Showing posts with label Anonymity and Re-identification. Show all posts
Showing posts with label Anonymity and Re-identification. Show all posts

12 October 2023

Defamation

Yesterday's 2nd Reading Speech for the Defamation Amendment Bill 2023 (NSW) seeks to give effect to the Stage 2 reforms program for Australia's uniform defamation laws. 

It states 

 In summary, there are six key reforms: one, a conditional exemption from defamation liability for conduit, caching and storage services, and for search engines in relation to organic search results; two, updates to the mandatory requirements for an offer to make amends for online publications; three, a requirement for courts to consider balancing factors when making preliminary discovery orders against digital intermediaries; four, a new innocent dissemination defence for digital intermediaries, subject to a simple complaints process; five, a specific power for courts to make non-party orders against digital intermediaries to prevent access to defamatory matter online; and six, expanded electronic means by which notices can be served. 

I now turn to the detail of the proposed digital intermediary amendments. Schedule 1 [1] to the bill adds new defined terms to the existing section 4 definitions of the Defamation Act 2005. The new defined terms are fundamental to the operation of the digital intermediary amendments in the bill. I will explain some of the new defined terms later as I outline the substantive amendment provisions to which they relate. However, some of terms apply broadly across the amendment provisions so I will cover those now, starting with the term ''digital intermediary". First, I note that a lot of policy thinking, consultation and refinement sits behind this definition. Digital intermediary, in the context of the publication of digital matter, is defined to mean: … a person, other than an author, originator or poster of the matter, who provides or administers the online service by means of which the matter is published. 

A note makes clear that there may be more than one digital intermediary in relation to the publication of the same digital matter. ''Online service" essentially means any service provided to a person to enable them to use the internet. This includes using the internet to do a range of things, such as sending or receiving content, searching for content, sharing content and interacting with other people. Some examples of an online service are included in a note to the definition to emphasise the range of services covered by the definition. An ''online service" specifically includes a forum created or administered by a person using a facility provided by an internet‑based social media platform that enables users to share content or interact with other users about a topic. 

The term ''digital intermediary" is intended to apply broadly. It was developed to cover the full spectrum of functions considered by the stage two review of the Model Defamation Provisions. It deliberately includes forum administrators. It is also intended to cover any new or emerging functions, given the pace at which technology in this area evolves. Another important aspect of the definition of 'digital intermediary is the exclusions. The definition specifically excludes the author, originator or poster of the matter because they are not intermediaries. "Poster" is defined to mean a person who uses the online service to communicate the matter to one or more other persons. The terms ''author" and ''originator" are not defined. Both terms are used in the existing innocent dissemination offence at section 32. 

For the purpose of the digital intermediary amendments, firstly, ''author" is intended to cover circumstances such as when a person who writes a defamatory statement is not the person who posts it. Secondly, ''originator" is intended to include anyone who plays a role in creating the content. Often they may also be the poster, but in some circumstances they may not—for example, where a person edits and endorses a statement that is drafted and posted by another person. Finally, the term ''digital matter" is defined to mean "matter published in electronic form by means of an online service". This is not intended to affect or limit the meaning of ''matter" in the Act. It is only intended to cover a subset of matter, being digital matter. ... 

I now turn to parts of the bill relating to exemptions from liability for digital intermediaries. Schedule 1 [3] to the bill inserts new division 2A into the Defamation Act. This includes two conditional statutory exemptions from defamation liability that apply to narrow classes of digital intermediaries. In the development of defamation law it has been argued that certain traditional intermediaries, such as telephone lines and postal services, are so passive in the publication process that they are not publishers; indeed, they are mere conduits. The stage two review considered if there are equal passive digital intermediary functions that should have statutory protection from defamation liability for third‑party content. The stage two review concluded that there is a very small group of digital intermediary functions that meet this criteria. 

As a result, schedule 1 [3] establishes a conditional exemption from defamation liability for three specific digital intermediary functions. Firstly, a caching service that stores content temporarily to make onward transmission more efficient will be exempted. For example, this includes files commonly downloaded from a website temporarily and automatically stored to speed up the download time. Secondly, a conduit service whose principal function is to enable users to connect with the internet, send data or receive data will be exempted. This includes internet service providers and email service providers. Thirdly, a storage service whose principal function is to enable users to store content remotely will be exempted. An example is a cloud service provider that enables users to store photos for later retrieval. Proposed new section 10B defines "caching service", "conduit service" and "storage service" and includes examples to illustrate what each definition is intended to cover. 

The policy rationale for this narrow exemption from liability is to recognise the passive role that these digital intermediaries play in the publication process. This does not substantially change the law. These digital intermediaries are generally not the subject of defamation claims and are unlikely to be considered publishers under the Commonwealth test. The intention is to provide clarity and certainty. The exemption would apply irrespective of whether the digital intermediary knew, or ought reasonably to have known, the digital matter was defamatory. Given the breadth of this protection, the exemption only applies very narrowly, and a set of conditions are included to ensure that if an intermediary plays a more active role in a publication—for example, by editing the content—that would make the intermediary ineligible. 

The conditions that apply to the exemption are listed at proposed new section 10C (1) (c). Even where a digital intermediary meets the definition of caching, conduit or storage service, if it played a more active role in relation to the digital matter in question, such as editing or promoting, the exemption would not apply. The stage two review of the Model Defamation Provisions also included careful considerations of the functions performed by search engine providers. Ultimately, it was concluded that a conditional exemption from defamation liability from search engine providers in relation to organic search results is appropriate. 

The policy rationale behind this conclusion is that, firstly, in performing the standard functions, search engine providers have no interest in the content. They simply use an automated process to provide users with access to third‑party content. Secondly, search engine providers are unable to remove content from the internet and can only block access to identified URLs from their search engine. Thirdly, unlike, for example, a social media platform, a search engine provider does not have any relationship with the original author. Fourthly, search engines provide significant public benefit and operate on a massive scale. The exemption for search engine providers applies regardless of whether the search engine provider knew, or ought reasonably to have known, the digital matter was defamatory. 

Given the strength of the protection, the exemption has been designed to apply very narrowly. Firstly, proposed new section 10D (1) provides that the exemption only applies to the publication of digital matter comprised of search results or the publication of digital matter to which the search results provide a hyperlink. ''Search result" is defined in proposed new section 10B. It means a result generated by a search engine that is limited to identifying a webpage on which content is located by reference to one or more of: the title of the webpage, a hyperlink to the webpage, or an extract or an image from the webpage. 

Secondly, proposed new section 10D (1) confines the exemption to publications where the search engine provider's role was limited to providing an automated process for the user to generate the results. An example of a publication that would not be covered by the exemption due to these limitations is an autocomplete suggestion for search terms. Another example is an answer composed by artificial intelligence, such as Bing Chat, in response to a question input by a user. Thirdly, proposed new section 10D (2) provides that sponsored search results are not covered by the exemption. 

The new court power to make orders against non-party digital intermediaries provides for a safeguard where defamatory matter may have been published, even where digital intermediaries qualify for a statutory exemption from liability. The bill will insert new section 39A into the Defamation Act, providing the court with the power to order a digital intermediary that is not a party to proceedings to remove or disable access to defamatory matter online in certain circumstances. The new court power would apply to all digital intermediaries, including those that qualify for the statutory exemptions, meaning that even if a digital intermediary is exempt from liability it will still be possible for orders to be made that the digital intermediary remove access to defamatory material in some circumstances. I will go into further detail about this amendment as I speak about remedies introduced by the bill. 

The bill provides an early determination process for the digital intermediary exemptions. This is at proposed new section 10E, which provides that the judicial officer in defamation proceedings is to determine whether an exemption is established as soon as practicable before the trial starts, unless the judicial officer is satisfied that there are good reasons to postpone the determination to a later state of the proceedings. New section 10E (2) (a) provides a non-exhaustive list of matters that are relevant to this decision. The purpose of the early determination process is to support the policy intent behind the statutory exemptions—namely, to recognise that the role of these digital intermediaries in the publication process is such that they should not be subject to defamation claims. Ideally, the early determination process will mean that time and costs are not expended unnecessarily. The savings and transitional provisions in relation to the statutory exemptions are the same as those for the new innocent dissemination defence. I will briefly outline the intended operation when I speak about the new defence. 

One of the objects of the Defamation Act 2005 is to promote speedy and non-litigious methods of dispute resolution. Part 3 of the Act establishes a procedure to enable parties to settle disputes without the need for expensive litigation by encouraging a publisher to make a reasonable offer to make amends to the aggrieved person. If the aggrieved person does not accept an offer that was reasonable in all the circumstances, the publisher may rely on their offer to make amends as a defence in any subsequent defamation action against them, in accordance with the terms of the Act. 

Section 15 of the Act sets out a number of elements a reasonable offer to make amends must and may include. I will refer to these requirements as the mandatory and discretionary elements of an offer to make amends. The bill includes two proposed amendments to section 15 of the Act. The first is a minor amendment to one of the discretionary elements of an offer to make amends. Section 15 (1A) (b) currently provides that, if the defamatory matter in question has been "published on a website or any other electronically accessible location", an offer to make amends may include "an offer to remove the matter from the website or location". That was added as part of the stage one amendments to accommodate online publications. 

The bill amendments section 15 (1A) (b) to provide that, if the matter is digital matter, an offer to make amends may include an "offer to take access prevention steps in relation to the matter". This amendment broadens the provision by allowing a publisher to offer to remove, block, disable or otherwise prevent access to a matter, and is consistent with wording used in the bill. A more significant amendment is proposed in relation to two of the mandatory elements of an offer to make amends. 

These existing mandatory elements are, firstly, section 15 (1) (d), which provides, relevantly, that an offer to make amends must include "an offer to publish, or join in publishing, a reasonable correction of, or clarification of or additional information about, the matter in question"; and, secondly, section 15 (1) (e), which provides that an offer to make amends must include, "if material containing the matter has been given to someone else by the publisher or with the publisher's knowledge, an offer to take, or join in taking, reasonable steps to tell the other person that the matter is or may be defamatory of the complainant". 

These mandatory elements were not originally designed with digital intermediaries for online publications in mind. They make sense for traditional publications, such hard copy newspapers, that do not remain readily accessible at the click of a button. If the publisher of a newspaper receives a concerns notice about a defamatory statement in a particular edition, they could then offer to publish a correction in a subsequent edition, presumably reaching largely the same audience. However, a digital intermediary may not be able to do these things. For example, a search engine would not be able to publish a reasonable correction for a search result. Also, when defamatory matter is published online, it often stays there. Added to this concern is the ease and speed at which it can be further disseminated to a wider audience. It is understandable then that, for many plaintiffs, their central concern is simply to have the matter removed. 

The bill inserts new section 15 (1B), which updates the operation of these two mandatory elements for digital matter. It provides that, if the matter in question is digital matter, an offer to take access prevention steps may be made instead of or in addition to either or both of the offers mentioned in paragraphs 15 (1) (d) and (e). The purpose of this amendment is to ensure that there is an appropriate avenue for offering to make amends in circumstances where it is not possible or meaningful for online publishers to publish a correction or clarification. It also reflects the kind of remedy that many plaintiffs are seeking in relation to online publications. An important safeguard is that, under the existing section 18, if the defendant seeks to rely on the offer to make amends defence, the court must be satisfied that, in all the circumstances, the offer was reasonable. The offer to make amends changes will apply to offers made after the commencement of the amendments. That is even where the matter is published before the commencement. 

Many originators who post defamatory material online do so using a pseudonym. In order to commence defamation proceedings, the plaintiff must identify and locate the originator. In some recent cases, particularly in the Federal Court, plaintiffs have obtained preliminary discovery orders requiring a digital intermediary to disclose information concerning the originator's identity. Australian courts already can and do consider proportionality, privacy and the risk of abuse of process in exercising the discretion to make preliminary discovery orders. However, there may still be a risk that such orders are abused or have a chilling effect. 

Proposed new section 23A provides that, before making an order for preliminary discovery, the court must take into account the objects of the Act and any privacy, safety or other public interest considerations. This does not provide a new avenue to seek preliminary discovery; it simply applies this requirement over the general rules. While courts already have the discretion to consider these factors, there is value in making consideration of these factors mandatory. This will promote consistency across jurisdictions. It is also in the interests of protecting domestic violence victims and other vulnerable members of society. For example, a person who has published matter online using a pseudonym may fear for their safety. A bad actor could seek a preliminary discovery order on the basis that they want to commence defamation proceedings against the person when the real motive is to find out the person's current location or other contact details. 

Proposed new section 23A would ensure the court takes into account privacy and safety considerations before making a preliminary discovery order requiring a digital intermediary to disclose any identifying information it holds about the person. The savings and transitional provisions for proposed new section 23A are the same as for the power of the court to make non-party orders. I will briefly outline their intended operation when I speak about the power to make non-party orders in a moment.

Posted by at
Labels: , , ,

16 September 2023

Deidentification

'De-Identifying Government Datasets: Techniques and Governance' (NIST SP 800-188) by Simson Garfinkel, Barbara Guttman, Joseph Near, Aref Dajani and Phyllis Singer comments 

De-identification is a general term for any process of removing the association between a set of identifying data and the data subject. This document describes the use of deidentification with the goal of preventing or limiting disclosure risks to individuals and establishments while still allowing for the production of meaningful statistical analysis. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing, or publishing government data. Previously, NIST IR 8053, "De-Identification of Personal Information," provided a detailed survey of deidentification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification. Before using de-identification, agencies should evaluate their goals for using de-identification and the potential risks that releasing de-identified data might create. Agencies should decide upon a data-sharing model, such as publishing de-identified data, publishing synthetic data based on identified data, providing a query interface that incorporates de-identification, or sharing data in non-public protected enclaves. Agencies can create a Disclosure Review Board to oversee the process of de-identification. They can also adopt a de-identification standard with measurable performance levels and perform re-identification studies to gauge the risk associated with de-identification. Several specific techniques for de-identification are available, including de-identification by removing identifiers, transforming quasi-identifiers, and generating synthetic data using models. People who perform de-identification generally use special-purpose software tools to perform the data manipulation and calculate the likely risk of re-identification. However, not all tools that merely mask personal information provide sufficient functionality for performing de-identification. This document also includes an extensive list of references, a glossary, and a list of specific de-identification tools, which is only included to convey the range of tools currently available and is not intended to imply a recommendation or endorsement by NIST.

Posted by at
Labels:

13 September 2023

Profiling and Matching

The Explanatory Memo for the Identity Verification Services Bill 2023 (Cth) states 

 Identity verification services are a series of automated national services offered by the Commonwealth to allow government agencies and industry to efficiently compare or verify personal information on identity documents against existing government records, such as passports, driver licences and birth certificates. 

1:1 matching services (the Document Verification Service and the Face Verification Service) are now used every day by Commonwealth, State and Territory government agencies and industry to securely verify the identity. In 2022, the DVS was used over 140 million times by approximately 2700 government and industry sector organisations, and there were approximately 2.6 million FVS transactions in the 2022-23 financial year. 

Examples of the current uses of the DVS and FVS include:

• verifying the identity of an individual when establishing a myGovID to access online services, including services provided by the Australian Taxation Office 

• financial service providers, such as banks, when seeking to verify the identity of their customers and to meet the ‘know your customer’ obligation under the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) 

• Government agencies when providing services, disaster relief and welfare payments, and 

• Commonwealth, state and territory government agencies verifying identity in order to provide or change credentials. 

The Identity Verification Services Bill 2023 establishes new primary legislation that provides a legislative framework to support the operation of the identity verification services. The Bill will support the efficient and secure operation of the services without compromising the privacy of the Australian community. 

The IVS Bill will:

• authorise 1:1 matching of identity through the identity verification services, with consent of the relevant individual, by public and private sector entities. This will be enabled by:

 the Document Verification Service which provides 1:1 matching to verify biographic information (such as a name or date of birth), with consent, against government issued identification documents; 

the Face Verification Service which provides 1:1 matching to verifiy biometric information (in this case a photograph or facial image of an individual), with consent, against a Commonwealth, state or territory issued identification document (for example, passports and driver licences); and 

the National Driver Licence Facial Recognition Solution which enables the FVS to conduct 1:1 matching against State and Territory identification documents such as driver licences. 

• authorise 1:many matching services through the Face Identification Service only for the purpose of protecting the identity of persons with a legally assumed identity, such as undercover officers and protected witnesses. The protection of legally assumed identities will also be supported by the use of the FVS. All other uses of 1:many matching through the identity verification services will not be authorised, and will therefore be prohibited. 

• authorise the responsible Commonwealth department – in this case the Attorney General’s Department – to develop, operate and maintain the identity verification facilities (the DVS hub, the Face Matching Service Hub and the NDLFRS). These approved identity verification facilities will be used to provide the identity verification services. These facilities will relay electronic communications between persons and bodies for the purposes of requesting and providing identity verification services. 

Subject to robust privacy safeguards, the Department will be authorised to collect, use and disclose identification information through the approved identity verification facilities for the purpose of providing identity verification services and developing, operating and maintaining the NDLFRS. Offences will apply to certain entrusted persons for the unauthorised recording, disclosing or accessing protected information. 

The Bill ensures that the operation the identity verification services and requests for the use of those services are subject to privacy protections and safeguards. These include consent and notice requirements, privacy impact assessments, requirements to report security breaches and data breaches, complaints handling, annual compliance reporting and transparency about how information will be collected, used and disclosed. Furthermore, privacy law and/or the Australian Privacy Principles will apply to almost all entities that seek to make a request for identity verification services. These privacy protections and safeguards will be set out in participation agreements. 

Government authorities that supply identification information that is used for the purpose of identity verification services will also be subject to the privacy protections and safeguards captured in the participation agreement. Breaches of participation agreements can lead to suspension or termination of the agreement, meaning that the entity would no longer be able to request identity verification services. 

States or territories seeking to contribute to the NDLFRS will be subject to privacy obligations and safeguards, which are required by the Bill and will be set out in the NDLFRS hosting agreement. 

The Bill requires parties to the agreement to agree to be bound by the Privacy Act or a state or territory equivalent, or agree to be subject to the Australian Privacy Principles. The Bill requires state or territory authorities to inform individuals if their information is stored on the NDLFRS (and provide for a mechanism by which those persons can correct any errors), inform the Department and individuals whose information is stored on the NDLFRS of any data breaches, establish a complaints mechanism, and report annually to the Department on the party’s compliance with the agreement. The Bill enables states and territories to limit the use of identity information stored on the NDLFRS, and requires the Department to maintain the security of the NDLFRS. The Department may suspend or terminate access to the NDLFRS in the event of a party’s non-compliance with legislative obligations. 

To protect the privacy of Australians, the Department will be required to maintain the security of electronic communications to and from the approved identity verification facilities, and the information held in the NDLFRS. This information and communications must be encrypted and data breaches reported. 

There will be transparency about the operation of the approved identity verification facilities, including through extensive annual reporting requirements and annual assessments by the Information Commissioner on the operation and management of the facilities. 

The Bill reflects and seeks to implement aspects of the Commonwealth’s commitments under the Intergovernmental Agreement on Identity Matching Services (Intergovernmental Agreement). The Intergovernmental Agreement provides that jurisdictions would share and match biographic and biometric information, with robust privacy safeguards, through the identity verification services. 

The Bill will be supported by the Identity Verification Services (Consequential Amendments) Bill which amends the Australian Passports Act 2005 to provide a clear legal basis for the Minister to disclose personal information for the purpose of participating in one of the following services to share or match information relating to the identity of a person:

- the DVS or the FVS, or 

- any other service, specified or of a kind specified in the Minister’s determination. 

The Consequential Amendments Bill will also allow for automated disclosures of personal information to a specified person via the DVS or the FVS. In combination, this comprehensively authorises the operation of the DVS and FVS in relation to Australian travel documents regulated by the Australian Passports Act.

The Memo also states

... subclause 6(4) of the Bill ensures certain types of information are excluded and cannot be sought or requested through the identity verification services. This information is: 

  •  information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a trade union, sexual orientation or practices, or criminal record (paragraph (a)) 

  • health information about an individual (as defined in section 6FA of the Privacy Act) (paragraph (b)), and 

  • genetic information about an individual (paragraph (c))

Posted by at
Labels: , , , , , , , ,

23 June 2022

Identity

'From knowing by name to targeting: the meaning of identification under the GDPR' by Nadezhda Purtova in (2022) International Data Privacy Law comments 

Despite its core role in the EU system of data protection, the meaning of identification remains unclear in data protection law and scholarship while the spotlight focuses on the legally relevant chance of identification, ie identifiability. While Article 29 Working Party interpreted identification broadly, as distinguishing one in a group, this interpretation has been questioned in light of the CJEU decision in Breyer. This article tackles this uncertainty. This article offers an integrated socio-technical typology of identification where, in addition to the known identification types (look-up-, recognition-, session- and classification identification), targeting is added as a new identification type. To identify by way of targeting means to select a particular individual from a group as an object of attention or treatment in a single moment of time. The article clarifies the legal meaning of identification under the GDPR. It proposes a contextual interpretation of Breyer, which negates Breyer’s restrictive potential and brings all identification types within the GDPR. The article concludes with a discussion of the implications of this reading of identification for data protection in terms the applicability of the GDPR to new data technologies and practices such as facial detection and non-tracking based targeted advertising, effects of certain privacy preserving technologies such as federated learning of cohorts, consequences for invoking data protection rights when identification is not possible, but also in terms of the need to clearly define the objectives of the data protection law. 

 Purtova argues 

 Identification, referring both to the process of identifying someone and the fact of being identified, is one of the boundary concepts of data protection law. It separates the data that is personal, i.e. relating to an identified or identifiable natural person, from non-personal, and thus triggers the applicability of the EU General Data Protection Regulation (the GDPR). Yet, despite the high stakes attached to the meaning of this concept, relatively little attention is paid both in law and legal scholarship to what identification is. Therefore the chief issue tackled here is the meaning of identification under the GDPR. 

The primary focus of the current scholarly attention lies on the adjacent concept of identifiability which refers to the possibility of identification, ie of being identified, in future. This is not surprising since in practice whether or not a person is identifiable rather than identified is regarded as an easier criterion to meet and is therefore a de facto ‘threshold condition’ when determining the status of data as personal. Some legal scholars discuss the meaning and legally relevant degree of identifiability, pseudonymization, and true meaning and possibility of anonymization. The debates among computer scientists tackle anonymization and reidentification techniques and their (in)effectiveness. These discussions clarify the boundaries of application of data protection law and contribute to practical solutions for at least some of the data protection concerns, and as such are valuable and relevant. Yet, the meaning of identifiability is derived from and hence is secondary in relation to the primary concept of identification. Therefore any identifiability debate is at risk of being hollow when not underpinned with a robust understanding of identification. It makes little sense to argue if a natural person is ‘identifiable’ when it is not clear when a natural person would be ‘identified’ and what it means to identify somebody. 

As the technologies to target a person evolve and test the boundaries of data protection, the meaning of identification becomes less clear, and the gap in understanding what it means to identify becomes increasingly more obvious and imperative to close.8 A relatively recent case of such technological development is face detection and analysis used in ‘smart’ advertising boards. Unlike with facial recognition where one’s facial features are compared to pre-existing facial templates to establish if a person is known, face detection and analysis do not recognize people but ‘detect’ them and, in case of smart billboards, classify them into gender-, age-, emotion-, and other groups based on processing of their facial features to display tailored ads. The industry that develops, sells, and employs the technology argues that facial detection does not involve processing personal data,10 eg because the chance of establishing who a person before the ‘sensor’ is close to null. In part this is due to the ‘transient’ nature of the processing, where raw data of an individual processed by the detection ‘sensors’ is discarded immediately. The technology does not allow tracking a person and recognizing him or her over time either. To be clear, as will become apparent from further analysis, these industry arguments do not necessarily withstand legal scrutiny and it is highly likely that personal data will be processed in these contexts, if the proposed interpretation of identification is adopted. Yet, there is no uniform position on the interaction of face detection and data protection across the EU Member States. For instance, the Dutch data protection authority considers face detection in the context of smart billboards as processing of personal data, while its Irish and reportedly Bavarian counterparts are of the opposite view. More similar debates and uncertainties are likely to emerge in other contexts where facial analysis and sensing can be used, such as healthcare for pain or pulse detection, in the news sector for audience measurement, or in assisted driving, video surveillance with face analytics, but also online in the context of tracking-free advertising, and in other cases of the ‘transient’ data processing. While the applicability of the GDPR would be the focus of debate in these contexts, the discussions will inevitably emerge also where the applicability of the GDPR is not in dispute, eg in the context of invoking data protection rights. Article 11(2) GDPR—under some caveats—exempts data controllers from complying with data subjects’ data access and rectification requests, requests for erasure and restriction of processing, as well as data portability obligations where ‘the controller is able to demonstrate that it is not in a position to identify the data subject’. The question will then be: what does it mean to identify? The definition of biometric data in Article 4(14) GDPR and pseudonymization in Article 4(5) GDPR also hinge on the meaning of identification. 

To date, there have been disappointingly few attempts in the data protection legal scholarship, at least in English, at understanding identification beyond identifiability. In 2007 Leenes proposed a four-fold classification of identification. According to Leenes, there is more to identification than simply establishing one’s civil identity, and we need to read identification broadly if we are to address the ‘real privacy concerns’. He distinguished look-up (l-), recognition (r-), classification (c-), and session (s-) identifiability. A recent notable contribution to the debate on the meaning of identification is by Davis who examines the meaning of an ‘identified natural person’ specifically in the context of smart billboards and articulates the importance of looking into the meaning of ‘identified’ as a baseline for establishing the meaning of ‘identifiable’. However, Leenes, while examining the meaning of identification in data protection law, does so with a view to inform the information privacy debate across borders rather than to offer an interpretation of the specific legal concept of the EU data protection law, among others in light of the evolving case law of the Luxemburg Court, and Davis’ analysis is limited to the legal status of data in the context of facial detection. Jasserand addressed the meaning of identification under the GDPR framework, but only when it concerns the definition of biometric data. 

In addition, there is a swirling stream of sociological and philosophical literature focusing on the related concepts of identity and anonymity. To name a few, in 1999 Gary Marx presented a sociological typology of what he called ‘identity knowledge’, which is the opposite of anonymity and hence I consider it equal to identification. He specified seven broad types of identity knowledge: legal name, locatability, pseudonyms linked to identity or location, pseudonyms that are not linked to name or location, pattern knowledge, social categorization, and symbols of eligibility/non-eligibility. Helen Nissenbaum discussed the meaning and value of anonymity in the information age as ‘unreachability’. A range of scholars offer many accounts of the meaning and construction of identity, generally and in the context of ambient intelligence and profiling. Against this backdrop the legal scholarly account of the meaning of identification is inadequate. 

This lack of academic consideration might be partially explained by the fact that the Article 29 Working Party, an EU advisory authority on data protection under the former 1995 Data Protection Directive, defined what an identified person means in its 2007 opinion on the concept of personal data: ‘[i]n general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group’.  The same explanation arguably holds for the concept of personal data in the GDPR, since there are no fundamental differences between the definitions of personal data under the 1995 Directive and the Regulation. This approach includes identification by name, but also other modes of ‘zoom[ing] in on a flesh and bone individual’.  The authority of the Working Party when it comes to the data protection on the ground is undoubted, and its opinion on the concept of personal data is the most comprehensive and influential guideline for the controllers as to how this concept should be used in practice. The general perception of the meaning of identification under the GDPR following from the WP29 interpretation is thus that it is broad, flexible, and generously accommodating to the realities and challenges of the modern data processing practices.  Indeed, the meaning of identification as distinguishing a person from a group should bring the cases of targeted advertising, profiling, and others where the name of a person is of no consequence to the protective bosom of the GDPR. Perhaps for this reason the data protection scholarship seems to be comfortably content with the status quo in law and literature. 

However, the status quo has been resting on shaky grounds. The position of the Working Party, and hence the ‘distinguished from’ approach to identification, are not formally binding. The Court of Justice of the European Union (CJEU), the only body with authority to issue binding interpretations of the GDPR, was long silent on the meaning of identification. While the Court did follow the Working Party in interpreting the ‘information’ and ‘relating to’ elements of the concept of personal data in Nowak, it also has a record of not following the lines of interpretation chosen by the WP29 earlier. To complicate matters further, the Court in its 2016 Breyer decision appeared to have invalidated the understanding of identification as distinguishing or being distinguished from a group, advanced by the Working Party and granting the GDPR protection a broad reach. Without any detailed consideration about the meaning of identification, the Court in Breyer dismissed a dynamic IP (Internet Protocol) address as an identifier sufficient to identify a person, while one of the core functions of an IP address is exactly to distinguish one web visitor, or at least a location on the network, from another. 

This brief consideration seems to restrict the interpretation of identification under the GDPR to the identification by name or a similar unique identifier representing one’s civil identity, the narrowest meaning of identification possible. This effectively takes cookies, IP addresses, and other online trackers, and with them a large part of online tracking and discrimination, but also not name-tied individual profiling and (real-time) automated decision-making, among others enabled through some of the new technologies such as facial detection, outside of the scope of the data protection law, and deprives people affected by these practices of legal protection that the GDPR would have granted, was the identification interpreted broadly. The very limited scholarly commentary on the Breyer case has largely overlooked this remarkable and consequential departure of the CJEU from the WP29 interpretation.  Hence, the question remains: how should identification under the GDPR be understood? 

This article will answer this question in two steps. First, it will examine the meaning of identification outside of the legal context (the Section ‘Meaning and Socio-Technical Approaches to Identification outside of the GDPR’). It will offer an integrated typology of identification as a process and result of distinguishing a person in a group. The typology builds on three prominent socio-technical accounts of identification: four identifiability types by Leenes, seven types of identity knowledge by Marx, and anonymity as unreachability by Nissenbaum. In addition to the established types, I will identify targeting as a new identification type, where to identify by way of targeting means to select a particular individual from a group as an object of attention or treatment in a single moment of time. The argument will build, among others, on the literatures on calculated publics, profiling in recommender systems, price, and content personalization. Second, I will focus on the legal meaning of identification under the GDPR. I will build a case that all five identification types not limited to civil identity identification are covered by the GDPR meaning of identification. It is an easy conclusion to draw if one follows a non-binding interpretation of Article 29 Working Party that to identify means to distinguish one in a group. This approach will be detailed in the section ‘The Article 29 Working Party Interpretation of the GDPR’. In the section ‘Meaning of Identification in CJEU’s case law’ I review the CJEU case law with relevance to the meaning of identification, including Breyer and its potentially restrictive impact. I then propose a contextual interpretation of Breyer in light of the facts of the case, which negates Breyer’s restrictive potential and brings all types of identification, including non-civil identity ones, within the meaning of identification under the GDPR. The section’ Conclusion: What This Means for Data Protection’ will conclude with a discussion of the implications of this broad reading of identification for EU data protection law practice and research.

Posted by at
Labels: , ,

07 January 2021

Identification and Identity Offences

'Identification in EU Data Protection Law' by David Erdos comments 

Although the new EU data protection framework includes new pan-European limits based on notions of non-identification, these provisions cannot be construed in a sweeping or linear fashion. Non-identified data can only include information which is not being used to target a specific individual on- or offline and which does not readily and manifestly enable such pinpointing. Although GDPR controllers cannot generally be obliged to render such data identified, they must stand ready to do so to facilitate reactive subject rights. However, they have no design obligation to ensure this is easy. Identifying or authenticating whether a particular individual is a specific data subject and considering whether other data subjects are also linked to the information are separately regulated. With the exception of the GDPR rights to data portability and a copy of personal data, the latter is in principle left to national derogation. Regarding the former, both the GDPR and LED allow controllers to require further information where reasonably required to identify a claimant of reactive rights. However, controllers retain a fundamental duty to organise their processing to secure data obligations and rights. Controllers can generally only resist reactive rights claims where they can positively demonstrate that the request is manifestly excessive.

Late last year in Victorian Legal Services Board v Razos (Legal Practice) (Corrected) [2020] VCAT 1304 the Tribunal considered a disqualification order - for an indefinite period - regarding paralegal Athena Razos. It states

 the respondent has at various times been known by the aliases listed at Schedule 1 below. ... 

Schedule 1: Aliases 

Athena Ligris Zizzi 

Athena Athina Bouzas; 

Athena Katherine Bouzas-Legris; 

Athena Legris; Athina Ligris; 

Teena Ligris; Tina Ligris; 

Athina Zissi 

Athina Zissiadis; 

Teena Zissiadis; 

Zissiadis; 

Teena Zissiadis Ligris; and 

Tina Zissiadis-Ligris.

In providing Reasons VCAT states 

 Disqualification of individuals (other than practitioners) 

(1) The designated tribunal may, on the application of the designated local regulatory authority, make an order disqualifying a person who is an individual (other than an Australian legal practitioner) for the purposes of this Law, for a specified period or indefinitely, if satisfied that— (a) a ground for making the order under this section has been established (see subsection (2)); and (b) the disqualification is justified. 

(2) Any of the following are grounds for disqualifying a person— (a) that the person has been convicted of a serious offence; (b) that the person is not a fit and proper person to be employed or paid in connection with the practice of law or to be involved in the management of a law practice; (c) that the person was formerly an Australian legal practitioner and has, when an Australian legal practitioner, been guilty of conduct that constituted unsatisfactory professional conduct or professional misconduct; (d) that the person has been guilty of conduct that, if the person were an Australian legal practitioner, would have constituted unsatisfactory professional conduct or professional misconduct; (e) that the person could be disqualified under sections 206C–206F of the Corporations Act from managing a law practice if the law practice were a corporation. 

The grounds here are that Ms Razos has been convicted of a serious offence, in fact multiple serious offences, and is guilty of conduct which, if she were an Australian legal practitioner would have constituted professional misconduct. She has engaged in fraud and theft, including while employed in law practices. Ms Razos consents to the order, although she has sought suppression of publication of the order and any information about the reasons for it. ... 

My orders attach an agreed schedule of 14 other names by which Ms Razos has been known, which was itself attached to the minutes of consent order filed last year. I note that the convictions referred to below were in three different names: Tina Zissiadis-Ligris (2000 conviction) Athina Zissi (2007 conviction); and Athina Ligris (2009 conviction) 

... Ms Razos has advised that Zissiadis is her maiden name which she still uses and Ligris and Razos are married names. Whatever the reason for the use of so many different names, I am satisfied that the purposes of an order under s 119 are served by including the schedule in my orders and these reasons. 

In the following section, I have re-ordered the agreed facts so that the most recent conduct – misappropriation of over $1,000,000 from trust monies while working as a paralegal at a law practice between 2016-2017 – is set out first. The criminal convictions are dated 2000, 2007 and 2009 respectively. 

It underlines what I consider to be a continuing risk posed by Ms Razos if she were ever to be employed in a law practice again. My view is that this conduct, of itself, would justify the disqualification order, as would the criminal offending set out below. If she had been an Australian legal practitioner, it would constitute the most serious professional misconduct, misconduct at common law, warranting strike off from the roll of practitioners. 

Ms Athena Razos is not and has not at any time been an Australian legal practitioner. However, between 1984 and 2017, Ms Razos was employed in the following roles within the legal profession:

Secretary at Mallesons Stephen Jacques (1984) to 1988); Legal secretary at Minter Ellison. (1990 to 1988); Law clerk at Legal Finance and Business Matters (2002 to 2004); Senior secretary at Freehills (2004 to 2008); Senior conveyancer at Professional Legal Group (2007 to 2008); and Paralegal at Moray & Agnew (2008 to 2017). 

Misappropriation of trust funds 

While Ms Razos was employed as a paralegal with Moray & Agnew, her role involved the management of conveyancing matters and she was responsible for directing Moray & Agnew’s accounts department to bank deposit monies that were to be held on trust by the law practice pending settlement and allocate the receipted funds to clients’ trust ledgers. 

Between April 2016 and July 2017, Ms Razos used trust monies totalling $1,051,063 for her own benefit. These funds were obtained by providing false and/or misleading documents in support of unauthorised payments out of the Moray & Agnew trust account: into a trust ledger in her own name, with those funds subsequently paid out at her direction; into bank accounts controlled by her; to third parties as payment for goods and services procured by her; and to third parties as payment of costs and/or expenses associated with her own residential property. 

During this period, Ms Razos also: made unauthorised transfers of funds between trust ledgers in respect of different client files, making up the shortfall caused by the funds paid out as above; and overpaid clients from funds in trust, stating that the additional money had been earned in interest on the funds invested on the clients’ behalf, when in fact the funds had not been invested and no interest had been earned. Ms Razos has since repaid the law practice amounts totalling $1,103,157 including amounts for lost interest and costs resulting from the above conduct. 

Criminal Offending 

On 7 September 2000, under the name of ‘Tina Zissiadis-Ligris’, Ms Razos was convicted of the following offences:

  • one count of theft; 

  • 17 counts of obtaining property by deception 

  • one count of making a false document to the prejudice of another person; and 

  • one count of using a copy of a false document. 

By way of sentence, Ms Razos was sentenced to three months’ imprisonment (wholly suspended for 12 months), placed on a 12-month Community Corrections Order and ordered to pay $81,192.46 in compensation. Subsequently, while working at the law practice Freehills, Ms Razos stole amounts from petty cash totalling $16,346.60. 

As a result, on 6 August 2007, Ms Razos was convicted of the following offences under the name of ‘Athina Zissi’ and ordered to pay compensation: 

  • 61 counts of obtaining property by deception; and 

  • 141 counts of theft. 

On 8 May 2009, Ms Razos was convicted of further offences relating to conduct occurring between 1992 and 2003. Convictions were recorded under the name of ‘Athina Ligris’ in relation to the following offences:

  • seven counts of making a false document to the prejudice of another person; 

  • seven counts of using a false document to the prejudice of another person; 

  • two counts of attempting to obtain property by deception; 

  • two counts of obtaining property by deception; and 

  • nine counts of obtaining financial advantage by deception. 

For these offences, Ms Razos was sentenced to 16 months’ imprisonment (with 1 year being suspended for a period of 18 months) and ordered to pay $5,081.08 in compensation. 

Ms Razos ’ conduct leading to the 2009 conviction occurred both before and after the first Magistrates’ Court conviction and involved:

  • forging her husband’s signature on a Transfer of Land in respect of jointly-owned property; 

  • forging the signatures of her husband and a solicitor as witness (who did not exist) on documents relating to a mortgage over jointly-owned property; 

  • applying for a credit card in her husband’s name, in respect of which a debt of $38,957.25 was written off by the bank; 

  • forging her husband’s signature in respect of a ‘direct debit authority’ for payment of insurance premiums; 

  • forging her husband’s signature and that of a witnessing solicitor (who did not exist) on an affidavit filed in the County Court of Victoria; obtaining an amount of $12,000 from the ANZ bank by a fraudulent credit card application in the name of ‘Athina’ K Bouzas Legris’; 

  • incurring debts of $3,231.83 on a credit card in the name of a third party, without that person’s knowledge or consent; 

  • writing fraudulent cheques to herself, drawn on accounts in the names of third parties, which were subsequently dishonoured; 

  • forging her husband’s signature on government documents in order to access his superannuation benefit of $2,545.87; and 

  • using cheques to pay for goods, services and cash advances to the value of $3,258.41, which were dishonoured.

Posted by at
Labels: , , , ,

17 December 2020

Open Justice in NSW

The NSW Law Reform Commission has released a conbsultation paper regarding its Open Justice - Court and tribunal information: access, disclosure and publication onquiry.

The Commission's Terms of reference are to review and report on the operation of: 

1. legislative prohibitions on the disclosure or publication of NSW court and tribunal information, 

2. NSW court suppression and non-publication orders, and tribunal orders restricting disclosure of information, and 

3. access to information in NSW courts and tribunals; 

In particular, the Commission is to consider:

a) Any NSW legislation that affects access to, and disclosure and publication of, court and tribunal information, including: - The Court Suppression and Non-Publication Orders Act 2010 (NSW); - The Court Information Act 2010 (NSW); and - The Children (Criminal Proceedings) Act 1987. 

b) Whether the current arrangements strike the right balance between the proper administration of justice, the rights of victims and witnesses, privacy, confidentiality, public safety, the right to a fair trial, national security, commercial/business interests, and the public interest in open justice. 

c) The effectiveness of current enforcement provisions in achieving the right balance, including appeal rights. 

d) The appropriateness of legislative provisions prohibiting the identification of children and young people involved in civil and criminal proceedings, including prohibitions on the identification of adults convicted of offences committed as children and on the identification of deceased children associated with criminal proceedings. 

e) Whether, and to what extent, suppression and non-publication orders can remain effective in the digital environment, and whether there are any appropriate alternatives. 

f) The impact of any information access regime on the operation of NSW courts and tribunals.  

g) Whether, and to what extent, technology can be used to facilitate access to court and tribunal information. 

h) The findings of the Royal Commission into Institutional Responses to Child Sexual Abuse regarding the public interest in exposing child sexual abuse offending. 

i) Comparable legal and practical arrangements elsewhere in Australia and overseas. 

j) Any other relevant matters. 

The consultation questions are 

 The open court principle and its exceptions

Q 2.1: Statutory requirements to hold proceedings in private 

(1) Are the current laws that require certain proceedings to be closed to the public appropriate? Why or why not? (2) What changes, if any, should be made to these laws? (3) Are the current statutory exceptions to the requirement to hold proceedings in private appropriate? Why or why not? (4) Should there be standard exceptions that apply in all (or most) circumstances? If so, what should they be, and in what circumstances should they apply? 

Q 2.2: Statutory powers to hold proceedings in private 

(1) Are the existing laws that give courts discretionary powers to make exclusion orders appropriate? Why or why not? (2) What changes, if any, should be made to these existing laws? (3) Should there be standard grounds that need to be satisfied before a court can make a discretionary exclusion order in all (or most) circumstances? If so, what should they be and in what circumstances should they apply? (4) Should there be standard procedures by which an exclusion order could be made in all (or most) circumstances? If so, what should they be and in what circumstances should they apply? (5) Should there be a standard offence for breaching an exclusion order in most (or all) circumstances? If so: (a) what should be the elements of the offence and in what circumstances should it apply, and (b) what should be the penalty? 

Non-disclosure and suppression: statutory prohibitions 

Q 3.1: Statutory prohibitions on publishing or disclosing certain information As a matter of principle, should there ever be automatic statutory prohibitions on publishing or disclosing certain information? Why or why not? 

Q 3.2: Current statutory prohibitions on publishing or disclosing information (1) Are the current statutory prohibitions on publishing or disclosing certain information appropriate? Why or why not? (2) What changes, if any, should be made to the current statutory prohibitions? 

Q 3.3: Additional statutory prohibitions that may be needed What further information, if any, should be protected by automatic statutory prohibitions on publication or disclosure? 

Q 3.4: Types of action a statute may prohibit 

(1) Is the existing variety of types of action that a statute may prohibit justified? Why or why not? (2) What changes, if any, should be made? (3) Should a standard provision setting out the types of action that a statute may prohibit be developed? If so: (a) what should the provision say (b) how should key terms be defined, and (b) when should it apply? 

Q 3.5: Duration of the statutory prohibition 

(1) Should the statutory prohibitions on publishing or disclosing certain information always specify the duration of the prohibition? Why or why not? (2) What changes, if any, should be made to the existing duration provisions attached to statutory prohibitions on publishing or disclosing information? (3) What prohibitions, if any, should include a duration provision that do not already? What should these duration provisions say? 

Q 3.6: Application of the statutory prohibition to related proceedings 

In what circumstances, if any, should statutory prohibitions that protect the identities of people involved in proceedings apply in appeal or other related proceedings? 

3.7: When publication or disclosure of information should be permitted 

(1) Are the existing Q exceptions attached to statutory prohibitions on publishing or disclosing information appropriate? Why or why not? (2) What changes, if any, should be made to the existing exceptions? (3) What prohibitions, if any, should include exceptions that do not already? What should these be? (4) Should standard exceptions apply to all (or most) statutory prohibitions on publishing or disclosing information? If so, what should they be and in what circumstances should they apply? (5) Where exceptions allow a court to permit disclosure of protected information, what criteria, if any, should guide that court? 

Non-disclosure and suppression: discretionary orders 

Q 4.1: Actions targeted by an order 

(1) Are the existing definitions of “suppression order” and “non-publication order” in the Court Suppression and Non-publication Orders Act 2010 (NSW) appropriate? Why or why not? (2) What changes, if any, should be made to these definitions? (3) What other statutes should these definitions (with or without amendment) apply to? (4) What other changes (if any) should be made to these statutes in relation to the types of action an order may prevent? 

Q 4.2: Types of information that may be subject to an order 

(1) Are the current provisions that identify the types of information that may be the subject of a suppression or non-publication order, adequate? Why or why not? (2) What changes, if any, should be made to these provisions? 

Q 4.3: Consent to publication or disclosure 

What provision, if any, should be made about making an order where a person consents to the publication of information that would reveal their identity? 

Q 4.4: Limits to orders 

(1) Are the existing provisions relating to the scope of suppression and non-publication orders appropriate? Why or why not? (2) What changes, if any, should be made to existing provisions in relation to: (a) the exceptions and conditions that apply (b) the geographic limits of such orders (c) the duration of such orders, and (d) any other aspects of the scope of such orders? 

Q 4.5: Service and notice requirements 

(1) Are the existing procedures (under the Court Suppression and Non-publication Orders Act 2010 (NSW), or any other statute) for making suppression and non-publication orders adequate? Why or why not? (2) What changes, if any, should be made to existing procedures in relation to: (a) who may make an application for an order (b) when an order can be made (c) who can appear and be heard in an application for an order (d) the service and notice requirements for an order, or (e) any other matter? 

Q 4.6: Costs in proceedings for orders 

What provision, if any, should be made for cost orders in relation to applications for suppression or non-publication orders? 

Q 4.7: The public interest in open justice 

(1) Does the Court Suppression and Non-publication Orders Act 2010 (NSW) deal with the consideration of the public interest in open justice appropriately? Why or why not? (2) What changes, if any, should be made to the existing provision? (3) What provision, if any, should be made in other statutes that grant power to make suppression or non-publication orders for recognising the public interest in open justice? (4) What other considerations should be taken into account before an order is made? 

Q 4.8: The “necessary” test for making orders 

(1) What changes, if any, should be made to the “necessary” test? (2) Should a definition of “necessary” be included in the Court Suppression and Non-publication Act 2010 (NSW) or any other statute? If so, what should it be? 

Q 4.9: Grounds for making orders 

(1) Are the grounds for making suppression and non-publication orders under the Court Suppression and Non-publication Act 2010 (NSW) and other NSW statutes appropriate? Why or why not? (2) What changes, if any, should be made to them? 

Q 4.10: A requirement to give reasons 

(1) Should courts be required to give reasons for a decision to make or refuse to make a suppression or non-publication order in some or all circumstances? Why or why not? In what circumstances should this requirement apply? (2) If there was to be a requirement, how should it be expressed? 

Q 4.11: Interim orders 

(1) Is the current provision in the Court Suppression and Non-publication Orders Act 2010 (NSW) for interim orders appropriate and effective? Why or why not? (2) What changes, if any, should be made to the existing provision? (3) What provision, if any, should be made for interim orders in other statutes that grant powers to make suppression or non-publication orders? 

Q 4.12: Review and appeal of orders (1) Are the existing provisions relating to the review and appeal of suppression and non-publication orders appropriate? Why or why not? (2) What changes, if any, should be made to these provisions? (3) To what extent should review and appeal provisions be available for suppression and non-publication orders that are not covered by the Court Suppression and Non-publication Orders Act 2010 (NSW)? 

Q 4.13: Framing effective orders 

How could the Court Suppression and Non-publication Orders Act 2010 (NSW) provisions be amended to assist courts in framing more effective orders? 

Q 4.14: Interaction between the Court Suppression and Non-publication Orders Act 2010 (NSW) and other statutes 

(1) Should the Court Suppression and Non-publication Orders Act 2010 (NSW) only apply to situations that are not subject to other automatic prohibitions or provisions that allow suppression and non-publication orders to be made? Why or why not? (2) Which provisions for suppression and non-publication, if any, should be consolidated or standardised? 

Monitoring and enforcing prohibitions on publication and disclosure 

Q 5.1: Sources of sanctions for breaches of prohibitions 

(1) Is the current regime, in which some breaches of prohibitions on publication or disclosure of information are enforced through statutory offences and others are enforced by contempt proceedings, satisfactory? Why or why not? (2) What changes, if any, should be made to the existing arrangements? To what extent should there be greater consistency in the statutory offences? (3) In particular, what changes, if any, should be made in relation to: (a) a mental element for any offence (b) the definition of terms used for publication or disclosure (c) exceptions to any of the statutory offences, or (d) the current maximum penalties for any statutory offences? (4) What changes, if any, should be made to the current arrangements for enforcing contempt of court in relation to breaches of prohibitions on publication or disclosure? 

Q 5.2: Monitoring prohibitions on publication and disclosure 

(1) How should prohibitions on publication and disclosure of information be monitored? (2) Is public transparency about the number of people who are proceeded against for offences involving breaches of the prohibitions necessary or desirable? Why or why not? How could public transparency about these numbers be improved? 

Q 5.3: Enforcing prohibitions on publication and disclosure 

(1) Are the existing arrangements for managing breaches of prohibitions on publication and disclosure of information effective? Why or why not? (2) If not, what changes should be made? 

Q 5.4: Challenges in enforcing prohibitions on publication or disclosure 

(1) What changes, if any, could make it easier for justice agencies to identify and prosecute people who breach prohibitions on publication or disclosure of information? (2) Should there be a scheme for mutual recognition and enforcement of suppression and non-publication orders across Australia? If so, what would the scheme entail? (3) How should the law and/or justice agencies deal with situations where prohibitions on the publication or disclosure of information under NSW law are breached outside Australia? (4) Should the time limits for enforcing the statutory offences considered in this Chapter be extended? Why or why not? 

Access to information 

Q 6.1: Consolidation of the court information access regimes in NSW 

(1) Should the regimes governing access to court information be consolidated? Why or why not? (2) If so, how should the regimes be consolidated? (3) What principles and rules should underpin a consolidated regime? 

Q 6.2: Discretion to permit or deny access to information 

(1) In what circumstances, if any, should courts have discretion to permit or deny access to court information? (2) In what circumstances, if any, should information be available as of right? 

Q 6.3: Considerations in determining access requests 

(1) What, if any, standard considerations or principles should all (or most) courts apply when determining an access request? (2) Are there any circumstances that would warrant different considerations to the standard considerations being applied? If so: (a) what circumstances, and (b) what should the considerations be? 

Q 6.4: Types of court information available for access 

(1) What types of court information should be available for access? (2) Should different access rules apply to different types of information? 

Q 6.5: Prohibiting access to court information Should access to court information be prohibited in certain circumstances? If so, when? 

Q 6.6: Who can access court information? 

Who should be able to access what types of court information and on what conditions? 

Q 6.7: Privacy protections for personal information 

How should the privacy of personal identification information contained in court information be protected? 

Q 6.8: Applying for access to court information 

(1) What procedures, if any, should apply when a person seeks access to court information? (2) What guidance, if any, should be given in relation to these procedures? 

Q 6.9: How access to court information should be provided 

(1) By what methods should courts provide a person with access to court information? (2) Should the available methods be different depending on the applicant and the situation? If so, how? 

Q 6.10: Fees for accessing information 

(1) In what circumstances should a person be charged a fee to access court information? (2) In what circumstances should any fees for accessing information be waived or reduced? 

Q 6.11: A national access regime 

Should there be a national regime governing access to documents? Why or why not? 

Q 6.12: Public availability of judgments and decisions 

How could NSW courts and tribunals improve access to judgments and decisions? 

Protections for children and young people 

Q 7.1: Criminal proceedings – prohibition on the publication and disclosure of identifying information 

(1) Should there continue to be a general prohibition on publishing or broadcasting the identities of children involved in criminal proceedings in NSW? Why or why not? (2) What changes, if any, should be made to the existing prohibition and the exceptions to it? 

Q 7.2: Criminal proceedings – closed court orders (1) Should criminal proceedings involving children continue to be held in closed court as a rule? Why or why not? (2) Are the current exceptions to the rule appropriate? If not, what changes should be made? 

Q 7.3: Criminal diversion processes 

(1) Is the prohibition on publishing or broadcasting the identities of young offenders who take part in criminal diversion processes appropriate? Why or why not? (2) What changes, if any, should be made to the existing prohibition? 

Q 7.4: Proceedings for apprehended domestic violence orders 

(1) Is the prohibition on publishing the identities of children involved in apprehended domestic violence order proceedings appropriate? Why or why not? (2) What changes, if any, should be made to the existing prohibition? 

Q 7.5: Care and protection proceedings – prohibition on the publication and disclosure of identifying information 

(1) Is the prohibition on publishing or broadcasting the identities of children involved in care and protection proceedings appropriate? Why or why not? (2) What changes, if any, should be made to the existing prohibition and exceptions? 

Q 7.6: Care and protection proceedings – closed court orders 

(1) Are the existing provisions relating to the exclusion of people (including the child or young person themselves) from court and non-court proceedings under the Children and Young Persons (Care and Protection) Act 1998 (NSW) appropriate? Why, or why not? (2) What changes, if any, should be made to these provisions? 

Q 7.7: Adoption proceedings 

(1) Should there continue to be restrictions on the publication or disclosure of material that identifies people involved in adoption proceedings? Why, or why not? (2) What changes, if any, should be made to the existing restrictions and exceptions? (3) Should adoption proceedings continue to be held in closed court? Why, or why not? (4) What changes, if any, should be made to the existing closed court provisions? 

Q 7.8: Parentage and surrogacy proceedings 

(1) Should there continue to be prohibitions on the publication or disclosure of material relating to parentage and surrogacy proceedings? Why or why not? (2) What changes should be made to the existing restrictions? (3) Should parentage and surrogacy proceedings continue to be held in closed court? Why or why not? (4) What changes, if any, should be made to the existing closed court provisions? 

Q 7.9: Other proceedings 

What further protections, if any, should there be against the publication and disclosure of, or public access to, types of legal proceedings involving children other than those to which protections already apply? 

Victims and witnesses: privacy protections and access to information 

Q 8.1: General protections for victims and witnesses (1) Are the general privacy protections for victims and witnesses in NSW appropriate? Why or why not? (2) What changes, if any, should be made? 

Q 8.2: Current protections for specific types of victims and witnesses 

(1) Are the privacy protections for specific types of victims and witnesses in NSW appropriate? Why or why not? (2) What changes, if any, should be made? 

Q 8.3: Protections for other types of victims and witnesses 

What privacy protections, if any, are needed for other types of victims and witnesses? 

Q 8.4: Access to court information by victims 

(1) Are the current arrangements governing access to court information by victims appropriate? Why or why not? (2) What changes, if any, should be made? 

Protections for sexual offence complainants 

Q  9.1: The prohibition on publishing the identities of sexual offence complainants 

(1) Is the prohibition on publishing the identities of complainants in sexual offence proceedings and the exceptions to the prohibition appropriate? Why or why not? (2) What changes, if any, should be made? 

Q 9.2: Closing courts during sexual offence proceedings 

(1) Are the situations in which courts may be closed during sexual offence proceedings appropriate? Why or why not? (2) What changes, if any, should be made?  

Media access to information 

Q 10.1: Media access to court information in NSW 

(1) Are the current arrangements for the media to access court information in relation to both civil and criminal proceedings appropriate? Why or why not? (2) Should the media have special privileges to access court information in relation to civil and/or criminal proceedings? Why or why not? (3) What changes, if any, should be made to the current arrangements, including in relation to: (a) the nature of the access provided (b) the types of documents that may be accessed (c) time limits on access, and (d) application procedures? 

Q 10.2: Media access to court proceedings 

(1) Is the current regime governing media access to proceedings appropriate and workable? Why or why not? (2) What changes, if any, should be made to the current regime, including in relation to: (a) prescribed sexual offence proceedings (b) proceedings involving children (c) accessing “virtual courtrooms”, and (d) orders excluding people under the Court Security Act 2005 (NSW)? 

Q 10.3: Broadcasting court proceedings 

(1) Are the rules that apply to media recording and broadcasting of court proceedings appropriate? Why or why not? (2) What changes, if any, should be made? 

Q 10.4: Impact of publication restrictions on the media 

(1) Are the laws that restrict the media from publishing or broadcasting information relating to court proceedings appropriate? Why or why not? (2) What changes, if any, should be made? (3) In relation to suppression and non-publication orders: (a) are the interests of the media adequately reflected in the grounds for making such orders? (b) is the list of people with standing to be heard in applications for suppression or non-publication orders appropriate? (c) are the current arrangements for communicating the existence of suppression and non-publication orders adequate? (4) What changes, if any, should be made to the laws and procedures relating to the media and suppression and non-publication orders? 

Q 10.5: Contemporary media 

(1) Are the current definitions and use of the terms “media” and “news media organisation” appropriate? Why or why not? (2) What changes, if any, should be made to these terms and their definitions? (3) How else could members of the media be identified for the purposes of the laws dealing with media access to court information and proceedings? 

Researcher access to information 

Q 11.1: Researcher access to information 

(1) What changes, if any, should be made to the existing arrangements for providing researchers with access to court information? (2) In particular, what changes, if any, should be made in relation to: (a) a centralised scheme for giving researchers access to court information, including a research committee (b) the kinds of researchers who should be able to access court information (c) the kinds of research that court information should be available for (d) the other considerations that may be relevant to granting a researcher access to court information (e) the type of court information researchers should be able to access (f) the types of conditions that should be placed on researchers who are given access to court information (g) applicable fees and arrangements for fee waiver (h) access to archived court records, and (i) requests to collate data and/or statistics? 

Digital technology and open justice 

Q 12.1: Online courts 

If virtual courtrooms are to be available, what provision, if any, should be made to ensure that: (a) open justice principles are given effect to, where possible, and (b) risks of prohibited disclosure or publication are managed effectively? 

Q 12.2: Electronic access to court information 

(1) What arrangements, if any, should be made for electronic access to court information? (2) In particular, what should the arrangements be in relation to: (a) the type of information that can be accessed (b) who can access the information, and (c) any necessary protections against unauthorised disclosure or publication of such information? 

Q 12.3: Suppression and non-publication orders in the digital environment 

(1) What, if anything, can be done to deal with situations where suppression and non-publication orders under NSW law are breached outside Australia? (2) In particular, what, if anything can be done to minimise the risk of offending content affecting the fairness of a trial? 

Q 12.4: Tweeting and posting in court 

(1) Are current provisions regulating use of social media by the media and public in court adequate? Why or why not? (2) What changes, if any, should be made to the existing provisions? 

Other proposals for change 

Q 13.1: A register of orders 

(1) Should there be a publicly accessible register of suppression and non-publication orders made by NSW courts? Why or why not? (2) If so: (a) who should be able to access the register, (b) what details should be included in the register, and (c) who should build and maintain the register? 

Q 13.2: An open justice advocate 

(1) Is there a need for an advocate to appear and be heard in applications for suppression and non-publication orders? Why or why not? (2) If so, what responsibilities should the advocate have? 

Q 13.3: Education initiatives 

(1) What education initiatives could be implemented to improve people’s understanding of open justice and associated restrictions? (2) Who should be responsible for delivering those initiatives? 

Q 13.4: Other ways to avoid juror prejudice 

(1) Could the juror oath and affirmation be amended to better ensure jurors appreciate, and take seriously, the obligation not to seek or rely on potentially prejudicial information? If so, how could they be improved? (2) Is the current Jury Act 1977 (NSW) offence of making inquiries effective? If not, how could it be improved? (3) Are the current jury directions about avoiding media publicity and making inquiries about the case appropriate? If not, what reforms are required? (4) Could improving the way that juror questions are managed better ensure jurors do not conduct their own inquires? If so, what improvements could be made? (5) Could more educational guidance be provided to jurors about avoiding media publicity and making inquiries prior to the trial? If so, what should this guidance say? (6) Could pre-trial questioning of jurors be used more effectively to determine which potential jurors have been exposed to prejudicial information? If so, how? (7) Should NSW adopt the Queensland approach of allowing judge alone trials where there has been significant pre-trial publicity that may affect jury deliberations? Why or why not? (8) Are there any other ways in which current law or practice can be improved to prevent jurors from being influenced by potentially prejudicial information?

Posted by at
Labels: , , , , , , , , ,
Subscribe to: Comments (Atom)