Appendix 5

Privacy in the Private Sector

Appendix 5

Overseas and Australian developments in privacy

International comparisons – Term of Reference 1 (b)

A number of submissions addressed the standing of Australia's privacy protection efforts by comparing them to those of other nations. The privacy protection regimes in the following nations were reported on by the Privacy Commissioner [1] and the Australian Privacy Charter Council which provided a paper by Mr Nigel Waters. [2] The material therefore mainly reflects the situation at the time these submissions were written.

Europe

1.1 Data protection regimes in European countries vary, but all of them are based on laws that impose obligations on private sector organisations and establish a supervisory agency to administer those laws. Moreover, information privacy laws were rapidly being harmonised with the requirements of the EU Directive.

1.2 Discussion on aspects of the EU Directive is in the main text of this report, in Chapter 3 and Chapter 5.

Canada

1.3 Like Australia, Canada has for some time had a federal act applying privacy principles to most federal agencies. Unlike the Australian States, many provinces followed the Canadian Federal Government's lead, at times also combining privacy protection laws with freedom of information laws. According to Mr Waters, Canada “flirted with self-regulation of the private sector … but has now come off the fence …” [3]. Mr Waters advised in his submission that in September 1996 the justice minister announced the Canadian Federal Government's intention:

    … to bring in legislation to cover both the public and private sectors, so as to provide and effective and enforceable protection of privacy rights in the private sector ... According to the Canadian Federal Privacy Commissioner, the aim of the Federal Government is to enact privacy laws that will meet the test of adequacy envisaged by the EU Directive, including having the necessary oversight and enforcement mechanisms if the data protection principles are contravened. [4]

1.4 The Canadian Government is committed to enact this legislation by the year 2000. [5]

Japan

1.5 Since 1988, Japan has had a limited privacy law applying to central government agencies' use of computerised data. It has also some specific sectoral rules for credit data, and general guidelines for the private sector since 1989. Following the EU Directive the 1989 guidelines were amended in 1997 and by a supplementary memorandum in November 1997. In February 1998, the Finance and Industry Ministry (MITI) established a supervisory authority to monitor a new system for the grant of `privacy marks' to businesses committing to the handling of personal data in accordance with MITI guidelines and to promote awareness of privacy protection for consumers. The `privacy mark' system was introduced on 1 April 1998. It is administered by a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and will not be granted the privacy protection mark. The assumption is that they will be penalised by market forces. [6] The Japanese approach has been described by the US President as a “market-orientated, private sector-led approach”. [7] It is essentially a self-regulatory, voluntary approach. There are no legislatively backed sanctions for failure to comply with privacy principles. Stephen Lau reports that the Japanese measures provide partial conformance with the EU Directive. Debatable areas include private sector coverage, manual structured data processing, processing of sensitive data, an independent supervisory body, transborder data flow and codes of conduct. [8]

New Zealand

1.6 An enforced self-regulatory approach is used, based upon the implementation and observance of codes of practice and legislated privacy principles similar to those in the Australian Privacy Act 1988 (Cth). The New Zealand Privacy Act 1993 is administered by a Privacy Commissioner. Codes may be developed either by a particular organisation or the Privacy Commissioner, or through cooperation between them. The New Zealand privacy regime provides for enforcement of the codes in the case of non-compliance. The New Zealand Act applies to the entire New Zealand economy, including the private sector and all levels of government. [9]

Taiwan

1.7 In July 1995 Taiwan enacted an information privacy law that covers both the public and private sectors, but only in relation to computer processing systems with personal data. [10] Stephen Lau reports that there is partial conformance with the EU Directive. Debatable areas include manual structured data processing, processing of sensitive data, an independent supervisory body, regulation of transborder data flow for the public sector and codes of conduct. [11]

Hong Kong

1.8 The Personal Data (Privacy) Ordinance, enacted in 1995, covers both the public and private sectors. It regulates the processing of both automated and manual data. The ordinance also creates an independent supervisory body with significant enforcement powers. The Hong Kong Privacy Commissioner may issue and approve sectoral codes of practice in consultation with relevant representative bodies. Formal approval provides a legal basis for the code. [12] According to Stephen Lau, in Hong Kong there is general conformance with the EU Directive, except in some areas including purpose specification and the processing of sensitive data. [13]

South Korea

1.9 In 1994 South Korea enacted the Act on the Protection of Personal Information Managed by Public Agencies. There is also consumer credit information that is regulated separately by the 1995 Act Relating to Use and Protection of Credit Information. [14]

Malaysia

1.10 It is understood that Malaysia planned to enact a generic law on personal data protection in March 1998. This legislation will cover both the private and public sectors, and automated and manual data processing. The legislation is likely to establish an independent supervisory agency. The New Zealand model for privacy protection appears to be one of those under consideration. In January 1998 a committee was studying the implications of the OECD Guidelines and the EU Directive to formulate the new law. [15]

Philippines

1.11 There is no general law on personal data protection. [16]

Singapore

1.12 There is no general law on personal data protection. Singapore does have privacy protection in specific areas, including taxation, provident funds and banking. Singapore is very conscious of the OECD Guidelines and the EU Directive. This jurisdiction is monitoring the international developments. [17]

Indonesia

1.13 This jurisdiction has no general laws concerning personal data protection. According to Stephen Lau, it is not clear when such a law would be introduced or whether one is planned. [18]

China

1.14 This jurisdiction has no general law concerning personal data protection. According to Stephen Lau, it is not clear when such a law would be introduced or whether one is planned. [19]

Asia in General

1.15 In concluding his review of the privacy protection regimes in Asia, Stephen Lau said that: “The Hong Kong, Taiwan and Japan laws are in general conformance with the OECD principles.” [20]

United States

1.16 Jurisdictions in the United States have taken a cautious approach to the protection of personal information handled by private sector organisations. There are, however, many laws at both federal and state level that protect information privacy in particular contexts. These include:

  • personal information held by Federal Government agencies;
  • credit records;
  • tax return and tax filing information;
  • banking and financial records;
  • information communicated electronically;
  • labour-related records, such as union membership;
  • benefits-related records;
  • video rental or sale records;
  • cable television subscriber records;
  • family educational records;
  • certain types of medical records [usually addressed at the State level]; and
  • social security numbers and information.

1.17 The Privacy Commissioner reported that in the United States, legislation is not routinely pro-active and this leads to a patchwork of regulatory bodies:

    At times, legislation and regulation have developed in response to a specific incident. For instance, the Video Privacy Protection Act of 1988, the so-called `Bork Bill' grew out of a reaction to the disclosure of the video rental habits of a prominent Federal Court judge. This [approach] leads to a patchwork of legislative provisions and regulatory agencies. [21]

1.18 The US privacy protection system suffers from the two defects that the majority of submissions urged this committee to ensure that any Australian initiative avoided: a lack of consistent, national coverage and a lack of effective enforcement processes. In this vein, the Australian Privacy Charter Council reported that:

    The US is often mistakenly portrayed as a country without statutory privacy protection. This is far from the case, with a plethora of sectoral or activity-specific laws governing the use of personal information at both federal level and in many States, in areas such as credit reporting, telecommunications, motor vehicle and driver registration and video hire records. What is lacking in almost all cases is any effective supervisory body, so that compliance is very uneven, and relies generally on litigation by aggrieved individuals.

    …the Clinton administration itself has strongly resisted calls for comprehensive legislation, preferring to see the private sector provide privacy protection through a range of self-regulatory initiatives. In practice some of these are “co-regulatory” in nature with federal or state agencies able to enforce compliance with rules designed and implemented by industry associations ... [22]

1.19 The following assessment was given by Mr Nigel Waters of Australia's position and the effectiveness of the United States approach – the approach that is likely to emerge by default in Australia if no national initiative is undertaken and the States legislate unilaterally:

    It is clear that Australia is one of only a few countries still `holding out' against a growing international consensus that a legislative framework is necessary to deal with the privacy issue.

    The two other main countries which are still trying, like Australia, to pretend that self-regulation will suffice, are the United States and Japan. There may be some chance that in Japan, the centralised and disciplined private sector may be able to make the recently introduced `privacy mark' system work. In the US however there is abundant evidence that self-regulation cannot work in this area. Abuses of privacy for commercial reasons are rife, and even the forceful exhortations by the federal government over the last year have failed to elicit significant progress towards effective self-regulatory mechanisms. [23]

1.20 The Australian Privacy Charter Council assessed Australia's international position, with respect to privacy protection, in these words:

    Australia now lags behind all European Union member states, New Zealand, Hong Kong, Taiwan and South Korea in its response to concerns about privacy protection in the private sector. The Canadian federal government announced in 1996 that it would legislate for private sector protection before the year 2000 … [24]

1.21 In a further submission, the Council stated:

    In short, Australia is in danger of becoming isolated in its inadequate response to privacy concerns, with potentially serious consequences for business confidence and investment and international trade, as well as leaving citizens with a sub-standard privacy protection regime which will inhibit the acceptance of electronic commerce and service delivery. [25]

Current legislative and other frameworks for privacy regulation in the Commonwealth, States and Territories – Term of reference 1(c) [26]

1.22 Nationally: The Constitution does not explicitly guarantee a right to privacy. However, it is arguable that, given the implied rights doctrine that the High Court has been developing, an implied right to privacy may be found with respect to the operations of representative government. For example, abolishing the secret ballot or requiring people to express a political opinion in order to obtain some appointable public office, may be found to violate the Constitution. As well, Section 116, which prevents the Commonwealth legislating with respect to religion, may guarantee the privacy of religious belief and the privacy of the relationship between a communicant and his or her religious adviser.

1.23 The common law does not specifically protect the privacy of personal information. Such protections as exist at law rely upon the law of torts or contracts. Australia, the Privacy Commissioner reported, like other common law jurisdictions, has not developed a tort of breach of privacy. The courts have preferred to utilise existing courses of action. [27]

1.24 In addition to the Privacy Act 1988, the Privacy Commissioner reports that “hundreds of statutes in the State and federal jurisdictions provide limited privacy protections for personal information, usually information controlled by government agencies.” [28] Most of these statutes operate by way of secrecy provisions that prohibit public servants from disclosing information to which they have access in the course of their duties. Some provide specific protections. The picture that emerges is that of a patchwork of legislation, with significant holes in the coverage which results in important areas of life being devoid of privacy protection.

1.25 New South Wales: A privacy committee was established under the Privacy Committee Act 1975. The committee is responsible for providing advice about privacy issues to individuals, government agencies and business organisations, and conciliating complaints about breaches of privacy. Its jurisdiction extends to both public and private sectors. In addition to providing advice and conciliating complaints, the committee can investigate complaints, although the committee does not have the power to make binding determinations. It also lacks the power of enforcement of its decisions. The committee also conducts research on significant developments in law, policy and technology that affect privacy. As well, the NSW committee promotes public awareness of privacy issues. [29]

1.26 Tasmania: A set of information privacy principles has been developed and issued on an advisory basis for the guidance of government agencies. The Tasmanian Government supports the maintenance of privacy standards by government and non-government bodies through the use of policy and codes of practice. According to the Privacy Commissioner there are no other developments in the public area. [30]

1.27 Queensland: There is no general privacy protection applying to either the public or private sector in Queensland. In April 1998, the Legal, Constitutional and Administrative Review Committee of the Queensland Parliament released a report, Privacy in Queensland. The report recommends the enactment of a privacy act and the appointment of a privacy commissioner. It was also recommended that the proposed Act make allowance for information privacy principles modelled on the Privacy Act 1988 (Cth). The Queensland Act would bind all state government departments and agencies, local governments and private sector service providers contracted to State or local government.

1.28 The proposed powers of the Queensland Privacy Commissioner would be similar to the powers of the Commonwealth Privacy Commissioner in the Commonwealth sphere. The proposed Queensland Privacy Commissioner would be assisted by a privacy advisory committee, also to be established by legislation. This legislation would be broadly modelled on Part VII of the Privacy Act 1988 (Cth). The Queensland Act would also contain offence provisions modelled on those in the Privacy Act 1988. [31]

1.29 South Australia: Under Cabinet Administrative Instruction 1/1989, in July of that year, eleven information privacy principles were introduced and applied to South Australian government agencies. The South Australian principles are identical to those contained in the Privacy Act 1988 (Cth), but they are guidelines, not law. At the same time a privacy committee was established to hear complaints about breaches of the privacy principles and to provide advice on privacy protection matters. [32]

1.30 Western Australia: There is no general information privacy legislation applying to either the public or private sector. There are, according to the Privacy Commissioner, no other developments in the public arena. [33]

1.31 Northern Territory: There is no general information privacy legislation applying to either the public or private sector. There are, according to the Privacy Commissioner, no other developments in the public arena. [34]

1.32 Australian Capital Territory: All ACT government agencies are covered by the Privacy Act 1988. In addition, the Legislative Assembly passed the Health Records (Privacy and Access) Act 1997, which covers both the public and private sectors.

1.33 This Act provides for: privacy rights in relation to personal information; the integrity of records containing personal information; consumer access to personal health information in health records; the consumer to receive an explanation of his or her personal health information. The Act seeks to encourage agreement concerning the exercise of a right or the performance of a duty under the Act, between the persons concerned. [35]

1.34 Victoria: There is currently no general privacy legislation applying to the private sector in Victoria. Complaints about privacy matters relating to State government agencies are dealt with by the Ombudsman.

1.35 In July 1998 the Victorian Treasurer and Minister for Information Technology and Multimedia, Mr Alan Stockdale, released two discussion papers dealing with privacy issues. The papers also foreshadowed legislation addressing privacy issues, to be introduced into the spring session of the Victorian parliament. [36] The Victorian initiative represents the most extensive attempt to implement privacy protection legislation since the Commonwealth Attorney-General's proposal was abandoned in March 1997. The foreshadowed Victorian scheme is based upon the National Principles for the Fair Handling of Information released by the Privacy Commissioner in February 1998. [37] The Bill is likely to have the following key elements, according to the Discussion Paper: Information Privacy in Victoria: Data Protection Bill:

  • a privacy commissioner, who will oversee the administration and implementation of the legislation;
  • the legislation will provide for a default legislative privacy protection scheme that will apply to all sectors of the economy unless a sector has developed and, had accepted by and registered with, the privacy commissioner, a voluntary code.
  • organisations, including all private sector organisations, will be encouraged to develop voluntary privacy codes. Provided that organisations comply with their approved code they will be excluded from the default statutory scheme. Priority will be given to the development of voluntary codes. [38]
  • The privacy commissioner will be unable to prepare or impose a code and determinations will not be binding. [39]

1.36 The discussion paper also indicated that:

    If the Privacy Commissioner refuses to make a determination, he or she may refer the complaint to the Victorian Civil and Administrative Tribunal. The people affected by a determination, or the failure to make one, will be able to apply to the Victorian civil and Administrative Tribunal for it to be reviewed. This might require the prior approval of the Commissioner. [40]

1.37 Mr Alan Stockdale provided other details of the proposed Victorian regulatory scheme in a speech to Information Privacy & Data Protection Conference:

    “The Victorian legislative scheme will bridge the gap between voluntary codes and legislative schemes. We believe we are currently developing a third generation privacy regime that will be world's best practice. It is a regime that will address the needs of consumers and businesses in the Information Age, without stifling innovation and growth.

    1. Our scheme will enshrine with legislative force the basic privacy principle that information collected for one purpose should not be used for another purpose without the individual's permission.

    2. We will establish a default legislative scheme that will support and promote the development of voluntary privacy codes.

    3. The scheme will operate on the basis that priority is given to approved voluntary privacy codes. The approval process will involve the Privacy Commissioner certifying that the codes are suitable. The test will be whether: (i) the code is effective in broadly achieving the privacy objectives of the legalisation; and (ii) the code is not contrary to the public interest.

    4. The effect of approval will be that provided subscribers to the code comply with the approved voluntary privacy code, they will be excluded from the Victorian statutory scheme as long as they continue to comply with their code.

    5. The oversight of compliance, for both codes and the default legislative scheme, will operate as follows:

      • audits. An audit mechanism ensures a means of establishing whether or not an organisation is complying with its code or the default legislative regime. It is expected that audits will be triggered primarily by complaints or requests by the code's promoters
      • complaints. A complaints mechanism ensures that individuals are able to approach an organisation with an expectation of having their complaint dealt with efficiently and effectively. An individual will be obliged to approach the relevant organisation in the first instance.
      • education. In line with our general view that information privacy is largely an educative process, we consider the educational role to be played by the Privacy Commissioner as being crucial in getting appropriate privacy information out to business and community groups.
      • mediation. We consider that mediation provides an appropriate means of resolving complaints.
      • appeals. An effective privacy regime should ensure that appeals are the exception rather than the norm. However, for those situations where resolution cannot be reached by mediation, an appeal mechanism will be available.
      • penalties. Any penalties will be restricted to serious, flagrant or repeated breaches of a code or the legislative scheme.

    6. The framework of the Victorian scheme deliberately takes a national approach by adoption of the National Principles and, if agreed by the Commonwealth, we will explicitly reference the federal Privacy Commissioner in our scheme.

    7. The scheme is intended to be a light-handed, primarily educative scheme.

    8. A phase-in period of at least twelve months will ensure that all organisations have enough time to ensure that they are able to comply with the Victorian scheme, or to develop their own voluntary code”. [41]

1.38 Several potential problems were identified :

  • There is no assured independent complaints handling mechanism in the first instance. Such independence will occur for a voluntary code only if the voluntary code specifically provides for it. It is unclear whether the Victorian legislation will require independent complaints handling procedures as a condition of registration of a code. Independence would then seem to be assured only by taking a complaint from the voluntary code administrator to the Privacy Commissioner. The result is a labyrinthine system that effectively deters complaints. It seems unlikely that such a scheme would inspire the confidence of those who may wish to use the code to redress an invasion of privacy.
  • The determinations of the Privacy Commissioner are not binding. As a consequence, the Victorian scheme may lack credibility.
  • Enforceability is possible only if the complaint is taken to the Victorian Civil and Administrative Tribunal. It is not clear from the documentation and other information available to the secretariat that the Tribunal would have the power to enforce the code or any determinations. For example, amendment to the Victorian Civil and Administrative Tribunal legislation is not referred to in the Discussion papers, in the section `consequential amendments' [42].
  • It would seem that the proposed Victorian legislation does not specifically allow for effective, speedy remedies and effective sanctions.
  • If a voluntary code is not honoured, the default legislative scheme applies. It is not specified under what circumstances, and using what criteria, a decision would be made that a voluntary code has not been complied with. At present there is no guarantee to citizens that the voluntary schemes are going to be backed up with effective legislative muscle.
  • Any penalties will be restricted to serious, flagrant or repeated breaches of a code or the legislative scheme. This may send a message to citizens that breaches of privacy, that may damage a person's reputation and standing within the community, are not serious enough to deter by effective penalties.
  • Organisations that have more than one type of business and are members of more than one trade organisation may find themselves subject to inconsistent codes. This would increase compliance costs.
  • In the Victorian proposal, the Privacy Commissioner cannot impose or prepare a code. If the New Zealand experience is anything to go by, many industries would prefer the Privacy Commissioner to prepare a code. This reduces their running and compliance costs. The Victorian model seems to have selected a regulatory model that is more costly to business than others that are available, tested and found acceptable.
  • The EU has indicated that it prefers a scheme based on legislation, that allows for effective and speedy remedies, sanctions for breaches of privacy, and the resolution of complaints. Only a scheme that meets these standards will be considered `adequate'. It is not clear, given the foregoing, that the Victorian proposal will meet the EU `adequacy' test.

1.39 The nature of Victorian involvement in the development of the Commonwealth legislation announced in mid-December 1998 is not yet clear. [43] It is also possible that if satisfactory national legislation is developed there will be limited need for state-specific legislation. [44]

Footnotes

[1] Submission No 51, Human Rights and Equal Opportunity Commission, pp. 873-877.

[2] Submission No. 7A, Australian Privacy Charter Council, pp. 273-278

[3] Submission No. 7A, Australian Privacy Charter Council, p. 275.

[4] Submission No. 7A, Australian Privacy Charter Council, pp. 275-276.

[5] In October 1998 private sector privacy legislation was tabled, intended to ensure protection of all personal data handled by the federally-regulated private sector. This includes areas such as banking,telecommuncations and transportation. The legislation is the Personal Information Protection and Electronic Documents Bill

[6] Submission No. 7A, Australian Privacy Charter Council, p. 275.

[7] Submissions No. 7A, Australian Privacy Charter Council, p. 275.

[8] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[9] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 876.

[10] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) pp. 145-151.

[11] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[12] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) pp. 145-151.

[13] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[14] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 877.

[15] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 877; S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[16] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) pp. 145-151.

[17] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[18] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[19] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[20] S. Lau, “Observance of the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy Reporter 4 (1998) p. 151.

[21] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 874.

[22] Submission No. 7A, Australian Privacy Charter Council, p. 276.

[23] Submission No. 8, Mr Nigel Waters, p. 253.

[24] Submission No. 7, Australian Privacy Charter Council, p. 240.

[25] Submission No.7A, Australian Privacy Charter Council, p. 296.

[26] The major constitutional issues are discussed in Chapter 8 of this report, and other aspects of law at Chapter 4. In general, this Appendix reflects the situation as noted in submissions to the Committee, that is, prior to the end of 1998.

[27] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 878.

[28] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 880.

[29] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 881.

[30] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 883.

[31] Submission No.51, Human Rights and Equal Opportunity Commission p. 882; Queensland Legislative Assembly: Legal, Constitutional and Administrative Review Committee, Report No. 9; Privacy in Queensland, Brisbane, April, 1998.

[32] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 883.

[33] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 882.

[34] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 882.

[35] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 883

[36] Discussion Paper: Promoting Electronic Business: Electronic Commerce Framework Bill, July, 1998; Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998.

[37] Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998, p. 11.

[38] Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998, p. 12.

[39] Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998, pp. 17 & 37.

[40] Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998, p. 37.

[41] Mr Stockdale, speech to the Information Privacy & Data Protection Conference, available at , p. 5.

[42] Discussion Paper: Information Privacy in Victoria: Data Protection Bill, July, 1998, p. 38

[43] News Release, Attorney-General, Victorian Agreement on Privacy Welcomed, 16 December 1998 referred to in the Foreword to this report.

[44] See above, Chapter 8, Paragraphs 8.38-8.39.