Meeting Privacy Challenges - the ALRC and NSWLRC Privacy Reviews


Presentation by Karen Curtis, Privacy Commissioner, to the Interpreting Privacy Principles Project Symposium, University of New South Wales, Sydney, 2 October 2008.

Panel Session 3:

How well do the ALRC/NSWLRC proposals contribute to providing a set of global best practice Privacy Principles which also adequately address the privacy threats and opportunities from emerging technologies?

Outline of comments:

  1. Quick overview of what the threats and opportunities might be.
  2. Technology not inherently good or bad.
  3. Some factors that may go to technology being privacy invasive or enhancing - is consumer control and choice enhanced? Degree to which individuals must identify themselves limited to where really necessary? Degree of sharing information across systems limited to where really necessary?
  4. UPPs generally positive and likely to be leading edge - principle based & technology neutral approach permits flexibility to accommodate new technologies.
  5. Additional mechanisms such as codes leave open capacity for more specific regulation where necessary - note that we favoured the Privacy Commissioner having a 'power of last resort' to make codes where an agency, organisation or industry might fail to respond to heightened risks posed by a specific new technology.
  6. Support statutory cause of action (though discussion is left to the session on that topic) and support in-principle data breach notification where real risk of serious harm - though shouldn't fall on Office to tell parties that they don't need to notify.
  7. Regulation is one part of strong privacy protections - see afternoon speech.

Introduction

  • Delighted to be here today.
  • I note we are allocated 10 minutes and I will stick to it.
  • In looking at the topic for this session and apart from feeling that I was answering an essay question back at school (compare and contrast the totalitarian governments of Germany, Italy and Russia), essentially there are three elements to the question:
    • Do the ALRC/NSWLRC proposals have global best practice privacy principles
    • That address the privacy threats and opportunities
    • From emerging technologies
  • From my perspective, the raison d'être for the review of federal privacy laws and consequently the NSW laws, was the need to ensure our privacy laws best meet the needs of Australia in the 21st century (See Recommendation 1 in the OPC private sector review report in March 2005).
  • So really at the centre, the heart, the essence of this privacy reform process is addressing privacy threats and opportunities from emerging technologies.
  • It is challenging to regulate new technologies because:
    • they advance so quickly
    • it is not easy to amend legislation or regulation quickly to accommodate advances
    • depending on how they are applied, emerging technologies can straddle a fine line between offering protection and allowing invasion of privacy.
  • The Australian Law Reform Commission (ALRC) has developed a set of 11 privacy principles (the UPPs) which I believe have the potential to be leading edge privacy legislation.
    • They are a natural evolution from the OECD principles
    • Indeed with better and explicit principles on pseudonymity, identifiers, direct marketing and cross border data flows, they recognise how information flows and technologies have changed over the last 30 years.

Privacy threats and opportunities

  • So what are the threats, what are the opportunities, and how might the UPPs address these?
  • These can be challenging questions to answer, particularly because:
    • the list of emerging technologies that have the potential to impact on information handling is long
    • the way different technologies impact on our privacy is varied
    • we simply don't know what technologies tomorrow will bring
    • we don't know how they will be applied.
  • A list of technologies that have the potential to impact on privacy would likely include many of those addressed in the ALRC's review:
    • Biometrics (such as fingerprints, hand geometry, face, voice, iris and keystroke recognition)
    • Radio frequency identification (RFID)
    • Smart cards
    • Voice over Internet Protocol (VoIP)
    • Wireless technologies
    • Location detection technologies (like Global Positioning Systems)
    • Data-matching
    • Surveillance technologies
    • DNA based technologies
    • Encryption
  • Allowing many of these technologies to interact, integrate and converge is the internet.
  • The internet brings its own challenges, such as:
    • Cookies
    • Spyware and viruses
    • Searchability (information not protected by 'practical obscurity')
    • Fluidity of electronic information - information flows easily across borders
    • Difficulty of retrieving or deleting information once posted on the net (so problems with maintaining control over information)
  • Certainly, advances in technology provide for a greater capacity to store and manipulate information.
  • Indeed in the digital world, one really has to assume that information can be more easily digitised, aggregated and circulated in ways that make it harder for an individual to maintain individual control and choice of their personal information.

Example of a technology deployed as a PET and a PIT

  • But it's not all gloom and doom.
  • Many technologies can be privacy enhancing or invasive, depending on how they are deployed.
  • Biometric technologies, for instance, can create both threats and opportunities.
  • Opportunity:
    • Voice recognition technology could be employed to allow secure authentication of identity for phone transactions, thus enhancing convenience and adding to identity security.
    • Individuals could be given a choice of using this feature, and could be asked on each call, whether they would like to be authenticated (before the voice recognition takes place).
    • The biometric template of the person's voice could be combined with a particular word (a password) they are required to say. If this password is compromised, a new one can be issued.
  • Threat:
    • The same technology, if employed without users' knowledge, could be used to monitor private conversation on telecommunications networks.
    • In addition, there are reports that in some overseas jurisdictions there are CCTV systems with the capacity to overhear conversation, thus opening the possibility for surveillance technologies to identify and monitor ordinary people in public spaces.
  • So what are the key features that make the technology privacy enhancing rather than privacy invasive?
    • Individual choice: In the first example I used before about asking someone to authenticate themselves with their voice, the individual is given the choice to participate. To participate, the individual should be adequately informed. In the second example I used where it was covert, there was no choice.
    • Individual control: In the first example, individuals are asked before their identity is authenticated using voice recognition. This is important to allow individuals to be anonymous if they choose. If anything goes wrong, they can have a new password issued. In the second example, there was no individual control - individuals could be scanned against their will and at any time.
    • Security: In the first example: a new password can be issued. In the second example, short of having plastic surgery, there are not many options available if security breaks down or biometric templates are compromised.
    • Use of information is limited to a clear purpose: In the first example, voice recognition is specifically used to accurately authenticate individuals wishing to access a particular service.

The UPPs - harnessing opportunities and addressing threats

  • The proposed UPPs address many of these important privacy enhancing features: individual choice and control, security of information and limitations on use.
  • The ALRC has taken a principle-based, technology neutral approach with the UPPs, an approach I advocated in submissions to the ALRC's review and which I believe by and large has served Australia well for 20 years.
  • The NSWLRC in proposal 2 has suggested that NSW cooperate with the Commonwealth in the development of uniform privacy principles.
  • In the context of rapid technological change, it is impossible to know how technology will evolve (or what new technologies may arrive) in the future.
  • Technological neutrality allows flexibility and ensures that the Privacy Act will not go out of date every time technology advances. Highly prescriptive privacy regulation would face difficulties in keeping up with change.
  • What is important is that the privacy principles are also 'technology aware'. This means that the principles still need to be effective in regulating existing technologies and be able to adapt to new ones that develop, even if the principles don't refer to the technologies specifically.
  • Where particular concerns arise with a new technology, I agree with the ALRC's proposal that agencies, organisations or industries should be able to develop binding codes, to be approved by the Privacy Commissioner - such a mechanism permits a degree of flexibility and responsiveness to new technologies.
  • Where an agency, organisation or industry does not develop a code to respond to specific heightened privacy risks of new technology, my Office has suggested that the Privacy Commissioner should be empowered to make a binding code to address such risks.
  • So all in all, I believe the UPPs are about the best in the world, there is a logical flow to them because they start with the premise of dealing with someone without collecting personal information, and they will assist in dealing with technology advances in the best way possible.
  • Really, about the best outcome possible.
  • I also support other important legislative elements of privacy protection such as:
    • a statutory cause of action, which I note will be discussed this afternoon in panel session 5 and
    • mandatory data breach notification in certain defined circumstances.
  • On this point, my Office released last month a Guide to Handling Personal Information Security Breaches.
  • While generally supporting the ALRC's proposal for data-breach notification, the details, in some respects, do not align exactly with my Office's view. Specifically, my submission to the ALRC stated that the Office should not make the decision for organisations about when to notify or not notify individuals that a data-breach may have occurred.
  • Aside from these important legislative approaches, I also recognise other elements of privacy protection, including consumer education and increasing cross-border protections and cooperation between regulators.
  • I look forward to working with the ALRC, government, business and community stakeholders in developing further privacy protections to meet the challenges of emerging technologies in the 21st century.

Closing session: How well do the proposals meet the privacy challenges ahead?

Outline of comments:

  1. UPPs and proposed other amendments provide sound base to meet challenges.
  2. However, shouldn't just rely on law and regulation.
  3. Multifaceted protections also require oversight arrangements, privacy enhancing technologies + good system design.
  4. Oversight arrangements can include:
    a. agency, organisational or industry arrangements, as well as ADR
    b. with ultimate recourse to independent regulators with complaint handling and audit powers
  5. Privacy enhancing technologies - for example, technologies that interact without having to identify individual where this isn't necessary.
  6. Good system design - starting with basic question of whether personal information needs to be collected at all. Emphasise role of PIAs.
  7. In addition, in online context, privacy should be protected through:
    a. End-user empowerment - including drawing attention to our educative role - eg recent Spam information sheet and FAQs
    b. Cross-border co-operation - mention forums the Office has engaged in: APPA, APEC Electronic Commerce Steering Group, OECD's Working Party on Information Security and Privacy, and Privacy Authorities of Australia forum.

So how well do the proposals meet the privacy challenges ahead?

  • Even though we have been at this for a full day, we have barely touched the 295 recommendations of the ALRC and the 20 proposals and 68 issues from the NSWLRC.
  • We have heard from a range of people on aspects of the privacy principles - where they may work well, where they can be improved - as well as other recommendations on areas of possible law reform.
  • We cannot be certain about how well the recommendations and proposals will meet the privacy challenges ahead. We can't predict the future.
  • But we can be certain that:
    • Australia is leading the world in the consideration of the foundation to data protection and privacy law, that is, the privacy principles
    • A first-class and thorough examination by the ALRC has been informed by involved and committed regulatory, government, business, community and advocacy sectors.
    • All those sectors will continue to provide advice and assistance in the next phases of privacy law reform. 
    • The government is committed to ensuring it implements appropriate privacy reform that gets the balance right between protecting individual rights and community needs.
    • Keeping the Privacy Act technologically neutral and principles based is indisputably and undeniably the best way to address future challenges
    • Having a unified set of principles for the public and private sectors is a no-brainer
    • Having national consistency and hopefully uniformity in all privacy laws across Australia is a great public policy outcome.
  • So to me we are positioned well to get leading edge privacy protection for our nation.
  • I would urge all of us with an interest not to get too bogged down in the detail and minutiae of each recommendation or proposal.
  • But I would say, however, that whatever privacy law reform occurs over the next few years, this is only part of meeting the privacy challenge ahead.
  • It is my view that the most effective strategy for the protection of privacy in the context of ever developing technologies will be multi-faceted.
  • Legislation is a very important and necessary part of this mix, but alone is not sufficient.
  • This should be done through four main means:
    • legislation
    • oversight
    • technology
    • design
  • The ALRC has recognised this in a number of areas, particularly in:
    • highlighting the educative role of the Office
    • emphasising the role of devices such as PIAs, and
    • drawing attention to the need for coordination between the Commonwealth and states

Legislation

  • In terms of legislation, the proposals of the ALRC in respect of the new UPPs, as well as other measures, are important in ensuring a legislative framework that adequately meets the challenges ahead.
  • As I have mentioned earlier today, I am in favour of the principles-based, technology neutral approach to privacy regulation, proposed by the ALRC.
  • The legislation must be flexible, while still offering real privacy protection.
  • I believe the UPPs have the potential to be leading edge.

Oversight

  • Following on from legislation is oversight, which means having mechanisms in place to ensure that organisations comply with their legislative obligations and are held accountable for their actions.
  • This includes having adequate complaint-handling bodies available to individuals.
  • Under Australia's privacy regime, my Office, along with state privacy regulators, provides the ultimate oversight role, including for complaint handling and audit.
  • In addition, oversight can be provided at other levels, such as by ensuring good agency and organisation internal complaint handling processes, and mechanisms such as alternate dispute resolution.

Technology

  • Privacy Enhancing Technologies - 'PETs' - are another important tool in the armoury of privacy protection.
  • These technologies illustrate the potentially invaluable role of technology in supporting privacy and e-security. They achieve this by meeting security and other objectives, while at the same time providing individuals with appropriate control and choice over how their personal information is handled.
  • Simple examples of PETs can include encryption, public key infrastructure and logical access controls, or technologies that permit secure authentication of identity or enable the use of pseudonyms in transactions.
  • Many technologies can be either privacy enhancing or privacy invasive, depending on how they are deployed.

Design

  • Design is another key element in providing privacy protection. Privacy should be built in from the outset when considering a project which may deal with personal information, rather than bolted on at the end.
  • A tool that can be engaged to ensure privacy is incorporated at an early design stage is the Privacy Impact Assessment (PIA) - my Office has developed a guide for conducting PIAs.
  • A PIA is an assessment tool that describes in detail the personal information flows in a project, and analyses the possible privacy impacts of the project.
  • A PIA may do this by helping an agency or organisation to identify when the collection of particular information is unnecessary for a given project, or where accountability or oversight processes may reduce privacy risks.
  • The elements that make up a PIA (including identification, analysis and management of privacy risks) help agencies to drive good privacy practice and underpin good public policy.
  • PIAs also help to engender community trust in proposals if the issues raised during the PIA are responded to adequately through the proposal's development.

Online environment

  • In an online environment, there are two further approaches which can be adopted:
    • End user empowerment through education
    • Cross border cooperation

User education

  • In my view, measures that empower end users to protect themselves in online and IT-enabled environments are essential to promoting effective privacy and e-security.
  • These measures can include promoting education and awareness of the:
    • risks posed by various ICT environments and interactions
    • measures that can be taken to mitigate risk, whether through technology or individual behaviour
    • remedies available should something go wrong.
  • My Office has promoted secure and safe online behaviour and secure information exchange by advising on social networking, online privacy tools and internet privacy. Much of this advice for individuals is provided in 'frequently asked questions', as well as information sheets such as the one I recently released on Privacy and the SPAM Act.

Cross-border cooperation

  • The other approach is assuring the protection of privacy when personal information crosses borders.
  • In my view, the international cross-jurisdictional nature of many modern information flows requires international cooperation to foster good privacy outcomes for ICT.
  • The Office has recognised the importance of actively and constructively engaging with privacy and information protection regulators in other nations and economies.
  • For example, the Office is a member of the Asia Pacific Privacy Authorities (APPA) forum. APPA membership includes similar regulators from other Australian jurisdictions, as well as New Zealand, Hong Kong, South Korea and Canada, including both the Federal Office and the province of British Columbia.
  • The Office, through the Australian Government, is also active at the international level as a lead participant in the work being progressed by the Electronic Commerce Steering Group (ECSG) of APEC. The primary outcome of this work has been the APEC Privacy Framework and Principles.
  • The APEC Privacy Framework aims to promote a consistent approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows. The aim is to have protections consistent across the region which will assist business and member economies to be at the forefront of e-commerce.

Conclusion

  • So to reiterate, I think that many of the proposals put forward by the ALRC can meet the privacy challenges ahead, but that the key to effective privacy protection is having a holistic approach that encompasses design, privacy enhancing technologies, legislation, oversight, education and cross border cooperation.
  • I look forward to working with the Government and stakeholders in meeting future privacy challenges, in a manner that both promotes and protects privacy in Australia.