Senate Legal and Constitutional References Committee
Inquiry Into Privacy and the Private Sector

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 5 August 1998

© Xamax Consultancy Pty Ltd, 1998

This document is at

It is an Addendum to the primary Submission of 7 July 1998, at


This document presents some further information that has become available during the course of the Committee's Inquiry. It deals with the following matters:

Supporting articles are attached, as follows

Yet Greater Urgency

This Inquiry has been conducted during a period of activity in relation to privacy protection in the private sector, the likes of which have not been experienced since 'the decade of privacy' in the 1970s.

Attention is drawn to the following developments, which have occurred, or come to light, in the 4 weeks since my original Submission was finalised:

* Medical Privacy in the A.C.T.

In February 1998, a new A.C.T. law came into effect which provides A.C.T. residents with comprehensive information privacy rights in respect of all personal health information, held in both the public and the private sectors. See:

Waters N. (1998) 'New health privacy law in Canberra' Privacy Law and Policy Reporter 4, 4 (January 1998) 121-122, 137

* Implications of the FTC Initiative for Direct Marketing

The implications of the U.S. Federal Trade Commission's major report of June 1998 are progressively becoming clearer. For an assessment of its impact on direct marketing, see:

Gellman R. (1998) 'The FTC Saws Off the Privacy Flagpole', DM [Direct Marketing] News, July 20, 1998, at

* FTC Describes Its Proposal for Statutory Protections

The Federal Trade Commission submitted a Prepared Statement to a Congressional Committee on July 21, 1998. It is available at

This Statement takes the FTC's position a step further along the path towards statutory regulation of the private sector in relation to Internet practices. A summary by EPIC says that "Under the FTC proposal, all commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with four basic information practices. ... The legislative model would provide a means by which industries could develop their own guidelines for protecting consumers' privacy, and that those guidelines could receive governmental approval. Industries also would be required to ensure that they comply with and enforce their guidelines".

This is in line with the model of co-regulation described in my original Submission, at 3.

* U.S. Administration Initiatives

Meanwhile, the U.S. Administration is also hardening its attitude. See:

Gore A. (1998a) 'Vice President Gore Announces New Comprehensive Privacy Action Plan For The 21st Century', Office of the Vice-President, Washington DC, 14 May 1998, at

Gore A. (1998b) 'Gore call for specific legislation in relation to medical privacy', June 1998, at

A reasonable interpretation of these developments is that there has been a detectable swing away from the long-standing, almost axiomatic position among voters that corporations should be left alone to drive the economy, towards an expectation that privacy-invasive corporate behaviour needs to be reined in.

* OECD Document on Internet Privacy

The Organisation for Economic Cooperation and Development is so far adopting a disappointingly static approach to the relationship between its 1980 Guidelines and the Internet. See:

OECD (1998) 'Implementing the OECD 'Privacy Guidelines' in the Electronic Environment: Focus on the Internet', Committee for Information, Computer and Communications Policy, Organisation for Economic Cooperation and Development, Paris, 12 June 1998, at

A draft paper submitted this week for publication in the leading U.S. publication Communications of the ACM argues that the Internet is having a revolutionary impact on the concept of privacy, and that the OECD will be forced into a much more activist stance. See:

Clarke R. (1999) 'Privacy: Cyberculture's Birthpain' Submitted to Communications of the ACM, 3 August 1998, at

Public Submission re the Victorian Data Protection Bill

My Submission to the Victorian Minister for I.T. & Multimedia, Alan Stockdale, concluded that "The privacy-protective regime described in the Discussion Paper has many excellent features. It has three very serious weaknesses, which would undermine public acceptance if they were not addressed, together with a number of additional weaknesses of consequence".

The three very serious weaknesses are in the following areas:

The Submission is at

Additional Considerations

* Further Weaknesses Apparent in the NPPs

Additional weaknesses in the Privacy Commissioner's National Privacy Principles (NPPs) have become apparent during the last few weeks.

One important concern is the NPP 2.1(a) formulation of 'reasonable expectations' as a basis for secondary use and disclosure of personal data. This is much broader than the fundamental concept of 'implied by the original purpose', and undermines the whole basis of privacy protections in much the same way that the U.S. Privacy Act 1974 was gutted by the simple inclusion of an exemption for 'routine uses'.

This is an insidious weakness, that lays the foundations for what is commonly termed 'function creep': the tendency for systems and data to gradually come to be used for purposes additional to those for which they were originally established.

There are also some shortfalls in the subject access and correction rights (NPP 6), in comparison with the OECD and other conventional formulations.

* Case Study: Calling Number Display

During the last few years, a technological enhancement to the telephone system has been foisted on Australians. Calling Number Display (CND) has some marginal social benefits, compared with some very substantial social costs.

CND has been deployed in Australia because telephone companies have seen it as a means of extracting revenue from consumer marketing corporations. Those companies apply it because it enables them to detect the incoming telephone number, and thereby:

The serious privacy concerns about CND were trampled upon in the rush to satisfy the needs of marketing interests. Successive, largely powerless committees proved completely unable to exercise any control over Telstra, which rode roughshod over the privacy interest.

For example, Telstra gagged the advisory panel, refusing to permit them to communicate to their constituencies the actual 'public awareness' statistics. Perhaps Telstra would be prepared to provide the Senate Committee with the data, so that the Committee can form its own opinion. If they do so, then it would be advisable to have the figures vetted by a member of the advisory panel, in order to ensure that they are the same figures as were provided at the time ...

Background to CND is provided by Robin Whittle's materials, at

The process whereby Telstra avoided its responsibilities in relation to privacy protections is documented in a series of articles in Privacy Law & Policy Reporter, most recently:

Waters N. (1997) 'Telecommunications: the privacy front line' Privacy Law & Policy Reporter 4, 6 (November 1997) 101-102

Dixon T. (1997) 'Calling Number Display about to hit the market' Privacy Law & Policy Reporter 4, 6 (November 1997) 102-104

Dixon T. (1998) 'Telstra fails to meet guidelines on CND' Privacy Law & Polict Reporter 4,7 (January 1998) 128-129

A Note on p. 136 of the same Issue draws attention to the powerlessness of the Privacy Commissioner to do anything more than provide basic information to the public on their limited rights.

The CND debacle provides a case study in the abuse of power by a corporation that is not subject to effective privacy regulation. The public is heartily cynical about nominal self-regulation by powerful organisations whose primary role in life is, by definition and of necessity, not corporate citizenship, but rather long-term profit-making.

* Telstra's Privacy Practices More Generally

That Telstra is prepared to use its market and political power in relation to privacy matters more generally is attested to by the "rather muted endorsement of its privacy policies" that it gained from its privacy audit in 1995. For a report which concludes that "Telstra fails on the litmus test privacy principles - identifying purpose, obtaining consent, and internal use", see

Greenleaf G. (1996) 'Telstra's First Privacy Audit: B-' Privacy Law & Policy Reporter 3, 5 (August 1996) 97

* Dangers in Granting Privileged Status to Pre-Existing Codes of Practice

Telstra's submission to this Inquiry raises an additional spectre.

Telstra has stated that it is hopeful that existing Codes of Practice will be preserved. The few Codes that do exist fall dramatically short of the requirements of the OECD Guidelines, the Australian Privacy Charter, and the Privacy Commissioner's NPPs, and of the expectations of the Australian public.

It is essential that privacy legislation regulating the private sector under no circumstances grant privileged status to existing codes: the corporations and industry sectors concerned must be subject to the same standards as all other sectors. There must, of course, be a suitable period allowed, during which companies in such industries can adapt their policies and practices to the full requirements.

The FTC Saws Off the Privacy Flagpole

by Robert Gellman

DM [Direct Marketing] News, July 20, 1998, page 14

By now, everyone following privacy issues has heard about the June online privacy study by the Federal Trade Commission.

The FTC found a privacy wasteland on the Internet. Most American companies with web sites are not even paying lip service to privacy. The truth is that no one can really claim to be surprised by this finding.

The broader question raised by the FTC is whether self-regulation is an effective way to promote the adoption of fair information practices. The FTC charitably said that industry efforts have "fallen short of what is needed to protect consumers." Some privacy advocacy groups were not so polite. They proclaimed that privacy self-regulation is a failure.

I want to offer two points. First, American business is justifiably being beaten up with its own self-regulatory club.

It is the business community, aided and abetted by the Commerce Department, that pushed the notion of privacy self-regulation for years. The standard response to European pressure on privacy was that we don't need legislation because we can do it all with self-regulation.

The trouble with the strategy is that no one thought it through to the end. It was, just like most American privacy legislation, an ad hoc response to a current crisis. The goal was to have something to say while waiting for the Europeans to fold their privacy tent and leave us alone.

So far at least, the Europeans have not gone away. Even worse, the rest of the world is adopting privacy policies more in alignment with the European approach. As a result, the United States is becoming isolated in its approach to privacy.

The self-regulatory mantra was, at its heart, a do-nothing policy. Most American businesses hoped that the privacy issue would disappear. It hasn't. Privacy is stronger than even, especially on the Net and especially for children.

Now the rhetoric is coming back to haunt the business community. The FTC was just the first to call the bluff. The agency looked at the results of self-regulation and found nothing there. Even the Commerce Department has begun to inch away from the do-nothing approach. To its credit, the Department now talks about effective self-regulation, and that is a whole different kettle of fish.

For the last few years, self-regulation mostly meant self- serving, incomplete trade association privacy policies offering little to consumers but promising companies business as usual. These policies were often cynical public relations activities, unrelated to the processing of consumer data in the real world. Commerce finally decided that it could not defend that type of self-regulation with a straight face.

It may be fair to call most current privacy self-regulation a failure, but it is too soon for final judgments. Some more enlightened members of the business community are working at better self-regulation. What they are learning is that self-regulation, just like privacy legislation, is hard to do. It remains to be seen if enough of the business community can reach agreement on a credible policy, but the sincerity of some of these new efforts is noteworthy.

Secondly, the FTC is guilty of privacy revisionism. Trade associations have for years played the game of redefining fair information practices to suit themselves. Their privacy policies simply omit any inconvenient requirements. The Direct Marketing Association privacy policy is a good example. Much of the content of fair information practices has simply been left out of the DMA policy.

The FTC did the same thing, although not to the same degree. The report sets out five fair information practice principles: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress. This is a better list than you will find in most industry codes, but it is still not complete.

For example, giving consumers a choice in how information collected from them is used can be perfectly reasonable up to a point. The DMA has refined this notion even further by saying, in effect, that privacy means opt-out and little else. But there is more to fair information practices than simply opt-out. One principle is that there should be limits to the collection of data and that data should be collected by lawful and fair means. Other principles seek firm, predictable, and known limits on the use and disclosure of information. These principles are not adequately recognized in the FTC report.

Privacy does not mean that anything goes as long as the consumer has not objected. We should not lose sight of the importance of the word fair in fair information practices. Some uses of data and some collection activities are simply inappropriate. Privacy is not just a game of wheedling consumers so they do not object to anything that industry wants to do with data.

Marc Rotenberg of the Electronic Privacy Information Center has said that privacy policy is being revised to suit the needs of organizations rather than to protect the interests of individuals. Where once there was an understanding that individuals should have the right to access and correct data, now those who favor self-regulation believe it is necessary only to provide access to a privacy policy. Rotenberg surely has a valid point about diminished privacy standards.

I am not a purist when it comes to privacy. Progress rather than perfection is a worthwhile objective. But we have to recognize what we are doing. Ignoring the fundamentals of privacy will not fool anyone for long. The Europeans will look behind labels for content. Eventually, so will American consumers who are most concerned about privacy.

It may not be possible or practical to achieve all fair information practices through self-regulation. Even so, self- regulation may still have a place. Nevertheless, we just can't saw off the flagpole and act like the flag is at full mast.

EPIC Alert, 5.11, July 29, 1998

Electronic Privacy Information Center (EPIC)

Washington, D.C.



[4] FTC Proposes Privacy Legislation


Testifying before a House Commerce Subcommittee on July 21, Federal Trade Commission Chairman Robert Pitofsky outlined model privacy legislation for commercial transactions on the Internet. Under the FTC proposal, all commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with four basic information practices: Notice, Choice, Security and Access. Pitofsky was joined by Commissioners Sheila F. Anthony, Mozelle W. Thompson, and Orson Swindle.

In June the FTC released a report on Internet privacy, "Privacy Online: A Report to Congress," modeled after the 1997 EPIC report, "Surfer Beware: Personal Privacy and the Internet." The FTC report, based on an analysis of the effectiveness of self-regulation as a means of protecting consumer privacy, found that industry's efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers. Also in June, the Commission released legislative recommendations for protecting children's privacy online.

Pitofsky said the implementation of the proposed practices will vary by industry and with technological developments. For this reason, the Commission recommends that any legislation be phrased in general terms and be technologically neutral.

Pitofsky also said that the FTC wished to create an incentive for continued participation by industry. The legislative model would provide a means by which industries could develop their own guidelines for protecting consumers' privacy, and that those guidelines could receive governmental approval. Industries also would be required to ensure that they comply with and enforce their guidelines.

In addition, the proposal calls for the granting of rule-making authority to the government agency charged with implementing the statute. Rule-making would allow for the promulgation of specific rules and procedures for the approval of industry guidelines.

The following materials are available online:

FTC Testimony, "Consumer Privacy on the World Wide Web" , at

FTC Report, "Privacy Online: A Report to Congress", at

EPIC Report, "Surfer Beware: Personal Privacy and the Internet", at


Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 4 August 1998

Last Amended: 5 August 1998

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 6916 Fax: +61 6 288 1472