
Submission
8 January 2007
ALRC Privacy Review
Below is a copy of EFA's submission to the Australian Law Reform Commission in response to ALRC Issues Paper 31 Review of Privacy.
- Introduction
- Introduction to the Inquiry
- Overview of Privacy Regulation in Australia
- The Privacy Act 1988 (Cth)
- Examination of the Privacy Principles
- Exemptions from the Privacy Act 1988 (Cth)
- Powers of the Office of the Privacy Commissioner
- Interaction, Fragmentation and Inconsistency in Privacy Regulation
- Telecommunications Privacy
- Developing Technology
- Unique Multi-Purpose Identifiers
- Transborder Data Protection
- References
- About EFA
1. Introduction
This submission has been prepared in response to the ALRC Issues Paper 31 Review of Privacy[1], 31 October 2006 [PDF 8.1 Mb].
EFA has previously prepared submissions dealing with a considerable number of matters raised in the ALRC Issues Paper. These submissions, available on our web site, include:
- Submission[2] and supplementary submission[3] to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal & Constitutional References Committee, 24 February 2005 and 30 May 2005.
- Submission to the Review of the Private Sector Provisions of the C'th Privacy Act 1988[4] conducted by the Office of the Federal Privacy Commissioner ("OFPC"), 22 December 2004.
- Submission in response to Discussion Paper: Unauthorised Photographs on the Internet and Ancillary Privacy Issues[5] issued by the Standing Committee of Attorneys-General, 14 October 2005.
- Submission to the Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006[6] conducted by the Senate Legal and Constitutional Legislation Committee, 12 March 2006.
- Submission to the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979[7] conducted by the C'th Attorney-General's Department, 20 May 2005.
We understand from an ALRC representative that the ALRC already has a copy of (a) and (b) and that it is not necessary to repeat information therein in this submission (and we note some extracts were included in the ALRC Issues Paper). Therefore, while this submission refers to relevant sections of those two submissions, the content is not reproduced herein.
2. Introduction to the Inquiry
2.1 Privacy and groups
EFA considers the Privacy Act[8] should continue to apply only to information about individuals/natural persons.
We are of the view that artificial extension of the fundamental human right to privacy to corporations and groups would undermine the core foundation of privacy protection laws and also facilitate claims of secrecy and confidentiality in circumstances contrary to the public interest. We are strongly opposed to extension of 'privacy' rights to commercial entities. We would foresee, for example, the use of any such rights by some religious cults and other cults to prevent exposure in the public arena of their dubious and/or arguably illegal activities. (We note that copyright law is currently used by some entities for the purpose of preventing exposure of information about highly publicly controversial practices and activities.)
With regard to indigenous or other ethnic groups, information in the ALRC paper indicates that Australian courts are already dealing appropriately with legitimate confidentiality claims. If this is not the case, we assume it will be brought to ALRC's attention and that the ALRC would make further information available in its next discussion paper. We are of the view that means of addressing any such issues, other than by changing the core foundation of the Privacy Act, should be sought.
2.2 Protection of a right to personal privacy in Australia
EFA considers there should be a cause of action for breach of privacy and it would be preferable that this be recognised by the legislature/s (particularly given the improbability of wide-spread recognition by the courts in the foreseeable future in the absence of legislative action by the legislature/s).
In our view the lack of such a cause of action has become seriously problematic following the introduction in January 2006 of nation-wide uniform defamation laws under which truth alone is a defence.
As stated in the ALRC's 1979 report Unfair publication: defamation and privacy[9]:
"In those jurisdictions where truth, alone, is a defence the law of defamation imposes no inhibition upon the publication of personal information. Intimate facts, having no relevance to public affairs or to the public activities of the subject, may be published without restriction provided that, if the statements are defamatory, they are accurate."
Health, private behaviour, home life or personal or family relationships
EFA considers it is high time that legislative effect be given to the ALRC's 1979 recommendation that an individual should have a civil right of action against a person who "publishes sensitive private facts concerning an individual", that is, publication of "matter relating or purporting to relate to the health, private behaviour, home life or personal or family relationships of the individual in circumstances in which the publication is likely to cause distress, annoyance or embarrassment to an individual in the position of the first-mentioned individual".
We also agree with the ALRC recommendation that defences be widely framed so as to allow a defendant to raise all matters which may legitimately excuse publication, in particular covering: consent; triviality/accident; legal authority; absolute privilege, limited privilege, protected dissemination; fair, accurate and contemporaneous report (of proceedings open to the public of any Parliament, tribunal or local government authority); reasonable protection (for the personal safety, or the protection of the property, of any person); or that the publication was relevant to a topic of public interest.
EFA also agrees with the view expressed in the ALRC report that a defence of a publication being relevant to "a topic of public interest" requires definition of that phrase to provide a significant level of certainty for publishers and reduce the potential for inappropriate privacy invasion arising from a mistaken belief that "of interest to the public" is synonymous with "in the public interest". EFA also supports the definition proposed in the ALRC's report:
"(3) For the purposes of this Act, a statement or comment shall be regarded as being on a topic of public interest and the publication of private facts shall be regarded as being relevant to a topic of public interest where the matter in the statement or comment or the private facts, as the case may be-
(a) related to the public, commercial or professional activities, including proposed activities, of a person;
(b) related to the suitability or candidature of a person for public, commercial or professional office;
(c) was or were relevant to a decision taken, or then likely to be taken, on a public, commercial or professional question by any person who occupied, or was a candidate for election or appointment to, an office;
(d) related to any property or services offered to the public;
(e) was or were facts the publication of which were necessary or desirable for-
(i) the apprehension of an offender;
(ii) the enforcement of the law;
(iii) the protection of public health or public safety; or
(iv) discussion on a matter relating to public administration or the administration of justice; or
(f) was or were otherwise of legitimate concern to the general public or to any section of the public.
(4) The publication of matter or of private facts merely for the purpose of arousing prurient or morbid curiosity shall not be regarded for the purposes of this Act as being a publication on a topic of public interest."
Appropriation of name, identity or likeness (e.g. image)
EFA is also of the view (as stated in Section 5.2 of our submission to the Standing Committee of Attorneys-General in response to the Discussion Paper: Unauthorised Photographs on the Internet and Ancillary Privacy Issues[10]) that individuals should have rights to control use of their image (when it is an image of the person in particular, not where the person is one of a crowd), and that such rights should not be limited to the context of use on a web site. Such rights should include a requirement for prior consent for some purposes (for example exploitation for commercial purposes), and an enforceable civil right to restrain use of their image (including removal from a website) in some circumstances.
EFA agrees with the recommendation in the ALRC's Unfair publication: defamation and privacy[11] Report that a person whose name, identity, reputation or likeness is appropriated should have "a right of action against the person who appropriated his name, identity or likeness and against each person who, knowing of the appropriation, has used the appropriation for his own benefit or to the detriment of the first-mentioned person". The ALRC also recommended that:
"(1) ... a person shall be regarded as having appropriated the name, identity or likeness of another person if he, with intent to exploit for his own benefit, the name, identity, reputation or likeness of that other person and without the consent of that other person, publishes matter containing the name, identity or likeness of that other person-
(a) in advertising or promoting the sale, leasing or use of property or the supply of services; or
(b) for the purpose of supporting candidature for office.
(2) The publication of mere information or comment about a person shall not be regarded as an appropriation of the name, identity, reputation or likeness of that person."
We note the ALRC's remark that "[t]o eliminate the risk of such a provision unwittingly restricting expression it seems desirable to limit the remedy to cases of exploitation for commercial purposes, including career and public advancement" and generally agree. However, in view of the publication technologies that have emerged since the recommendations were made, it would be appropriate to consider whether exploitation for some other purposes of benefit to the publisher, or to the detriment of the individual, should be covered.
3. Overview of Privacy Regulation in Australia
3.1 National consistency
EFA considers national consistency to be highly desirable but would not support a model that would most likely result in an inadequate level of protection arising from a lowest common denominator approach, nor one that would adversely affect democracy.
In particular, we would not support the model referred to in para. 2.103 of the ALRC Discussion paper, that is, a complementary (non-applied) law scheme such as that adopted in relation to the classification of films, publications and computer games. Such a model enables a single jurisdiction to prevent changes to the legislation, notwithstanding overwhelming support from the public and other jurisdictions' governments for change. It is for this reason that Australia remains the only western democracy that bans the sale and distribution, to adults, of computer games that are classified unsuitable for children. In 2003 a proposed amendment to the National Classification Code in the Commonwealth Classification Act, which would have inserted an R18+ classification for computer games, was prevented by the South Australian Attorney-General's refusal to agree to such an amendment. The Classification Code cannot be changed without unanimous agreement of the Censorship Ministers/Standing Committee of Attorneys General.
A similar model applied to privacy principles would enable a single jurisdiction to prevent changes to the principles that all of the other jurisdictions considered necessary due to issues arising from emerging technologies or for any other reason. Furthermore, given the existing differences in Australian jurisdictions' privacy legislation and that some States have not enacted legislation applicable to State government bodies at all, the probability of agreement by all jurisdictions on a set of initial principles that would provide an adequate level of protection appears to approach zero.
Moreover, democracy is adversely affected by such a model because members of the public, whose fundamental human rights are adversely affected by the government policy of a jurisdiction in which they are not resident, have no ability to effect change because that government's probability of re-election is not affected by residents of other jurisdictions. In addition, it enables governments to decline to appropriately address issues of public concern because it enables them to merely point the finger at another jurisdiction as being the cause of the problem.
4. The Privacy Act 1988 (Cth)
4.1 The structure of the Act
The structure is not logical and overall the Act is, as EFA has said in submissions before, complex, confusing and unwieldy. The foregoing fact is further evident from the many pages the ALRC found it necessary to include in the Discussion Paper for the purpose of explaining the provisions, exemptions, exceptions and operation of the Act. The Act needs to be completely redrafted with an objective of giving people required to comply with it, and people seeking to find out what if any rights they have, a significantly better prospect of being able to understand it.
EFA is also concerned by the apparently growing number of incidents where businesses, government agencies and schools have reportedly refused to provide individuals with information that they have a legitimate interest in knowing on the grounds that it would be in breach of the Privacy Act, although it would not in fact be in breach. This situation brings the law and privacy rights in general into disrepute. While in some cases it may be that the organisation or agency is knowingly misrepresenting the Privacy Act for their own purposes, in others it appears the problem most likely arises from the complexity and/or lack of clarity of the Act.
4.2 The name of the Act
No. Unless the Act is completely redrafted and amended so as to actually protect privacy, EFA considers it should be renamed the "Collection and Disclosure of Personal Information Without Consent Act". Currently the principal purpose, or at least the principal effect, of the Act is to legitimise and authorise collection, use and disclosure of personal information without consent. This is because the Act does not regulate such activities at all in relation to personal information collected for whatever an organisation contends is their primary purpose, not even when the primary purpose is to sell or publish the personal information without the individual's consent.
Currently any legislative title that contains the terms "privacy" or personal data "protection" would be misleading. A title such as the "Personal Information Regulation Act" would be more accurate.
4.3 Some important definitions
No. See Section 5.3 of EFA's submission to the Senate Committee Privacy Act Inquiry[12].
5. Examination of the Privacy Principles
5.1 Issues related to particular principles
EFA's views in relation to problematic aspects of a number of the Privacy Principles are provided in Section 6.3 of EFA's submission to the Senate Committee Privacy Act Inquiry[13].
5.2 Uniform set of principles?
EFA considers the IPPs and NPPs should be harmonised. We would support harmonisation only if the outcome would result in the highest level of privacy protection from each of the two existing regimes.
5.3 Model of principles to be adopted?
EFA considers the principles should aim for a maximum level of protection, or at least a best practice approach. We consider the current minimum level to be inadequate.
6. Exemptions from the Privacy Act 1988 (Cth)
6.1 Private sector
6.1.1 Small business operators
The small business exemption should be deleted. At the very least, all small businesses involved in the telecommunications and Internet services sector must be required to comply with the NPPs. See Section 6.1.1 of EFA's submission to the Senate Committee Privacy Act Inquiry[14].
6.1.2 Registered political parties, and political acts and practices
Absolutely not. See Section 6.1.3 of EFA's submission to the Senate Committee Privacy Act Inquiry[15].
Political acts and practices should not be entirely exempt from the operation of the Privacy Act. The Act should apply except where compliance in relation to a particular circumstance 'would infringe any constitutional doctrine of implied freedom of political communication' (as referred to in the ALRC's issue paper). EFA does not see any reason why politicians and their staff and contractors should be exempt from complying with the vast majority of the provisions of the privacy principles. Compliance in relation to data security, data accuracy, openness, access and correction, etc, would not in our view infringe the relevant constitutional doctrine.
We are also of the view that individuals should have the right not to have their personal information passed, by their local Member or any other politician they contact, onto a political party for inclusion in a database. Such practices have the effect of discouraging some people from participating in the democratic process arising from the knowledge that their personal information will be passed on to third parties and secretly stored potentially forever with no means of finding out whether it is accurate or not, etc.
6.1.3 Employee records exemption
The employee records exemption should not remain. Employers should be required to comply with NPPs. If any exceptions are considered to be necessary for legitimate employer purposes, they should be specified as narrowly as reasonably possible. For example, if it is considered that NPP 2 may prevent provision of a reference to a future employer, notwithstanding the reasonable expectation test in NPP 2, then an exception for the particular purpose should be specified.
Protection for employee records should be in the Privacy Act, not in workplace relations legislation or elsewhere. Further, small business employers should not be exempt.
6.1.4 Media exemption
EFA considers the breadth of the media exemption has become seriously problematic following the introduction in January 2006 of nation-wide uniform defamation laws under which truth alone is a defence.
As discussed in Section 2.2 above, we consider individuals should have a civil right of action for breach of privacy in particular circumstances.
We are very doubtful that amendments in relation to the media exemption in the Privacy Act could adequately and appropriately address this issue, unless major changes were made to NPP 1 and NPP 2. This is because the media's primary purpose in collecting personal information, including sensitive privacy invasive photographs, is to publish same. Hence publication of such information would generally be exempt from regulation by NPP 1 and NPP 2 whether or not there remains a special exemption for the media.
We are very dubious about proposals to require journalists to subscribe to a binding code etc due to the potential, now or in the future, for such a requirement to restrict 'competition' by requiring journalists, including independent journalists who publish on the Internet without charging fees for access, to pay membership fees (in part to cover code adjudication costs) in order to be able to subscribe to a code.
However, due in part to the increasing number of individuals who publish 'news' and 'commentary' on the Internet, who may or may not be 'journalists', and who would not be subject to the Privacy Act in any case because they are individuals not organisations, we consider individuals should have a cause of action for breach of privacy as discussed in Section 2.2.
6.1.5 Personal or non-business use
These matters are addressed in Section 10.2 later herein.
6.1.6 Related bodies corporate
The related bodies corporate exemption should be deleted. The same provisions should apply to related bodies corporate as to any other third party organisation. See Section 6.1.2 of EFA's submission to the Senate Committee Privacy Act Inquiry[16].
6.2 New exemptions?
We note that the ALRC Issues Paper specifically refers to valuers. EFA certainly would not support an exemption for valuers. EFA agrees with the Privacy Commissioner (as referred to in the ALRC Paper) "that individuals may reasonably expect that certain personal information collected by real estate agents in the course of selling a property-including the address of the property and the sale price-would be disclosed for valuation purposes. However, individual vendors or purchasers would not reasonably expect a real estate agent to disclose their names to valuers." Individuals' names should not be permitted to be disclosed to valuers without the prior explicit and informed consent of the individual.
7. Powers of the Office of the Privacy Commissioner
See Section 7 of EFA's submission to the Senate Committee Privacy Act Inquiry[17].
8. Interaction, Fragmentation and Inconsistency in Privacy Regulation
8.1 Problems caused by inconsistency and fragmentation
As stated in EFA's submission to the Senate Committee Privacy Act Inquiry[18]:
The section of the OFPC Issues Paper[19] titled Commonwealth Contractors demonstrates the impracticability of having different sets of Privacy Principles applicable to government agencies and private sector organisations. Clearly the two different regimes need to be harmonised. We would support harmonisation provided that the outcome results in the highest level of privacy protection from each of the two existing regimes. We would not support an exemption for Commonwealth contractors who are small businesses or small business operators.
With regard to private sector contractors (as discussed in the OFPC Issues Paper under Business efficiency and private sector contracting), we consider this situation is another reason why the exemption for small businesses and small business operators should be deleted from the PA. In addition, we consider the PA should be amended to place obligations on organisations that engage contractors to ensure the contractor only uses and/or discloses the personal information given to them for the purposes for which it is given and keep it secure, etc.
8.2 The Privacy Act and other federal legislation
8.2.1 Required or authorised by or under law
Yes. See, for example, the "authorised by or under law" provisions of the Privacy Act and the Telecommunications Act 1997[20] which are discussed in paras 21-24 of Appendix 1 to EFA's submission to the Senate Committee Privacy Act Inquiry[21].
9. Telecommunications Privacy
No, it does not provide adequate and effective protection.
9.1 Telecommunications Act 1997 (Cth)
In relation to the Telecommunications Act 1997 ("TA") see question 10-2 below concerning issues arising from inconsistencies, etc, between the TA and Privacy Act.
In addition, the TA requires amendment to appropriately address issues arising from relatively new technologies. Currently the TA either does not, or it is not legislatively clear whether it does, provide adequate and effective protection for information such as location-based information and sensitive information in ISP web server logs, etc.
9.1.1 Location based information
We note the Blunn Report on the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979[22] states:
"1.1.25. An issue which arose during the review was the use of telecommunications data for surveillance purposes. Mobile telephones provide locational data and the precision of that data can be expected to improve. That data is generated without any specific intervention. The use of that data for security and law enforcement purposes is obvious. The privacy implications are equally obvious. However it is far from clear whether access is subject to any regulation. What does seem clear is that the issue is about access to telecommunications data.
1.1.26. Accordingly I recommend that the access to such data for surveillance purposes be considered in the context of the requirement for comprehensive and over-riding legislation dealing with the general issue of access to telecommunications data."
EFA agrees that "it is far from clear whether access is subject to any regulation" and we are concerned that mobile phone location data may be being disclosed (for purposes other than the provision of emergency services assistance) to agencies without a warrant, and/or to other telecommunications service providers, and/or to other organisations, without the relevant individual's consent.
In the above regard, in April 2006 the Minister for Communications released a report on the Review of the Regulation of Content Delivered Over Convergent Devices[23]. The report includes a section about location based services which discusses the potential for use of same to locate individuals and track them etc without their knowledge or consent. The report suggests that carriage service providers would probably be prevented from such use/disclosure by existing prohibitions in the Telecommunications Act 1997 (unless they had informed consent) but states that Section 291 appears to provide an exemption that would allow use/disclosure in limited circumstances. Section 291 is a section EFA has been raising for several years because it allows disclosure to other service providers (carriage or content) without knowledge or consent for purposes which were unlikely to have been contemplated at the time the exception was enacted. In addition to concern about s291, in our view it is not sufficiently clear whether informed consent under Section 289 would be necessary prior to disclosure to organisations or persons who are not carriage service providers, or whether the "reasonably likely to have been aware or made aware" element of s289 could apply.
The DCITA Report recommends that provisions be legislated to ensure location based services cannot be used to locate or track individuals without their consent, and that, in the case of people under 16 cannot be used without stringent proof that the service is being provided to the minor's parent or legal guardian. EFA considers such legislative amendments should be enacted as a matter of priority.
9.1.2 Web server log information
EFA is highly concerned that neither the Privacy Act nor the Telecommunications Act adequately or effectively protects personal information contained in web server logs and similar logs due in part to an inadequate definition of 'personal information' and/or lack of clarity in the definition which appears to result in misunderstandings as to the meaning. This matter was raised in Section 4.1.3 of our submission to the Senate Committee Privacy Act Inquiry[24]. Subsequently a private sector organisation sent a submission to the Committee stating, among other things, that "IP addresses are not considered to be 'personal information' as they do not identify a person. However, EFA appears to be claiming that an IP address can be said to identify 'some individuals' and that it should be regarded as 'personal information'. It is not clear why EFA has formed this view."
EFA's subsequent supplementary submission to the Committee[25] advised that EFA considers IP addresses should be legislatively regarded as "personal information" because it is a fact that IP addresses can be, and are being, used to identify individuals. EFA's submission includes information about how law enforcement use IP addresses to identify individuals and points out that enforcement agencies would not be using IP addresses to identify individuals if they could not be used for that purpose.
EFA considers legislative amendments are necessary as a matter of priority to prevent the disclosure of information about Internet users' web browsing activities on the grounds of claims that IP addresses are not personal information and that therefore disclosure and use is not regulated. It should be noted that EFA remains of the view that disclosure and use is strictly regulated by the Telecommunications Act and, in the case of live transmissions, the Telecommunications (Interception and Access) Act. However, the fact that some telecommunications service providers are evidently providing access to logs to one or more private sector organisations indicates that such legislation either does not provide adequate regulation or is not adequately understood and enforced.
9.2 Telecommunications (Interception and Access) Act 1979 (Cth)
In relation to the Telecommunications (Interception and Access) Act 1979, EFA considers the 2006 amendments did not provide adequate and effective protection for the use, disclosure and storage of personal information. Issues relevant to the ALRC inquiry (as distinct from issues relating to definitions of lawful access, authorised agencies, etc) include, but are not limited to, the following recommendations of the Senate Committee (which were not implemented during passage of the 2006 Bill and the government indicated that it would give consideration to non-implemented recommendations at a later date):
3.81 The Committee recommends that the Bill be amended to specify time limits within which an agency must both review their holdings of information accessed via a stored communications warrant and destroy information as required under the proposed section 150.
3.107 The Committee recommends that the Bill be amended to ensure that copies of communications can not be accessed without a stored communications warrant.
3.108 The Committee recommends that the definition of 'record' be amended so that it applies in relation to accessing a stored communication.
4.81 The Committee further recommends that the Bill be amended to introduce defined limits on the use and derivative use of material collected by B-party warrant.
4.97 The Committee recommends that:
- there should be strict supervision arrangements introduced to ensure the destruction of non-material content in any form;
For further information, see the Senate Legal and Constitutional Legislation Committee's Report on the Provisions of the Telecommunications (Interception) Amendment Bill 2006[26] and EFA's submission[27] to the Committee.
9.3 Issues raised by the interaction between the Privacy Act and telecommunications Acts
- Telecommunications Act 1997 (Cth);
- Telecommunications (Interception and Access) Act 1979 (Cth);
- Spam Act 2003 (Cth);
- Do Not Call Register Act 2006 (Cth)?
Are there acts and practices regulated by these Acts that would be dealt with better under the Privacy Act?
Telecommunications (Interception and Access) Act 1979 (Cth)
EFA is not aware of any issues raised by the Privacy Act in relation to the Telecommunications (Interception and Access) Act 1979 (Cth). We consider it clear that the latter over-rides the former and prevents disclosure etc of information that might otherwise be permitted to be disclosed by the Privacy Act.
Telecommunications Act 1997 (Cth)
Major issues are, however, raised by the interaction between the Privacy Act and the Telecommunications Act 1997 (Cth). These issues are addressed in detail in Section 4.1.1 and Appendix 1 of EFA's submission to the Senate Committee Privacy Act Inquiry[28]. The Appendix contains a detailed comparison of provisions of Part 13 of the Telecommunications Act 1997 and the NPPs in the Privacy Act 1988.
Spam Act 2003 (Cth)
With regard to interaction and inconsistencies between the Privacy Act and the Spam Act, see Section 6.1.4 of EFA's submission to the Inquiry into the Privacy Act 1988[29].
No. The high level principles in the Privacy Act, which are intended to set minimum general standards, make the Privacy Act an inadequate vehicle for addressing privacy issues relevant to specific industries and/or technologies.
For example, the telecommunications industry, and especially carriage service providers, of necessity have access to vastly more information about individuals than do most private sector organisations, including information about not only their own customers but also about members of the public in general, including the content of their communications. Part 13 of the Telecommunications Act ("TA") deals with many aspects of the telecommunications industry that are specific to that industry and that are not addressed at all, let alone adequately, by the high level NPPs. These include not only obligations to protect privacy but also detailed rules concerning use and disclosure of information for specifically authorised purposes such as to law enforcement agencies and emergency services, etc. In our view, it would be entirely impractical and undesirable to move the provisions of Part 13 of the TA to the Privacy Act.
However, EFA considers that Part 13 of the TA should be amended to address the inadequacies in privacy protection detailed in Appendix 1 of EFA's submission to the Senate Committee Privacy Act Inquiry[30].
The current involvement of the Office of the Privacy Commissioner, the Australian Communications and Media Authority ("ACMA") and the Telecommunications Industry Ombudsman results in confusion for members of the public and also inordinate delays in resolution of complaints. For example, complainants waited 3.5 years for a decision from the Privacy Commissioner (which was finally received on 22 December 2006) concerning telecommunications service providers (see Section 4.3.1(b) of EFA's submission to the Senate Committee Privacy Act Inquiry[31]). The first year's delay occurred because the Commissioner declined to deal with aspects of the complaint covered by the Privacy Act until the aspects of it covered by the Telecommunications Act had been dealt with by the ACMA. The reason for the subsequent 2.5 years' delay is not known; however, it appears from communications to the complainants that the Office of the Privacy Commissioner does not have sufficient (or accurate) technical knowledge about the operations of the telecommunications industry to enable it to deal with complaints in a timely manner.
EFA cannot envisage a solution to the confusion arising from involvement of three regulators unless major changes were made to the Privacy Act and Telecommunications Act because, for example, the Telecommunications Act does not cover collection of information issues while the Privacy Act does.
However, EFA would not support the removal of the telecommunications specific regulators from the processes because we do not believe a general complaints body like the Office of the Privacy Commissioner is likely to be able to acquire and maintain sufficient technical knowledge in relation to the operations of long-existing technology related industries, let alone emerging ones. Further, serious questions are arising, from dealings with the complaint referred to above, as to whether the Office of the Privacy Commissioner has sufficient knowledge and understanding of the intent and detail of legislation other than "their own", that is, other than the Privacy Act.
10. Developing Technology
10.1 New technologies impacting privacy
See Section 4 of EFA's submission to the Senate Committee Privacy Act Inquiry[32].
An additional emerging issue is the collection, use and disclosure of information by location-based services, e.g. information pin-pointing the geographical location of a person with a mobile phone. We note the ALRC states in para 11.124 that the ALRC is interested in hearing whether location information should be included in the definition of 'sensitive information'. While location information should certainly be regarded as 'sensitive information' such an amendment to the Privacy Act would not provide adequate protection due to the operation of exceptions in the Telecommunications Act which were enacted long before location-based information services existed. The Telecommunications Act needs amendment to address issues arising from relatively new telecommunications related technologies. This issue is addressed in more detail in Section 9.1.
10.2 Acts or practices of individuals relating to their personal, family or household affairs
EFA does not consider the Privacy Act (whether or not amended) to be an appropriate vehicle for application to the acts or practices of individuals relating to their personal, family or household affairs. We consider it impractical and undesirable to require individuals in their personal/private capacity to comply with the NPPs.
However, relatively new, and emerging, technologies have significantly increased the potential for individuals in their personal capacity to inappropriately infringe the privacy of other individuals.
We believe the primary issues of concern are publication and/or public distribution and that collection and private use of information is generally of significantly less concern except under some particular circumstances. We consider these issues are best addressed by:
- introduction of a civil right of action for breach of privacy (as discussed in Section 2.2 above); and
- introduction of legislation granting individuals rights to control use of their image (as discussed in Section 2.2 above); and
- legislation prohibiting specified types of conduct in particular circumstances.
With regard to prohibition of conduct, as stated in our submission to the Standing Committee of Attorneys-General in response to the Discussion Paper: Unauthorised Photographs on the Internet and Ancillary Privacy Issues[33]:
- "EFA is of the view that offences intended to provide individuals with protection from intimate filming in circumstances in which a reasonable person would reasonably expect to be afforded privacy should be created to fill the significant gap that currently exists in the laws of most Australian jurisdictions." (For detail see Section 5.1.3 of the above mentioned submission[34]).
We note that Queensland enacted such legislation shortly after the completion of the Standing Committee's inquiry and New South Wales had similar legislation in place previously (although we do not consider the NSW legislation to be sufficient due to the need to establish that the intimate filming had a sexual purpose).
- "EFA submits that legislation regulating use of optical surveillance devices to observe or photograph individuals in private places (e.g. at their homes) is long overdue in those States/Territories that have not enacted same." (Section 5.2.1[35]).
EFA agrees with the ALRC's recommendation in its Privacy Report that it should be made an offence to "use a surveillance device to observe or photograph the activities of a person, being activities carried on in a place that is not a public place and in such circumstances that the second-mentioned person would have assumed on reasonable grounds that the activities would not be observed by the first-mentioned person".
However, to date, few States/Territories have enacted legislation restricting the use of optical surveillance devices without consent in private places.
We also draw attention to concerns raised by the NSW Privacy Commissioner in response to a NSW Law Reform Commission report on surveillance, regarding complaints about surveillance made to the Commissioner's office:
"The most common relationship between the complainant and the respondent was as the respondent's neighbour (54%), as the subject of the respondent's investigation (15%), or as an interested member of the public (15%).I am concerned by the extent to which 'domestic' users of surveillance see themselves as protecting the 'public' interest by conducting surveillance on their neighbours. It is therefore imperative that clear limits be placed upon what 'lawful functions' may be contemplated by 'domestic' users of surveillance, and the extent to which surveillance is reasonably necessary for the pursuit of those functions.
The Act (or regulations) ought prescribe that, for example, overt surveillance in the pursuit of 'protection of the person' or 'protection of property' can only operate on a person's own property, including entrances and exits. Overt surveillance of neighbouring properties (other than incidental capture) should not be permitted by 'domestic' users at all, notwithstanding the 'vigilante' stance adopted by some surveillance users currently."
10.3 Exempt agencies or organisations that use certain types of technology
No organisations should be exempt from the Privacy Act and any exemptions applicable to agencies should be limited to what is necessary to enable the particular agency to fulfil its legislated obligations, e.g. law enforcement agencies (LEAs) may need special exemptions depending on whether or not the Act becomes sufficiently privacy protective in the first place to prevent LEAs from undertaking necessary functions. It is questionable whether it would at present.
All organisations and agencies (including their contractors, e.g. private investigators) - whether or not they have particular exemptions - should be subject to legislation regulating and restricting the use of optical, listening and data surveillance devices and the use of technologies used to collect biometric information.
10.4 Amendments necessary in light of technological developments
(a) should there be any additional limits on the collection of personal information;
See questions 12-2 and 12-3 below concerning the unique identification/serial numbers in 'smart' chips and RFID chips.
Yes to both questions, and especially in the case of technologies used to collect biometric information. EFA notes the statement in the ALRC paper that "Biometric systems are being increasingly used or contemplated by organisations, including in methadone programs, taxi booking services, ATMs and online banking, and access to buildings" (para 11.43). Collection of biometric information for such purposes (and for any purpose) poses grave risks to individuals' privacy and security and we are of the view that individuals should be able to obtain such services without being forced to provide biometric information.
Yes. However, such inclusion would not result in adequate regulation and protection because, among numerous other things, the Privacy Act does not restrict collection, use or disclosure in relation to the primary purpose of collection.
Yes, provisions similar to the Californian law should be implemented.
While the Privacy Act contains high level principles setting minimum standards of general application, it would appear impractical for these to be anything other than technologically neutral. This does not mean, however, that privacy protection legislation should be technologically neutral. Separate legislation addressing privacy issues relevant to specific technologies and/or industries is necessary such as is currently the case in the Telecommunications Act, Spam Act, Do Not Call Register Act, etc.
11. Unique Multi-Purpose Identifiers
EFA considers the scheme would be effective if the government/Parliament had not changed the original law and did not keep changing it.
EFA observes that the ALRC Discussion Paper contains an overview of relevant issues and privacy concerns at paras 12.5 to 12.12. EFA considers those matters to be of serious concern.
In addition, an emerging issue of major concern is unique identification/serial numbers used by 'smart' chips and RFID chips where these numbers are fixed, not randomly generated. This issue has been of major concern around the world in relation to the contactless chips in e-Passports. EFA understands from Answers to Questions on Notice in the Senate[36] that the Australian e-Passport emits a random, not fixed, unique identification number. We consider a requirement to use randomly generated numbers in any devices/chips that will be possessed/carried by individuals should be legislatively mandated.
In EFA's view the Privacy Act is not a suitable vehicle for regulating unique identifiers created and/or used by government agencies (whether or not they are multi-purpose identifiers). However, we consider it would be appropriate for the Act to prohibit the creation, collection, use and disclosure of unique identifiers by government agencies except as specifically authorised by legislation specific to a particular identifier. The Privacy Act should contain a schedule listing such other legislation.
In relation to unique identifiers created by private sector organisations, the definition of 'personal information' in the Privacy Act should be amended to put beyond any doubt that unique identification numbers and other unique identifiers are "personal information" and the definition of "sensitive information" should be amended to include unique identifiers in order to prevent the use and disclosure of same for any purpose other than one that is directly related to the primary purpose of collection/creation. In addition, the NPPs should be amended to cover creation of unique identifiers in much the same way as collection, that is, that unique identifiers not be permitted to be created except when necessary for a particular primary purpose (e.g. credit card numbers), and use and disclosure be restricted to purposes directly related to the primary purpose of creation.
12. Transborder Data Protection
NPP 9 does not provide adequate and appropriate protection for personal information transferred from Australia to a foreign country. EFA agrees with the concerns documented at paras 13.17 to 13.23 and the suggested amendment in para 13.24 of the ALRC Issues Paper.
In relation to NPP 2 and NPP 9, NPP 9 should be amended to ensure that it covers releases of personal information to organisations and government bodies as well as individuals.
Yes. EFA sees no legitimate reason why individuals' personal information should be afforded less protection merely because an organisation chooses to have some divisions of the organisation located outside of Australia.
EFA considers it may be problematic to require or expect the Commissioner's office to maintain lists of relevant countries due to the fact that any country's legislation may be changed at any time. There would therefore be a question as to whether the list was accurate at any given time. EFA considers that businesses needing to obtain legal advice in this regard prior to transferring information overseas, without the consent of the relevant individual, may be appropriately regarded as a cost of doing business.
Yes. Notice should be required to be given to individuals before they provide any personal information to the organisation by way of inclusion in, and provision of, the organisation's NPP 1.3 notice. Such notice should also be required to state the name of the country/s to which the information will be transferred. Organisations that do not so notify individuals and subsequently decide to transfer personal information outside Australia should be prohibited from transferring any personal information that was collected on the basis that it would not be transferred. Organisations that decide to change their practices in this regard should be prohibited from transferring previously collected personal information unless they obtain the explicit consent of the subject individual.
EFA considers the increasing use of overseas-based calling centres and data processing centres poses serious risks to individuals' privacy and hence organisations should be required to make known to prospective customers/clients, etc, whether or not their personal information will be transferred overseas and/or whether or not they will be required to communicate with calling centres located overseas and if so in which country/ies.
13. References
1. ALRC Issues Paper 31 Review of Privacy, 2006.
<http://www.austlii.edu.au/au/other/alrc/publications/issues/31/>
2. EFA Submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal & Constitutional References Committee, 24 February 2005.
<http://www.efa.org.au/Publish/efasubm-slcrc-privact2004.html>
3. EFA supplementary submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal & Constitutional References Committee, 30 May 2005.
<http://www.efa.org.au/Publish/efasubm-slcrc-privact2005-suppl.html>
4. EFA Submission to the Review of the Private Sector Provisions of the C'th Privacy Act 1988 conducted by the Office of the Federal Privacy Commissioner ("OFPC"), 22 December 2004.
<http://www.efa.org.au/Publish/efasubm-ofpc-privreview2004.html>
5. EFA Submission in response to Discussion Paper: Unauthorised Photographs on the Internet and Ancillary Privacy Issues issued by the Standing Committee of Attorneys-General, 14 October 2005.
<http://www.efa.org.au/Publish/efasubm-scag-unauthphotos-2005.html>
6. EFA Submission to the Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006 conducted by the Senate Legal and Constitutional Legislation Committee, 12 March 2006.
<http://www.efa.org.au/Publish/efasubm-slclc-tiabill-2006.html>
7. EFA Submission to the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979 conducted by the C'th Attorney-General's Department, 20 May 2005.
<http://www.efa.org.au/Publish/efasubm-agd-tiactreview2005.html>
8. Privacy Act 1988
<http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/>
9. ALRC Report No. 11 - Unfair publication: defamation and privacy, Australian Law Reform Commission, 1979.
<http://www.austlii.edu.au/au/other/alrc/publications/reports/11/>
10. See Note 5.
11. See Note 9.
12. See Note 2.
13. See Note 2.
14. See Note 2.
15. See Note 2.
16. See Note 2.
17. See Note 2.
18. See Note 2.
19. Issues Paper: Review of the Private Sector Provisions of the C'th Privacy Act 1988, Office of the Federal Privacy Commissioner (OFPC), October 2004.
<http://www.privacy.gov.au/act/review/index.html>
20. Telecommunications Act 1997
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/>
21. See Note 2.
22. Blunn Report on the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979
<http://www.ag.gov.au/agd/WWW/agdHome.nsf/Page/Publications_2005_Report_of_the_Review_of_the_Regulation_of_Access_to_Communications_-_August_2005>
23. Review of the Regulation of Content Delivered Over Convergent Devices, Department of Communications, Information Technology and the Arts, April 2006.
<http://www.dcita.gov.au/broad/policy_reviews/review_of_the_regulation_of_content_delivered_over_convergent_devices>
24. See Note 2.
25. See Note 3.
26. Senate Legal & Constitutional Legislation Committee, Report on the Provisions of the Telecommunications (Interception) Amendment Bill 2006
<http://www.aph.gov.au/senate/committee/legcon_ctte/ti/report/index.htm>
27. See Note 6.
28. See Note 2.
29. See Note 2.
30. See Note 2.
31. See Note 2.
32. See Note 2.
33. See Note 5.
34. See Note 5.
35. See Note 5.
36. Answers to Questions on Notice in the Senate, Passports (Question No. 1420), 9 Feb 2006.
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDS&Criteria=DOC_DATE:2006-02-09%3BSEQ_NUM:167%3B>
14. About EFA
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2005), the ENUM Discussion Group and Privacy & Security Working Group convened by the Australian Communications and Media Authority ("ACMA" formerly ACA) (2003-2006), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.