SUBMISSION
From:
Chris Connolly
Coordinator
Campaign for Fair Privacy Laws
To:
Senate Legal and Constitutional References Committee
Re:

Privacy and the Private Sector

July 1998

Chris Connolly

Campaign for Fair Privacy Laws

GPO Box 846

Sydney NSW 2001

T (02) 9262 4237

F (02) 9262 4151

chrisc@socialchange.net.au

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/CFPLSen.html


Introduction
The Privacy Movement in Australia

The privacy movement in Australia consists of a number of community and public interest organisations and some individual privacy advocates. The main bodies are:

There are also Councils for Civil Liberties, human rights organisations, community groups, community legal centres and consumer organisations, all of which participate to some degree in campaigns on privacy issues. Naturally, there is some overlap of membership between the groups.

The privacy movement is non political and attracts membership from a wide cross section of the community.

The Campaign for Fair Privacy Laws

The Campaign for Fair Privacy Laws is a loose, single issue coalition of more than thirty privacy, consumer, civil liberties and community organisations, including:

It was formed immediately after the Government's 1997 decision to abandon attempts to extend the Privacy Act to the private sector. I have been acting as the national coordinator of the Campaign since that time.


The Need for National Legislation

There are many arguments in favour of legislation rather than voluntary self regulation: Some of the most often quoted arguments are:

But as we will see in this paper, there are a wide range of reasons for supporting a national legislative solution.

In evidence to the Queensland Parliamentary Committee inquiry into privacy, Professor Bill Caelli made a statement that epitomises a realistic approach to the debate:

I know of no case where appropriate levels of security have ever been introduced by the private sector into any industry on a totally voluntary basis without the 'big stick' of Government legislation - legislation aimed at protecting the public. Industry codes or the much vaunted 'self-regulation' works for minimal changes to accepted industry practice-a sort of control over errant companies who stray but within certain bounds. Those innocent citizens affected by the actions of a wildly errant company have little recourse in such schemes. That is where the law of a nation comes in; indeed isn't it the very base for the rule of law? For privacy protection, the self-regulation model will simply NOT work.

Previous Reports and Recommendations

There have been numerous reports recommending that the Privacy Act be extended to cover the private sector. The repeated warnings of these reports have been ignored. Here is a selection of recent reports:

Electronic Commerce

In electronic commerce (and the provision of on-line services generally) the interests of consumers, business and government converge, and there is a general recognition of the need to boost consumer confidence in electronic commerce. Indeed the Government, through the establishment of the National Office of the Information Economy, has taken steps to do just that.

However, there is one electronic commerce policy issue that we are struggling to resolve in a way which will help either business or consumers - privacy.

In a recent development regarding electronic commerce and privacy, it appears that the main attempt at self regulatory solutions to improve privacy protection on the Internet (the development of P3P) is likely to fail in the face of the EU Directive.

In a recent paper (WP 11) on this issue the Working Party on the Protection of Individuals With Regard to the Processing of Personal Data have stated:

A technical platform for privacy protection will not in itself be sufficient to protect privacy on the Web. It must be applied within the context of a framework of enforceable data protection rules, which provide a minimum and non-negotiable level of privacy protection for all individuals. Use of P3P in the absence of such a framework risks shifting the onus primarily onto the individual user to protect himself, a development which would undermine the internationally established principle that it is the 'data controller' who is responsible for complying with data protection principles

There is a risk that P3P, once implemented in the next generation of browsing software, could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations (e.g. granting individual users a right of access to their data) if the individual user consents to this as part of the on-line negotiation. In fact those businesses, organisations and individuals established within the EU and providing services over the Internet will in any case be required to follow the rules established in the data protection directive

This development gives new impetus to the push for a legislative solution to Internet privacy - in order to send a clear message to consumers that it is safe to participate in electronic commerce.

The Patchwork Quilt

American Express has stated in evidence to the QLD Parliamentary Committee Inquiry that:

It is the fundamental belief of American Express that for legislation to be truly effective it needs to be national and uniform. State-based legislation, while addressing local needs, adds unnecessary compliance costs for. trans-border commerce.

The Australian Bankers' Association also submitted:

There is one overriding factor in implementing a private sector information privacy protection regime in Australia; that is, the regime must be a single, nationally effective and uniform regime under a single regulator.

Following recent announcements in Victoria, such a patchwork now exists:

There is also a patchwork of codes and self regulatory schemes that include aspects of privacy protection, rather than the Prime Minister's `dream' of a single national code:

...and many more


International Developments

Australia is now isolated as one of the only developed nation not considering a legislative solution to privacy protection.

In an open letter to the Prime Minister on April 16 1997, Privacy International wrote:

Privacy International is deeply concerned by your announcement of March 21 that the Australian government has abandoned its commitment to enact privacy legislation covering the private sector.

In taking this position, the government will leave Australian citizens without key rights and safeguards. Such rights are enshrined in numerous international conventions to which Australia is signatory. These fundamental agreements form the bedrock of a free society, and they quite properly make no distinction between private and public sector.

The government's decision goes starkly against the grain of international policy. Most countries are moving toward comprehensive privacy protection. By choosing an opposite path Australia will find itself isolated in the developed world.

Europe

The EU Directive makes it mandatory for the fifteen European Union member countries to have in place consistent and comprehensive information privacy laws by October 1998. The Directive further makes it mandatory for those member countries. (also from October 1998) to prohibit the transfer of personal data to any country that does not have 'an adequate level of protection' with respect to the processing of personal information.

The EU Directive also provides a number of exceptions to the 'adequate protection' requirement.

However, in both of the above cases these exceptions cannot be relied upon until they are embodied in the national legislation of the member states. Further, whilst the first category of exceptions are mandatory, member states have a discretion as to whether to recognise the adequate safeguards' exceptions.

For guidance on the meaning of `adequate safeguards" it is interesting to turn to the documents issued by the Working Party on the Protection of Individuals With Regard to the Processing of Personal Data.

In their paper First orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy (WP 4) they state:

...contractual solutions have inherent problems, such as the difficulty of a data subject enforcing his rights under a contract to which he is not himself a party, and they are therefore appropriate only in certain specific, and probably relatively rare, circumstances.

The Working party elaborated on the question of adequacy in WP7: Judging industry self-regulation: when does it make a meaningful contribution to the level of data protection in a third country? with a series of critical questions:

They state:

When examining the types of sanction in place, it is important to distinguish between a "remedial" sanction which simply requires a data controller, in a case of non-compliance, to change its practices so as to bring them into line with the code, and a sanction which goes further by actually punishing the controller for its failure to comply. It is only this second category of "punitive" sanction which actually has an effect on the future behaviour of data controllers by providing some incentive to comply with the code on an ongoing basis.

The absence of genuinely dissuasive and punitive sanctions is therefore a major weakness in a code. Without such sanctions it is difficult to see how a good level of overall compliance could be achieved, unless a rigorous system of external verification (such as a public or private authority competent to intervene in case of non compliance with the code, or a compulsory requirement for external audit at regular intervals) were put in place.

If the self-regulatory code is shown to have been breached, a remedy should be available to the data subject. This remedy must put right the problem (e.g. correct or delete any inaccurate data, ensure that processing for incompatible purposes ceases) and, if damage to the data subject has resulted, allow for the payment of appropriate compensation.

It is clear from these statements that the EU `hurdle' is going to be fairly high. It remains to be seen exactly what impact this will have on Australian business once countries implement these requirements in their national laws.

Our Close Neighbours

These countries have comprehensive national privacy laws in place, which cover the private sector:

These countries have announced that they will implement comprehensive national privacy laws which cover the private sector in the near future:

These countries are reported to be considering privacy laws affecting the private sector in certain industries:

A case study: Canada

It is useful to examine developments in Canada, a country with a similar federal structure to Australia, and also a country which, like Australia, often finds itself torn between American and European approaches to regulation.

Some Canadian provinces have legislation granting their residents civil protection against violations of their territorial and personal rights (a statutory tort of privacy).

Privacy of information is also protected by specific data protection legislation at both the federal and provincial levels. Canada's federal Privacy Act 1982 covers federal government agencies. Many of Canada's provincial governments have also passed similar legislation regarding information privacy in the public sector.

Quebec has legislation which covers the private sector. Since 1994 the Act Respecting the Protection of Personal Information in the Private Sector has granted individuals a right of access to, and control over the dissemination of, personal information held by private sector businesses operating in Quebec.

In 1996 the Canadian Standards Association released a Model Code for the Protection of Personal Information. The Model Code is designed as a standard which could be certified and registered like other quality management standards.

Despite the existence of this Code (and note that it is a true national Code and included consumer support), the Canadian federal government has decided that it can no longer rely on a self-regulatory approach to privacy protection in the private sector. It has announced that by the year 2000 Canada will have federal legislation providing effective and enforceable protection of privacy rights in the private sector.

In January 1998, a joint Justice and Industry Ministries Task Force issued a discussion paper about the form that the legislation should take. The paper acknowledges the work done on the Model Code as a valuable foundation, but states that light, flexible and effective legislation will provide the kind of backup that is needed to ensure that, when there are problems, consumers have mechanisms for recourse.

The US

In the US, where they favour self-regulation, a recent study has found that they actually have 940 individual laws affecting privacy depending on the jurisdiction and the sector. This may be the future for Australia if a national regime is not introduced here.

There are constant moves to introduce new privacy laws in the US, including several announcements relating to privacy on the Internet, and a recent announcement by Vice President Al Gore that he supports the push for a new Internet Bill of Rights, including privacy.

Of course, a degree of privacy protection is also afforded by the US Constitution.

The ISO

There have been several reports in the media suggesting that the International Standards Organisation (ISO) is writing a privacy standard. There have also been several reports suggesting that compliance with such a standard will ensure compliance with the European Union Directive on Data Protection. These reports are inaccurate.

The International Standards Organisation (ISO) has established a working group to consider the potential development of a standard for the protection of personal information. The group is known as the Ad Hoc Advisory Group on Privacy (AHAG) and is made up of representatives from national standards organisations from around the world. It is not writing a standard, but considering the potential for a standard to be developed.

The Standards Australia representatives on this group are myself (representing Consumers' Federation of Australia) and Chris Smith (the Manager of Consumer and Government Affairs for Readers Digest in Australia and New Zealand). The Privacy Commissioner, Moira Scollay, also attended one meeting.

The AHAG has been unable to reach a consensus agreement on the need for, or form of, an International Standard on privacy. It is also most unlikely that a Standard could ever form the basis of a compliance regime in relation to the EU Directive without regulatory backing at the national level. The AHAG is due to make a final report in September 1998, and I may be able to provide some additional information on this work at the public hearings.


The Recent Campaign

It may be useful to explain some of the decisions which have been made during the recent campaign.

The Prime Minister's Announcement

In March 1997 the Prime. Minister announced that "so as not to further increase the regulatory burden and compliance costs for business, the Commonwealth would not be implementing privacy legislation for the private sector." In order to avoid a patchwork of state regimes, the Prime Minister also requested the states and territories not to separately legislate for privacy in the private sector.

Instead, the Prime Minister offered the services of the federal Privacy Commissioner to assist business develop voluntary codes of conduct to meet privacy standards.

One aspect of this announcement which needs to be examined is whether the Prime Minister was reacting to the perceived compliance costs of a privacy regime as outlined in the discussion paper, or whether he had considered the improved regime suggested by many of those who had made submissions to the discussion paper.

The discussion paper had given the impression that businesses might have to submit annual reports of compliance to the Commissioner, and also that they would have to complete and forward additional documentation. It also appeared that the phase-in period would be quite short, and possibly not very flexible.

A number of privacy advocates and businesses had suggested, in response to the discussion paper, that the paperwork could be reduced, perhaps even eliminated (except where there was a complaint) and that the phase in periods could be lengthened and made more flexible.

These matters have never been the subject of further debate or consideration. Such measures may go a long way to alleviating concerns about the perceived compliance costs of a legislative regime.

The Alliance

Immediately following the announcement, a loose alliance of privacy advocates and businesses began a campaign to have the Prime Minister reconsider the decision. During the period following the announcement the range of organisations who have come forward to criticise the decision is astounding, including:

Seventy percent of respondents to a nationwide survey conducted by Price Waterhouse in 1997 supported the introduction of privacy legislation to cover the corporate sector. As noted in the report on that survey:

This is in contrast to the Government view that legislation would add unnecessary burden and overhead to Australian business. Of the organisations surveyed, it was found that 79% felt only minor changes would be required to their business practices in order to comply with legislation, highlighting the fact that Australian business does not believe that there will be significant costs associated with applying good privacy practice.

The Boycott

It has become increasingly difficult to see how the Government's strategy on privacy will benefit either business or consumers. The stated intention of the Government's policy is to develop a national voluntary code - yet this objective is no closer now than at the time of the announcement.

I have been an active participant in the process, led by the Privacy Commissioner Moira Scollay, to establish a modern set of Principles for the Fair Handling of Personal Information. This was considered to be a good first step towards either a code or legislation, and the negotiations showed that business and privacy groups can work together to achieve useful progress.

However, I am also an active participant in the national boycott by privacy and consumer advocates of the next stage in the Commissioner's process - discussion about the implementation of the voluntary code.

Every major privacy and consumer organisation has joined the boycott, and not a single advocate has participated in those discussions, nor will they do so.

There are several reasons for the boycott:

A national code can not be developed in these circumstances. Codes of conduct can only have meaning when they have been developed with the support and participation of consumer representatives.

In any event, there does not appear to be any great interest from business in developing a national code. Several industry groups have indicated that they may implement the principles in their own sectoral codes, but there is no indication of support for a general national code covering all business.

Indeed, it is the industries already covered by Codes and ombudsmen schemes (such as banking and insurance) who plan to add the principles to their codes. There has been no enthusiasm from the wider business community, and there does not appear to be any current timetable for the implementation of a national code.


Conclusion

A final quote from the EU Working Party may be appropriate here, indicating the uphill battle that Australia will have if it does not introduce national privacy legislation, and also indicating just how far removed from the rest of the world the current Australian approach has become:

For a self-regulatory instrument to be considered as a valid ingredient of "adequate protection" it must be binding on all the members to whom personal data are transferred and provide with adequate safeguards if data are passed on to non-members. The instrument must be transparent and include the basic content of core data protection principles. The instrument must have mechanisms which effectively ensure a good level of general compliance. A system of dissuasive and punitive sanctions is one way of achieving this. Mandatory external audits are another. The instrument must provide support and help to individual data subjects who are faced with a problem involving the processing of their personal data. An easily accessible, impartial and independent body to hear complaints from data subjects and adjudicate on breaches of the code must therefore be in place. The instrument must guarantee appropriate redress in cases of non-compliance. A data subject must be able to obtain a remedy for his/her problem and compensation as appropriate.

Australia has no current strategy to achieve these goals. Privacy and consumer organisations are boycotting any discussion of voluntary codes, a patchwork of inconsistent state and sectoral regimes is emerging, and despite a plethora of reports recommending a national scheme, and diverse business support for such a scheme, the Government has sent a signal that it has no serious interest in protecting privacy.


A Brief Note on Outsourcing

In the ongoing debate on privacy legislation, it is easy to overlook the smaller issue of IT outsourcing of information collected from the public by government agencies.

Obviously, we support the extension of legislative protection to cover this situation should it a arise. However, it should not be assumed that the privacy movement supports the outsourcing of this information in the first place. There are generally two views on this point:

  1. That no personal information collected by government agencies should be processed by private sector organisations; or
  2. That certain information may be outsourced, but that other more sensitive information should not. Examples usually given are:

In support of this last view, it is noted that the Government has chosen not to outsource "its" sensitive data, such as security, intelligence or law enforcement records. The same reasoning should be applied to "our" sensitive data.

There are a range of other arguments and views on this point, but I do not feel that it is appropriate for me to address them all in a submission from the Campaign for Fair Privacy Laws, which is a single issue alliance. I am sure that they can be discussed in more detail during the public hearings.

Chris Connolly

Coordinator

Campaign for Fair Privacy Laws

July 1998


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 10 July 1998

Last Amended: 10 July 1998


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916