Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 24 June 1998
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/APCC980624.html
The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian Community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.
In 1994, the Charter Council launched the Australian Privacy Charter, which is attached to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured. The Charter and its principles are appended to this submission.
The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.
The Charter Council's main concern is to ensure that internationally recognised privacy principles, and fair information practices, are applied to the handling of personal information in all jurisdictions and sectors in Australia. Because of the absence in Australia of comprehensive privacy law applying to the private sector, there is currently inadequate protection for consumers against the misuse of their personal information. This is a particular concern in relation to electronic transactions, including the use of the Internet.
It is important to recognise that privacy concerns extend well beyond confidentiality and security. People are also increasingly wanting to know how organisations they are dealing with propose to use any personal information they obtain from them, and demanding some control over those uses. In particular, there is strong resistance to the idea that businesses should be able to sell or give away personal details for marketing, or even to use them 'in-house' for selling unrelated products or services, without the consent of the customer. People also want a right of access to personal information held about them and an ability to challenge its quality, and have corrections made where necessary.
It has been widely recognised by expert opinion both in Australia and overseas that a comprehensive and consistent framework of privacy or data protection law is an essential pre-condition for consumer confidence in electronic transactions. This in turn makes such a framework a pre-condition for business investment in new technology and services, and for acceptance of electronic delivery of government services.
If Australia is to gain the benefits of electronic commerce and service delivery, adequate privacy protection must be guaranteed, and the Charter Council calls on the Committee to lend support to the establishment of a national statutory framework for fair information practices.
Furthermore, there is also a danger that in pursuit of other legitimate public interests such as revenue protection and law enforcement, government authorities will over-react and introduce levels of monitoring of electronic transactions which impinge on important rights and freedoms which are essential characteristics of a free society. A comprehensive framework of binding privacy law is essential to maintain the balance between individuals' rights and other public interests.
1. The need for the Commonwealth privacy legislation to be extended to the private sector, with particular reference to:
(a) relevant international standards and obligations
(f) the rights of consumers
These two parts of the terms of reference are inseparable and both should logically come first, since individuals' rights to privacy underlie the other considerations. Australia has already accepted the rights of individuals to privacy, through its ratification of the International Covenant on Civil and Political Rights, Article 17 of which guarantees protection against 'arbitrary or unlawful interference with ... privacy...'; and its adoption of the 1980 OECD Guidelines on the protection of privacy and transborder flows of personal data.
Apart from the limited protection offered by the Commonwealth Privacy Act 1988, Australian governments have so far failed to deliver the protection promised by these international commitments.
Australians have a right to expect, and increasingly demand, that the protections they enjoy in respect of the federal public sector should apply equally to the private sector (and to State and Territory governments, although this appears to be beyond the constitutional competence of the federal government). The boundaries between the public and private sectors are becoming increasingly blurred with corporatisation, privatisation and outsourcing, and it no longer makes sense, if it ever did, to single out activities performed by government agencies for special treatment.
While it is not an obligation on Australia, this is probably the appropriate place to mention the European Union Data Protection Directive. This requires the 15 EU member countries to harmonise their privacy laws and to include provisions for prohibiting the transfer of personal data to 'third' (ie non-EU) countries where adequate privacy protection is not assured. The Directive takes effect in October 1998 and has the potential to significantly affect many commercial and government activities that involve the transfer of personal data from Europe to Australia. While it is not yet clear exactly how the transfer prohibition provisions will be applied, it seems likely at the very least that some transfers will be challenged and organisations forced to spend considerable time, effort and money demonstrating to the satisfaction of the Europeans how the privacy of their data can be assured when it is handled in Australia.
I enclose a recent paper in which Nigel Waters discusses the issue of adequacy assessment for the purposes of the EU Directive. I also draw the committee's attention to an article by the Head of the EU Delegation in Canberra - Aneurin Hughes - in a recent issue of the Delegation's newsletter, EU News. Other analyses of the issue by Professor Graham Greenleaf of the University of New South Wales, and also a member of the Charter Council, can be found on his world wide web site at http://www2.austlii.edu.au/~graham/
(b) international comparisons
Australia now lags behind all fifteen European Union member states, New Zealand, Hong Kong, Taiwan and South Korea in its response to concerns about privacy protection in the private sector. The Canadian federal government announced in 1996 that it would legislate for private sector protection before the year 2000 and in January this year released a discussion paper on the proposed legislation.
Details are at: http://strategis.ic.gc.ca/privacy/
The United States is sometimes used as an example of how self-regulation can satisfy privacy concerns. This is simply not true. Apart from the fact that there is already a raft of sector- or activity-specific privacy laws at federal and state level, it is becoming increasingly clear that the private sector is unable to respond adequately to growing public concern about the potential for privacy abuses.
The U.S. Department of Commerce is holding a two-day public forum on privacy and electronic commerce on 23 & 24 June, in Washington DC. The purpose of the meeting is to promote dialogue and discussion regarding privacy issues related to electronic commerce, to discuss whether, and to what extent, self regulation can address privacy concerns, to discuss the elements of effective self regulation, to consider privacy issues and concerns specific to children, to review and discuss the advantages and disadvantages regarding a proposed methodology for assessing compliance in regard to self regulation, to examine successful strategies for protecting privacy on the Internet and to survey current technologies available to protect consumer privacy on the Internet.
Details of the forum are at http://www.ntia.doc.gov/ntiahome/privacy/.
This forum follows repeated exhortations from the federal government to come up with effective self-regulatory mechanisms to address consumer concerns about privacy. Recently, Vice-President Al Gore called for an "Electronic Bill of Rights", effectively increasing the pressure on businesses to implement effective self-regulation if they want to avoid government intervention (some 80 privacy bills are currently before Congress). In a speech at New York University on 14 May, Gore outlined several administration initiatives. One will limit access to personal information, such as medical records, credit status, income, and online reading and shopping preferences and will also give people the right to view and correct their own records.
Another US initiative will establish an "opt-out" Web site, where consumers can register to have their names permanently deleted from 'spam' email and telemarketing lists. Vice President Gore also called for all federal agencies to have a privacy officer in place to ensure that existing privacy laws were being complied with, and the President has directed all agency heads to review their departments' privacy practices.
(c) current legislative and other frameworks for privacy regulation in the Commonwealth, States and Territories
(d) the role, responsibilities and practices of Commonwealth, State and Territory governments
These two parts of the terms of reference are inseparable. It is precisely the failure of the various Australian governments to provide effective frameworks for privacy protection, in the face of the manifest inability of the private sector to deliver effective self-regulation, that has created the void that must now be filled.
National leadership is required to avoid a confusing and costly patchwork of inconsistent laws and policies. Victoria, the ACT and other States cannot be faulted for insisting on offering their citizens a degree of protection in the absence of a national scheme, but as the Victorian government has acknowledged, it would be far better for the Commonwealth to step in and provide a national framework.
(e) the needs and responsibilities of the private sector
The needs of the private sector are not a material consideration in this respect, other than their legitimate desire to see any regulatory burden minimised. Privacy and consumer advocates reject the proposition that private sector businesses have 'rights' which compete with individuals' rights. They do not dispute that there is a public interest (ultimately the interests of a majority of individuals) in as free a marketplace as is consistent with other values and interests which need to be protected.
The responsibilities of the private sector, which need to be enshrined in law, are to respect fundamental rights and freedoms in the pursuit of commercial objectives. In the privacy context, those responsibilities must include compliance with international best practice standards of fair information handling.
2. The effectiveness of any privacy scheme that does not have legislatively backed complaints, investigation and enforcement mechanisms.
It is clear that the private sector is incapable of providing an adequate level of privacy protection without a legislative framework. To date we have only seen a modest incorporation of some of the privacy principles into a few codes of practice, applying to limited and self-selected areas of the private sector, and generally without effective complaints, investigation and enforcement mechanisms.
Even following the release of the National Principles for the Fair Handling of Personal Information by the Privacy Commissioner, there is only limited progress towards adoption of the principles by significant business sectors. To date, we understand, only the Insurance Council of Australia, the Australian Direct Marketing Association and the Internet Industry Association have publicly committed to incorporating the National Principles into their industry codes of practice. It remains to be seen whether they will be able to deliver not only a commitment to comply with the principles but also the compliance and complaint handling mechanisms that are necessary for an effective scheme.
Other key sectors such as the banks seem unwilling to even adopt the National Principles as part of their existing self-regulatory frameworks (which in banking comprise the Banking Code of Practice and the Banking Industry Ombudsman).
In many other areas of the private sector, such as general retailing, real estate sales and management, fund-raising, debt collection, and private security and investigation there is no realistic prospect of any voluntary initiative to provide privacy protection. In many areas there are not even associations or peak bodies with wide coverage of the sector which would be able to approach such a task.
A statutory scheme is essential, but need not be 'heavy handed'. There is plenty of scope for those sectors which are able to act collectively to devise mechanisms which would fit within a statutory framework. The Telecommunications Act provides one such model although the Charter Council and other consumer groups would not recommend its adoption unchanged, as it has serious flaws. These flaws were set out in our submission to the Senate Committee on Information Technology earlier this year. I enclose a copy.
3. The appropriateness of using the National Principles for the Fair Handling of Personal Information, as produced by the Privacy Commissioner, as the basis for a co-regulatory regime for the private sector, and the best means of implementing such a scheme.
Privacy and consumer advocates participated in the development of the Privacy Commissioner's National Principles, although the final Principles cannot be seen as a consensus, having been issued by the Commissioner as her 'best effort' but incorporating some provisions which had not been discussed in the consultation meetings. Some of the views of privacy advocates, and of business representatives, are outlined in the special issue of Privacy Law and Policy Reporter (Volume 4 No 9), which we have arranged to be sent to the Committee.
The Principles are generally seen as being reasonably close to international best practice. Privacy advocates have some reservations about the exception relating to direct marketing (P2.1(c)), some of the exceptions from the access principle (P6), and the 'law enforcement' exceptions, which we comment on further below. Another important point is that if the Principles are implemented on anything less than an Australia-wide basis, then the Trans Border data flow principle (P9) will need to be turned into a generic 'onward transfer' provision so that personal information is protected if it is transferred from a State or sector with legal protection to one without.
The Commissioner is currently engaged in consultations to try to resolve the contentious issue of access to personal information by a range of government agencies (Principle 2, exceptions (e), (g) and (h)). Privacy advocates would like to reserve their position pending the outcome of these consultations. We acknowledge the need for some exceptions for access by law enforcement and other agencies but our starting point is that all such exceptions should be expressly authorised by law and subject to record-keeping requirements and other accountability safeguards. Any less formal processes for access inevitably encourage the sort of 'mates club' of informal information exchange, which can easily spill over into corrupt and unlawful conduct, as was exposed by the 1992 report of the Independent Commission against Corruption in New South Wales, Unauthorised release of confidential government information.
The best means of implementing the National Principles is obviously national (federal) legislation. Such legislation need not be unduly burdensome on private sector businesses - the New Zealand and Hong Kong experience shows that well designed 'light-handed' privacy laws are relatively painless - the costs of implementation are, properly, correlated with the size and complexity of personal information holdings.
4. The appropriateness of the provisions of the Privacy Amendment Bill 1998
The Amendment Bill goes a long way towards addressing the 'leakage' of privacy protection that would otherwise result (and has already resulted) from the contracting out of a variety of government functions to the private sector. To this extent, it is a welcome initiative, responding to the recommendations of the Privacy Commissioner over a number of years.
However, there are a number of aspects of the proposed regime that still give cause for concern. These are detailed in the cover article by Nigel Waters in Privacy Law and Policy Reporter, Volume 4 No 10, March 1998 (copy of the article attached - I have asked the publishers to send you copies of this issue).
Whether the issue of privacy protection is approached from a business or from a consumer perspective, the overwhelming consensus is that a comprehensive national framework is essential, and that the only way of achieving this is through federal framework legislation for the private sector.
The need for such legislation was agreed by all parties at the time of the last federal election. The government's flirtation with the alternative of self-regulation has been exposed as fruitless, and has set us back 18 months in achieving the level of privacy protection we need, not least as an essential infrastructure for the information economy. We note that the Public Accounts Committee, in its recent report on Internet Commerce, agrees with the need for comprehensive privacy legislation for the private sector.
The Australian Privacy Charter Council urges your Committee also to recommend urgent action by the federal government to provide comprehensive statutory privacy protection for the private sector. This would simultaneously deal more effectively with the issue of outsourcing which the current amendments are designed, somewhat clumsily, to resolve.
The Australian Privacy Charter is at http://www.anu.edu.au/people/Roger.Clarke/DV/PrivacyCharter.html
A brief history of the development and purposes of the Australian Privacy Charter is available.
See also Dixon T. 'Privacy Charter sets new benchmark in privacy protection' PLPR 2, 3 (April 1995) 41
Created: 28 June 1998
Last Amended: 28 June 1998