will reduce the costs of obtaining otherwise private information and will likely enable access to information that would otherwise be unavailable. Given that societal demand for information is likely to stay the same or increase, the equilibrium is likely to shift toward more information gathering. 
In the days before the Internet, one could hire a private investigator to learn about people’s occupations, family members, and various likes and dislikes. Today, such information is frequently easy to obtain. Indeed, many people publicize it themselves on social networking sites. Even when people try to keep their own information private, their associates still generate information about them. As technology makes information easier to obtain, it becomes harder to keep private. Second, I speculate that we will craft more laws to protect thought privacy. Right now, there is little we can do to penetrate the thoughts of people who prefer to keep them secret. Only when we have plausible methods of doing so will we fully see the need to create laws to protect thought privacy. For example, as polygraphs became more reliable and widespread, Congress passed the Federal Employee Polygraph Protection Act in 1988 to prohibit most private employers from subjecting employees to polygraphs and other forms of lie detection. And just as we have seen an onslaught of laws to protect electronic privacy, we will see new laws directed at protecting the privacy of our thoughts. Laws addressing rights to read minds or to be free of mind reading will grow more prevalent, complex, and controversial in a world with more accurate neurotechnology. Hence, we will have more law protecting thought privacy but less actual thought privacy.


The Criminal Code Amendment (Identity Crime) Bill 2014 (NT), read a first time in the Territory's Legislative Assembly, provides for insertion into the Criminal Code Act of new offences that specifically address identity theft.

The Bill features
228C Dealing in identification information 
(1) A person commits an offence if:
(a) the person deals in information; and 
(b) the information is identification information; and 
(c) the person does so with intent to commit a crime or facilitate the commission of a crime.
Maximum penalty: Imprisonment for 7 years.
(2) This section applies:
(a) even if the crime mentioned in subsection (1)(c) is impossible to commit; and 
(b) whether or not the victim consented to the dealing in the identification information. 
(3) This section does not apply to dealing in a person's own identification information. 
228D Possessing identification information 
(1) A person commits an offence if:
(a) the person possesses information; and 
(b) the information is identification information; and 
(c) the person does so with intent to commit a crime or facilitate the commission of a crime.
Maximum penalty: Imprisonment for 3 years.
(2) This section applies:
(a) even if the crime mentioned in subsection (1)(c) is impossible to commit; and 
(b) whether or not the victim consented to the possession of the identification information. 
(3) This section does not apply to the possession of a person's own identification information. 
228E Possessing equipment used to deal in identification information or identification documentation 
(1) A person commits an offence if:
(a) the person possesses equipment; and 
(b) the equipment can be used to deal in identification information or identification documentation; and 
(c) the person does so with intent to commit a crime or facilitate the commission of a crime. 
(2) This section applies even if the crime mentioned in subsection (1)(c) is impossible to commit.
Maximum penalty: Imprisonment for 3 years.
28C Court may issue certificate to victim of identity crime 
(1) The Court may, on application by a person (the victim), issue a certificate if satisfied on the balance of probabilities that:
(a) an offence against section 228C, 228D or 228E of the Criminal Code has been committed; and 
(b) the victim's identification information was the subject of the offence; and 
(c) the certificate may assist the victim to deal with any problems the commission of the offence has caused in relation to the victim's personal or business affairs.
(2) The Court may issue a certificate whether or not: 
(a) the person who committed the offence is identifiable; and 
(b) any criminal proceedings have been or can be taken against a person in relation to the offence or are pending.
(3) A certificate must:
(a) identify the victim of the offence; and 
(b) explain how identification information relating to the victim was used to commit the offence; and 
(c) contain any other information the Court considers appropriate in order to assist the victim to deal with any problems the commission of the offence has caused in relation to the victim's personal or business affairs.
(4) Despite subsection (3), a certificate must not identify the person who committed, or allegedly committed, the offence to which it relates. 
(5) A certificate is not admissible as evidence in any criminal proceedings in relation to the offence to which it relates.
'Identification documentation' refers to "a document or other thing" that: (a) contains identification information; and (b) can be used by a person to pretend to be, or to pass the person off as, another person (whether living, dead, real or fictitious).

'Identification information' means
information that can be used (whether alone or in conjunction with other information) to identify, or purportedly identify, a person (whether living, dead, real or fictitious), including the following:
(a) a name, address, date of birth or place of birth; 
(b) information as to a person's marital status; 
(c) information about the relatives of a person; 
(d) a driver's licence or driver's licence number; 
(e) a passport or passport number; 
(f) biometric data; 
(g) a voice print; 
(h) a credit or debit card, its number, or data stored or encrypted on it; 
(i) a financial account number, user name or password; 
(j) a digital signature; 
(k) a series of numbers, letters, symbols (or a combination of these) intended for use as a means of personal identification; 
(l) an ABN, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth).

20 February 2014


'Hermeneutics, Jurisprudence and Law' by Ralf Poscher in Jeff Malpas and Hans-Helmuth Gander (eds) Routledge Companion to Philosophical Hermeneutics (Routledge, Forthcoming) offers
an overview of the discussion of hermeneutics in legal theory from the beginning of the 19th century to the present. It organizes the different scholarly strands along the lines of the distinction between interpretation and construction, which runs like a clear thread through the hermeneutical discussion from its beginning to its present in both the continental and the Anglo-Saxon tradition. Examining authors as diverse as Friedrich Karl von Savigny, Francis Lieber, Emilio Betti, Hans-Georg Gadamer, Paul Ricoeur, Ronald Dworkin and Michael Moore an attempt is made to get an analytical grip on the distinction by emphasizing the categorical difference between the two hermeneutical activities. Pursuing the analytical distinction, however, is only the first step of the analysis. In the third part, the relations and the interconnectedness of legal interpretation and legal construction come into focus. They can help to explain some of the major controversies in legal hermeneutics and also why the analytically clear cut distinction is so difficult to draw in the actual legal practice. At the level of legal doctrine the interconnectedness of legal interpretation and legal construction cautions against tendencies especially in administrative but also in constitutional law to define the role of courts with the help of the distinction.
Poscher comments that
Hans Georg Gadamer famously referred to the law and its application as revealing a general feature of hermeneutics, which by the time of his “Truth and Method” had developed – Martin Heidegger’s lead – into a fundamental ontological concept. For Heidegger and Gadamer, our most fundamental relation with the world is hermeneutical. Heidegger insisted that we are ontologically situated in a world that is always already interpreted, that always already comes with a certain meaning. There are no uninterpreted objects, no objects as such (Heidegger 2010: § 32). A hammer is the object it is because we interpret it as such with respect to certain purposes and usages (cf. ibid. § 18). Our understanding of the world is thus hermeneutical in the most fundamentally ontological way. One feature of this existential hermeneutics is what Heidegger called the “fore‐structure of understanding” (ibid. § 32), which Gadamer coined into the famous “fore‐understanding” (Vorverständnis) of the hermeneutical subject (Gadamer 1989: 265–307). Our world is shaped by the hermeneutical fore‐understanding with which we encounter it. We see a hammer as a hammer only if we already know about hammering, nails and so forth. The involvement of the hermeneutical subject, its situatedness in the present, its particular hermeneutical fore‐understanding became a central theme for Gadamer. He rejected the concept of Romantic hermeneutics as developed by Schlegel, Schleiermacher, Ast, and others and taken up in large part not only by legal methodology but also by nineteenth‐century historiography. He rejected the idea that interpretation should aim to reconstruct the intentions or experiences of the author, since this did not take into account the importance of the situatedness and fore‐understanding of the hermeneutical subject.
For Gadamer, the case in point for showing that understanding always involves situatedness and fore‐understanding is law. The central task in law is the application of a – historical – text to a present case. Due to changing historical contexts, for Gadamer the application of a legal text to the present always requires that the normative content of the law be determined anew (Gadamer 1989: 327). The application of the law amounts to more than the historical or psychological reconstruction of legislative intentions. It requires the mindful and prudent adaption or “appropriation” (Ricœur 1981) of the law to present circumstances and cases. It not only requires technical legal skills but practical wisdom: Aristotelian phronesis not mere techne (Gadamer 1989: 317–324). For Gadamer, “legal hermeneutics is no special case but is, on the contrary, capable of restoring the hermeneutical problem to its full breadth and so re‐establishing the former unity of hermeneutics” (Gadamer 1989: 328). In this perspective, legal hermeneutics brings the applicational element of any hermeneutics into the spotlight, which Gadamer sees at work in historical interpretation as well. First, a historian too cannot help but approach a historical text from the perspective of his contemporary understanding (Gadamer 1989: 327) and can – following Gadamer – only bridge the gap by a fusion of horizons (Gadamer 1989: 307). Second, Gadamer points to the fact that historiography is not interested in historical facts as such, but in their meaning in an emphatic sense, which can only be constructed by relating it to our present interests and concerns (Gadamer 1989: 328).
Gadamer’s account of legal hermeneutics has been quite influential. Even critics of Gadamer’s views on historical hermeneutics like Emilio Betti (Betti: 81–84) stress that legal hermeneutics show the specific constructive elements mediating between the historical horizon of the text and its present application. But unlike Gadamer, Betti regards legal hermeneutics as a special form of hermeneutics, which he describes as “value‐oriented” or “normative”.
 “That the application of the law demands a legal interpretation that is related to the present and to contemporary society follows by necessity out of the function of the law as the ordering of co‐existence in a human community. It is part of its essence, therefore, that it should achieve a concretion of the law; it should be practically relevant in that it is called upon to provide a legally adequate direction and directive for communal existence and behaviour.”


There's an old gibe that vaudeville isn't dead, it just smells that way.

I was reminded of that claim in reading reports that retail giant Coles has defended its use of the descriptor “baked today, sold today” in a federal court action brought by the Australian Competition and Consumer Commission (ACCC).

The ACCC, represented by Colin Golvan SC, has argued that the bread is partially baked before being sold in store, with Golvan commenting
It essentially involves a process where [a] product is cooked to the part where the interior is complete and there is a commencement of the baking of the crust, which is left to be finished by Coles
Representations by Coles were false, misleading and deceptive on the basis that baking occurred six months before the bread was sold in stores.

Last year it was argued in court that the bakery products were either made in Ireland or had been initially baked in different locations in Australia.

In a nice example of casuistry Coles claims that it was not suggesting that the bread was baked on the day.
What is happening with this ‘baked today, sold today’ in a Coles supermarket is that a consumer is being given the choice between the juxtaposition, the commercially manufactured bread, which has preservatives and keeps for longer, with the bread that is baked in-store and doesn’t have preservatives.
The bread that is baked in-store is crunchier, and smells and has the flavour of freshly baked bread. That’s what we submit it is.
In mid 2013 the ACCC indicated that
The ACCC is alleging false, misleading and deceptive conduct in the supply of bread that was partially baked and frozen off site, transported to Coles stores and ‘finished’ in-store. The products were then promoted as ‘Baked Today, Sold Today’ and/or ‘Freshly Baked In-Store’ at Coles stores with in-house bakeries. 
The legal action covers various ‘Cuisine Royale’ and ‘Coles Bakery’ branded bread products. The ACCC alleges that labels on these par baked products stating ‘Baked Today, Sold Today’ and in some cases ‘Freshly Baked In-Store’, and nearby prominent signs stating ‘Freshly Baked’ or ‘Baked Fresh’, were likely to mislead consumers into thinking that the bread was prepared from scratch in Coles’ in-house bakeries on the day it was offered for sale and that it was entirely baked on the day it was offered for sale. 
Coles also uses these same representations to promote bread that has been made from scratch in Coles’ in-store bakeries. The ACCC is concerned that Coles’ lack of distinction in its promotional representations between bread products that are freshly prepared from scratch and par baked products is misleading to consumers and places competing bakeries that do freshly bake from scratch at a competitive disadvantage. 
ACCC Chairman Rod Sims said, “There are two important issues at stake. First, consumers must be able to make informed purchasing decisions. Bread is an important grocery basket staple and customers need to be confident in claims made about food they buy.” 
“We believe consumers are likely to have been misled by Coles that the entire baking process, including preparation, occurred in-store, when in fact the bakery products were prepared and partially baked off site, frozen, transported and then ‘finished’ in store. Indeed, the Cuisine Royale products were partially baked overseas.” 
“Second and just as important, is the detrimental impact on the businesses of competitors. Misleading credence claims can undermine the level playing field and disadvantage other suppliers. In this case those suppliers are the smaller, often franchised bakeries that compete with Coles,” Mr Sims said. 
In the past few years, Coles has heavily promoted its in-store bakeries and introduced a number of ‘rustic’ bread lines. Many of these ‘artisan-like’ breads have been par baked and frozen before being ‘finished off’ before sale, whereas many independent bakeries make their bread from scratch in the bakery on the day of sale. 
Bringing this action is part of the ACCC’s publicly declared enforcement priority of investigating credence claims, particularly in the food industry, with the potential to significantly impact consumers and competitors.


'Patent Trolling — Why Bio & Pharmaceuticals are at Risk' by Robin Feldman and W. Nicholson Price II comments that
Patent trolls — also known variously as non-practicing entities, patent assertion entities, and patent monetizers — are a top priority on legislative and regulatory reform agendas. In the modern debates, however, the biopharmaceutical industry goes conspicuously unmentioned. Although biopharmaceuticals are paradigmatically centered on patents, conventional wisdom holds that biopharmaceuticals are largely unthreatened by trolls. This article shows that the conventional wisdom is wrong, both theoretically and descriptively. In particular, the article presents a ground-breaking study of the life science holdings of five major universities to determine if these might be attractive to monetizers. 
This was deliberately a light, rather than an exhaustive, search. Nevertheless, we identified dozens of patents that could be deployed against current industries. These include patents on active ingredients of drugs; methods of treatment; screening methods to identify new drugs; manufacturing methods; dosage forms; and ancillary technologies that could be deployed in a “peddler’s bag” approach. The article describes the types of patents we found, including an example of each type. 
In deciding whether to undertake this analysis, we lost sleep over whether the potential for harm outweighed the potential benefit. If reform efforts are not undertaken, our work could do no more than provide a handy road map for those who would follow. However, with scattered anecdotal evidence suggesting that monetization is moving into biopharmaceuticals, life sciences trolling is predictable and in its infancy. If reforms are implemented before the problem proliferates, legislators and regulators could cabin the activity before it becomes deeply entrenched and too much harm occurs.

Vexatious People in Victoria

Given the recent judgments in New South Wales regarding a vexatious litigant (noted here and here) it is useful to note the Vexatious Proceedings Bill 2014 (Vic), introduced and read for the first time in the Victorian Legislative Assembly.

The Attorney-General indicates that the proposed legislation will introduce "a new regime for the management and prevention of vexatious litigation in Victorian courts and tribunals".
The Bill aims to improve the effectiveness of the justice system by ensuring that unmeritorious litigation is disposed of at an early stage and that persons are prevented from wasting court time with further unmeritorious cases. This will allow court and judicial resources to be allocated to the determination of meritorious cases, which will reduce delays in the court system for other pending matters. 
The Bill enables the Supreme Court, the County Court, the Magistrates' Court and VCAT to make various types of "litigation restraint orders", which increase in severity in accordance with a person's litigation history and pattern of vexatious behaviour. The Children's Court is also given the power to make litigation restraint orders, but only in relation to litigation conducted under the intervention order legislation. The tiered approach to litigation restraint orders promotes early intervention and aims to provide flexibility for the Courts and VCAT to adopt a proportionate response to a person's conduct. 
The Bill draws upon recommendations made by the Victorian Parliamentary Law Reform Committee in 2008, and also implements aspects of a Model Bill approved in 2004 by the former Standing Committee of Attorneys-General (Model Bill). 
The Bill repeals the vexatious litigation regimes in the Family Violence Protection Act 2008 (Vic) and the Personal Safety Intervention Orders Act 2010 and re-enacts those regimes in the Bill to align those regimes with the new regime established under the Bill.

Victorian Mental Health Law

In Victoria the Mental Health Bill 2014 (Vic) is past the first reading stage.

In summary the Bill is for an Act to provide a legislative scheme for the treatment of persons with mental illness, to repeal the Mental Health Act 1986 (Vic), to make consequential amendments to the Sentencing Act 1991 (Vic), the Crimes (Mental Impairment and Unfitness to be Tried) Act 1997 (Vic) and other Acts and for other purposes.

Its specific purposes are -
(a) to provide a legislative scheme for the assessment of persons who appear to have mental illness and for the treatment of persons with mental illness; and 
(b) to provide for the appointment of the chief psychiatrist; and 
(c) to establish the Mental Health Tribunal; and 
(d) to establish the Mental Health Complaints Commissioner; and 
(e) to continue the Victorian Institute of Forensic Mental Health; and 
(f) to provide for the appointment and functions of community visitors; and 
(g) to repeal the Mental Health Act 1986; and 
(h) to amend the Sentencing Act 1991 and the Crimes (Mental Impairment and Unfitness to be Tried) Act 1997; and 
(i) to make consequential and statute law amendments to other Acts.
In the Northern Territory the Criminal Code Amendment (Expert Psychiatric or Medical Evidence) Bill 2013 (NT) has been read a third time, passed all stages and is awaiting assent.

19 February 2014


A recent post noted concerns regarding the UK care.data initiative, i.e. proposals to commercialise anonymised/pseudonymised whole-of-population health data gathered from UK National Health Service hospitals and general practitioners on a poorly-managed opt-out basis.

(Another piece on concerns regarding commercialisation of NHS Big Data is here).

The UK Independent now reports that the grand plan has been somewhat delayed
Although leading groups, including the British Medical Association and the Royal College of General Practitioners (RCGP) initially backed the scheme, both have broken ranks within the past week saying that while they back the principle, NHS England needed to do more to guarantee “the support and the consent of the public”. 
Concerns persisted despite a publicity campaign in which information leaflets were delivered to 26 million households in England in January. Polls suggested that fewer than one in three adults recall receiving the leaflets, which were derided as “junk mail” by critics. Despite containing important information, the leaflets were not addressed to individuals and did not contain an opt-out form. … 
Tim Kelsey, NHS England’s national director for patients and information who has spearheaded care.data, said the NHS was “determined to listen”. 
He added: “We have been told very clearly that patients need more time to learn about the benefits of sharing information and their right to object to their information being shared ... [and] that is why we are extending the public awareness campaign by an extra six months.” … 
A Department of Health spokesman said ministers support the decision to delay the launch. “This is a vital programme which will bring real benefits to patients. But concerns over how this has been explained to patients have been raised which must be addressed,” he said. 
Dr Chaand Nagpaul, chair of the BMA’s GP committee, said it was “only right” that the public “fully understand what the proposals mean to them and what their rights are”. 
“With just weeks to go until the uploading of patient data was scheduled to begin, it was clear from GPs on the ground that patients remain inadequately informed,” he said.
The Independent comments
The pause will allow the NHS more time to inform people about “the benefits of using the information, what safeguards are in place, and how people can opt out if they choose to,” officials said. 
The Department of Health has grown increasingly concerned in recent weeks that NHS England has not sufficiently reassured the public – nor the medical profession – about how the care.data programme would benefit patients. Critics have also warned that the private data, which will be held centrally in a “pseudonymised” form, could be vulnerable to hackers who would be able to identify individual patients.
In France, meanwhile, the Commission nationale de l’informatique et des libertés (CNIL) reports -
On 3 January 2014, the CNIL’s Sanctions Committee issued a decision against Google for infringing several provisions of the French Data Protection Act. It consequently ordered the company to pay an administrative fine of 150.000 € and to publish a communiqué referring to its decision on the homepage « www.google.fr ». 
The company had requested the Conseil d’Etat (the French High Administrative Court) to suspend this publication order. In a ruling dated 7 February 2014, the judge rejected this request. 
Google must publish this communiqué for a period of 48 hours in accordance with the modalities set by the Sanctions Committee. 
This decision does not prejudice the final claim against the decision that is still pending in the Conseil d’Etat.

Refugee Data Breach

The Guardian has revealed that there has been a serious data breach involving the Department of Immigration and Border Protection.
The personal details of a third of all asylum seekers held in Australia – almost 10,000 adults and children – have been inadvertently released by the Department of Immigration and Border Protection in one of the most serious privacy breaches in Australia’s history. 
A vast database containing the full names, nationalities, location, arrival date and boat arrival information was revealed on the department’s website, raising serious concerns that thousands of asylum seekers have had confidential details made public.
Every single person held in a mainland detention facility and on Christmas Island has been identified in the database, as well as several thousand who are living in the community under the community detention program. A large number of children have been identified in the release, which also lists whether asylum seekers are part of family groups. 
The breach raises serious questions about whether those identified could be placed at risk of retribution if they are returned to their countries of origin. ... 
Guardian Australia has chosen not to identify the location of the data and made the department aware of the breach before publication. 
The Department of Immigration has released a statement saying the information was never intended to be in the public domain. 
“The department acknowledges that the file was vulnerable to unauthorised access. The department is investigating how this occurred to ensure that it does not happen again,” it said.
So far there has been no statement from the Office of the Australian Information Commissioner, which has been promoting the amendments to the Privacy Act 1988 (Cth) that come into effect next month. The Office has been recurrently criticised in scholarly and civil society organisation literature for its dilatory and permissive response to serious data breaches.

The Commissioner will presumably lament that the Office is under-resourced and under-authorised … and that in dealing with the breach it is inappropriate to take any action until all information is available.

I have argued elsewhere that the Commissioner can and should offset resource problems - or lack of power pending establishment of the amendments - by use of its moral authority.

A quick and public response that condemns bad behaviour - including behaviour, such as egregious invasions of privacy by media organisations, that is permitted by the Act - may be just as effective as any imposition of a financial penalty.

So far there hasn't been a peep from the Office. That's a lost opportunity.

If the Office wants to signal that it is engaged, is vigilant, is positive, and is credible, why not issue a media release indicating that the Commissioner notes with concern reports regarding a major unauthorised disclosure of sensitive information about vulnerable people? Indicate that investigation is underway. Don't wait until directed by the Minister. Don't delay for six months.

The Guardian aptly notes that
At a news conference last November, the immigration minister, Scott Morrison, outlined the government’s responsibility to protect the identities of asylum seekers in its care. 
“What the Australian government has an obligation to do, though, is ensure that we take all steps necessary so as not to violate their identity,” he said. 
“Now, it is important that people who are making claims about asylum can do so in a discreet way and a private way. And we need to take all reasonable steps under our duty of care to ensure that we don’t expose people to that situation.” 
Both the current and previous governments have said the secrecy surrounding Australian detention facilities is necessary to protect asylum seekers’ privacy.
If that is the case, let's be seen to be providing protection. More broadly, since all people - refugees or otherwise - have a right to privacy - let's see the Office announce that the matter is being investigated. Such an announcement doesn't involve a condemnation of the Department or an endorsement of claims by media organisations that are now echoing the Guardian. It does however tell us something about the Office's culture and about the importance of privacy.

As a colleague noted, it takes ten minutes to make a call to the Department, a few words for a short media release and only a few keystrokes to let the world know that exploration is underway. All in all, not very hard. All in all, cost effective. All in all, the responsiveness and initiative that we can reasonably expect from some quite well-paid bureaucrats but alas have not been seeing.
  • update 1: the Commissioner
In a welcome development the OAIC has released the following statement -
Personal information of asylum seekers — Statement from Privacy Commissioner 19 February 2014 
The Office of the Australian Information Commissioner (OAIC) is aware of this data breach. I have spoken to the Department of Immigration and Border Protection and have been assured that the information is no longer publicly available. This is a serious incident and I will be conducting an investigation into how it occurred. As part of this investigation, the Department has undertaken to provide me with a detailed report into the incident. Further, the OAIC will be working with the Department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated.
Past public reports by the OAIC into data breaches have been slow to appear, far less detailed and more permissive than reports by ACMA (notably regarding the latest Telstra data breach). Let us hope that the OAIC acts with vigour.
  • update 2: the Minister
The Minister for Immigration subsequently released the following media statement
Unacceptable breach of privacy 
I am advised that an immigration detention statistics report released on the Department of Immigration and Border Protection's website on 11 February 2014 inadvertently provided access to the underlying data source used to collate the report content which included private information on detainees. 
This is an unacceptable incident. I have asked the department Secretary to keep me informed of the actions that have been initiated, including any disciplinary measures that may be taken, as appropriate. 
Immediate steps were taken to remove the documents from the department's website immediately after the department became aware of the breach from the media. 
The information was never intended to be in the public domain, nor was it in an easily accessible format within the public domain. 
The department Secretary has engaged KPMG to review how this occurred and an interim report is expected to be provided next week. 
As part of that investigation the department has tasked KPMG to review all data publications and to ensure that proper mechanisms will be in place to make sure it doesn't happen again. 
I am advised the department has ensured all possible channels to access this information are closed, including Google and other search engines. It appears the personal information underlying the report cannot be accessed through search engines. 
This is a serious breach of privacy by the Department of Immigration and Border Protection. 
I have received a brief on this matter and have sought assurances that this will not occur again. 
I also welcome the privacy commissioner's investigation into this breach. 
My department will also be requesting that the media organisation that published this data advise if they have disseminated the information to any other parties and to return all copies of the information to the department.
The Guardian responded
[T]here are a few points in the immigration minister’s statement which require a response. 
Morrison says the information was not “in an easily accessible format within the public domain”. Guardian Australia can confirm that the document was freely available for download from a public area of the department’s website, along with many other public files. The document and the data contained within it were straightforward to access. 
In his statement, Morrison reveals details about the document, including the date of its publication and the type of file. In a subsequent television interview, he named the document. Guardian Australia has not released the name or date of the document, to ensure no further breach of privacy. 
Morrison concludes his statement with this paragraph: “My department will also be requesting that the media organisation that published this data advise if they have disseminated the information to any other parties and to return all copies of the information to the department.” 
No such requests have yet been received by Guardian Australia from the department, but we can confirm that we have never published the data, including in our original story; that we have refused all requests for the data from other news organisations, to protect the privacy of those named; and that we have not disseminated the data in any way. 
Guardian Australia notified the department of the breach before publication, and did not publish until the document had been removed from the department’s website. We also notified the privacy commissioner of the breach.
My item in The Conversation, with Benjamin Smith and concentrating on privacy aspects rather than broader duties to vulnerable people under the Migration Act and international law, is here.