Australian Privacy Foundation
Submissions to the Internet Industry Association (IIA)

Dated 9 October 2001

This document is at http://www.privacy.org.au/Papers/SubmnIIA0110.html


Submission re the IIA's draft Privacy Code

The Australian Privacy Charter Council welcomes the opportunity to comment on the IIA's draft Privacy Code. As you know, we have closely followed the development of this Code, through earlier versions, and we compliment the IIA on its thorough and professional approach to the important issue of privacy in the on-line environment.

Information about the Charter Council and its role can be found at http://www.apcc.org.au

Our general view is that the draft Code represents not only a positive initiative to ensure compliance by members with the new law, but also a significant improvement on the default law, which as you know we consider to be flawed and weak in some key respects. The additional clauses relating to children's information, to direct marketing and to `EU compliance' (the latter in the EU Extended Code version), and the application of the Code to small businesses, are all highly desirable `extras', and we hope that these survive into the final adopted version(s) of the Code. We do however have specific comments on the first three of these `extra' provisions, as well as some concerns about the complaints and enforcement aspects, and about Code review. These are explained as follows:


Children's privacy

The voluntary `promotion' of information about children under 13 to the category of `sensitive' information is welcome, together with the requirement for specific consent (in this case from a parent or guardian) to use and disclosure of personal information as well as to collection (clause 6.7). This repairs a significant flaw in the default NPPs.

We note that the Attorney-General's Department has convened a consultative group on children's privacy and assume that the IIA would revise this part of its Code to be consistent with any final outcome of that process, provided it is no less protective.


Direct Marketing

There remains significant confusion about how the default NPPs operate in relation to direct marketing - and the Commissioner's final NPP Guidelines do not clear up all of the uncertainty. We believe the IIA's commentary on this issue in the Code launch site is incorrect in two respects:

It asserts that `in the case of `secondary purpose direct marketing' the law requires users to opt-out unless it is not practicable to do so'. This should read `... requires organizations to offer an opt-out unless ...'. We assume that this is an unintended mistake.

More importantly, it asserts that `primary purpose direct marketing will require informed consent under the law, in any case'. We disagree - it is only true that if direct marketing is a primary purpose, individuals will need to have been informed of this. But because it may be part of a transaction with other primary purposes, with direct marketing effectively a condition of the transaction, it cannot be assumed that individuals will have willingly consented. The withdrawal of the Privacy Commissioner's previous `tough' advice on the nature of consent makes our interpretation more certain.

There is also the possibility of direct marketing being carried out without express consent both under the `secondary related purpose within reasonable expectations' exception (clause 6.8(a)) (we read this, like its counterpart in NPP 2.1(a), clearly as an alternative to 6.8(c) (2.1(c))); and, under the Commissioner's weaker guidelines, the consent exception (2.1(b)).

The IIA's intention of requiring Code subscribers to offer an opt-out in all situations subject to 6.8(c) is commendable. However, the method adopted - insertion of clause 6.9 - seems to us an unhelpfully oblique way of achieving this objective. Surely it would be much simpler, and easier for both organizations and individuals to understand, simply to delete 6.8(c)(i) (which incidentally seems to be worded incorrectly in the draft Code - we assume it should read `unless, subject to clause 6.9, it is impracticable ...')? That is, unless the intention is to leave in the `default' version of 6.8(c)(i) to apply to members' `off-line' activities? Is this the case?


Application of Code to information about all individuals, whatever their residency status in Australia.

This extension is a welcome attempt to repair a weakness in the legislation which has been identified by the European Union as a barrier to an assessment of `adequacy' under its Data Protection Directive. Clause 9.1 clearly requires Code Subscribers to deal with complaints from any individual `irrespective of nationality or place of residence'. (We are not clear why it has been necessary to include the definition of `user' as `a user of the Internet who is resident in Australia'; as the term user does not appear to be employed in the draft Code.)

However, we fear that the intention behind this part of Clause 9.1 may be defeated by the Privacy Commissioner's inability to handle complaints about access and correction from individuals other than citizens and permanent residents. This is because this restriction on the Commissioner's jurisdiction is to be found in Part V of the Act (specifically s.41(4)), which the Code does not seek to replace (and which we suggest no Code would be able to amend). We question whether it is possible for a Code to extend the Commissioner's jurisdiction in this respect. The flaw is one that only amendments to Part V can repair.


Other jurisdictional issues

We believe there may be other jurisdictional issues arising from the proposal to leave the Privacy Commissioner as the default complaint handler, given the various `extensions' of the scope and content of the default scheme.

These `extensions' fall into different categories. The parliament has provided expressly for `voluntary' application of the Privacy Act to small businesses, and the equivalent extension in application of the draft Code is consistent both with the legislative framework and with the government's policy intent. The modifications on direct marketing and children's information also seem generally consistent both with the policy and with the legislated purpose of Codes.

However, the proposed extension to employee records seems much more at variance with government policy and with the clear exemption of these records from the Act. Apart from small businesses, the Act does not give any indication of allowing or expecting application to the other categories of exempt records, organizations or practices. It is arguable that it is beyond the intended scope of Codes to seek to reverse the legislated exemptions (other than small businesses). The Commissioner may not feel able to approve a Code which so clearly departed from government policy and, even if he did, his decision could be subject to judicial review.

We assume that the IIA has discussed its intentions with the Privacy Commissioner's Office, and it may be that some of our jurisdictional concerns are unfounded. If so, we would welcome an explanation.


Code Review

We are concerned that Clause 8.1, concerning the establishment and constitution of the proposed Code Review Panel, does not sufficiently guarantee its independence, as it does not establish criteria for membership. We believe that the Panel should be required to be constituted with equal numbers of `industry' and `consumer' members, plus the independent chair, with some mechanism for nomination and appointment acceptable to both `interest groups' being specified in the Code. Our reading of the Privacy Commissioner's Code Development Guidelines suggests to us that he is likely to share our view of this clause in assessing any application for approval of the Code.

Clause 8.5 should perhaps mention the necessity to seek Privacy Commissioner approval for any amendment to the Code, assuming it is intended to seek approval and registration under the Privacy Act.

Please let me know if you would like any further information about the Charter Council's views.


Created: 7 February 2003

Last Amended: 7 February 2003