Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2019
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Emergent Draft of 29 October 2010
Roger Clarke ** [and co-authors?]
© Xamax Consultancy Pty Ltd, 2010
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/APLvAC.html
A review of the history and status of privacy law in Australia reveals that the the human value of privacy has been consistently deprecated in favour of the convenience of the public service and business.
Privacy law has been an active area of development for 40 years, since the German Land of Hesse enacted the first statute in 1970. The first legislation in Australia followed 5 years later.
The primary purposes of this paper are to trace the development of privacy laws in each jurisdiction in Australia, and to place those developments within a framework that reflects developments elsewhere, and the political power of the key players.
The paper begins with a brief review of the emergence of privacy as a distinct concept, and then of privacy laws. A set of models of privacy protection is derived, as a basis for classifying approaches that have been used in Australia. The development of privacy law is then traced in each of the nine jurisdictions. The complex arrangements in place in the non-government sector warrant its treatment as a tenth context. Inferences are drawn about the nature of privacy protection in Australia.
The paper draws on prior work including Clarke (1998a, 1998b), and the resources on privacy laws maintained by the Australian Privacy Foundation (APF 2010). Other sources include Gunning (2001), PI (2007), OVPC (2009), OAPC (2010), and WorldLII (2010).
Discussions of the history of privacy generally normally commence with an article by the U.S. judges Warren & Brandeis (1890), who referred to privacy as 'the right to be let alone'.The interest in controlling information about oneself reflects concerns about the the exercise of power by others. It is a concern that has been heightened during the twentieth century, as the scale of social institutions grew, distance increased between individuals and the organisations that they dealt with, rational management took hold, organisational decision-making ceased to be based on personal judgement and trust and came to be based almost entirely on data, and technologies were developed and applied to achieve those ends.As ever, artists sensed the forthcoming change long before it arrived. The classic image of an information-rich government dominating citizens' thoughts and actions is associated with Zamyatin's 'We' (1922) and Orwell's '1984' (1948), but the technological basis of the surveillance culture had been established as early as the late nineteenth century by Jeremy Bentham's designs for a model prison, incorporating the all-seeing and ubiquitous 'panopticon' (1791). These initial warnings were stimulated by the spectre of authoritarian governments (variously fascist and communist) harnessing technology to their anti-democratic aims.
From about 1950 onwards, a gradual shift is discernible towards technology as itself a determinant of the directions of change. Early expressions of concern in non-fiction literatures included Packer (1957, 1964), Long (1967), Stone (1968), Miller (1969), Rosenberg (1969), Thompson (1970), Warner & Stone (1970), Miller (1972), Rule et al. (1974), Wessell (1974) and Weizenbaum (1976). Subsequent examinations of concerns arising from computer technology are to be found in Burnham (1983) and Laudon (1986). A more generalised expression of deep concern about the nature of the surveillance society is Foucault (1975), who argued that the prison metaphor was the leitmotiv of authoritarian society.
The international legal context of Australian privacy law is set by the Universal Declaration of Human Rights (UDHR 1948), which includes at Article 12 "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks". This is supplemented by more detailed instruments such as the United Nations Convention on the Rights of the Child adopted in 1989, and the United Nations Guidelines concerning Computerized Personal Data Files, adopted in 1990.The UDHR is merely a statement of aspiration. An instrument was later negotiated which includes provision for some degree of enforcement. The International Covenant on Civil and Political Rights (ICCPR 1966), includes Article 17, which has similar wording to UDHR 12.
Analyses of privacy-intrusive behaviours and technologies are available in more formal works, such as Rule (1974) and Foucault (1977). Rule identified as the key factor the 'information-intensity' of administration during the twentieth century, resulting in the collection, maintenance and dissemination of ever more data, ever more 'finely grained'.
The 'information-intensity' phenomenon has arisen from the increasing scale of human organisations, making them more remote from their clients, and more dependent on abstract, stored data rather than personal knowledge. Other factors have been an increasing level of education among organisations' employees, the concomitant trend toward 'scientific management' and 'rational decision-models', and, particularly since the middle of the century, the brisk development in IT.
Many discussions have mistakenly focussed on the technology as if it were the root cause of the problems, rather than an enabler of more information-intensive ways of working. Clarke (1988) identified the way in which organisations adopted data surveillance technologies in replacement for more labor-intensive manual and electronic methods.
Concern about unfair information practices developed quickly during the latter half of the 1960's. This was stimulated by growth in the power of computers, and the extent of their use, although many problems either pre-existed computers, or were associated also with other forms of information system automation, such as photocopying, microfilm and telecommunications. Concern about the social impact of computers resulted in a significantly improved appreciation of the impact of information technology generally.In many countries it was felt that the emergence of the various information technologies represented a challenge that existing legal protections were unable to cope with. As a result, during the decade of the 1970's, many of the 'advanced western nations' acted to provide legislative and/or administrative protections.Important early activity in the United States included studies by Westin (Westin 1967, 1971, 1974) and an Advisory Committee to the then Department of Health Education and Welfare (HEW 1973). Congress passed the Privacy Act in 1974 regulating federal government agencies. A report on early experiences is to be found in the Report of the Privacy Protection Study Commission (PPSC 1977). The efforts of President Ford's administration succeeded in emasculating the legislation and the report (Rule et al. 1980, pp. 75, 110).See also Hondius (1975). Flaherty (1984) provides a bibliography of privacy works. Burkert (1999) reports that a 1970 edition of Westin's 1967 publication was available in German translation in the same year, courtesy of IBM, and significantly influenced developments in Germany. This reflects the close association that has always existed between Westin's work and the needs of business and government.
Legislation in Europe began even earlier, with the West German Land of Hesse passing the very first Data Protection Act in 1970, and Sweden's Data Act of 1973 being the first comprehensive legislation at national level.In the United Kingdom, Private Members' Bills were introduced in the late 1960's, and successive Government Committees reported and were ignored(Younger 1972, Lindop 1978).Since the early 1970's, most of the advanced western nations have legislated. In addition, many of the states of the U.S.A., provinces of Canada and Länder of West Germany have also passed laws. Some of these apply to all personal data systems, while others are restricted, e.g. to the public sector, or to automated or computerised systems. In an endeavour to achieve some amount of consistency in the highly varied approaches, the European Economic Community adopted a Convention in 1980 (EEC 1980).The United Kingdom ignored the recommendations of , but finally responded to commercial pressure to ensure that British companies were not disadvantaged against their European competitors, and passed the Data Protection Act in 1984.Around the world, information privacy protections display a number of variants. All, however, can be classified as 'fair information practices' (FIPs) legislation. The essential postulate of FIP is that the efficiency of business and government should not be hindered.The origins of FIP lie in the work of Columbia University political economist Alan Westin (Westin 1967, 1971; Westin & Baker 1974). In those early years of personal data systems, the dominant school of thought, legitmised by Westin's publications, was that the invisible economic hand of business and government activity would ensure that IT did not result in excessive privacy invasion. Hence privacy regulation was unnecessary, or, to the extent that it was imposed, it was essential that the detrimental effects on business and government be minimised.During the 1970s (which the Chair of the OECD Expert Group later described as 'the decade of privacy'), a great deal of legislative activity occurred, particularly in the legislatures of countries on the Continent of Europe, but also in the U.S.A. The OECD, concerned that a proliferation of varied privacy protection laws might harm economic growth by creating accidental trade-barriers, codified the FIP-based regime in the OECD Guidelines (OECD 1980).The OECD work was was expressly not an attempt to flesh out more general documents concerning human rights, such as ICCPR (1966). The prime concern was to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD, 1980, p.7). The concern to ensure that member-countries had a clear statement of international expectations regarding privacy protection was quite secondary. The dominance of economic over social interests is embedded in FIP regimes.The Guidelines are contained in OECD (1980), and comprise a 1-page Council Recommendation, 4 pages of Guidelines and a 22-page Explanatory Memorandum. The document provides " ... a general framework for concerted action by Member countries: objectives ... may be pursued in different ways" (p.23). It does not represent a binding International Convention.Legislation passed subsequently by many other countries reflects those Guidelines. A re-structuring of the OECD Guidelines into a form suitable for the creation of new schemes or the evaluation of existing and proposed regulatory regimes is at Clarke (1989).The term used in Europe to refer to the FIP/OECD approach is 'data protection': it protects data about people, rather than people themselves. This is justified on the pragmatic grounds that it is an operational concept more easily coped with by business and government agencies than the abstract notion of privacy, and it is therefore easier to produce results. The intervening quarter-century has demonstrated quite comprehensively that, pragmatic or not, FIP-based privacy protection laws have not delivered what humans actually need.For reviews of the origins of FIP laws and guidelines, and collections of contemporary privacy protection regimes, see Smith (1976-), Flaherty (1989), Bennett (1992, pp.96-101), and Madsen (1992).During the 1970s and 1980s, almost all countries in Australia's reference group legislated to create 'data protection' or 'fair information practices' regimes. In order to avoid differences in the countries' legislation becoming an obstacle to trade, the general principles were codified, most influentially in the OECD's 1980 Guidelines.
A small number of international documents are influential in discussions about regulation by Australian governments:
The EU Directive was finalised in 1995, to come into force on 24 October 1998 (EU 1995). Its motivations can be perceived as being to improve protections for Europeans personal data, or as a 'non-tariff trade barrier', designed to achieve advantage over the U.S.A. The EU Directive's implications, meanwhile, remain unclear and much debated.During 1998-99, the United States Federal Trade Commission conducted reviews of corporations' privacy policies, as evidenced by statements on their web-sites. In common with other such reviews (EPIC 1997, EPIC1998) and Culnan 1999), it concluded that the standard was extremely poor. After some sabre-rattling, it decided that business had taken notice of it, and that it needed to do nothing whatsoever. It provides a guide for the public which reflects the country's preference to let corporations dominate consumers; but provides no guidance to corporations as to what they are expected to do. In short, Stateside, the farcical game continues.
[The U.S. ... Safe Harbor ... adequacy ...]
Meanwhile, U.S. companies have conducted initiatives based on trademarks (especially TRUSTe) and on privacy-sensitive technology (especially W3C's P3P protocol - see Clarke 1998d and Clarke 1998e). These are very unlikely to be, by themselves, sufficient to achieve the necessary public confidence.
[I can think of three main alternatives.]
Four models of privacy protection
Braithwaite J. & Drahos P. (2000) 'Global Business Regulation' Cambridge University Press, 2000
If so, some hard work is needed, to get to grips with the theory, and apply it to a complex and changing landscape across nine jurisdictions.
Should the paper instead be driven by work of Colin Bennett, Bennett & Raab, Lee Bygrave, or David Flaherty?
Bennett C. (1992) 'Regulating Privacy: Data Protection and Public Policy in Europe and the United States' Cornell University Press, New York, 1992
Bygrave L. (2002) 'Data Protection Law: Approaching Its Rationale, Logic and Limits' Kluwer Law International, 2002
Flaherty D.H. (1989) 'Protecting Privacy in Surveillance Societies', Uni. of North Carolina Press, 1989
If so, some hard work is needed, to get to grips with the theory, and apply it to the ten Australian contexts.
The Commonwealth of Australia was formed in 1901, through the federation of six colonies that had been formed between 1788 and 1851. The six colonies becames six States of the Commonwealth. One Territory was granted self-government in 1978, and another had self-government thrust upon it in 1988. There are accordingy nine Crowns in Australia, the Commonwealth (also variously referred to as 'federal' and 'Australian'), six States with substantial powers, and two Territories. Each of the nine Crowns has authority over its own public sector. However, the Commonwealth Parliament retains the power to over-ride the Territory Parliaments, and has occasionally done so, relevantly in relation to euthanasia laws.
For the purposes of privacy law, a tenth context needs to be recognised - the non-government sectors. These include both for-profit business enterprises - including corporations, unincorporated businesses including sole traders, partnerships and trusts, and many cooperatives (which is the narrow interpretation of the term 'private sector') - and not-for-profit organisations - including charities, associations, clubs and some cooperatives. Under the Australian Constitution, the non-government sectors are subject to aspects of both Commonwealth law and the laws of the States and Territories. In some contexts, one is clearly relevant and the other clearly not; but in some contexts there are grey areas.
Despite the exhortations of UDHR (1948), and Australia's undertakings arising from ICCPR (1966), privacy was not a major item of discussion during the immediate post-war period. This was a time in which recovery, progress, the Communist menace, and the Cold War dominated. At about the same time as privacy issues were beginning to attract attention in Europe and North America, the wake-up call was issued in Australia by Zelman Cowen (some years later Governor-General), in his ABC Boyer Lecture Series in 1969 (Cowen 1969). This had direct consequences in, but only in, N.S.W.
Australia signed the ICCR in 1972 and ratified it in 1980. The act of ratification required Australia to adopt legislative and other measures to give effect to the ICCPR. However, the ICCP has never been adopted as law of the Commonwealth of Australia, and mainly operates as a reference point for the functions of the Human Rights Commission (AHRC 2006, 2010).
This section provides a necessarily brief overview of the history and status of privacy law in each of the ten contexts.
Summarise from History of Australian Privacy Law - The Commonwealth.
Summarise from History of Australian Privacy Law - The Private Sector.
Summarise from History of Australian Privacy Law - N.S.W.
Summarise from History of Australian Privacy Law - Victoria.
Summarise from History of Australian Privacy Law - Queensland.
Summarise from History of Australian Privacy Law - Western Australia.
Summarise from History of Australian Privacy Law - South Australia.
Summarise from History of Australian Privacy Law - Tasmania.
Summarise from History of Australian Privacy Law - Australian Capital Territory.
Summarise from History of Australian Privacy Law - Northern Territory.
e.g. if applying the pragmatic framework, then:
no instance of the strongest form
several implementations of the Data Protection Commission model, but with very weak protections, and extremely weak powers, with appointees subjected to consistent and at times very substantial pressure from public service and corporate interest groups, in most cases giving away after a period of time to the yet weaker Information Commission model
increasing implementation of the Information Commission model, which involves the privacy aspect being subsumed within a broader agenda with greater momentum, resulting in even less substantive protective action than under the Data Protection Model
several jurisdictions remain in what is essentially a pre-historic state, with no law, and mere instruments issued by some organ of the public service with no enforceability or enforcement
absence of entrenched rights
dominance of public services and industry associations over parliament, cabinet and ministers resulting in weak protections, no sanctions and weak enforceability, and very weak enforcement
substantial absence of civil society from policy formation
incremental reduction in protections
SELECTED FROM History References
PLUS ADDITIONAL REFERENCES AS APPROPRIATE
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 60 million in early 2019.
Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 7 August 2010 - Last Amended: 29 October 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/APLVAC.html