Generating Standards for Privacy Audits: Theoretical Bases from Two Disciplines
Author: Alan Toy
EAP Date (approved for print): 14 November 2017
Note to users: Articles in the Epubs ahead of print (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), Article Title, Journal (Year),
Volume(Issue), EAP (page #).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.
ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org
http://www.jlisjournal.org/
ALAN TOY*
Abstract
Critical Theory provides a lens through which the practice of privacy auditing may be
viewed. This allows for a study of privacy auditing that emphasises areas in which the
practice may have room for improvement. It is suggested that privacy audits may be
improved by the use of standards that come closer to harmonisation. This would provide
the additional benefit of updating the standards to more modern criteria than are
currently contained within the national information privacy laws.
Introduction
Privacy audits are now firmly on the agenda of professional services firms in the disciplines of both accounting/auditing and law. Some well-publicised privacy audits have targeted high-profile organisations.[1] Audits can help to address the concerns of individual citizens, particularly where concerns are amplified by the sweeping nature of privacy violations,[2] which can affect large groups of citizens at once.
EAP 1
Journal of Law, Information and Science Vol 25 2017
However, privacy audits do not fall under one universally agreed definition.
The range of services that may be called privacy audits is very wide, and
different organisations are approaching privacy audits in different ways. It is
currently impossible to identify a set of standards for a privacy audit that the
majority of privacy auditors would agree upon. This variation of standards
impedes the development of privacy audits as an assurance service.
This article argues that accountants and lawyers may have some common
ground when creating standards for privacy audits. Further, agreement
between the disciplines on a common theoretical basis could allow for the
production of standards for privacy audits that are capable of providing
assurance to organisations that operate internationally, and to other
stakeholders such as consumers who might reside in a different country from
the one in which the audit report is produced.
As privacy audits develop, new types of expertise and institutions might arise
to conduct them. This may include private auditors such as audit firms
developing specialised privacy audit teams, or it may go further than that.
Multidisciplinary teams may also benefit from a common agreement on the
basis of standards for privacy audits.
More and more information is being collected about people in society: "[t]he scope of surveillance and social control in contemporary society is at an unprecedented high".[3] The focus must now turn from preventing collection of personal information to overseeing its uses. The power of those who control this data is increasing and this must be matched by a corresponding increase in their responsibility. Accountability of data controllers can be facilitated by the rise of privacy auditing. It has not been necessary until recently for privacy auditing to assume a greater role, but changes in technology now make this imperative.
The advent of Big Data[4] has important implications for privacy and will result in increasing risks of breaches of privacy. The benefits of Big Data are myriad, but the danger is that people could be subject to profiling and decisions could be made without the subject individuals knowing the reasons for such decisions. Privacy audits may be a method of addressing these concerns. To guard against the possibility of loss of autonomy and individual liberty, big data will require monitoring and transparency, which in turn will require new types of expertise and institutions.[5] For example, some tertiary institutions in the United States that have sufficient resources are using the social media history of individual applicants as a screening process, assisting in a determination of whether to admit a student to college or not. The potential students are sometimes not informed that their information has been used in this way.[6] Privacy concerns of consumers appear to be significant,[7] and in research by the Federal Trade Commission (FTC), a nationwide survey indicated that 57 per cent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons.[8]
Privacy audits are one way of increasing privacy protections in the age of Big
Data and social networking. These audits investigate the flows of personal
information within an organisation and determine whether the organisation
implements appropriate privacy principles in its management of these data
flows. The scope of a privacy audit relates to personal information, whether or
not it is stored in an IT system. A privacy audit is therefore different from an
IT audit, which does not focus on implementation of appropriate privacy
principles but instead focuses on the security of information. Even if an
organisation implements the best security controls available, it may still fail to
implement appropriate privacy principles.
organisations, the relationship between citizens and governments, and more: Viktor Mayer-Schonberger and Kenneth Cukier, Big Data: A Revolution That Will Transform How We Live, Work and Think (Houghton Mifflin Harcourt, 2013) 6.
5 Mayer-Schonberger and Cukier, above n 4, 179.
6 Natasha Singer, "Toning Down the Tweets Just in Case Colleges Pry", The New York Times (online) 19 November 2014 <http://www.nytimes.com/2014/11/20/technology/college-applicants-sanitize-online-profiles-as-college-pry.html?hp&action=click&pgtype=Homepage&module=mini-moth&region=top-stories-below&WT.nav=top-stories-below>.
7 Stephen Shelton, "The Case for Privacy Audits" (2010) 67 Internal Auditor 23, 23.
8 Federal Trade Commission, Mobile Privacy Disclosures: Building Trust Through Transparency (Staff Report, Federal Trade Commission, February 2013) 3 <https://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf>.
The earliest privacy audits appear to have taken place in West Germany in the early 1980s.[9] Early examples also took place in other countries in Europe and in Canada.[10] In Europe, "the number and frequency of [privacy] audits is increasing".[11] However, the number of privacy audits still varies widely, with hundreds performed annually in some Member States and just a few in others.[12] Interestingly, there has been some use of consistent privacy audit standards simultaneously in multiple states of the European Union (EU). For example, in 2006 the Article 29 Working Party began investigation of data processing practices in the Private Health Insurance sector. This was a co-ordinated EU-wide investigation that used the same methodology across the different countries.[13]
There have been a small but increasing number of privacy audits required under orders by the FTC in the United States. These have generally targeted large, dominant players in the online environment such as Google.[14] Another example is Snapchat, which has recently been issued with a consent order that requires it to have biennial assessments that certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.[15]
16 David Wright and Paul De Hert, Privacy Impact Assessment (Springer, 2012) 172.
17 Lee Bygrave, Data Privacy Law: An International Perspective (Oxford University Press, 2014) 51.
18 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS No 108 (entered into force 1 October 1985); Bennett and Raab, above n 10, 72.
19 Graham Greenleaf, "Renewing Convention 108: The CoE's 'GDPR Lite' initiatives" (2016) 142 Privacy Laws & Business International Report 14, 17.
20 ISO/IEC 29100:2011 (2011-12) International Organisation for Standardisation <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123>.
21 Bennett and Raab, above n 10, 129.
22 Bygrave, above n 17, 101.
23 Bennett and Raab, above n 10, 141.
and action, including legal action.[24] There have also been official reports within the United States that recommend changes to official policies on data collection, due to the fact that
It is unknown whether and to what extent President Trump will give effect to information privacy initiatives pursued by the White House under President Obama. For example, President Obama has voiced privacy concerns in a speech delivered at the FTC,[27] and the latest Consumer Privacy Bill of Rights was proposed.[28] If passed, this Bill would allow enforcement by the FTC of privacy rights for consumers. This document supports the approach suggested by some research that is in favour of fundamental principles supplemented by industry codes of conduct.[29] However, it does not embrace the principles of proportionality, legitimacy and privacy by design to the full extent that has been recommended by the latest European proposals, and proposals by the
24 For example: Klayman v Obama 957 F Supp 2d 1 (D DC, 2013), which was brought following the revelations by Edward Snowden.
25 Richard A Clarke et al, Liberty and Security in a Changing World (Report, President's Review Group on Intelligence and Communication Technologies, 12 December 2013) 76 <https://obamawhitehouse.archives.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf>.
26 Ibid 19.
27 Reed Freeman, "President Obama Turns His Attention to Privacy" (12 January 2015) International Association of Privacy Professionals <https://privacyassociation.org/news/a/president-obama-turns-his-attention-to-privacy/>.
28 Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015 (2015) The White House <https://www.scribd.com/document/257168595/Administration-Discussion-Draft-Consumer-Privacy-Bill-of-Rights-Act-of-2015>.
29 Alan Toy, "Different Planets or Parallel Universes: Old and New Paradigms for Information Privacy" (2013) 25 New Zealand Universities Law Review 938.
The use of new technologies is also changing the balance between privacy and other interests in the legal sphere. New judgments are striking a different balance regarding privacy and interests such as law enforcement. For example, in Riley v California[34] the majority in the Supreme Court of the United States held that an appropriate balance must be struck with regard to searches of digital data on cell-phones that is different to that struck with regard to searches of other objects.[35] In a concurring judgment, Justice Alito said that this issue required a new balancing of law enforcement and privacy interests.[36] This judgment prevents police officers from performing a warrantless search of a cell-phone's data even if the cell-phone is in the possession of a person who has been arrested. The basis of this ruling is that the sheer quantity of data held on a cell-phone requires different treatment from other items in a person's possession, confirming that changes in technology can result in increases in legal privacy protections. Privacy audits are able to apply the new balance of interests provided they are flexible and do not simply apply the information privacy laws in place in one single jurisdiction.
30 H Jeff Smith, Tanara Dinev and Heng Xu, "Information Privacy Research: An Interdisciplinary Review" (2011) 35 Management Information Systems Quarterly 989, 993.
31 Paul Pavlou, "State of the Information Privacy Literature: Where Are We Now and Where Should We Go?" (2011) 35 Management Information Systems Quarterly 977, 981.
32 Clarke et al, above n 25, 45.
33 Ibid 45-6.
34 Riley v California 573 US __ (2014).
35 Ibid 8 (Roberts CJ).
36 Ibid 3.
There have been calls for greater harmonisation of information privacy laws. For example, one recent survey about personal information found that 73 per cent of respondents indicated that there should be a call for a global consumer bill of rights and furthermore saw the United Nations as fostering that.[37] Furthermore, the FTC has been active in recommending new initiatives to address the challenges to privacy that are presented by the rise of data broker organisations. These are organisations that collect personal information of consumers and then use or transfer that information with or to others. There are privacy risks with this business model. The FTC has stated that "[t]he specific legislative recommendations made by the Commission reflect high-level principles drawn from the findings of this study, the Commission's previous work in this area, and the ongoing public debate about data brokers".[38] These principles reflect best practices for privacy protection, such as privacy by design, which includes considering privacy issues at every stage of product development.[39] These policy recommendations may have significant influence on the practice of privacy auditing because the high-level principles that the FTC is recommending reflect some aspects of best practice (such as privacy by design) that are not currently part of information privacy laws in countries such as Australia, Canada, Ireland, New Zealand or the United States. The FTC has developed privacy audits as a key part of settlements,[40] and it will continue to work with industry, consumer groups and lawmakers to further the goals of increased transparency and consumer control.[41] This indicates that the
37 Cloud Security Alliance Data Protection Heat Index Survey (Report, September 2014) 6 <https://cloudsecurityalliance.org/download/data-protection-heat-index-survey-report/>.
38 Edith Ramirez et al, Data Brokers: A Call for Transparency and Accountability (Report, Federal Trade Commission, May 2014) vii <https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf>.
39 Ibid 54.
40 The Google privacy audit was a reasonable assurance attestation engagement: Alan Toy and David Hay, "Privacy Auditing Standards" (2015) 34 Auditing: A Journal of Practice & Theory 181, 184.
41 Ramirez et al, above n 38, 57; The National Telecommunications and Information Agency (NTIA) within the US Department of Commerce has begun to convene meetings to craft codes of practice for privacy best practices in specific industries. The multi-stakeholder process to develop a code of conduct on mobile application transparency began in July 2012 and there have been a number of subsequent meetings: Federal Trade Commission, above n 8, iii; If the process results in the development of strong codes, the FTC may refrain from exercising its law
The concept of privacy audits has existed at least since Gelinas' PhD research.[45] However, it was not until the 1990s that publicly available privacy audits were conducted. More recently, it has been suggested that from a management perspective, it may be useful to have a privacy audit.[46]
Public concern may provide the impetus for an audit in a more general way than the complaints route, and may trigger a privacy authority to conduct an audit. This is the case with the privacy audit of the Canadian Border Services Agency, which came about after findings in a 2004 study that the Canadian public is concerned about the trans-border flow of their personal information to the United States.[51] Public concern regarding a number of breaches of data security led to a privacy audit of the Office of the Revenue Commissioners by the Office of the Data Protection Commissioner of Ireland.
<http://www.dataprotection.ie/viewdoc.asp?m=p&fn=/documents/AUDITS/AuditReports.htm>.
53 Steven Morgan et al, Personal Information Disposal Practices in Selected Federal Institutions (Final Report, Office of the Privacy Commissioner of Canada, 2010) 4 <https://www.priv.gc.ca/media/1143/ar-vr_pidp_2010_e.pdf>.
54 Steven Morgan et al, Audit of Selected Mortgage Brokers (Final Report, Office of the Privacy Commissioner of Canada, 2010) 3 <https://www.priv.gc.ca/media/1140/ar-vr_mb_2010_e.pdf>.
55 Steven Morgan et al, Audit of Selected RCMP Operational Databases (Final Report, Office of the Privacy Commissioner of Canada, 2011) 3 <https://www.priv.gc.ca/media/1148/ar-vr_rcmp_2011_e.pdf>.
56 Initial Assessment Report on Google's Privacy Program (Report, PwC, 22 June 2012) <https://epic.org/privacy/ftc/googlebuzz/FTC-Initial-Assessment-09-26-12.pdf>.
57 Agreement Containing Consent Order with a service date of October 28, 2011, between Google Inc and the Federal Trade Commission (US), above n 14.
58 KPMG and Information Integrity Solutions, Independent Review of ACC's Privacy and Security of Information (Report, KPMG and Information Integrity Solutions, 22 August 2012) <https://privacy.org.nz/assets/Files/Media-Releases/22-August-2012-ACC-Independent-Review-FINAL-REPORT.pdf>.
59 Deloitte, Ministry of Social Development Independent Review of Information Systems Security (Report, Deloitte, 30 November 2012) <http://img.scoop.co.nz/media/pdfs/1212/deloittephase2finalreport.pdf>.
Further impetus for privacy audits can occur due to changes at public institutions. An example is the sudden growth and change of Canadian Passport Operations. This produced a situation where an unprecedented increase in staff numbers resulted in a potentially lower level of compliance with privacy procedures because new staff had not yet completed their privacy training before starting work.[63] Technology upgrades such as the provision of smartphones to thousands of public servants have raised concerns regarding the protection of data and have given rise to a privacy audit of wireless environments in federal institutions.[64] The introduction of naked scanners[65] by the Canadian Air Transport Security Authority also justified a privacy audit.[66]
Previous privacy audits or even mere investigations may also raise issues that ought to be followed up in subsequent audits. This was the case with the re-audit of Facebook Ireland.[67] It is also demonstrated in a joint audit performed by the Canadian Office of the Auditor General and the Office of the Privacy Commissioner.[68] This is the first evidence of collaboration in Canada between these two offices in a privacy audit. An investigation of Veterans Affairs Canada also led to a subsequent audit.[69]
audits have been done by members of the American Institute of Certified Public Accountants for WebTrust, a privacy seal organisation.[73] These audits are private documents and they are not available for the research in this paper.
As may be surmised from the preceding discussion, the drivers of the practice of privacy auditing are diverse and it is therefore no surprise that the theoretical basis of privacy auditing and the information privacy rights on which the practice is based are underdeveloped.
Information privacy is a new and unsettled field of law, which emphasises the necessity for an enhanced theoretical basis. For example, in Google Spain SL v Agencia Española de Protección de Datos,[74] the Court of Justice of the European Union decided that Google must remove links in its website to some personal information of European citizens, a decision that caused an important and immediate change in the way that Google operates.
Although there have been calls for harmonisation of global standards for information privacy law, this may raise unrealistic expectations.[79] The differences between information privacy laws of different countries may therefore continue to exist for a considerable time. However, this need not present a problem for privacy audits. Privacy audits need not be a mechanical application of the information privacy laws within a single jurisdiction, but may instead apply standards for privacy auditing that may have more in common across different countries than information privacy laws do. This is not a resolved issue, however, as some privacy audits do represent application of the information privacy laws of just one country. For example, the privacy audit of Facebook Ireland demonstrates this approach. On the other hand, the privacy audit of Google demonstrates a departure from application of information privacy laws, instead focusing on other standards for the audit.
5 Critical Theory
While both accounting theory and legal theory recognise Positivism, this is unlikely to be the theory that is most useful for the development of privacy auditing. Privacy auditing is in a state of change and this is demonstrated by the wide variety of different standards that are used in current privacy audits.[82] Positivist theory does not provide a way for privacy auditing to advance from the current, unsatisfactory position in which it finds itself. Indeed, it has even been suggested that there will be no overall advantage in achieving an
79 Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013) 164.
80 ISO/IEC 29100:2011 (2011-12) International Organisation for Standardisation 19 <https://www.iso.org/standard/45123.html>.
81 Details of approved accountability agents can be found here: Cross Border Privacy Rules System, For Accountability Agents (19 January 2016) <http://www.cbprs.org/Agents/AgentDetails.aspx>.
82 Toy and Hay, above n 40, 181.
Interpretivism is also a theory that has roots in both accounting and law, and it has traditionally been associated with the jurisprudential arguments of Dworkin.[85] However, Interpretivism may also fail to provide a sufficient theoretical basis for privacy auditing. The essential nature of privacy auditing is that it exists to protect privacy, and it has been argued that one possible way to achieve more consistency for privacy audits, and therefore more applicability across different countries, is to adopt a common set of principles that may be balanced in different ways to achieve the best fit among different cultures.[86] However, the balancing of the principles is under constant and increasing assault from technological considerations. We need a completely new approach to privacy to deal with the threat of constant surveillance and control. The balance is always tipping away from privacy, so we need a strong rebalancing event. Critical Theory[87] may provide this.
Critical Theory is a better basis for a theory of privacy auditing than either Positivism or Interpretivism. It has been suggested that [o]ne crucial
It has been argued that steering media such as accounting and the law do not have a fixed position in the lifeworld-system complex and may be increasingly subsumed and internalized within systemic imperatives.[89] The lifeworld is a conception of everyday experience, while the system concept refers to functional areas such as the economy as a whole. In accordance with this argument, the basis of this paper is that social imperatives may influence the actions of privacy auditors and that this may influence later changes in the law to accord with modern practice. Especially in the area of information privacy law, where it is difficult for legislators to predict the types of data flows that will occur in the future, the law may need significant guidance from social norms and ideals regarding the information privacy rights of citizens. Privacy audits are an ideal mechanism for the recognition and propagation of practices that are consistent with these social norms and ideals.
88 Rob Gray and Markus Milne, "It's not what you do, it's the way that you do it? Of method and madness" (2015) Critical Perspectives on Accounting (forthcoming) 6.
89 Michael Power, Richard Laughlin and David Cooper, "Accounting and Critical Theory" in Mats Alvesson and Hugh Willmott (eds), Studying Management Critically (Sage, 2003) 132, 142.
90 Stewart Clegg et al, The Sage Handbook of Organization Studies (Sage, 2006) 256.
91 Mei-Lien Young, Feng-Yang Kuo and Michael Myers, "To share or not to share: a critical research perspective on knowledge management systems" (2012) 21 European Journal of Information Systems 496, 498.
92 Michel Foucault, "Afterword: The Subject and Power" in Hubert Dreyfus and Paul Rabinow (eds), Michel Foucault: Beyond Structuralism and Hermeneutics (The University of Chicago Press, 1983) 208, 223.
6 Non-Positivism
This paper argues that Critical Theory is consistent with at least one form of Non-Positivism and that it is essential for privacy auditing to be informed by Critical Theory in order to progress. It has been suggested that Non-Positivism can be divided into several different types,[95] of which the strongest form is inclusive Non-Positivism. Inclusive Non-Positivism "claims neither that moral defects always undermine legal validity nor that they never do".[96] One form of inclusive Non-Positivism employs the Radbruch formula, which holds that "extreme injustice is not law".[97] Therefore, if a law is immoral, it can still be a law provided that it is not extremely immoral. This type of Non-Positivism may
Those accustomed to balancing talk may think that the existence of a (morally) legitimate law establishing a duty to perform a certain action is a reason for it, to be added to other reasons for that action and balanced against whatever reasons there are against it. That is a very misleading and wrong-headed view.[103]
Positivism cannot refer back to morally legitimate reasons for laws. It can only refer to the pedigree (sources) of laws as legitimate reasons for action.[104] However, Positivism appears to buck the trend of legal reasoning by judges in both the EU and the US. In both of those jurisdictions, balancing talk is bound into the reasons for decisions in information privacy cases.[105] Positivism therefore appears to be out of touch with the reality of judicial decision making and, as such, cannot be a proper approach to the philosophy of law, at least where information privacy is concerned.
Although they are necessarily linked in his theory, Dworkin still sees distinctions between law and morality, and between law and justice. He states the abstract idea that legal rights are those flowing from past political decisions according to the best interpretation of what this means.[106] He therefore attempts to distance himself from the idea that law is a blueprint of morality. While this argument is correct in its aims, there may be a less complicated way to justify the distinction. Community morality is constantly changing. This can be seen in the change in values over time relating to bankruptcy, which used to cause the bankrupt to become a slave, then softened to a merely criminal offence, then further softened to mere civil penalties, and now appears to have softened even more to the point where facts entailing bankruptcy may no longer in fact result in it.[107]
Changes to community morality occur before changes to the law, and changes to the law may be very slow to respond to this. Law is created by humans with limited resources, both legislative and judicial. These resources can do their best, but cannot be entirely up to date with the community's conception of morality. This may result in the law not always being consistent with community morality. Judges asked to interpret such a law may give it the most up to date interpretation that they can, taking into account modern changes in community morality, so far as this is possible. They may apply principles according to the correct weight they would be given under the current community morality. These principles may be reflected to a greater or lesser extent in the wording of a statute. The closer the wording of a statute comes to these principles, the easier it will be for citizens in society to adjust their conduct in accordance with the law.
103 Joseph Raz, Between Authority and Interpretation (Oxford University Press, 2009) 7.
104 H L A Hart, The Concept of Law (Oxford University Press, 3rd ed, 2012) 100.
105 For a detailed discussion of balancing information privacy rights in the EU: See Toy, "Different Planets or Parallel Universes", above n 29. The practice of balancing information privacy rights against other rights is less developed in the US but it is present, such as in Riley v California 573 US __ (2014) where the Supreme Court held that privacy interests must be balanced against law enforcement interests.
106 Ronald Dworkin, Law's Empire (Fontana Press, 1986) 96.
107 An example is the No Assets Procedure: Insolvency Act 2006 (NZ) ss 361-377B. This allows an alternative to bankruptcy for persons who meet certain criteria, and avoids some of the consequences of bankruptcy.
Examples of the speed at which legislation in this area changes may be seen in New Zealand's review of its privacy law. The New Zealand Law Commission began this review in October 2006 and completed it in July 2011. However, the recommendations made have not yet been adopted in legislation by the New Zealand government. Also, the United States has been toying with the idea of federal privacy legislation to cover consumers generally for some time now. The White House, under the pre-Trump administration, introduced a draft Consumer Privacy Bill of Rights in both 2012[108] and 2015.[109] Prior to that, however, other consumer privacy bills have been proposed in the US, the most notable of which is the bi-partisan Commercial Privacy Bill of Rights proposed by Senators Kerry and McCain from opposing political parties.[110] However, the US has not yet adopted any of these proposals in legislation. Where information privacy legislation is updated infrequently, there is a strong risk that it does not reflect community morality. Privacy audits may bridge this fissure.
Finally, from an ethical perspective, privacy auditors may wish to apply the
latest thinking about information privacy to their privacy audits. The ethical
influence is consistent with Critical Theory. Organisations that wish to act not
only within the letter of the law, or even within the spirit of the law, but also in
accordance with general ethical principles may find that it is necessary to apply
standards that go beyond those enacted in local legislation.
Conclusion
Privacy auditing is not yet fully developed and therefore there are limited benefits from a traditional Positivist analysis of privacy auditing. However, Non-Positivist perspectives are present in the disciplines of accounting and law. Critical Theory provides a theoretical perspective that can inform the approach taken to the research in this paper. Furthermore, Critical Theory provides the opportunity to suggest improvements to the practice of privacy auditing. It is suggested that privacy audits may be improved by the use of standards that come closer to harmonisation.[112] Additionally, this would allow the standards to be updated to more modern criteria than are currently contained within national information privacy laws.