Privacy Act reforms — the implications for the digital environment

The Privacy Act reforms to create greater protection for online users

As Privacy Awareness Week kicks off this week, the Federal Government’s reforms to the Privacy Act, which began in 2006, seem to have fallen off the radar.

Roger Clarke, principal at Xamax Consultancy, attributes the slow government response to “complete apathy” and says the reason the inquiry began in 2006 was to “quieten down the backbenchers” around problems which had been identified in parliament surrounding privacy issues.

“They progressed extraordinarily slowly and they still haven’t really reached any point of resolution, and one has been brought forward from the second tranche, opportunistically and quite recently, but that one also seems to have stalled in the last few months as well,” Clarke says.

The story to date

Enacted in 1988, Clarke says the current Privacy Act reflects ideas about technology from the 1970s.

“Some of the language back in the 1970s made sense at the time with mainframes and almost no network. The only networks were specialist closed networks – private networks. Some of the terminology made sense back then, but it doesn’t anymore, so we’re hopelessly out of date with the Act,” he says.

In August 2008, the Australian Law Reform Commission (ALRC) released 295 recommendations for changes to the Privacy Act, with a government response detailing it would respond to the recommendations over two tranches.

In October 2009, the government released the Australian Government First Stage Response to the ALRC’s report, <i>For Your Information: Australian Privacy Law and Practice</i> , responding to 197 of the recommendations.

This first set of responses included integrating the public and private sector privacy principles together, creating a credit reporting framework, giving individuals rights to control their health records and strengthening the privacy commissioner’s powers.

Draft legislation was expected to be implemented for these first set of changes in early 2010. However, the first tranche of responses are still waiting to come into effect.

The following 98 recommendations will be addressed in the second stage of the government’s response, including the removal of exemptions, compulsory data breach notification and remedy for serious breaches of privacy.

Privacy commissioner Timothy Pilgrim said a bill to amend the Privacy Act is expected to come by mid-2012.

However, Clarke says the reforms have been shuffled around several ministerial hands and now lie with Nicola Roxon, “who as Attorney General would appear to have bigger fish to fry”.

Technology neutral

Any reforms to the Privacy Act will be what the government has called ‘technology neutral’ to protect privacy across any medium.

“So basically what that means is that they are going to be able to apply in the digital world, the online world, as much as they would to traditional, old style paper-based transactions,” Pilgrim says.

However, legislators around the world are highlighting a need for technology specific language, according to Anthony Wong, principal of law firm AGW Consulting. For example, the members of the European Union had until 25 May, 2011 to implement a European directive which requires organisations to seek consent for using cookies and similar technologies. The grace period for UK organisations to implement the cookies regulation expire in May this year.

“Fortunately for us, we don’t have this problem at this stage in Australia, but that is certainly one aspect of a very particular technology-oriented directive which could have indirect impacts on people’s usage and experience of the internet,” Wong says.

The privacy commissioner

Clarke is highly critical of the role the privacy commissioner has played to date in enforcing breaches of the Privacy Act.

“The Australian privacy commissioner simply does not do his job, does not take advantage of [the] limited powers he’s got. There’s highly inadequate powers in his hands [anyway], so he’s certainly hamstrung, but he can do a lot more than what he does,” Clarke says.

However, the privacy commissioner is expected to be granted with additional powers, including the ability to develop codes for specific industries. Pilgrim says this power would be similar to the code-making power of the Australian Communication and Media Authority Act (ACMA).

“Say new technology comes into use which impacts on how organisations can collect personal information ... What that will allow me to do is say, ‘This is a specific area with a particular use of personal information which I think warrants a slightly different type of protection or additional protections’,” he says.

An industry could be asked to develop and implement its own codes around a particular technology and organisations will be required to comply with it. If an industry chooses not to develop its own code or an industry association is not in a position to create it, then the privacy commissioner could develop a code.

“I think we’re going to see even more rapid growth in technology and the way technology’s going to be able to use information, and we’re seeing that already in the development of huge, vast arrays of applications ... that we see used, particularly on mobile devices,” Pilgrim says.

“I’m sure there’s probably going to be a point at which we will see some new technology [come] into play that we think a code will be useful [for].”

The privacy commissioner will also be given the power to make determinations in cases where conciliation between a complainant and company cannot be achieved. This will allow the privacy commissioner to make a finding for financial compensation.

“So, for example, the case at the end of last year that I did, the remedy was that I required the organisation to first of all apologise to the individual. Secondly, in that case, I had them review their training and to show me how they had restructured the training processes for their staff. And thirdly, I awarded the payment of [$7500] compensation,” Pilgrim says.

However, Wong says privacy breach cases reaching federal court has so far been rare and compensation has rarely been more than $10,000.

Pilgrim says he will also be able to conduct an own motion investigation against companies when no formal complaint has been made (previously he could not force organisations to make changes, even if they were found to be in breach of the Act).

If a company is found to be in breach of the Privacy Act, the commissioner will be able to order a company to make changes. If it fails to do so, the commissioner will then be able to take the company to court and have the undertakings enforced and seek civil penalties for serious and/or repeated breaches.

The privacy commissioner will have also organisations’ security systems and protocols for technology on his radar.

“What has concerned me in the past is that privacy and the protection of personal information is often seen as an add-on at the end, rather than something that’s considered upfront when organisations are building large-scale systems to handle the personal information they get in place,” he says.

“We have seen a number of cases where there have been some fairly basic flaws in security that, for example, have allowed people to go online ... [where they might have] an account with a particular organisation online, they go into [its] URL and by simply putting in an extra digit at the end, they’ve found they’ve been able to find other people’s information other than their own.”

Page Break

Data breaches

One of the key aspects to come out of the second government response will be the issue of data breach notification, which compels organisations to inform their customers if their personal data has been compromised.

In a speech to the iappANZ in November last year, Pilgrim said his department had been alerted to 56 data breaches in the last financial year, a jump from 44 the previous year. The current Privacy Act does not require government agencies and organisations to report personal information security breaches to the Office of the Australian Information Commissioner (OAIC) or to affected individuals.

However, the OAIC says the Act requires agencies and organisations to take reasonable steps to protect the personal information that they hold, which may include notifying affected individuals and the OAIC.

“It’s important that those individuals know quickly so they can take steps to minimise the potential for identity theft or identity fraud,” Pilgrim says.

However, Clarke says the idea of data breach notification is a decade out of date and has only been brought in because the US pursued this path.

“Did this solve any problems? Of course not. All it did was to make clear that there was a problem – that’s all data breach notification is for. The idea that it’s really, really vital that you and I to get told if our credit data is being leaked from a particular data base, is all very nice, but that’s not a huge, systemic piece of progress,” Clarke says.

“What we need is obligations on these organisations to have proper protections in place and sanctions against them if they don’t.

“So the idea that we might come along 10 years later and create a data breach notification law is absolute nonsense. It’s a complete waste of space. We know that organisations leak like sieves. We don’t need a law to find that organisations leak like sieves.”

Wong believes data breaches should also have civil remedies “because currently as we stand, a person whose data has been breached can complain to the privacy commissioner ... [but] only a limited amount of damages of compensation were granted,” he says.

In the US, for example, some courts have awarded damages to the tune of millions of dollars, according to Wong.

“So definitely the US is leading in this area of data notification. We certainly haven’t seen this happen [here] because we don’t have those laws here,” Wong says.

Wong says potential data breaches could include a website like Facebook releasing an individual’s photo to the public without their permission. If their reputation was severely impacted upon and it harmed their professional life, Wong says the person should be able to seek compensation.

Websites like Google may also be in breach of privacy laws under Privacy Act reforms. The French Data Protection Authority (CNIL) has launched an investigation on behalf of all European data protection authorities on the new Google policy for aggregating information across its services, such as Gmail, Picassa, GoogleMaps and YouTube. CNIL preliminary analysis suggests that Google's new policy does not meet the requirements of the European Directive on Data Protection (95 /46/CE).

The Australian privacy commissioner also recently wrote to Google on behalf of the Technology Working Group of the Asia Pacific Privacy Authorities expressing concern that combining personal information from across different services has the potential to significantly impact on the privacy of individuals, according to Wong.

“So we have to look closely in terms of [the] individual privacy statements of the different services and see how they impact on an individual when they’re combined,” Wong says.

Holding overseas companies such as Google and Facebook accountable for privacy breaches may prove to be problematic. However, Pilgrim says overseas organisations undertaking business in Australia will be required to adhere to any new reforms in the Privacy Act, even if they do not have a physical presence in Australia.

In order to help enforce any breaches, Pilgrim says Australia is part of global forums, such as the Asia Pacific Privacy Authorities (APPA), which includes New Zealand, Hong Kong, Korea, Canada and the US, which allows privacy agencies in these countries to co-operate with each other to enact enforcement.

Pilgrim says the Asia-Pacific Economic Co-operation (APEC) privacy framework also assists in cross border privacy enforcement and under the Organisation for Economic Co-operation and Development (OECD), the Working Party on Information Security and Privacy is also looking to establish a global privacy enforcement network.

Where to from here?

Wong believes the main impact of the Privacy Act reforms on the digital environment will be dealt out in the second tranche response by the government.

Ultimately, Clarke wants to see the privacy commissioner given “real power to do real things and solve problems”, and both Wong and Clarke believe seeking civil remedies for breaches will go a long way in reforming the Act and forcing companies to be more responsible.

“Everybody makes little cock ups and the answer is you fix it, and you fix it so that you don’t make the same cock ups again,” Clarke says.

Follow Stephanie McDonald on Twitter: @steph_idg

Follow Computerworld Australia on Twitter: @ComputerworldAU