As Privacy Awareness Week kicks off this week, the Federal Government’s reforms to the Privacy Act, which began in 2006, seem to have fallen off the radar.
Roger Clarke, principal at Xamax Consultancy, attributes the slow government response to “complete apathy” and says the reason the inquiry began in 2006 was to “quieten down the backbenchers” around problems which had been identified in parliament surrounding privacy issues.
“They progressed extraordinarily slowly and they still haven’t really reached any point of resolution, and one has been brought forward from the second tranche, opportunistically and quite recently, but that one also seems to have stalled in the last few months as well,” Clarke says.
The story to date
Enacted in 1988, Clarke says the current Privacy Act reflects ideas about technology from the 1970s.
“Some of the language back in the 1970s made sense at the time with mainframes and almost no network. The only networks were specialist closed networks – private networks. Some of the terminology made sense back then, but it doesn’t anymore, so we’re hopelessly out of date with the Act,” he says.
In August 2008, the Australian Law Reform Commission (ALRC) released 295 recommendations for changes to the Privacy Act, with a government response detailing it would respond to the recommendations over two tranches.
In October 2009, the government released the Australian Government First Stage Response to the ALRC’s report, <i>For Your Information: Australian Privacy Law and Practice</i> , responding to 197 of the recommendations.
This first set of responses included integrating the public and private sector privacy principles together, creating a credit reporting framework, giving individuals rights to control their health records and strengthening the privacy commissioner’s powers.
Draft legislation was expected to be implemented for these first set of changes in early 2010. However, the first tranche of responses are still waiting to come into effect.
The following 98 recommendations will be addressed in the second stage of the government’s response, including the removal of exemptions, compulsory data breach notification and remedy for serious breaches of privacy.
Privacy commissioner Timothy Pilgrim said a bill to amend the Privacy Act is expected to come by mid-2012.
However, Clarke says the reforms have been shuffled around several ministerial hands and now lie with Nicola Roxon, “who as Attorney General would appear to have bigger fish to fry”.
Any reforms to the Privacy Act will be what the government has called ‘technology neutral’ to protect privacy across any medium.
“So basically what that means is that they are going to be able to apply in the digital world, the online world, as much as they would to traditional, old style paper-based transactions,” Pilgrim says.
However, legislators around the world are highlighting a need for technology specific language, according to Anthony Wong, principal of law firm AGW Consulting. For example, the members of the European Union had until 25 May, 2011 to implement a European directive which requires organisations to seek consent for using cookies and similar technologies. The grace period for UK organisations to implement the cookies regulation expire in May this year.
“Fortunately for us, we don’t have this problem at this stage in Australia, but that is certainly one aspect of a very particular technology-oriented directive which could have indirect impacts on people’s usage and experience of the internet,” Wong says.
The privacy commissioner
Clarke is highly critical of the role the privacy commissioner has played to date in enforcing breaches of the Privacy Act.
“The Australian privacy commissioner simply does not do his job, does not take advantage of [the] limited powers he’s got. There’s highly inadequate powers in his hands [anyway], so he’s certainly hamstrung, but he can do a lot more than what he does,” Clarke says.
However, the privacy commissioner is expected to be granted with additional powers, including the ability to develop codes for specific industries. Pilgrim says this power would be similar to the code-making power of the Australian Communication and Media Authority Act (ACMA).
“Say new technology comes into use which impacts on how organisations can collect personal information ... What that will allow me to do is say, ‘This is a specific area with a particular use of personal information which I think warrants a slightly different type of protection or additional protections’,” he says.
An industry could be asked to develop and implement its own codes around a particular technology and organisations will be required to comply with it. If an industry chooses not to develop its own code or an industry association is not in a position to create it, then the privacy commissioner could develop a code.
“I think we’re going to see even more rapid growth in technology and the way technology’s going to be able to use information, and we’re seeing that already in the development of huge, vast arrays of applications ... that we see used, particularly on mobile devices,” Pilgrim says.
“I’m sure there’s probably going to be a point at which we will see some new technology [come] into play that we think a code will be useful [for].”
The privacy commissioner will also be given the power to make determinations in cases where conciliation between a complainant and company cannot be achieved. This will allow the privacy commissioner to make a finding for financial compensation.
“So, for example, the case at the end of last year that I did, the remedy was that I required the organisation to first of all apologise to the individual. Secondly, in that case, I had them review their training and to show me how they had restructured the training processes for their staff. And thirdly, I awarded the payment of [$7500] compensation,” Pilgrim says.
However, Wong says privacy breach cases reaching federal court has so far been rare and compensation has rarely been more than $10,000.
Pilgrim says he will also be able to conduct an own motion investigation against companies when no formal complaint has been made (previously he could not force organisations to make changes, even if they were found to be in breach of the Act).
If a company is found to be in breach of the Privacy Act, the commissioner will be able to order a company to make changes. If it fails to do so, the commissioner will then be able to take the company to court and have the undertakings enforced and seek civil penalties for serious and/or repeated breaches.
The privacy commissioner will have also organisations’ security systems and protocols for technology on his radar.
“What has concerned me in the past is that privacy and the protection of personal information is often seen as an add-on at the end, rather than something that’s considered upfront when organisations are building large-scale systems to handle the personal information they get in place,” he says.
“We have seen a number of cases where there have been some fairly basic flaws in security that, for example, have allowed people to go online ... [where they might have] an account with a particular organisation online, they go into [its] URL and by simply putting in an extra digit at the end, they’ve found they’ve been able to find other people’s information other than their own.”