‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But this article argues that we should not be too hasty, and outlines a number of reasons why ‘adequacy’ is now so entrenched in legal systems across the world that it will not be easy to remove. The list of countries considered adequate is expanding slowly: Uruguay and New Zealand will soon be added to the list. Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Consideration of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws suggests that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening.

As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol to Council of Europe Convention 108. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.

There is also, as yet, little indication that the current revisions of the Directive or the Convention will result in Europe abandoning its ‘border control’ approach. The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’ is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’, not only goes against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loath it, adequacy may be here to stay.

By ‘significant examples of privacy enforcement actions’ what we mean is as follows. Firstly, the action results from complaints to an independent authority, actions before any Court or Tribunal, or 'own motion' actions by an authority responding to a specific situation. General investigations or reform proposals by authorities are not included. Secondly, the authorities concerned could be Data Protection Authorities (DPAs) or Privacy Commissioners but they could also be telecommunications regulators, financial regulators, government agencies and so on. Independent industry self-regulatory bodies could be included. Thirdly, the result is a significant remedy for an individual or a group of people; or a significant change in (or confimation of) the interpretation of the law with potential remedial benefits; or a significant change in business or government practices.

At present there are well-established data privacy laws covering most aspects of the private sector in nine jurisdictions in Asia and Australasia. This article covers New Zealand and the three Australian jurisdictions. (An article in the next issue will cover the Asian jurisdictions.)

This survey of recent enforcement examples in New Zealand and Australia makes it clear that significant examples of enforcement of privacy laws continue to occur in all four jurisdictions considered, and some examples show the strengthening of particular remedies. However, the mechanisms through which signficant enforcement arises differs a great deal between jurisdictions. In these Australasian examples they include complainant-initiated injunctions, both awards of damages and mediations by Privacy Commissioners, orders by quasi-judicial Tribunals, and suppression orders by Tribunals. One overall factor shared by all four Australia and New Zealand jurisdictions is that payments of financial compensation to complainants are possible and do occur. A comprehensive assessment of enforcement effectiveness would also require statistical information to be considered. Such analysis of enforcement of privacy laws and its effectiveness (covering examples, statistics and mechanisms) is an important aspect of privacy research which is not yet fully developed.

The highlights of these new developments are new data privacy laws in South Korea, Taiwan, Malaysia and India, privacy protections in Vietnam’s new consumer law, and reform proposals in Singapore, Hong Kong, Australia and New Zealand. Legislative action seems to parallel the accelerating scale of threats to privacy, typified by massive data breaches in country after country, but the causal relationship is beyond the scope of this article. The article analyses these development, and the state of play in other countries of the regions, by sub-regions, in order of where the most dramatic recent developments have taken place: South Asia; North Asia; Indo-China; Australasia and the Pacific. The emphasis is on developments over the last 18 months, but background on previous data privacy laws is provided. The article updates Greenleaf, G ‘Asia-Pacific Data Privacy: 2011, Year of Revolution?’ (2011) Kyung Hee Law Journal.

Academic debate has tended to favour prisoner enfranchisement, on multiple grounds. In these accounts, the vote is seen as a fundamental, if not inalienable, human right in international law, whose denial to prisoners is indirectly racially discriminatory. Denying the vote is seen as counter-productive to the purpose of incarceration as social rehabilitation, and not sensibly understood as a form of punishment. There is more than a whiff of the discredited idea of ‘civil death’ about prisoner disenfranchisement.

On the political, and hence legislative front, however, prisoner voting has been fair game. This has chiefly been a symbolic battle, with conservatives seeing prisoners as having seriously breached the social contract. They remain part of the governed, but temporarily forfeit the right to select the governors.

For most of last century, prisoners were disqualified from voting, or nominating or serving as MPs whilst under sentence for an offence with a maximum of one year’s gaol. In 1983 the Hawke government expanded the federal franchise to prisoners whose offences carried a maximum sentence of less than five years. In 1995, the disenfranchisement was eased to an actual sentence of 5 years or more, largely for administrative convenience.

But in 2004 the Howard government reduced this to a three-year rule, in a compromise agreed by Labor. Then in 2006, this became a blanket ban on any prisoner under full-time sentence,4 at least for an Australian offence. Ironically, the voting rights of David Hicks, despite his US conviction on terrorism-related charges, were preserved. A further curiosity of the 2006 legislation was that prisoners were not freed of the compulsion to enrol. Rather, the Australian Electoral Commission (AEC) was to cleanse them from the certified lists for polling day.

The High Court of Australia was invited into this contentious fray by Vicki Roach. An Aboriginal woman who was sentenced in 2004 to six years for burglary including negligent injury and endangerment, Ms Roach had since completed a masters degree. Her case was driven by pro-bono lawyers and run through the Victorian Human Rights Law Resource Centre.

In late August this year, to the great surprise of most commentators, the High Court struck down the ban on prisoner voting. The surprise was a product of both the conservatism of the Court in the past decade, and its longstanding deference to parliamentary sovereignty in electoral matters.

The case was only a partial victory for Ms Roach, however. The 4-2 majority upheld the prior ban on voting by those subject to sentences of three years or more, and hence she will miss voting at the forthcoming federal election.

This note explores the compromise inherent in the Court’s reasoning, and reflects on its wider ramifications for the constitutionalisation of the right to vote given the absence of any mention of such a right in the Australian (or State) Constitutions.

In its submissions the Commonwealth advanced three alternative arguments for validity: -the 'geographic externality' argument - that ss.SOBA and SO BC are laws with respect to a matter physically external to Australia (ie, conduct outside Australia); -the 'external relations' argument- that ss.SOBA and SOBC are laws affecting Australia's external relations with other nations (being laws to curtail 'child sex tourism'); -and the 'international concern' argument- that ss.SOBA and SOBCare laws with respect to a matter of international concern (ie, 'child sex tourism').

The Full Court upheld the validity of the laws in question by a S:2 majority (Gleeson CJ, Gummow, Kirby, Hayne and Crennan JJ; Callinan and Heydon JJ dissenting). The order regarding validity was made at the conclusion of the hearing by the Full Courton 17November200S. Reasons were published on 13 June 2006.

The new Personal Data Protection Act enacted 26 May 2010 is in effect a new piece of legislation. It will not be brought into force until 2012 when the Enforcement Rules necessary for operation of some sections, are expected to be prescribed by the Executive Yuan. The Act is comprehensive in relation to both public and private sectors, and thus much more extensive than the previous Act in relation to the private sector. The revised Act still has no single oversight body, and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. The obligations imposed by the Act have been considerably expanded, particularly those in relation to notice, and to sensitive data. Data exports (‘international transmission’) by private organisations (‘non-public agencies’) may be restricted by ‘the central competent authority for the relevant industry’ (A 21), but this is not an automatic prohibition on exports. The Act has the first example of an enforceable requirement to notify data subjects (but not the relevant authority) of data breaches enacted in Asian data protection legislation, although the data breach notification provisions in the 2011 Korean legislation is the first to come into force. However, the Taiwanese provision does not apply to all ‘data breaches’, only to those where the company or government agency has breached a provision of the Act. Contraventions of the Act, where damage is caused to another person, can be punished by imprisonment up to two years or substantial fines. Potentially more important are the extensive provisions for damages actions, and for class action litigation (where ‘the rights of multiple subjects are injured by the same causal facts’) by representative organisations which have objectives of protecting personal data. While not as innovative as Korea’s new law, this Act does bring Taiwan up to many aspects of international standards.

The Bill does not include the extensive strengthening advocated by the Privacy Commissioner, but does propose modest improvements. Companies will always have to give individuals notice that they intend to sell their personal data, or even use it for their own marketing, but will still be allowed to do so unless the individual exercises an ‘opt out’ right. Breaches can make businesses liable to a fine of up to HK$1 million (US$128,500), an amount that is potentially crippling for a small business. There are considerable anomalies in these provisions. It seems that a blanket ‘Don’t ever sell my personal data’ notice would be possible. This raises the prospect that an inventive ‘Do not sell/market’ list broker could offer a service to send mass written notifications to major Hong Kong organisations, relieving individual data subjects of the burden of multiple notifications, thus turning direct marketing completely on its head. The drafter may also have overlooked the fact that public bodies controlling public registers sell personal data by providing copies of the information in their registers for a fee and are generally obliged to do so by the legislation governing the registers. The Bill would, on its face, apply to prevent them so doing this unless they complied with its notification and objection provisions.

The Bill will improve the current weak enforcement provisions. The Commissioner will now be able to order organisations to remedy contraventions of the Ordinance. Compensation proceedings will now be moved to the District Court, where the usual costs order is ‘no order as to costs’, which may reduce or remove the deterrent effect of the risk of expensive court costs. The Commissioner will also be empowered to assist litigants. For the first time, the Commissioner will also be empowered to assist parties to reach a settlement or compromise. It is possible that the Bill may be strengthened by the legislature (LegCo), because of the extent of public disquiet over the data breach scandals involving police and hospitals, and data sales scandals involving data from the Octopus transit card, banks and telcos.

However, a measure of certainty followed the Court’s endorsement, through the 1990s, of the formulation contained in the judgment of Mason J in Queensland Electricity Commission v Commonwealth (“QEC”). He framed the principle as comprising 2 elements, or limbs. The first limb, described in terms of discrimination, dealt with Commonwealth laws that singled out States for special burdens or disabilities; the second limb dealt with Commonwealth laws which, while not singling States out, operated so as to destroy or curtail their continued existence or capacity to function.

I do not share his Honour’s gloom. First, not all Federal or State Court decisions dealing with the Constitution cower under the damoclean sword of a successful special leave application or a s 40 removal. Many clearly dazzle in their own right (and perhaps light). Secondly, while some such cases do end up in the High Court so that, to that extent, the Federal and State Court decisions might be seen as “unfinished matters”, no-one doubts the utility of the intermediate decisions which, to quote Justice French again, “will settle the factual aspects of the case, dispose of lesser issues and sharpen the focus of interpretational choices that have to be made.”

Indeed French J shook off his gloom to a certain extent by asking rhetorically “where would we be without” such decisions. As he said, “most of the important constitutional law of Australia originates in proceedings in the lower courts.” This is demonstrated by the range of cases decided by the Federal and State courts in the 2003 term.