Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Prepared for presentation at Privacy.au, Marcus Evans Conferences, Sydney, 23-24 October 2001
Version of 21 October 2001
© Xamax Consultancy Pty Ltd, 2001
This document is at http://www.rogerclarke.com/DV/PPSwamp.html
The new private sector privacy laws, far from addressing the serious problem of corporate credibility, exacerbate them. At the same time as achieving some adequate degree of compliance with the law when it comes into force in December 2001, companies needs to look further into the future. Consumers will be demanding genuine privacy-protections, and a more effective regulatory instrument will emerge during the coming 5 years. In the meantime, there is an extended period within which companies can choose to approach privacy as a strategic factor for their businesses.
In the second half of 2001, with the implementation date of the Privacy Amendment (Private Sector) Act 2000 imminent, it's not surprising that corporations are focussing primarily on compliance with the new law. It is entirely appropriate that this event be given over almost entirely to papers that address these short-term concerns. It's also appropriate that at least one paper put the current flurry in context, by considering what the new law will do to ease the problems faced by corporations. This is that paper.
It commences by examining consumers' trust in companies, especially companies' marketing activities. It then surveys the technologies that have emerged during the last 30 years, and that companies are deploying. Their highly intrusive nature leads to serious questions about the adequacy of even conventional private sector privacy laws, let alone an anti-privacy statute like the legislation brought forward by the Howard government in 2000, and passed by the federal parliament in December 2000.
Rather than consumers' fears being allayed by the new law, public concerns will actually be heightened. The prospect exists of increased use of countermeasures being used not just by nerds and geeks, but also by mainstream consumers. This will result in further legislation, partly to correct some of the grossly invasive measures in the present law, but also to start extending protections to cope with post-1970 information technology. During the intervening period, however, there will be a longer-than-expected opportunity for corporations to exploit a privacy-protective stance as a strategic weapon.
Trust is confident reliance by one party about the behaviour of other parties. In e-business, it's what each party has to depend on when no other form of risk amelioration strategy is available. There are many dimensions to trust relationships between organisations and people. This event, and hence this paper, focus on the privacy aspects.
Trust arises from a variety of sources. It is most readily achieved through direct relationships, or at least some kind of prior and positive experience of dealing with the other party. A weaker form is referred trust, which arises from word-of-mouth, reputation, and accreditation schemes. The least effective forms are brand-names, and the modern phenomenon of 'meta-brands' which are seals of approval granted by organisations with no relationship or reputation of their own. Trust in the context of e-business is examined in greater detail in Clarke (2001e).
Trust can be undermined by a variety of factors, and hence a further vital consideration in encouraging e-business is mis-trust. One of the great inhibitors of consumer Internet commerce has been the Neanderthal attitudes adopted by marketers. Clarke (1999b) documented the succession of failed manouevres intended to achieve conquest by dominant business over subservient consumerdom.
The re-conception of the web as a long line of advertising billboards, its subversion by push-technology, and the capture of consumers' eyeballs by portals have all failed in their primary aims. What they have done, however, is to stimulate enormous cynicism among net-consumers about the role performed by corporations on the Internet. Suggestions as to how a less predatory approach can pay dividends are offered in (Clarke 1998a), Clarke (1998f) and Clarke (1999b). But the old warriors in the direct marketing industry aren't listening, and refuse to believe that the mass marketing techniques that worked with broadcast media are inappropriate to the new context.
Other forms of e-business also need to confront the questions of inculcating trust, and avoiding mis-trust undermining the scope for progress. In the area of e-government, initiatives such as the Commonwealth Government's Gatekeeper project have set back the cause by years. Counter and telephone services are being rapidly downgraded. In order to do business through the primary channel to a government agency, the Internet, people are to be required to have a government-ordained and very mysterious 'asymmetrical / public key digital signature key-pair' and a 'digital certificate'. To get one, they will have to gather up lots of documents, and stand in a queue, just as they would have been required to do for their Australia Card. Better yet, the government will generate the key-pair, and the public will have to trust the government that they won't use it against the person, or withdraw it and deny them their e-personhood.
There have been few more ill-judged propositions put to the Australian population than Gatekeeper. By the time it has run its course, been abandoned, and eventually been forgotten, it will have held back the adoption of e-government by a decade.
During the second half of the twentieth century, longstanding visual surveillance techniques, and electronic enhancements, were complemented, and then increasingly supplanted, by surveillance of individuals and populations through the copious data trails that are generated about their activities. Mass dataveillance provides an efficient means of monitoring large numbers of people in order to generate suspicion about specific individuals and select them for closer attention. Larger numbers than ever before can be subjected to more intensive personal dataveillance, because the techniques are largely automated.
Key technologies of dataveillance include the following:
The most chilling aspect of dataveillance is not the individual technologies, but their convergence, and the development and deployment (often covertly) of schemes that integrate a web of surveillance techniques.
Most discussions about privacy continue to be at the psychological level, expressing concern about the disclosure and abuse of the sensitive data (particularly medical, financial and consumer data) of specific individuals. Important though it is for organisations to be forced to recognise the interests of each individual, this is merely the most trivial level of privacy issues.
Progress in society and the economy alike are dependent upon the freedom of individuals to create and innovate. Dataveillance has the effect of squelching freedom, and imposing uniformity. Different-thinkers who challenge the contemporary orthodoxy stand out from the crowd. Intensive data-collections about individuals enable them to be targetted by organisations whose interests are threatened by their thoughts, arguments and actions. The serious debates about privacy are at the levels of society and democracy; and they have barely even begun.
Dataveillance is examined in Clarke (1988), Clarke (1999e) and Clarke (2001a). Identification schemes in particular are examined in Clarke (1987), Clarke (1994), and Clarke (1997c).
The Internet era was heralded as a a breakthrough for freedoms. Yet it has spawned a wide array of new privacy-invasive technologies. Cookies and web-bugs are used to extract and consolidate data about consumers. Spam is used to bombard the individual's mailboxes. Workstations and hosts alike are wide open to being cracked, because of the criminally insecure state in which Microsoft delivers its software, and the lack of professionalism of systems administrators. New techniques have been devised to aid in identity theft and exploitation. Additional demands are made for electronic self-identification. National security and law enforcement agencies are utilising the 11 September terrorist strikes as an opportunity not merely to bring existing investigative powers up to date, but also to shift the balance of power away from freedoms towards unconstrained law enforcement access to personal data.
For examinations of the phenomena, see Davies (1996), Clarke (1996b), Clarke (1998d), Clarke (1999d) and Clarke (2001d). An annotated bibliography of papers on e-privacy is in Clarke (2000e). For analyses of the authoritarian public key infrastructure that governments have been attempting to impose on businesses and the public, see Greenleaf & Clarke (1997), Clarke (1998c), Clarke (2000d) and Clarke (2001c).
Privacy has multiple dimensions, including privacy of the person, privacy of personal behaviour, privacy of personal communications, and privacy of personal data. For examples of each of these dimensions, see Clarke (1997b). Most countries have scattered and incidental protections for various aspects of the four dimensions, but very few have even attempted to establish a coherent framework for the first three of those dimensions.
The privacy of personal data, on the other hand, has been addressed for the last three decades, initially by European countries and subsequently by some others, including Canada, Hong Kong and even Japan. These have focussed not on the protection of people or their interests, but rather on the protection of their data. For an examination of data privacy, see sections 2.1 and 2.2 of Clarke (2000a). For catalogues of privacy laws around the world, see Clarke (2000b) and Rotenberg (2001).
During the late 1970s, the Organisation for Economic Cooperation and Development (OECD) was concerned that inconsistencies in approaches to privacy protection among member-countries could create barriers to trade. An Expert Group (which was chaired by Michael Kirby, subsequently of the High Court of Australia) negotiated the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD 1980). They represent the clearest codification of the 'fair information practices' (FIP) approach to the protection of data privacy. For summaries of the Guidelines and their history, see Clarke (1989) and sections 2.3, 2.4 and 3 of Clarke (2000a).
FIP was thought by corporations and bureaucrats to be sufficient to buy off the increasing public concerns about new applications of computers. European countries have found it necessary to extend their 1970s protections. The EU Directive (EU 1995) came into force in 1998, and is forcing further adaptations by the laggards among European countries.
Alone among their reference group, the United States and Australia have resisted, and continue to resist, the establishment of schemes that actually apply the FIP approach. Because of its tendency to pass knee-jerk legislation, the U.S.A. is one of the most over-regulated and patchily regulated countries in the world, with in excess of 200 statutes in existence (Smith 2000, Rotenberg 2001). Clarke (1999a) argues that concerns about the assault on privacy on the net privacy confirms the case for coherent statutory protections in the U.S.A. and Australia like everywhere else in the advanced western world.
Both the U.S. 'safe harbor' self-regulatory arrangement and the Australian legislation due to come into force on 21 December 2001, are derisorily inadequate in comparison to the standard set by the EU Directive (EU 2000, 2001). See also Waters (2001). The two countries have gambled that European countries will not actually invoke their rules about precluding the export of personal data to jurisdictions whose protections fall significantly short of the EU's expectations.
Even when they were created, during the period 1965-1980, and when they were codified in 1980, the fair information practices approach to data protection was utterly inadequate. Its deficiencies include:
For a detailed examination of these problems, see section 4 of Clarke (2000a).
Technologies have developed rapidly in the three decades since the FIP approach was formulated. Computers are no longer standalone storers of data. They are now comprehensively networked, and data flows unseen, fast, and in huge volumes. Many additional deficiencies in the OECD Guidelines have emerged as a result. These include:
For a detailed examination of these problems, see sections 5 and 6 of Clarke (2000a).
When the Commonwealth legislation was developed during 1999, it might have been expected that the government would have taken into account the public's needs and expectations in relation to controls over powerful twenty-first century technologies. Or, if that was too forward-looking, or too apparently threatening to conservative views within business, as represented by associations like ADMA, then it was reasonable to expect that the legislation would embody an updated version of the FIP approach. At the very least, the legislation had to reflect the codification of FIP that was embodied in the OECD's 1980 document, and that addressed the needs already perceived a quarter-century ago, when Johnnie Howard was a young back-bencher.
Far from doing even the least of these, the new legislation actively undermines privacy, and seeks to authorise many private sector practices that were until now dubiously legal. The Attorney-General (or perhaps it was the Prime Minister's advisers) chose to ignore the outcomes of the consultation process that the Attorney-General had set in train, and created a Bill substantially different from what had been negotiated. The needs had been clearly expressed, e.g. in ACS (1990), APCC (1994), ACS (1998), APCC (1998), Clarke (1998e) and Waters (1999). The manifold problems with the Bill were identified at a very early juncture in Clarke (2000c), Waters (2000), Greenleaf (2000a) and Greenleaf (2000b).
The Privacy Act 1988, as amended by the Privacy Amendment (Private Sector) Act 2000, comprises 253 pages of the most tortuous legalese imaginable. Even the so-called 'principles' occupy over 3,000 words and 12 pages. They have all manner of exceptions and exemptions scattered through them, and the undefined term 'reasonable' appears 24 times. Corporations and expensive lawyers and consultants are having to spend a lot of time trying to grasp the meaning of all that verbiage. For a summary, see Gunning (2001).
Buoyed by this recognition that business is more important that people, the unreconstructed fundamentalists at ADMA urged their members to entirely ignore the Privacy Commissioner's fleeting attempt of early 2001 to interpret the Act in a manner that would have brought it closer to the balances sought by the OECD's 1980 expression of fair information practices.
Some corporations, and some industry associations, misguidedly think that consumers can safely be abused over the long term. The signs have been gathering over an extended period, but old habits die hard, and ostrichlike behaviour works until finally, very suddenly, it doesn't work any longer.
Here are some of the measures that people adopt, and that will be used even more in the future because of the privacy-abusive attitudes and practices of too many businesses:
Corporate supremacists like those members of ADMA that applaud its present staff's approach will call for ever tighter laws against 'computer crimes'; and pro-business/anti-consumer governments like that of John Howard will doubtless grant their wishes. That doesn't alter the facts that such crimes are difficult to prosecute, and that prosecutions in any case attack only the symptom, not the cause.
Consumers are restless and disaffected. That isn't good for business.
The thesis of this paper is that marketers, far from inculcating trust among net-consumers, have engendered and aggravated high levels of dis-trust. The development and deployment of dataveillance technologies is heightening consumers' fears about privacy-abusive behaviours by corporations, by governments, and by unholy alliances emerging between the two sectors.
Privacy protection laws have been far too little, far too late. The private sector privacy law that comes into effect on 21 December 2001 is an anti-privacy statute. That will become very apparent to the public as soon as they and their representatives try to use it. The media know that their readers are attuned to bad news stories about privacy invasions, and word will travel fast. Moreover, the net-using public is increasingly capable of stubbornly resisting marketer activities, and utilising technology to avoid disclosing real data about themselves.
That thesis leads to the following specific conclusions.
The Privacy Commissioner has very little in the way of sanctions available to him; and the additional resources that have been provided to him are zero. (He has additional staff, but only the same number as the government took away a couple of years earlier. This is a well-established mechanism with universities, and is clearly capable of much more frequent application). The result is that the cowboys in each industry sector will get away with very limited compliance and very limited official chastisement.
So the title of this paper is not about draconion laws, nor about rabid watchdogs. The alligators it refers to are the non-privacy-law-compliant competitors snapping away at your market-share heels.
The likelihood of the law doing you any damage is so low that you can give serious consideration to joining them. ADMA went so far as to advise its members to ignore the Privacy Commissioner's Guidelines unless he changed them; and if you genuinely believe in the law of the jungle then I encourage you to go ahead and do it: the business ethics movement wasn't ever credible, and everyone admires people who tell it as they see it, and act in accordance with what they say.
The Privacy Amendment (Private Sector) Act 2000 will quickly gather a very unpleasant smell. There will soon be calls for it to be at least adapted, and even rescinded, in favour of a real privacy-protective statute. Some of those calls will come from businesses and industry associations.
Some of the adaptations are necessary to overcome the gross privacy-invasiveness of the Act's provisions. Some will be needed in order to address the fundamental inadequacies of FIP-based approaches documented earlier in this paper, and the many additional inadequacies that have become apparent during John Howard's time in Parliament. Some will be needed to cope with ongoing inventiveness by privacy-abusing organisations (see for example Dixon 2001). Others will be adaptations to overcome some of the bureaucracy inherent in a statute that has been presented by the government's spin-doctors as thought it were 'co-regulation' when it is actually black-letter-law of the worst kind.
The likely prevalence of pseudo-compliance with privacy norms creates an opportunity. Companies that perceive their customers as being cynical about marketers, and who realise how low-quality the customer-data is that they're collecting, can adopt an alternative approach. This involves actually applying the principles of permission-based marketing rather than mouthing the words, and thereby gaining an advantage over the other organisations operating in the particular market segment.
I long ago documented the scope for privacy as a competitive weapon. See Clarke (1996a). I susbequently added flesh to the basic principles, in Clarke (1998a) and Clarke (1999b). My guidelines on information, consultation and participation were published as far back as Clarke (1992).
The government's appallingly bad handling of the privacy legislation has extended the window of opportunity for those approaches. Corporations that can see the merits of consensual / permission-based / relationship-based marketing can invest now, secure in the knowledge that many of their competitors are still in denial, and are being advised by consultants and industry associations that have yet to adjust to the real virtual world.
ACS (1990) 'Position Paper # 8 - Information Privacy Implications of Information Technology, Australian Computer Society, November 1990, at http://www.acs.org.au/president/1998/past/acspos8.htm
ACS (1998) 'Position on Privacy', Submission to the Senate Legal and Constitutional Committee, Australian Computer Society, Economic, Legal and Social Implications Committee, 24 June 1998, at http://www.acs.org.au/president/1998/past/privpos.htm
APCC (1994), 'Australian Privacy Charter', Australian Privacy Charter Council, December 1994, at http://www.apcc.org.au/Charter.html
APCC (1998) 'Australian Privacy Charter Council Submission to the Senate Legal & Constitutional References Committee Privacy Inquiry, June 1998', Australian Privacy Charter Council, 24 June 1998, at http://www.apcc.org.au/Submns/Senate980624.html
Clarke R. (1987) 'Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme' Prometheus 5,1 (June 1987). Republished in Computers & Society 18,1 (January 1988), together with an Addendum in Computers & Society 18,3 (July 1988), at http://www.rogerclarke.com/DV/OzCard.html
Clarke R. (1988) 'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1989) 'The OECD Data Protection Guidelines: A Template for Evaluating Information Privacy Law and Proposals for Information Privacy Law ' April 1989, at http://www.rogerclarke.com/DV/PaperOECD.html
Clarke R. (1992) 'Extra-Organisational Systems: A Challenge to the Software Engineering Paradigm' Proc. IFIP World Congress, Madrid, September 1992, at http://www.rogerclarke.com/SOS/PaperExtraOrgSys.html
Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1996a) 'Privacy and Dataveillance, and Organisational Strategy' Proc. Conf. I.S. Audit & Control Association (EDPAC'96), Perth, Western Australia, 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1996b) 'The Information Infrastructure is a Super Eye-Way' Privacy Law & Policy Reporter 3, 5 (August 1996), at http://www.rogerclarke.com/DV/Monitor.html
Clarke R. (1997a) 'Exemptions from General Principles Versus Balanced Implementation of Universal Principles', February 1997, at http://www.rogerclarke.com/DV/Except.html
Clarke R. (1997b) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' 15 August 1997, at http://www.rogerclarke.com/DV/Intro.html
Clarke R. (1997c) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal (September 1997), at http://www.rogerclarke.com/DV/IDCards97.html
Clarke R. (1998a) 'Direct Marketing and Privacy', Proc. AIC Conf. on the Direct Distribution of Financial Services, Sydney, 24 February 1998, at http://www.rogerclarke.com/DV/DirectMkting.html
Clarke R. (1998b) 'Privacy Impact Assessments', February 1998, at http://www.rogerclarke.com/DV/PIA.html
Clarke R. (1998c) 'Public Key Infrastructure: Position Statement', May 1998, at http://www.rogerclarke.com/DV/PKIPosn.html
Clarke R. (1998d) 'Information Privacy On the Internet: Cyberspace Invades Personal Space' Telecommunication Journal of Australia 48, 2 (May/June1998), at http://www.rogerclarke.com/DV/IPrivacy.html
Clarke R. (1998e) 'Submission to the Senate Legal and Constitutional References Committee's Inquiry Into Privacy and the Private Sector' 7 July 1998, at http://www.rogerclarke.com/DV/SLCCPte.html
Clarke R. (1998f) 'Key Issues in Electronic Commerce and Electronic Publishing' 22 November 1998, Proc. Information Online and On Disc 99, Sydney, 19 - 21 January 1999, at http://www.rogerclarke.com/EC/Issues98.html
Clarke R. (1999a) 'Internet Privacy Concerns Confirm the Case for Intervention', Communications of the ACM 42, 2 (February 1999), at http://www.rogerclarke.com/DV/CACM99.html
Clarke R. (1999b) 'The Willingness of Net-Consumers to Pay: A Lack-of-Progress Report'' Proc. 12th Int'l Bled Electronic Commerce Conference, Bled, Slovenia, June 7 - 9, 1999, at http://www.rogerclarke.com/EC/WillPay.html
Clarke R. (1999c) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conference, Stockholm, 14-15 June 1999, at http://www.rogerclarke.com/DV/UIPP99.html
Clarke R. (1999d) 'Current Developments in Internet Privacy' Proc. IIR Conference on Data Protection and Information Privacy, 31 August 1999, at http://www.rogerclarke.com/DV/ICurr9908.html
Clarke R. (1999e) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st International Conference on Privacy and Personal Data Protection, pp.131-150, held in Hong Kong on 13-15 September 1999. Revised version published in Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.rogerclarke.com/DV/PLT.html
Clarke R. (2000a) 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century', January 2000, at http://www.rogerclarke.com/DV/PP21C.html
Clarke R. (2000b) 'Privacy Laws' January 2000, at http://www.rogerclarke.com/DV/PrivacyLaws.html
Clarke R. (2000c) 'Submission to the Commonwealth Attorney-General Re: 'A privacy scheme for the private sector: Release of Key Provisions' of 14 December 1999 ' 17 January 2000, at http://www.rogerclarke.com/DV/PAPSSub0001.html
Clarke R. (2000d) 'Privacy Requirements of Public Key Infrastructure' Proc. IIR IT Security Conference, Canberra, 14 March 2000. Republished in Internet Law Bulletin 3, 1 (April 2000) 2-6. Republished in 'Global Electronic Commerce', published by the World Markets Research Centre in collaboration with the UN/ECE's e-Commerce Forum on 'Electronic Commerce for Transition Economies in the Digital Age', 19-20 June 2000, at http://www.rogerclarke.com/DV/PKI2000.html
Clarke R. (2000e) 'Publications Relevant to e-Privacy ' 30 July 2000, at http://www.rogerclarke.com/DV/AnnBibleP.html
Clarke R. (2001a) 'While You Were Sleeping ... Surveillance Technologies Arrived' Australian Quarterly 73, 1 (January-February 2001), at http://www.rogerclarke.com/DV/AQ2001.html
Clarke R. (2001b) 'Biometrics and Privacy' 15 April 2001, at http://www.rogerclarke.com/DV/Biometrics.html
Clarke R. (2001c) 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, at http://www.rogerclarke.com/II/ECIS2001.html
Clarke R. (2001d) 'Paradise Gained, Paradise Re-lost: How the Internet is being Changed from a Means of Liberation to a Tool of Authoritarianism' Mots Pluriels 18 (August 2001), at http://www.rogerclarke.com/II/PGPR01.html
Clarke R. (2001e) 'Trust in the Context of e-Business' 1 October 2001 , at http://www.rogerclarke.com/EC/Trust.html
Davies S. (1996) 'Monitor: Extinguishing Privacy on the Information Superhighway' Pan Macmillan, Sydney, 1996
Dixon T. (2001) 'Public debacles prompt privacy rethink' Privacy Law & Policy Reporter 7, 8 (February 2001), at http://www.austlii.edu.au/au/journals/PLPR/2001/1.html
EU (1995) 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data', Official Journal L 281 , 23/11/1995 p. 0031 - 0050, at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
EU (2000) 'Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles', Data Protection Working Party of the European Commission, 16 May 2000, at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp32en.htm
EU (2001) 'Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000', Data Protection Working Party of the European Commission, 26 January 2001, at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp40en.htm
Greenleaf G.W. (2000a) 'Private Sector Bill amendments ignore EU problems' Privacy Law & Policy Reporter 7, 3 (August 2000), at http://www.austlii.edu.au/au/journals/PLPR/2000/30.html
Greenleaf G.W. (2000b) 'Editorial: a Bill not worth supporting' Privacy Law & Policy Reporter 7, 3 (August 2000), at http://www.austlii.edu.au/au/journals/PLPR/2000/31.html
Gunning P. (2001) 'Central features of Australia's private sector privacy law' Privacy Law & Policy Reporter 7, 10 (May 2001) 189-199
OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data', Organisation for Economic Cooperation and Development, Paris, 1980, at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM
PC (2001) 'Privacy and the Community, July 2001', Privacy Commissioner, Sydney, at http://www.privacy.gov.au/publications/rcommunity.html
Privacy Act 1988 (Cth), as amended, at http://www2.austlii.edu.au/privacy/Privacy_Act_1988/index.html
Privacy Amendment (Private Sector) Act 2000 (Cth), at http://www.austlii.edu.au/au/legis/cth/num_act/pasa2000n1552000373/index.html
Rotenberg M. (2001) 'The Privacy Law Sourcebook: 2001' Electronic Privacy Information Center, 20001, from http://www.epic.org/bookstore/pls2001/
Smith R.E. (2000) 'Compilation of State and Federal Privacy Laws' Privacy Journal, edition of 2000, from http://www.townonline.com/specials/privacy/
Waters N. (1999) 'Essential elements of a new Privacy Act', Privacy Law and Policy Reporter 5, 9 (March 1999), at http://www.austlii.edu.au/au/journals/PLPR/1999/18.html
Waters N. (2000) 'Was it worth the wait?' Privacy Law and Policy Reporter 6, 9 (March 2000), at http://www.austlii.edu.au/au/journals/PLPR/2000/10.html
Waters N. (2001) 'International adequacy still an issue - Commissioners are not helping' Privacy Law and Policy Reporter 8, 2 (August 2001) 25-26, 48
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 28 September 2001 - Last Amended: 21 October 2001 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PPSwamp.html