3 September 2000
Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000
Below is a copy of EFA's submission to the Senate Legal and Constitutional Legislation Committee's inquiry.
- Executive Summary
- Direct Marketing Exception and E-mail Spam
- Other problems with the Privacy Principles
- Exception for Existing Data
- Small Business Exemption
- Media Exemption
- Political Parties
- Inadequate Definition of "Personal Information" for Electronic Environment
- Enforcement Issues
- E-commerce implications
- Lessons from other countries
1. Executive Summary
EFA supports in principle the introduction of a co-regulatory scheme to provide privacy protection for Australians in relation to the activities of the private sector.
EFA is unable to support the Bill in its current form, because the Bill contains too many exemptions and exceptions and fails to come to grips with consumer privacy needs in the 21st century.
The exception to the Privacy Principles in the Bill in relation to direct marketing is contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
The exemption for small business is unjustified and will introduce a confusing and complex regulatory environment that fails to protect consumers from privacy invasive practices. The confusion that will result from this exemption will hamper attempts by E-commerce vendors to attract overseas customers.
The exemptions for media organisations and political parties are far too broad and have not been justified. The definition of media organisation could well include almost every existing website.
The exemption for pre-existing data is unacceptable. A transition period should be provided for existing data uses to comply with the new legislation.
Enforcement provisions in the legislation are inadequate.
The definition of "personal information" in the Act is inadequate in context of the electronic environment.
Instead of empowering individuals to exercise their right to privacy of personal data, the Bill confers on certain business interests the right to invade individual privacy.
The Bill is at best a token attempt to introduce privacy legislation. It is complex, unwieldy, ineffective and an insult to the citizens of Australia. The Bill needs to be re-drafted, preferably as a replacement for, rather than an amendment to, the Privacy Act 1988. By so doing, Australia could establish a reputation for strong privacy protection and therefore take a leading position in global electronic commerce.
"Solitude and privacy have become more essential to the individual; but
modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury....
The common law has always recognized a man's house as his castle, impregnable, often even to its own officers engaged in the execution of its commands. Shall the courts thus close the front entrance to constituted authority, and open wide the back door to idle or prurient curiosity?"
Harvard Law Review 4 193 (1890)
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation formed to protect and promote the civil liberties of users and operators of computer based communications systems. EFA was formed in January 1994 and incorporated under South Australian law in May 1994.
Our major goals are to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech and unfettered access to information and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.
EFA has a particular interest in privacy protection for Internet users and our comments on the proposed legislation will therefore largely focus on matters that may impact in the online area. However, we recognise that privacy issues pervade many other aspects of life, and we will therefore briefly comment on other aspects of the proposals.
EFA generally believes that government regulation should be a measure of last resort, particularly when it comes to regulation of new technologies such as the Internet. We are of the view that existing law can be applied to most problems that arise in the new information economy. We put this view particularly strongly in opposing the government's move to censor the Internet through the Broadcasting Services Act amendment of 1999. The government failed to listen and the result was a bizarre piece of legislation that is all but unenforceable, that has failed to meet its objectives, and that has embarrassed Australia internationally. The Australian government has recently moved to enshrine privacy protection in legislation covering the private sector through the Privacy Amendment (Private Sector) Bill 2000. While EFA supports the stated intent of this Bill, we believe that it falls a long way short of what is needed, primarily because the exceptions and exemptions in the Bill effectively eliminate any real outcomes for genuine privacy protection for Australians. Privacy and security are the major issues affecting consumer confidence in electronic commerce, and if the proposed Bill is allowed to pass without major amendment, Australia may as well give up any hope of being a leading player in the information economy.
When it comes to privacy legislation, EFA is of the view that this is a legislative backwater that has been ignored in Australia for too long. We support a co-regulatory approach to privacy legislation, with approved privacy codes backed up by legal sanctions.
However, we consider that the current Bill fails to meet the standards of international best practice that have been established by other countries that have already legislated in this area, such as New Zealand, Canada, the UK and Hong Kong.
Furthermore, we are of the view that the Australian legislation in its current form will fail to meet the requirements of the European Union Directive on Data Protection and therefore threaten to prevent Australian industry from fully participating in the emerging information economy. Since raising this matter in our submission to the Standing Committee on Legal and Constitutional Affairs inquiry into the Bill, we have become aware that the European Commission advised the LACA Committee that:
"We note that one of the objectives of the legislation, as stated in the Explanatory Memorandum to the Bill, is for a scheme which is 'compatible with the European Union Directive…to remove potential barriers to trade'.
The comments below concern exclusively the Privacy Amendment (Private Sector) Bill to the extent it applies to private sector organisations.We have a range of issues which we would like to raise: some are principally to gain clarification on how the Bill is intended to operate; while others note our concern that, as currently drafted, the Bill may not provide an adequate level of protection for European citizens."
Privacy has been defined as the right to be left alone. Unfortunately this simple principle has been largely overlooked in the current Bill. Australians generally deplore being overwhelmed with junk mail, telemarketing calls, unsolicited E-mail and an arrogant and intrusive media. As citizens we are nervous about giving out information about ourselves lest it be used for purposes that we did not approve.
Privacy concerns are consistently raised as amongst the top reasons why
Internet users are reluctant to make purchases on the Internet. If
Australia is to be a successful E-commerce player, it will have to
convince the rest of the world that privacy is taken seriously and
that effective sanctions are in place against offenders. This Bill is unlikely to convince anyone.
3. Direct Marketing Exception and E-mail Spam
At 2.1(c) of Schedule 3 of the Bill (National Privacy Principles) an extraordinary exception for secondary use is permitted in respect of direct marketing. Although this exception existed in the original version of the NPPs, the version included in the Bill has been widened further. No justification has ever been provided for this quite unacceptable intrusion into individual privacy.
The exception to the Privacy Principles in relation to direct marketing is also contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
Personal information should only be used for marketing purposes with explicit consent, not by default with the blessing of the government. Unsolicited direct marketing, whether in the form of junk mail, telemarketing phone calls, or by E-mail is notoriously unpopular with consumers.
The direct marketing exemption in the Bill requires a consumer to be aware that they are permitting the use of their data (provided for the primary purpose of, eg. purchasing a specific product) to also be used for the secondary purpose of direct marketing unless they remember to specifically request not to receive direct marketing communications at the time of providing the information.
EFA considers this to be an unfair information practice which inadequately protects an individual's fundamental right to privacy. Remembering to opt out of direct marketing is unlikely to be foremost in a purchaser's mind when transacting a purchase and what is "impracticable" for an organisation in terms of seeking an individual's consent (NPP 2.1(i)) is, to say the least, not clear and likely to be a matter of argument.
Although the Bill permits the sending of direct marketing material once only (if the recipient then asks not to be contacted again), the NPPs only apply to "organisations" and the definition of an "organisation" excludes a "small business operator" (SBO), which is defined to be an entity that carries on one or more small businesses. Once one small business carried on by an SBO has collected an individual's E-mail (or any other) address, each and every one of the other small business carried on by that SBO can send direct marketing material to the same individual who will, it appears, have to opt out each time (and the SBO businesses are not required to comply with the NPPs in any case). The SBO does not lose its exemption from the definition of "organisation" in the Bill by disclosing the information to its small businesses nor by those businesses using the information for direct marketing. The exemption is only lost if the personal information is disclosed to "anyone else for a benefit, service or advantage". Disclosure to businesses within the SBO are not disclosures to "anyone else". Therefore, the collection of personal information by one small business can result in an individual receiving "once only" direct marketing material from numerous other businesses as a result of the collection of the information by one small business.
There appears to be no impediment to an SBO business disclosing personal information collected by them and contained in a direct marketing lists to unrelated third parties. While such a business would lose its exemption from "organisation" if it received a "benefit, service or advantage" in return, the damage would already have been done prior to the exemption being lost. This appears to be contrary to Article 14 of the EU Directive which grants the data subject the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf "for the purpose of direct marketing".
The rapid expansion of E-mail as a means of communication has made unsolicited advertising by E-mail particularly obnoxious:
- Not only does the user have to put up with the nuisance value of the material, which in some cases can be quite offensive, but the user actually pays for delivery owing to the costing model for charging of bandwidth. Internet Access Providers pay by data volume, and this cost is passed on to their customers, Internet users. Barriers to entry to use of E-mail for direct marketing are therefore low and a blanket exception as currently in NPP 2.1 is unacceptable.
- While most E-mail spammers appear to provide an opt-out option, eg. reply to an E-mail address to be removed from their list, requests to opt-out are often not honoured. Instead, the remove request serves as confirmation that a person is reading E-mail sent to an address and that address is therefore regarded as more valuable data. A marketing list of known-to-be-read E-mail address has higher value in terms of sale of the list to third parties.
- Most spammers seem to hit only once, or change their "from"
address so that the E-mail appears to have originated from a different
entity. Moreover, if an entity is going to send out a million or so
E-mails, it is not a hardship for them to allow people to opt-out against second and subsequent messages.
- While some Internet users do not receive, or receive few, unsolicited advertising E-mails, this should not be seen to indicate that unsolicited direct marketing by E-mail is rare. The quantity of spam received by any individual is to a large extent dependent on where an individual's E-mail address is available. Individuals who participate in discussions in public newsgroups, mailing lists and chat rooms, or who have a web site that provides their E-mail address for feedback etc, are significantly more likely to receive large amounts of spam E-mail than individuals whose E-mail address is less widely known.
- The Internet Industry of Australia (IIA) Code of Practice and the
Government's Best Practice E-commerce principles oppose spam as widely
defined, i.e. it is only acceptable to send unsolicited commercial E-mail if the intended recipient has opted-in or there is an existing business relationship.
- An exclusion of E-mail from the direct marketing exemption is unlikely to adversely affect reputable businesses. These generally do not send unsolicited advertising by E-mail because they know spam has an extremely negative impact on Internet users and is more likely to decrease than increase their customer base. (Many Internet users will not purchase from businesses who spam, on principle).
EFA submits that the direct marketing exception should be replaced with an "opt-in" provision that permits the use of personal information for direct marketing purposes only by specific prior consent. In addition, direct marketers should be required to provide "opt-out" instructions, each and every time they send direct marketing materials, not only the first time. Sanctions should be applied to breaches of these principles.
4. Other problems with the Principles
EFA holds the view that Privacy Principles should consist of an easily understood and briefly stated set of rules that can be applied generally. Any exceptions should be justified on a case by case basis under approved Privacy Codes. When the National Privacy Principles were first promulgated by the Privacy Commissioner in 1998, the simple statement headings were qualified by large numbers of exceptions. The current Bill has taken this unfortunate situation a step further by adding more qualifications and further weakening the Principles. EFA believes it is wholly inappropriate to build such exceptions into legislation. The Canadian Act (referenced below) provides an excellent example of a more appropriate approach to legislative integration of privacy principles.
The qualifications placed on the application and enforcement of the Principles severely impair the effectiveness of the Principles in providing fair treatment of privacy. Changes to previous drafts and failure to define important terms require the Principles to be reviewed in full by process of community consultation.
Prior to the introduction of this Bill, the Principles were understood to represent a bona fide attempt to establish a series of basic protections for personal data and against undue intrusion. Eroded by exceptions, provisos and definitional deficiencies, the Principles no longer achieve a useful purpose, especially in an environment of self-regulation.
There are fundamental problems with the way this Bill treats the most
sensitive of personal information in the health industry and in the
workplace. Much work is needed to balance the rights of patients and
employees with the sweeping exemptions gifted to the holders of personal data of particular sensitivity.
5. Exception for Existing Data
Division 3 Clause 16C(3) (Approved privacy codes and the National Privacy Principles) provides:
(1) National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information after the commencement of this section.
(2) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section.
(3) National Privacy Principles 2 and 6 apply only in relation to personal information collected after the commencement of this section.
(4) National Privacy Principle 8 applies only to transactions entered into after the commencement of this section.
The exemption from Principles 2 and 6 is unreasonable. Principle 2 (Use and Disclosure) and Principle 6 (Access and Correction) are important privacy principles that
apply irrespective of whether the data is in existence prior to the commencement of the legislation. It is recognised that some organisations may require time to organise their procedures to take privacy rights into account. However, this should be accommodated by allowing a transition period of say, 12 months, rather than a blanket exemption.
6. Small Business Exemption
No justification has been provided for exempting small businesses from compliance with this legislation. (Schedule 1, 6C,6D,6E).
Small businesses comprise some 94% of Australian businesses, according to information provided by the Department of Employment, Workplace Relations and Small Business to the Standing Committee on Legal and Constitutional Affairs' inquiry into the provisions of the Bill.
Privacy rights do not disappear just because a consumer happens to be dealing with a small company. The responsibility upon commercial organisations to recognise the privacy rights of consumers does not magically become apparent when an organisation's revenue base exceeds some arbitrary figure.
All organisations, large and small, need to take consumer privacy obligations seriously. No other countries of significant standing in this field have found it necessary to exempt small business and EFA questions whether business organisations in Australia have even raised this issue as a major concern. It seems most unlikely that small businesses would incur any significant compliance costs if strong privacy legislation were to be introduced.
In conjunction with the related body corporate/small business operator provisions, this exemption could conceivably be used by large organisations with complex corporate structures to evade their responsibilities by transferring data collection activities to a smaller entity. (For further detail see section: Direct Marketing Exception and E-mail Spam above).
The small business exemption also poses a major problem in relation to global trading on the Internet. Both local and overseas customers will have no way of knowing what size organisation they are dealing with, and given that consumer confidence is vital in building good customer relationships, Australian traders are likely to be bypassed in favour of suppliers from countries that have introduced good privacy law. This will affect all Australian E-commerce traders, since customers will assume the worst once they learn of Australia's half-baked approach to privacy.
Moreover, the European Commission stated in their submission to the Standing Committee on Legal and Constitutional Affairs that:
"The exclusion of employee data and small business will mean that these sectors cannot be included in any consideration of 'adequacy' being provided by the Bill [in relation to the EU Data Directive]. In particular, we envisage the exclusion of small businesses would be problematical, since it would be very difficult in practice to identity small business operators before exporting the data to Australia."
The Bill unfairly discriminates against small businesses who care about their customers' privacy, since they are not even offered a means of opting in to coverage by the legislation. Consumers may consider it preferable to deal with businesses that are clearly very large (and who do not operate as "small business operators") because big business, unlike small business, is required to comply with privacy legislation.
EFA therefore strongly recommends that the exemptions for small businesses be dropped.
7. Media Exemption
As a strong supporter of the principles of freedom of speech and freedom of the press, EFA recognises the need for consideration to be given to the effects of privacy legislation on news media. However, the definitions of the terms media and journalism in the draft Bill are far too broad, and the blanket exemption is considered unacceptable.
The definitions in the Bill (Schedule 1,18-19) are:
- journalism means the practice of collecting, preparing for dissemination or disseminating the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
media organisation means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
At Division 1,42:
7B Exempt acts and exempt practices of organisations
(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, by the organisation in the course of journalism.
Under the proposed definition, almost any website on the Internet could be considered to qualify, given that almost all web site providers "disseminat[e] the following material for the purpose of making it available to the public: (a) material having the character of ...information...". The proposed media exemption thus appears to sanction a "media organisation" collecting and publishing personal information whether or not such publication is in the public interest.
EFA believes it is unlikely that the proposed definitions and exemption could be narrowed in a way that would not be likely to adversely affect freedom of the press. However, there is a need to provide protection for individuals whose privacy may be grossly infringed by unethical persons claiming the broad media exemption.
EFA therefore recommends that, in cases of complaint, "media organisations" should be required to demonstrate that publication of personal information was in the public interest. Such a test should represent no threat to ethical media organisations.
8. Political Parties
No justification has been provided in the Explanatory Memorandum for an exemption from the Act for political parties (Schedule 1,42). Given the cynicism and low esteem with which the public currently regards politicians and political parties, this exemption will be regarded as yet another case of favouritism, privilege, and abuse of power. Political parties should be treated no differently from any other organisation in respecting the privacy rights of Australian citizens. To do so is to send a message that the Privacy Act is only a token gesture, to be evaded when it happens to suit particular vested interests with the political clout to get their own way.
The exemption for political parties is likely to be exploited in several ways:
(a) Bogus political parties being formed by commercial marketing interests;
(b) Abuse of personal data gathered by political parties;
(c) Laundering of data obtained by and destined for commercial marketing interests by political parties.
Again, no other country which has introduced adequate privacy law has seen fit to provide such an exemption, yet their political systems manage to comply with the law. EFA therefore strongly objects to the inclusion of this exemption in the Bill.
9. Inadequate Definition of "Personal Information" for Electronic Environment
A broader definition of "personal information" must be embraced in order to adequately protect individual's privacy in the electronic information age. Aggregation of data can occur with minimal identifiers if one identifier is sufficiently unique to be cross-referenced with another.
In the Internet environment there are a wider ranger of identifiers available than off-line, such as an Internet user's machine ID, IP address, user ID, email address, passwords, etc. Identifiers such as these must be clearly incorporated within "personal information" protected by the Privacy Act and the Principles.
Internet technologies enable the collection of information about individual Internet user's behaviour across thousands of web sites. Personal profiles about them, including their habits and interests, are being compiled surreptitiously and in many cases without users being aware that this is even possible, let alone their having provided their name to such web sites.
While many people appear to believe these profiles are only used for purpose such as targeting banner advertisements at particular Internet users and consider this to be of no concern, a far more disturbing aspect is that detailed profiles about consumers can make them more susceptible to discriminatory business practices such as redlining - the practice of placing particular customers at the end of a priority queue, or, of even greater concern, simply not dealing with them at all. As reported in "Weblining" in BusinessWeek Online, 3 April 2000:
"Old-style redlining is unacceptable because it is based on geographic stereotypes, not concrete evidence that specific individuals are poor credit risks. Webliners may claim to have more evidence against the people they snub. But their classifications could also be based on irrelevant profiling data that marketing companies and others collect on the Web. How important to your mortgage status, say, is your taste in paperbacks, political discussion groups, or clothing? Yet all these far-flung threads are getting sewn into online profiles, where they are increasingly intertwined with data on your health, your education loans, and your credit history."
On the Internet, it is not necessary for businesses or any other online service to be able to reasonably ascertain the actual identity of an individual, in order to build a profile about them. All that is necessary is a sufficiently unique identifier. Such profiles may then be sold to other entities who are able to connect a "cyberspace" identifier with a name or other "real-world" identifier.
For further information on regarding online identifiers and associated privacy issues, see Privacy Principles - irrelevant to cyberspace?, Graham Greenleaf, Privacy Law & Policy Reporter (Prospect Publishing), 3 PLPR 114, September 1996.
EFA strongly recommends that the definition of "personal information" in the Act be amended to include wording such as "any information which enables interactions with an individual on a personalised basis".
10. Enforcement Issues
EFA finds the enforcement provisions in the Bill confusing and unclear, like much of the rest of the document. One is invited to question whether Members of Parliament can adequately research and exercise their democratic responsibilities when legislative drafting borders on the incomprehensible. Thanks to the Internet, the law of the nation is no longer the exclusive preserve of lawmakers, lawyers and the courts. It therefore behoves the drafters of new legislation to strive for ease of comprehension by those who are subject to the law.
Given that the Bill purports to encourage self-regulation by industry, presenting a Bill that requires industry to seek legal interpretation and development of compliance strategies adds to the impression that the law is only intended to bind big business.
The Bill should contain enforcement procedures that persuade compliance from both big business and small business, notwithstanding that it is in the direct financial interests of industry to market data to the limits of the law.
What is needed is a clear statement of the responsibilities of the Privacy Commissioner or his/her delegate to approve codes, hear complaints, issue directives, make determinations, undertake privacy audits and take legal action.
Unfortunately the Office of the Commissioner has been inadequately resourced to undertake such functions even if the legislation accorded the necessary powers. Furthermore, recent incumbents in the position have been disinclined to act as independent public interest watchdogs but have instead acted as career public servants accountable to the government of the day rather than the Parliament.
Another weakness in the Act is that there are no requirements for organisations subject to the Act to provide a complaints mechanism. Such a mechanism should also be part of any approved privacy codes.
Without adequate complaints handling procedures, backed up ultimately by strong legal sanctions, the Bill will be a totally ineffective and token piece of legislation.
11. E-commerce implications
Survey after survey has indicated that privacy and security concerns are the main reason for reluctance of Internet users to engage in online transactions.
In February 2000, the Australian law firm Freehill Hollingdale & Page released a report outlining this problem. While 41% of Australian adults have accessed the Internet, only 5% have used it for online shopping. The report found that privacy concerns for Internet users involve:
- concerns about the security of sensitive personal information
- uncertainty about how personally identifiable information will be used or disclosed by the recipient organisation
- the desire to avoid unsolicited advertising material and other intrusions into an individual's personal cyberspace
Although there were some encouraging findings about adoption of privacy practices by website operators, only 12% of respondents' websites carried privacy statements.
Other surveys (see References section) that have researched similar issues have included:
- IBM Multi-National Consumer Privacy Study, November 1999, which reported "a study from more than 3,000 who responded in the United States, the United Kingdom and Germany shows a universal consumer interest in online privacy protection." 78% of users refused to provide personal data online.
- A Roy Morgan survey, published in August 1999, found that "the majority of Australians (56 percent) are worried about invasion of privacy issues created by new information technologies."
- Internet.com's E-Commerce Guide, August 16, 1999 reported:
"The No. 1 reason among online users who have yet to make an e-commerce purchase: lack of trust. In a new survey, a staggering 69.4 percent of reluctant e-shoppers cited fear that personal information would not be kept private by e-tailers as the major reason they shy away from purchasing via the Internet."
- in 1998, Australian Business Advisers Privacy Survey Which Australian web sites care about your privacy? reported:
"Amazingly, only 6% of the 129 web sites surveyed by Australian Business Advisers promised not to disclose your personal information. Eighty eight percent of sites did not mention anything about what they would do with any information collected from users. And disturbingly, 5% of web sites stated that any and all information collected was deemed to be non-confidential and can be used in any way they chose, including disclosure to others 'without limitation'."
- A survey carried out by Boston Consulting Group (BCG) in 1998 confirmed that privacy and security fears do inhibit the take-up of electronic commerce on the Internet. The survey concluded that as much as 6 billion US dollars would be lost between now and the Year 2000 in potential electronic commerce revenue if privacy concerns were not addressed.
In view of these concerns, it is quite astounding that Australia proposes to introduce such weak Privacy legislation, especially as it encourages secondary use of personal data for direct marketing, despite massive user concern about such practices.
If Australia wants to be a serious player in the global information economy, it will have to adopt international best practice. The current Bill is far below the standard required and indeed adopted by other countries. Even the proposed "safe harbor" concept being put forward by the USA provides stronger protection than the Australian Bill.
12. Lessons from other countries
EFA strongly urges the Committee to compare the provisions of the Australian Bill with privacy legislation enacted in other jurisdictions, especially New Zealand, Hong Kong, the U.K. and Canada.
For example, the Canadian Personal Information Protection and Electronic Documents Act (Bill C-6), received Royal Assent on April 13, 2000 and comes into force on January 1, 2001. The Act contains no exemptions for small business, political parties or direct marketing, although there is an exemption that applies to an organisation that collects data for "a journalistic, artistic or literary purpose".
The Canadian Bill applies to any commercial activity within the legislative authority of the Canadian Parliament, covering any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership of other fundraising lists.
On January 1, 2004, the law will extend to every organization that collects, uses or discloses personal information in the course of a commercial activity within a province, whether or not the organization is a federally-regulated business or not. However, the federal government may exempt organizations and/or activities in provinces that have adopted privacy legislation that is similar to the federal law.
In February 2000, Senator Alston released the Australia-Canada Joint Statement on Global E-Commerce, saying "The statement records a joint commitment to improving the international protections for intellectual property, personal privacy and consumer rights."
The joint statement included the following:
Australia and Canada will work together and through international organizations to develop a global environment which facilitates the growth of global electronic commerce by:
1. Building trust for users and consumers - ensuring that frameworks and safeguards provide confidence in the digital marketplace by addressing such issues as privacy, security, and consumer protection.
Key priorities for joint work over the next year include:
d. Privacy - Ensuring effective protection with regard to the processing of personal data on global information networks begins with domestic regimes for the protection of privacy and personal information. Canada and Australia have committed domestically to a 'light' legislative regime, based on standards developed from the OECD Privacy Guidelines, in an effort to augment self-regulatory efforts, such as voluntary codes, with independent oversight and legal redress for consumers.
Canada and Australia agree to conclude agreements on the harmonization of their respective legislative frameworks as those frameworks proceed.
It is difficult to understand how Australia and Canada can hope to harmonize their laws in this area when Canada has strong privacy legislation with no real exemptions while Australia is planning to introduce a weak set of privacy principles and to allow massive exemptions for direct marketing, small business, and other interests.
It is also questionable whether Canada will allow commercial data transfers to Australia once the weaknesses in the Australian legislation are made known internationally.
While EFA supports in principle the introduction of a co-regulatory scheme, the proposed Bill is a totally inadequate response to the protection of privacy that is out of step with world's best practice.
The major deficiencies are:
- the Bill contains too many exemptions and exceptions and totally fails to come to grips with consumer privacy needs in the 21st century.
- The exception to the Privacy Principles in relation to direct marketing is contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
- The exemption for small business is unjustified
- The Bill will cause Australia to have a poor international reputation in privacy protection that will hamper attempts by E-commerce vendors to attract overseas customers.
- The exemptions for the media are too broad and could include almost every existing website. A public interest test should be applied in response to privacy complaints.
- The exemption for political parties is unjustified will lead to unintended consequences.
- The broad exemption for pre-existing data is unacceptable. A transition period should be provided for existing data uses to comply with the all Principles
- The definition of "personal information" in the Act is inadequate in context of the electronic environment.
- Enforcement provisions in the legislation are inadequate.
- Instead of empowering individuals to exercise their right to privacy of personal data, the Bill confers on certain business interests the right to invade individual privacy.
In summary the Bill is at best a token attempt to introduce privacy legislation. It is complex, unwieldy, ineffective and an insult to the citizens of Australia. The Bill needs to be re-drafted, preferably as a replacement for, rather than an amendment to, the Privacy Act 1988.
EFA strongly recommends that the Bill should be re-written as a Bill for an Act replace the Privacy Act 1988, rather than attempting to amend the existing Act.
The following changes to the existing provisions should be incorporated:
- The Privacy Principles should be re-drafted to a simple statement of the principles, without the current raft of qualifying statements and exceptions.
- Any exceptions to the principles should be codified in industry privacy codes that are subject to public review and approval by the Privacy Commissioner.
- The Privacy Commissioner's office should be properly resourced and should report to the Parliament as a truly independent public interest watchdog.
- There should be no exemptions from the Act for special interest groups such as direct marketing, small business and political parties.
- Secondary use of personal data should only be permitted with the express consent of the individual concerned.
- Media organisations should be required demonstrate public interest where the Privacy Principles are infringed.
- Any exception for existing data should be subject to a transition period, and should not except Principle 2 (Use and Disclosure) and Principle 6 (Access and Correction).
- The definition of "personal information" in the Act should be amended to include wording such as "any information which enables interactions with an individual on a personalised basis".
- Enforcement provisions in the Act should be strengthened so as to place a clear responsibility on the Privacy Commissioner to resolve complaints, and to provide for comprehensive legal remedy for infringements of the Act or approved privacy codes.
- A study should be made of international responses to privacy in terms of legislation already enacted in Canada, New Zealand, Hong Kong and the U.K.
- The implications of the EU Directive on Data Protection in respect of Australian industry should be examined in more depth.
- More notice should be taken of the need for strong privacy protection to boost Australia's participation in global e-Commerce.
OECD Privacy Guidelines 1980
Beyond the OECD Guidelines: Privacy Protection for the 21st Century - Roger Clarke, 2000
The European Union Directive 95/46/EC On the protection of individuals with regard to the processing of personal data and on the free movement of such data.
European Commission Submission to the House of Representatives Committee on Legal and Constitutional Affairs, June 2000
National Principles for the Fair Handling of Personal Information - revised edition, January 1999
Australian Privacy Commissioner
Canada-Australia Joint Statement on Global Electronic Commerce Feb 2000.
Canadian Personal Information Protection and Electronic Documents Act, Bill C-6
http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/ C-6/ C-6_4/C-6TOCE.html
Canadian Privacy Commissioner's page about the Personal Information Protection and Electronic Documents Act
A Guide to Bill C-6 - An outline of Canada's Personal Information Protection and Electronic Documents Act as of April 15, 1999 (does not include all amendments) by privacy consultant Murray Long.
The New Zealand Privacy Act 1993
UK Data Protection Act 1998
International Safe Harbor Privacy Principles
Privacy Principles - irrelevant to cyberspace?, Graham Greenleaf, Privacy Law & Policy Reporter (Prospect Publishing), 3 PLPR 114, September 1996.
Weblining, Marcia Stepanek, BusinessWeek Online, 3 April 2000
Internet Privacy Survey Report 2000 - Freehill Hollingdale & Page
E-Businesses Exhibiting Privacy Leadership Get the Sale IBM Multi-National Consumer Privacy Study, November 1999
Big Brother Bothers Most Australians - Roy Morgan Research
(Finding No. 3221. Published exclusively in the Bulletin, cover date August 30, 1999)
Consumers to E-Tailers: Don't Kiss and Tell - from internet.com's E-Commerce Guide, August 16, 1999.
Which Australian web sites care about your privacy? Australian Business Advisers Privacy Survey 1998
Electronic Commerce: Legal and Consumer Issues - Chris Connolly - reports on a survey carried out by Boston Consulting Group (BCG) in 1998