A Report on the Surveillance Society
enterprise, where codes of practice may apply; but also at the level of the country in which it is located, if there are laws or overarching codes covering workplace activity; and at the global level, from which the International Labour Organization’s code of practice on workers’ privacy304 originates. 44.6. Looking in another direction, the EU is not the only ‘regional’ or global arena that acts as a source or site of regulatory activity for some countries: the Asia-Pacific region has recently developed a Privacy Framework, albeit criticised as being of a low standard305, and the World Trade Organization is another high-level arena with some potential regulatory force over certain global information flows and personaldata processing that have surveillance implications. The attempt to produce privacy standards to be followed worldwide has had a chequered and politically highlycharged career,306 but nevertheless illustrates the way in which activity takes place beyond the borders of single nations, potentially affecting both them and the organisations that do business there, as well as their publics. Standardisation or privacy protection, beyond that for technical information-system security and including conformity assessment procedures for organisations, has been considered by many to be an important regulatory step, although so far its claims have not been strongly convincing in important policy arenas. 44.7. A further set of examples of international privacy-protection and surveillanceregulation activity at the regional level can be found within the EU and other European institutions. The EU’s Article 29 Working Party, established under the Directive 95/46/EC and comprising Member States’ commissioners, is noteworthy for the volume and range of its reports, opinions, working documents and the like, since 1997, on a host of topics that include the use of biometrics, video surveillance, the transfer of passenger name record (PNR) data from the EU to the USA, workplace surveillance, genetic data, RFID technology, and many more, totalling well over 100.307 The establishment of the role of European Data Protection Supervisor (EDPS),308 whose role includes monitoring ICT and other developments, advising on and influencing European Community policies in regard to personal data processing, and the evolution of global and lower-level networks, meetings and discussions amongst privacy commissioners on important topics and technologies, are among the ways in which activity relevant to regulation now transcends national boundaries. Other international or European bodies, such as Eurojust,309 which assists in the investigation and prosecution of serious cross-border and organised crime, have their data protection officers and derivative rules for the protection of personal data. 44.8. However, estimates of the efficacy of these levels of work in preventing or remedying the more insidious forms of surveillance and privacy invasion can be debated, especially in the current adverse climate of opinion about the precedence that counter-terrorism and law enforcement must take over the values involved in privacy and the limitation of surveillance. There are also many gaps among official organisations in the development of roles, institutions, responsibilities and strategies for safeguarding against surveillance. Moreover, whether or not regulatory activities 304 International Labour Organization (ILO) (1997) Protection of Workers’ Personal Data: An ILO Code of Practice. Geneva: ILO. 305 Greenleaf, G. (2005) ‘APEC’s Privacy Framework: a new low standard’. Privacy Law & Policy Reporter 11: 121-4. 306 op. cit. n. 281, 105-8. 307 See: CEC Directorate General Justice and Home Affairs (nd.) ‘Art.29 Data Protection Working Party,’ http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm . 308 See: EDPS (nd.) ‘Introduction,’ http://www.edps.europa.eu/01_en_presentation.htm ; EDPS (nd.) ‘Duties of the European Data Protection Supervisor and Deputy Supervisor,’ ch.5.4, http://www.edps.europa.eu/01_en_sub_fonctions.htm#Chap_54 309 See: Eurojust (nd.) http://www.eurojust.eu.int ; EDPS (nd.) ‘Data Protection Officers appointed by the Community institutions and bodies,’ http://www.edps.europa.eu/05_en_reseau_dpo.htm
87