Australian Privacy Charter Council
Version of July 2000
© Australian Privacy Charter Council, 2000
This document is at http://www.privacy.org.au/apcc/Submns/Sen0007.html
The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian Community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.
In 1994, the Charter Council launched the Australian Privacy Charter, which is appended to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured.
The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.
For convenience, we use the term e-Privacy to cover all three of the terms of reference of the Committee's Inquiry.
The Council urges the Committee to ensure that its report is integrated with the Senate's consideration of the Privacy Amendment (Private Sector) Bill 2000, and takes account of the advisory report of the House of Representatives Legal & Constitutional Affairs Committee on that Bill.
Although we have many criticisms of the Bill, we would not like to see an entirely separate regime for on-line privacy. We believe that organisations collecting personal information through electronic transactions should as a starting point have to comply with the same principles as organisations collecting personal information by any other means. A separate regime would create an artificial distinction which would only confuse businesses and consumers alike, and make policing and enforcement very difficult.
We do however accept that on-line collection and use of personal information does raise some specific privacy issues which require special consideration, and we therefore welcome the Committee's Inquiry.
We suggest that the best way of integrating e-Privacy both with the proposed general private sector regime and with the existing regime applying to Commonwealth agencies would be to recommend a statutory requirement for the Privacy Commissioner to develop a Code of Practice for on-line privacy protection, to be registered as a Code under the Privacy Act, and subject to the 'default' enforcement mechanisms in the Act.
One of our criticisms of the current Bill is that it provides only partial and imperfect 'safeguards' as to how personal information can be used. The proposed regime has lost most of its other critical function, which is to give individuals more control over when and if personal information can be used. In the context of growing business convergence, e-commerce and so-called customer relationship management (often a code term for cross-selling), it is this control function which will increasingly be demanded by consumers.
Our detailed comments and criticisms of the Bill are set out in our submission to the House of Representatives Committee Inquiry, which is attached. Our conclusion is that if enacted unchanged, the Bill would provide an entirely false sense of reassurance to the Australian public. It would also fail to achieve one of the main objects set out in Clause 3 - "meets international concerns and Australia's international obligations relating to privacy to meet our international obligations". In our view, based on the expert knowledge of several of our members, the Bill will fail to meet the standard of adequacy required by European Union member states for transfer of personal data to other jurisdictions under Articles 25 & 26 of the 1995 Data Protection Directive (95/46/EC).
As a result of the Bill's major weaknesses, it will fail to give consumers and business alike the confidence to use and invest in electronic commerce and service delivery, which we understood to be one of the government's main objectives.
Our general view is that there is no need for new additional principles to deal with e-Privacy - the need is for clear guidance as to the application of the proposed National Privacy Principles, and other laws, to electronic transactions and computer databases.
We strongly urge that the definition of personal information should include `potentially identifiable' information. The current Privacy Act definition requires that an individual be identifiable from the information.
Many of the recent privacy controversies, concerning collection of information on-line, have revolved around the collection of e-mail addresses or IP addresses, which can either be used to communicate directly with a person or can be subsequently matched with other information to add to a profile of a particular individual.
However, it is arguable that an email address or IP address is not 'personal information' as defined in the Bill, as they do not unambiguously identify an individual. The same applies to telephone numbers, even though these are routinely used as a surrogate identifier for either the subscriber to the line, or a regular user.
It is essential that the definition of personal information is clarified, to put beyond doubt that it applies to such 'indirect identifiers' and to the information collected and held in association with them. One way of doing this would be to adopt the definition in the UK Data Protection Act, which includes "identified from the information itself or from other information in the possession of the data user".
Another overarching issue is the application of Telephone interception and other Telecommunications laws to e-mail. These laws have failed to keep pace with technology, and it is currently unclear as to whether e-mails, while they are stored on computers at various stages in their life, are "content" of a telecommunication. If they are, then they would be subject to the very strict rules concerning access contained in the Telecommunications (Interception) Act 1979. If they are not, then they would only be subject to the much less strict controls on access to telecommunications call records in the Telecommunications Act 1997.
Given that the content of an e-mail is the electronic equivalent of a cross between a telephone conversation and a letter (also subject to strict interception safeguards), we believe that it should be put beyond doubt that e-mails, at least between despatch by the sender and receipt by the addressee, are content subject to the Telecommunications (Interception) Act.
The concept of a database is becoming increasingly irrelevant as information is held as data dispersed amongst different storage devices, within and between organisations, and simply found and assembled for a specific transaction. We strongly urge the Committee to abandon the use of this concept which is obsolete and unnecessarily constrains consideration of the way information is actually processed in modern computer networks. There are still many traditional databases, and data warehousing techniques are creating either real or 'virtual' databases of immense size and sophistication. But the same privacy issues also apply where data about an individual is brought together only momentarily. Rules and safeguards should be designed to cope with both manifestations - in general, we think that rules that can deal with 'virtual' databases will apply equally to actual databases, whereas the reverse would not always be true.
We make the following comments on the Committee's 'scope' items.
This is one of the most problematic areas of Internet use. It would appear that there are now several techniques for collecting information about users, potentially without their knowledge. Cookies are one such technique - another that has been publicised recently is the use of single pixel GIFs (web bugs). It is important to deal with this issue in a generic way so that any rules are not outflanked by the next ingenious technical innovation.
Much of the information about Internet transactions and browsing collected automatically is about a user ID (such as an IP number) which may not in itself be personal information (i.e. not linked uniquely to an identifiable individual). As discussed above under "Definition", it is essential that the law makes it clear that privacy principles apply to any information that can potentially become personal information in the hands of an organisation.
The main collection principle involved is clear - National Privacy Principle 1 covers it well. Internet users should always be put in a position where a reasonable person would understand that information about them is being collected, and for what purpose. The practical implementation of this requirement is discussed below after mention of anonymity.
This question also brings into play the proposed National Privacy Principle on anonymity (NPP8). We are concerned that this principle is being misinterpreted in some sectors as imposing unrealistic restrictions. It is important in our view to incorporate into the principle itself some reference to pseudonymity, which is likely to be a common means of implementing the intention of the principle, as a complement to genuine anonymity in as many circumstances as possible.
We believe the best way of implementing these principles in an Internet context is to make it very clear that the default position should be that no information uniquely identifying the user should be collected. Where an Internet site owner wishes to collect such information, they should be required to notify the user, and wherever possible give them the choice of not granting permission.
There will be many Internet applications where it is necessary to identify the user - this will often be required to comply with the security principle. Sites that give access to personal information, or those that invite financial transactions, will typically require users to accept a cookie or similar device to transmit identifying information. This is acceptable provided users know when this is happening. On the other hand, where access is simply to publicly available information (the Internet in "public library" mode), site owners should not be permitted to collect identifying information without express consent.
The default anonymity option should occur at two levels. Firstly, computer and software suppliers should be required to ship their products with cookies or similar devices switched off - users can be invited to turn them on as a default option - as a user-controlled function. Secondly, even where a user has chosen to set cookies 'on' as a default, they should be reminded whenever a cookie or similar device is to be downloaded, and the proposed use of the information to be collected explained to them. (This need only be done once in each session, unless the nature of the cookie or its functionality changes significantly during the session.) If clicking on an advert or other icon on a web site will result in identifying information being transmitted, this too must be explained at the time.
This is effectively what the whole Inquiry is about - as already stated, our view is that the regimes are inadequate, but that a separate regime is not required - what is needed is the binding application of national privacy principles (an improved version of those in the current Commonwealth Bill), together with specific implementation guidelines - probably best achieved in the form of a statutory Code of Practice under the Privacy Act.
We cannot see any e-Privacy specific factor in response to this scope point - consumer databases (or more dispersed collections) can potentially hold the same range of information as manual files. Obviously electronic data makes it easier to record details of transactions, including details of enquiries and 'browsing' behaviour that may not lead to any actual purchase or order.
This is a complex and uncertain area. There are many myths and unfounded fears about on-line security (the risk of interception of credit card details during transmission has been much exaggerated). But at the same time, we see constant examples of poor security, even in major government agencies and big businesses. This is despite the many other reasons, besides privacy, why they should keep data secure - such as commercial confidentiality.
While there is probably no absolute guarantee of security from the most inventive hackers, there is no excuse for organisations not taking advantage of the sophisticated security now available at reasonable cost. All organisations should be subject to the security principle (National Privacy Principle 4) and the Privacy Commissioner should issue guidance on the types of security measures that are appropriate for personal information in an electronic environment, such as firewalls and encryption.
As well as security against unauthorised access (both internal and external), organisations should be required to keep detailed audit trails or logs to facilitate investigation of any security breaches, and to act as a deterrent. Most computer systems have a facility for such logs, and the cost of data storage is now so low that this cannot be an excuse.
This relates to proposed National Privacy Principle 6. In general, providing individuals with a right of access to personal information should be easier and cheaper if the information is held in electronic form. Many businesses appear concerned that finding data about individuals will be unduly onerous. The basic rule should be that it is only necessary to apply the same search parameters as the organisation does for its own operational purposes. Organisations should not be required to 'find' linkages which they would not discover in the course of their own business activities.
It should be possible in many cases to allow individuals access to their own information 'on-line'. Many on-line service providers already provide facilities for customers to check order status and balances on-line, subject to appropriate security measures. It should be possible to extend these facilities to provide access to even more of the personal information held, although there will probably always need to be some manual intervention or screening with sensitive data to determine if access exemptions apply.
Our general views on the failure of the government Bill to meet international privacy standards are set out in the attached HoR submission. In the e-Privacy context, it is even more important to adopt highest common standards, as an increasing proportion of transactions are going to cross national borders. There are many issues of jurisdiction and cross border enforcement to be resolved, but at least adoption of highest common standards will remove an additional complicating factor.
This is a critical issue which does not fall readily under any of the 'scope' items above.
Although it is more a nuisance than a real threat, unsolicited direct marketing is one of the most visible privacy intrusions, and one which a large number of consumers find objectionable.
The fundamental issue (outside the Internet context) is whether organisations should be free to use personal information acquired in the context of a specific transaction to market other goods and services. We have argued in our submission on the Government's Bill that National Privacy Principle 2 needs to be tightened to ensure that consumers are always given an express opportunity to 'opt-out' of direct marketing for anything other than goods or services of the same nature as ones they have bought (and even here, an opt-out is desirable).
In the Internet context, we have argued for a higher standard - of "opt-in". This is because unsolicited e-mail is inherently more intrusive than postal mail - it takes up the user's space and time, and may even incur a cost. We believe strongly that the principle must be established that web sites, and organisations collecting e-mail addresses in other ways, must notify the address holder of the intended use for direct marketing and seek their consent. Only those giving express consent should be added to a marketing list or database.
It is appropriate in the context of direct marketing to mention a range of initiatives that are being developed to automate a match between supplier intentions and consumer preferences - so-called privacy enhancing technologies (PETs) such as the Platform for Privacy Preferences (P3P), and Microsoft's Passport and proposed IE5 cookie cutter. It is intended that these products would work in association with various 'Trust mark' schemes that declare a web site's privacy policy.
While we consider that there may be a role for such products, we are concerned that at this stage of development, they appear too complex to be easily understood and used. There is a danger that they could 'trap' consumers into a default position of accepting certain uses without fully understanding the implications. One of the problems with a 'consumer choice' model in this area is that once data about a consumer has been transferred it will be very difficult if not impossible to retrieve it if the consumer subsequently changes their mind - perhaps as a result of exposure to direct marketing.
We would not at this stage either endorse particular PETs or accept that they offer a viable solution to some e-Privacy issues. We are however interested in their potential.
This is another complex issue with many ramifications outside privacy. The use of digital signatures does however have some very important privacy implications. Privacy advocates have been peripherally involved in the development of the Commonwealth government's policy on Public Key Infrastructure. They have expressed particular concern over two aspects of the Public Key Authentication framework (PKAF). These are the extent to which individuals will be able to have more than one digital 'persona' (otherwise digital signatures could become a surrogate Australia card); and access to certificate revocation lists (which could become in effect a log of all of an individual's electronic transactions). We are very dissatisfied with the hearing that our concerns have been given, and the lack of progress in addressing them. We urge the Committee to recommend an immediate public review of how the government's PKAF and PKI policies are dealing with privacy issues.
Nigel Waters
Convenor, Australian Privacy Charter Council
12A Kelvin Grove, Nelson Bay, NSW 2315
E-mail: nigelwaters@primus.com.au
Created: 3 August 2000
Last Amended: 3 August 2000