Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Rough Version of 11 October 1998
© Xamax Consultancy Pty Ltd, 1998
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/OzHC.html
This file contains preliminary reading for the paper 'AHistory of Privacy Protection in Australia'. It provides information on the setting in which the history of Australian privacy has been played out. It is in three sub-sections:
The origins of the concept of privacy need to be traced along a number of different lines.
In literature, the genre of 'anti-utopian' novels described futures repugnant to humanity. The classic image of an information-rich government dominating citizens' thoughts and actions is associated with Zamyatin's 'We' (1922) and Orwell's '1984' (1948), but the technological basis of the surveillance culture had been established as early as the late nineteenth century by Jeremy Bentham's designs for a model prison, incorporating the all-seeing and ubiquitous 'panopticon' (1791). Foucault (1975) argued that the prison metaphor was the leitmotiv of authoritarian society. Bradbury's 'Fahrenheit 451' (1953) and Umberto Eco's 'The Name of the Rose' (1980) speculated on the process and implications of denying information to the public.
Analyses of privacy-intrusive behaviours and technologies are available in more formal works, such as Rule 1974, Foucault 1977, Kling 1978, Rule et al 1980, Burnham 1983, Marx & Reichman 1984, OTA 1985, OTA 1986, Roszak 1986, Laudon 1986, Clarke 1988, Flaherty 1989, Bennett 1992, Davies 1992, and Davies 1996. Key concepts include the 'information-intensity' of administration during the twentieth century, resulting in the collection, maintenance and dissemination of ever more data, ever more 'finely grained'.
The 'information-intensity' phenomenon has arisen from the increasing scale of human organisations, making them more remote from their clients, and more dependent on abstract, stored data rather than personal knowledge. Other factors have been an increasing level of education among organisations' employees, the concomitant trend toward 'scientific management' and 'rational decision-models', and, particularly since the middle of the century, the brisk development in IT.
On a more practical level, an analysis of why the public is scared of the public sector is provided in Clarke (1993a). This identified a range of specific concerns, including the powers government agencies have:
A similar analysis of why the public is concerned about particular private sector behaviours would be likely to identify many similarities, and some distinct differences. Relevant sources include Packard (1957, 1964), Larsen (1992) and Gandy (1993).
A common approach to privacy is to perceive it as a fundamental human right. It is, after all, expressly recognised in the key international instruments, the Universal Declaration of Human Rights (UDHR 1948) and the International Covenant on Civil and Political Rights (ICCPR 1996). It is also embedded in the U.S. Constitution, albeit in a qualified manner.
An alternative approach is to conceive of a property right in personal data. Proposals surface from time to time, particularly in North America, for the creation of such a right, which would vest in the individual concerned, and which would be tradeable (e.g. Laudon 1993). This could involve outright ownership of personal data, or the preclusion of the use of personal data in the absence of a right established in law or contract to do so.
During the last quarter-century, enormous advances have been made in information technology, and the potential invasiveness of applications has become ever more intense. Moreover, organisations are increasingly eager to take advantage of data surveillance technologies, and to achieve greater data-intensity in their relationships with individuals.
Examples of IT that is significantly privacy-intrusive include:
Existing privacy-protective regimes have proven to be incapable of coping with and responding to these challenges, and legal and administrative staff are not going to be able to help understand them, let alone achieve a reasonable balance between the privacy interest and other, more powerfully represented interests.
Discussions of the history of privacy generally normally commence with an article by the U.S. judges Brandeis & Warren (1892), who considered privacy as 'the right to be let alone'.
Little attention appears to have been paid to the idea during the next half-century, in a world dominated by the greatest wars in the history of mankind. Nonetheless, the Universal Declaration on Human Rights, established by the United Nations in 1948, included reference to privacy (UDHR 1948):
Article 12 No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference or attacks.
Concern about unfair information practices developed quickly during the latter half of the 1960's. This was stimulated by growth in the power of computers, and the extent of their use, although many problems either pre-existed computers, or were associated also with other forms of information system automation, such as photocopying, microfilm and telecommunications. Concern about the social impact of computers resulted in a significantly improved appreciation of the impact of information technology generally.
In many countries it was felt that the emergence of the various information technologies represented a challenge that existing legal protections were unable to cope with. As a result, during the decade of the 1970's, many of the 'advanced western nations' acted to provide legislative and/or administrative protections.
Important early activity in the United States included studies by Westin (Westin 1967, 1974) and an Advisory Committee to the then Department of Health Education and Welfare (HEW 1973). Congress passed the Privacy Act in 1974 regulating federal government agencies. A report on early experiences is to be found in the Report of the Privacy Protection Study Commission (PPSC 1977). The efforts of President Ford's administration succeeded in emasculating the legislation and the report (Rule 1980, pp.75,110).
Legislation in Europe began even earlier, with the West German Land of Hesse passing the very first Data Protection Act in 1970, and Sweden's Data Act of 1973 being the first comprehensive legislation at national level.
In the United Kingdom, Private Members' Bills were introduced in the late 1960's, and successive Government Committees reported and were ignored(Younger 1972, Lindop 1978).
Since the early 1970's, most of the advanced western nations have legislated. In addition, many of the states of the U.S.A., provinces of Canada and Länder of West Germany have also passed laws. Some of these apply to all personal data systems, while others are restricted, e.g. to the public sector, or to automated or computerised systems. In an endeavour to achieve some amount of consistency in the highly varied approaches, the European Economic Community adopted a Convention in 1980 (EEC 1980).
The United Kingdom ignored the recommendations of , but finally responded to commercial pressure to ensure that British companies were not disadvantaged against their European competitors, and passed the Data Protection Act in 1984.
Around the world, information privacy protections display a number of variants. All, however, can be classified as 'fair information practices' (FIP) legislation. The essential postulate of FIP is that the efficiency of business and government should not be hindered.
The origins of FIP lie in the work of Columbia University political economist Alan Westin (Westin 1967, 1971; Westin & Baker 1974). In those early years of personal data systems, the dominant school of thought, legitmised by Westin's publications, was that the invisible economic hand of business and government activity would ensure that IT did not result in excessive privacy invasion. Hence privacy regulation was unnecessary, or, to the extent that it was imposed, it was essential that the detrimental effects on business and government be minimised.
During the 1970s (which the Chair of the OECD Expert Group later described as 'the decade of privacy'), a great deal of legislative activity occurred, particularly in the legislatures of countries on the Continent of Europe, but also in the U.S.A. The OECD, concerned that a proliferation of varied privacy protection laws might harm economic growth by creating accidental trade-barriers, codified the FIP-based regime in the OECD Guidelines (OECD 1980).
The OECD work was was expressly not an attempt to flesh out more general documents concerning human rights, such as ICCPR (1966). The prime concern was to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD, 1980, p.7). The concern to ensure that member-countries had a clear statement of international expectations regarding privacy protection was quite secondary. The dominance of economic over social interests is embedded in FIP regimes.
The Guidelines are contained in OECD (1980), and comprise a 1-page Council Recommendation, 4 pages of Guidelines and a 22-page Explanatory Memorandum. The document provides " ... a general framework for concerted action by Member countries: objectives ... may be pursued in different ways" (p.23). It does not represent a binding International Convention.
Legislation passed subsequently by many other countries reflects those Guidelines. A re-structuring of the OECD Guidelines into a form suitable for the creation of new schemes or the evaluation of existing and proposed regulatory regimes is at Clarke (1989).
The term used in Europe to refer to the FIP/OECD approach is 'data protection': it protects data about people, rather than people themselves. This is justified on the pragmatic grounds that it is an operational concept more easily coped with by business and government agencies than the abstract notion of privacy, and it is therefore easier to produce results. The intervening quarter-century has demonstrated quite comprehensively that, pragmatic or not, FIP-based privacy protection laws have not delivered what humans actually need.
For reviews of the origins of FIP laws and guidelines, and collections of contemporary privacy protection regimes, see Smith (1974-), Flaherty (1986), Bennet (1992, pp.96-101), and Madsen (1992).
During the 1970s and 1980s, almost all countries in Australia's reference group legislated to create 'data protection' or 'fair information practices' regimes. In order to avoid differences in the countries' legislation becoming an obstacle to trade, the general principles were codified, most influentially in the OECD's 1980 Guidelines.
During the early 1990s, the European Union developed a number of extensions to the conventional FIP/OECD approach. These have been widely accepted in Europe, with even the conservative business magazine, 'The Economist', recently calling for adoption of privacy laws affecting the private sector, arguing that "There is little reason to suppose that market-driven practices will by themselves be enough to protect privacy" (Editorial, 10 February 1996).
The EU Directive was finalised in 1995, to come into force on 24 October 1998 (EU 1995). Its motivations can be perceived as being to improve protections for Europeans personal data, or as a 'non-tariff trade barrier', designed to achieve advantage over the U.S.A. The EU Directive's implications, meanwhile, remain unclear and much debated.
The U.S. has been tardy in implementing data protection law. During the late 1990s, however, the U.S. Federal Trade Commission has become concerned about the slow adoption of electronic commerce, and has recently put significant pressure on direct marketers to greatly improve their present, entirely ineffectual self-regulatory arrangements, and has placed privacy legislation firmly on the Congressional agenda ( FTC 1998). Meanwhile, the U.S. Administration is also hardening its attitude (e.g. Gore (1998).
Meanwhile, U.S. companies have conducted initiatives based on trademarks (especially TRUSTe) and on privacy-sensitive technology (especially W3C's P3P protocol - see Clarke 1998d and Clarke 1998e). These are very unlikely to be, by themselves, sufficient to achieve the necessary public confidence. The new and hastily organised industry association called Privacy Alliance is also very unlikely to deliver anything of consequence.
A reasonable interpretation of these developments is that there has been a detectable swing away from the long-standing, almost axiomatic position among voters that corporations should be left alone to drive the economy, towards an expectation that privacy-invasive corporate behaviour needs to be reined in.
A further stream of developments is in the area of standards. In 1995-96, the Canadian Standards Association developed and issued a standard, which is billed as 'a model code for the protection of personal information'. The assessment in Greenleaf G. 'Stopping surveillance: Beyond `efficiency' and the OECD', a commentary on the CSA Model Code, at 3, 8 PLPR (December 1996) 148-152, concluded that it is definitely not adequate.
In October 1998, the Canadian Government drew on the CSA Model Code when it introduced a Bill designed to encourage electronic commerce, through a basket of measures including privacy protections. See also Waters (1998a).
Consistent with the FIP approach, the motivation for virtually all initiatives remains not social goals but economic ones.
Developments since late 1998 are described in a companion document.
This file contains preliminary reading for the paper 'A History of Privacy Protection in Australia'.
The references for works cited in this file are at Context.
Go to Roger's Home Page.
Go to the contents-page for this segment.
Created: 10 October 1998
Last Amended: 11 October 1998
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content). |
The Australian National University Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211 | Xamax
Consultancy Pty Ltd, ACN: 002 360 456 78 Sidaway St Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, 6288 6916 |