Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's Senate Submission Feb 2005

Submission to the Senate Legal and Constitutional Committee re its Inquiry into the Privacy Act 1988

Roger Clarke **

Version of 25 February 2005

© Xamax Consultancy Pty Ltd, 2005

Available under an AEShareNet Free
for Education licence

This document is at http://www.rogerclarke.com/DV/SenateReview0502.html


Introduction

I have been active in relation to privacy issues since 1972, variously as information technology professional, researcher, consultant and public interest advocate. I provide a wide array of resources on the subject. I have been a Board member of the Australian Privacy Foundation since its inception in 1987, and draw attention to its submission to this Inquiry. My other major affiliations are listed at the end of this submission.

I provide below brief responses to each of the Inquiry's Terms of Reference, supported by references to papers that offer greater detail on each matter.


Term (a)(i)

(a) the overall effectiveness and appropriateness of the Privacy Act 1988 as a means by which to protect the privacy of Australians, with particular reference to (i) international comparisons

The Privacy Act was originally passed in 1988 (in relation to the public sector) and amended in 1989 (to extend it to credit reporting). In these first segments, I restrict my comments to those Parts, and defer comment on the private sector amendments until later.

The Privacy Act of 1988-89 was a long-delayed, modest, but reasonable implementation of the OECD Guidelines of 1980. An analysis of the shortfalls of the legislation compared with the OECD Guidelines is in Clarke (1989).

Because of its origins, the Act addressed technology of a past era, the 1970s. There has been no substantive review, and there have been no substantive enhancements, since that time. Meanwhile, it has been subject to continual weakening, through:

As a result of these depredations, if the Privacy Act is actually intended to be a means of protecting the privacy of Australian citizens, it is utterly inadequate.

An analysis of the shortfalls of the legislation in comparison with the needs of Australians at the commencement of the twenty-first century is in Clarke (2000a).

Those of the world's countries that place some value on their citizens' privacy have moved on beyond the dated and low standards of the OECD Guidelines and the Commonwealth Act. Some examples of extensions include anonymity, purpose justification, and requirements for the conduct of Privacy Impact Assessments (PIAs). See Clarke (2003a).


Term (a)(ii)

(a) the overall effectiveness and appropriateness of the Privacy Act 1988 as a means by which to protect the privacy of Australians, with particular reference to (ii) the capacity of the current legislative regime to respond to new and emerging technologies which have implications for privacy

The current regime contains no mechanisms whereby it can adapt or be adapted to new circumstances. It is the responsibility of the legislature to commission studies, to consider the submissions of the Privacy Commissioner and the reports of bodies such as the Law Reform Commission, and to take into account the submissions of researchers and interest groups. The Parliament has been seriously remiss in its execution of those responsibilities. It would be nice if people preparing public interest submissions to the present Inquiry were able to have confidence that their efforts would actually result in enhanced privacy protections.

The Attorney-General's Department has adopted the mantra of 'technology neutrality' as an excuse for avoiding any need to confront the ravages wrought on laws by changes in technology. The notion of technology neutrality is intuitively appealing; but in many circumstances it fails. For example, there was no need to create laws relating to nuclear proliferation until nuclear technology came along. Similarly, constraints on aircraft breaking the sound barrier over settled areas were unnecessary while such speeds were theoretical. Moreover, regulation of such technologies was simply inconceivable until the technologies were invented. It was therefore sheer fluke if any form of regulatory constraint existed when they were first deployed.

In short, Parliament has a clear and important obligation to amend legislation, and create new legislation, to regulate powerful new technologies.

Parliament has failed that duty.

Chips have been miniaturised, and inserted into a variety of carriers, including 'smart cards' and now 'RFID tags'. This has created all manner of new security vulnerabilities and privacy-invasions. A notable example is the naive and dangerous proposal by the Passports Office within DFAT to place enormously sensitive data into an RFID tag, including biometrics that will facilitate identity theft. There is no regulatory framework, and indeed no mechanism whereby the Parliament can be reliably informed about the nature, appropriate and inappropriate applications, impacts, implications, and necessary justification for and controls over, such complex, ill-understood and threatening technologies. Background information on smart cards is in Clarke (1998), and the privacy risks of smart cards applied to identification are addressed in Clarke (1997).

Proposals by the Government in relation to the capture and storage of biometrics are extraordinarily ill-informed and dangerous. They create scope for privacy invasion, identity theft and identity denial. The risks are summarised in Clarke (2001a). Proposals for a regulatory regime for biometrics are in Clarke (2003b). Further papers on biometrics are indexed in the annotated bibliography of my own papers, and my bibliography of other people's papers on the topic.

When I wrote about "imposed physical characteristics (e.g. dog-tags, collars, bracelets and anklets; brands and bar-codes; embedded micro-chips and transponders" in Clarke (1994), people told me that I'd been reading too much science fiction. The Terms of Reference for this Inquiry must now confront the fact that various organisations are seriously proposing that humans be demeaned through the at first voluntary, and shortly compulsory, use of the human body as a carrier for chips. These proposals are coming forward in a regulatory vacuum. The much-heralded FDA 'approval' for chip-implantation was merely a statement that the procedure does not automatically violate health care laws. The FDA is not even the arbiter of the rights of people in the U.S.A., far less the arbiter of the human rights of Australians.

The Parliament has a responsibility to proscribe all uses of chips in or closely associated with humans, and to sustain the ban until after research and public consultation have been undertaken and a suitable regulatory regime devised and implemented.

Other than expressing serious concern about their privacy impacts, I make no comment about genetic technologies. This is simply because the list of other threats closer to my areas of expertise has been so long that I have been unable to spend sufficient time to get to grips with it. The Australian Law Reform Commission's report made important contributions; and, like so many others before it, was ignored by the Government, and by the Parliament.

There is a long list of additional technologies that should also be subjected to examination. Data mining, CCTV, digital signatures, toll-roads that deny anonymous usage, pattern-recognition applied to car number-plates, caller-line identification, gross abuses of the 'white pages' database - IPND, auto-identification of telephone callers, and location and tracking of mobile phones, have all demanded attention from public interest organisations. They should all be subjected to publicly funded policy research, and then to appropriate regulation in order to rein in the privacy abuses that they embody.


Term (a)(iii)

(a) the overall effectiveness and appropriateness of the Privacy Act 1988 as a means by which to protect the privacy of Australians, with particular reference to (iii) any legislative changes that may help to provide more comprehensive protection or improve the current regime in any way

As argued earlier, the legislation is ancient, and requires substantial updating. The changes need to be even more dramatic than the cumulative changes in technology that have occurred since the late 1970s, because the law needs to 'play catch-up'. The changes required are documented in Clarke (1989), Clarke (2000a) and Clarke (2003a), and more specifically in Clarke (1997) and Clarke (2003b).


Term (b)

(b) the effectiveness of the Privacy Amendment (Private Sector) Act 2000 in extending the privacy scheme to the private sector, and any changes which may enhance its effectiveness

When referring to the private sector provisions, the Government has variously used the terms 'light touch' and 'co-regulation'. The expression 'light touch' is appropriately descriptive, in that the Government has prioritised the interests of business enterprises over those of citizens, authorised business activities that the public regards as privacy breaches, and ensured that privacy regulation is nominal and cheap.

On the other hand, it is not appropriate to use the term 'co-regulatory' to describe the regime that was established by the amendments of 2000. A statement of the requirements of a genuinely co-regulatory scheme are in Clarke (1999a).

The exemptions and exceptions in the private sector provisions are so broad that the regime is appropriately described as being at best self-regulatory, more likely as non-regulatory, or simply anti-privacy. See Clarke (1999b), Clarke (2000b) and Clarke (2001b). I argued at the time that the Bill should not be passed. In December 2004, in my submission to the Privacy Commissioner in relation to her own review, I argued that the Act should be rescinded, and replaced by a genuinely privacy-protective statute. See Clarke (2004).

My detailed arguments in relation to specific aspects of the private sector provisions are in that submission, and I have accordingly provided it as an Addendum to my submission to the Committee.


Term (c)

(c) the resourcing of the Office of the Federal Privacy Commissioner and whether current levels of funding and the powers available to the Federal Privacy Commissioner enable her to properly fulfil her mandate

The OFPC's budget was substantially reduced by the Government in the lead-up to the passage of the Amendment Bill in 2000. That enabled the Government to be appearing to provide new resources to enable the Privacy Commissioner to perform their function. That was simply not the case. The OFPC has had its responsibilities greatly increased, and has no more resources, and possibly fewer resources, than prior to the addition of the private sector to its purview.

The Government has further depleted the OFPC's resources by imposing on it additional requirements, without providing the necessary increment in resources. The review of the private sector provisions is a current case in point. It is in any case invidious for a commissioner to be required to review her own office.

The impact of this has been that the OFPC is prevented from fulfilling its responsibilities. It conducts few audits, its replies to complaints and submissions are very slow, it is unable to respond quickly to sudden demands, and it is able to conduct very little own-volition research and investigation.

It is clear that any Government of the day will prefer not to enable the OFPC to challenge the activities of the Government, and to create hurdles for the private sector. The OFPC's privacy protection role will not be able to be performed in anything approaching the necessary manner unless resourcing is guaranteed by the Parliament.


References

Clarke R. (1989) 'The Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines', Xamax Consultancy Pty Ltd, June 1989

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994)

Clarke R. (1997) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal, September 1997

Clarke R. (1998) 'Smart Card Technical Issues Starter Kit', for Centrelink, April 1998

Clarke R. (1999a) 'Internet Privacy Concerns Confirm the Case for Intervention', Commun. ACM, 42, 2 (February 1999) 60-67

Clarke R. (1999b) 'Submission to the Commonwealth Attorney-General, re: 'A privacy scheme for the private sector: Release of Key Provisions' of 14 December 1999' Xamax Consultancy Pty Ltd, January 2000

Clarke R. (2000a) 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century' Xamax Consultancy Pty Ltd, January 2000

Clarke R. (2000b)   'Submission to the Inquiry into the Privacy Amendment (Private Sector) Bill 2000' by the Senate Legal and Constitutional Legislation Committee, September 2000

Clarke R. (2001a) 'Biometrics and Privacy' Xamax Consultancy Pty Ltd, 15 April 2001

Clarke R. (2001b) 'Beyond the Alligators of 21/12/2001, There's a Public Policy Swamp' Proc. Privacy.au, Marcus Evans Conferences, Sydney, 23-24 October 2001

Clarke R. (2003) 'Emergent Privacy Protection Principles' Xamax Consultancy Pty Ltd, 28 April 2003

Clarke R. (2003) 'Why Biometrics Must Be Banned' Extended Abstract of a Presentation to the Baker & McKenzie Cyberspace Law & Policy Centre Conference on 'State Surveillance after September 11', Sydney, 8 September 2003

Clarke R. (2004) 'Submission to the Review of the Private Sector Provisions of the Privacy Act 1988 (Cth), in particular the Issues Paper of October 2004' Xamax Consultancy Pty Ltd, November 2004


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also Visiting Professor in the Baker & McKenzie Cyberspace Law & Policy Centre at the University of N.S.W., Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and Visiting Fellow in the Department of Computer Science at the Australian National University.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 25 February 2005 - Last Amended: 25 February 2005 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/SenateReview0502.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy