Submission: Copyright Digital Agenda Review: Carriers and Carriage Service Providers Issues Paper (October 2003)
Submission by the Office of the Federal Privacy Commissioner
To the Copyright Digital Agenda Review: Carriers and Carriage Service Providers Issues Paper
The Office of the Federal Privacy Commissioner (the Office) welcomes the opportunity to provide a submission to the Digital Agenda Review (the review).
The review relates primarily to the amendments made to the Copyright Act 1968 (Cth) (the Copyright Act) by the Copyright Amendment (Digital Agenda) Act 2000 (the Digital Agenda Act). The Digital Agenda Act generally aims to ensure operational efficiencies in the online environment promoting financial rewards for creators and investors, a practical enforcement regime and access to copyright material online. It also provides for access to copyright material online to cultural and educational institutions and ensures internet technical processes are not jeopardised.
This submission is not intended to be a comprehensive discussion of the issues raised in the review. It has not been possible for our Office to consider all the relevant provisions or practices in the time available, so our comments have been limited to some privacy matters related to Issue 15 of the Carriers and Carriage Service Providers Issues Paper.
The public interest in effective law enforcement and efficient business activity can create conflicting demands in relation to the public interest in protecting individual privacy. These conflicts raise challenges for our society, particularly where the use (and the potential misuse) of technology and telecommunications is concerned.
This Office is conscious of the need to strike an appropriate balance between the privacy of individuals within the community, the need for business to fulfil its commercial functions and attendant responsibilities, law enforcement obligations and legislative compliance requirements placed on organisations. Section 29(a) of the Privacy Act 1988 (Cth) (the Privacy Act) requires the Privacy Commissioner to have:
… due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way.
In considering this balance, careful attention needs to be given to the extent to which continuous and rapid shifts and changes in the technological landscape have the potential to be privacy invasive.
The Office has developed a framework which aims to bring a balance and perspective to the assessment and implementation of proposed legislation or new processes and procedures which may impact on the privacy of Australians. The framework has several steps in the development, implementation and review of such measures. Briefly, the steps include:
Analysis: Careful analysis of the proposed solution should take place, including analysis of less invasive privacy alternatives and critical consideration as to whether the measure is proportional to the risk. Is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?
Authority: The authority by which the measure is implemented should be appropriate to its privacy implications. Where, for example, there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?
Accountability: Transparency and accountability safeguards commensurate with the intrusiveness of the measures must be considered. What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?
Appraisal: Periodic appraisal of the measure including assessment of costs and benefits is the final step. Appraisal could involve a sunset clause or parliamentary review after a fixed period. Are there built in review mechanisms? Will the measure deliver what it promises and at what cost and benefit?
Issue 15: Mechanism for obtaining access to ISP subscriber details; a streamlined process
Issue 15 in the Carriers and Carriage Service Providers Issues Paper questions whether the existing discovery procedure is a sufficient mechanism for obtaining access to ISP subscriber details in actions taken in response to alleged breaches of copyright. The Issues paper also implies that it may be preferable to have a more streamlined process in respect of applications for such access. It is not clear from the paper whether such a process is designed to make the subscriber information more available or accessible to those currently authorised under law to access information or to broaden and develop an access regime to allow similar ease of access to others not currently authorised.
The Issues paper poses these questions:
Issue 15.1 - Is the existing discovery procedure under the Federal Court Rules a sufficient mechanism for obtaining access to ISP subscriber details? If not, what would be a viable alternative procedure, particularly having regard to issues of cost, compliance and potential for the exercise of judicial power by an administrative body?
Issue 15.2 - Having regard to the likelihood that any applications under a specified procedure will, until a body of case law is established, be referred to the courts, would it be preferable to have a more streamlined process which would require endorsement by the courts?
This submission applies the relevant aspects of the framework set out above to these issues.
Analysis of the access to subscriber information issue
Monitoring, censoring or other intrusive behaviours on the internet are frequently interpreted by individuals as ‘interfering’ with their use of internet information or their internet practices and raise significant privacy issues for many internet users. Responses to research on community attitudes to privacy conducted by this Office in 2001, for example, showed that 90% of internet users viewed monitoring of their internet usage without consent as privacy invasive (see our research report at www.privacy.gov.au/publications/rcommunity.html).
As has been noted in the Issues paper (6.4.1), “the Copyright Act does not contain provisions which set out the circumstances in which an Internet Service Provider (ISP) must make available or deliver up subscriber details. Nor does it prescribe a particular method or procedure for doing so”. Other legal frameworks do, however, provide privacy protections, access and disclosure mechanisms and other legal protections to subscriber information handled by ISPs.
Part 13 of the Telecommunications Act 1997 (Cth) governs the circumstances in which an ISP may be required to disclose subscriber information including customer registration details and log files. These include where the disclosure is reasonably necessary for the enforcement of the criminal law or the protection of the public revenue, to ASIO, or where it is required or is otherwise authorised under a warrant or under law.
Part 1AA of the Crimes Act 1914 (Cth) sets out, among other matters, when search warrants can be issued, information to be contained in the warrant and the activities which are authorised by warrants. Warrants may be issued to law enforcement agencies where they suspect a criminal breach of the Copyright Act. States and Territories have enacted search warrant legislation containing generally similar provisions.
Generally, offences under the Copyright Act may be civil or criminal. In broad terms civil action may be undertaken by the copyright owner if copyright has been infringed. Criminal offences generally involve commercial dealings. Under Federal Court Rules, Order 15A rule 6 allows a copyright owner to obtain a court order for preliminary discovery purposes.
The Privacy Act provides baseline information handling standards which apply to many private sector organisations including ISPs. The National Privacy Principles (NPPs) set out rules as to when personal information can be disclosed by private sector organisations, including where it is required or authorised by law. Whether the Privacy Act provides sufficient privacy protection or solutions in this area is yet to be determined. The proposed review of the Privacy Act post-December 2003 may provide an opportunity to examine issues such as this in more detail.
Privacy implications of the suggested ‘more streamlined process’ for access to subscriber details do not appear to have been examined in this review. In our view, any consideration of a more streamlined process (in place of current mechanisms enabling law enforcement agency access to ISP subscriber details and logs) should entail critical analysis of its impact on privacy. Consideration should be given to community expectations about what happens to subscriber information held by ISPs. A number of matters would need to be addressed.
It would be necessary, in the first instance, to identify more clearly, and have a broader, more robust public debate about, any problems or inadequacies noted in the current mechanisms and related legislation. References in the Issues paper to current Australian methods of access as “time consuming and expensive” (6.4.6) contrasted with the “efficiency and speed” (6.4.9) of the American subpoena in bypassing the need for court orders are noted, although these efficiencies do not appear to indicate more favourable outcomes in terms of the cost or time involved in proceedings in the long-term. It is also noted (6.4.13) this procedure would have constitutional implications in Australia. The Issues paper does not appear to give due weight to the privacy issues that may arise from broader or more speedy access to subscriber details.
Appropriate consultation with relevant stakeholders, including consumer/subscribers, would need to be conducted, on the details of any proposed ‘streamlined process’. Of key concern would be the need to consider the least privacy intrusive alternative in any streamlined processes.
The Issues paper appears to raise the options of a process along similar lines to those adopted under the Digital Millennium Copyright Act (1998) in the United States. Such procedures are likely to be inconsistent with existing privacy protections in Australian legislation, in particular the Telecommunications and Privacy Acts. Further consideration is needed on the risks such procedures would pose to privacy before any such process could be proposed. This Office would be concerned if access procedures for subscribers’ personal information were proposed which had reduced checks and balances and a less stringent authorisation process than those currently in place.
Educational institutions such as universities are subject to privacy obligations including confidentiality contractual obligations. These are briefly mentioned in the Issues paper (6.5.3, 6.5.4); however, it is not clear how a more streamlined process would address this issue. We would be concerned about attempts to overcome privacy obligations by inducing individual subscribers to ‘sign away’ privacy protections and submit to increasingly privacy-intrusive ‘bundled-consent’ processes in order to access ISP services or internet information.
The capacity for any streamlined process under consideration to lead to ‘function creep’ over time should also be closely examined.
Authority for permitting access to subscriber information
It is not clear from the Issues paper how, in a more streamlined process, the authority to investigate infringements of copyright would be invested or in whom. The high level of privacy invasiveness of the activity would demand a commensurate level of authority to govern decisions on access. At present, the power is vested in the courts to rule on discovery applications and on appropriate judicial authorities to issue warrants to law enforcement agencies investigating potential criminal breaches of copyright.
Any new processes to permit access to subscriber information should include stringent rules to limit access to cases that are serious and where there are significant grounds for suspecting a breach. For example, it may not be appropriate to allow personal information collected by law enforcement agencies under warrant in the course of a criminal investigation to be subsequently used for civil actions.
Accountability of access to subscriber information
Appropriate safeguards, commensurate with the intrusiveness of a streamlined process, are essential where there is a risk of large scale privacy intrusion. It would be a matter for concern if any new processes ‘lowered the bar’ on those safeguards and protective mechanisms currently in place around access to information held by ISPs.
These safeguards are of particular privacy importance where:
- large scale access may be given to information about individuals who are not transgressing copyright law
- access may be given to personal information that may be unnecessary or unrelated to any investigation
- there is a risk this information may be collected in the course of an investigation in the hope that it might be related.
Safeguards might also include recognition of different levels or scales of breaches, for example, serious criminal breaches of the Copyright Act as opposed to minor transgressions by individuals who may be caught up in any investigation.
Accountability safeguards should include rules about who may have access and in what timeframes to records of digital communication and personal information. They would also include the purposes for which the accessed personal information could be used and disclosed. Appropriate tracking and auditing mechanisms on the handling, use and security of any personal information must be in place along with a clear and transparent mechanism of complaint handling in any streamlined process. The development of clear and appropriate guidelines and other information for all stakeholders would be encouraged.
Appraisal of procedure access to subscriber information
If a streamlined process were to be developed in place of existing procedures, independent reviews of the process should take place at regular, set intervals and include a privacy impact assessment. It is recommended that the first review should take place within two years of any new process being implemented.
The Office would be concerned if a streamlined process allowing wider access to subscriber details in pursuit of copyright infringement were to be developed without:
- adequate steps to assess the effectiveness of current processes and legislation;
- ensuring that it is the least privacy invasive option;
- having regard to consumer privacy interests and widespread community consultation.
The Office would be opposed to any access regime which might invest in private sector industries or interests, powers to access subscriber information in a way which is currently possible only through law enforcement agencies and to further infringe on the privacy of subscribers to ISP services in order to address copyright debt concerns.
Further, any attempt to weaken the current mechanisms in place to protect access to ISP subscriber information, or diminish existing protections around disclosure of subscriber information, by implementing a streamlined process which did not provide equivalent, stringent, privacy and legal protections would be a matter of concern to this Office.
 The Federal Privacy Commissioner has expressed concerns about the practice of ‘bundling consent’, that is, making delivery of a service conditional upon the individual giving consent for other forms of information handling practice that are not necessary for delivery of the service. This is particularly of concern where the practice would otherwise fall outside of the allowable uses and disclosures of personal information under the Privacy Act (see http://www.privacy.gov.au/news/media/02_8.html).