Review of the Spam Act 2003; Submission to the Department of Communications, Information Technology and the Arts (February 2006)
Submission by the Office of the Privacy Commissioner February 2006
1. Office of the Privacy Commissioner
The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.
2. Experience of the Office
The Office welcomes the opportunity to make a submission to the Department of Communications, Information Technology and the Arts (DCITA) on the legislative review of the operation of the Spam Act 2003 (Cth) and related parts of the Telecommunications Act 1997 (Cth). Where this submission addresses specific questions in the Spam Act 2003 Review Issues Paper (the Issues Paper), those questions are reproduced.
The Office contributed to the development of the Spam Bill 2003, and raised issues which remain relevant in the context of this review, and these are discussed below.
The Office supports the underlying policy direction of the Spam Act. The Office also acknowledges the work by the Australian Communications and Media Authority (ACMA) as an enforcement body in upholding the principles of the spam legislation.
Submissions received in 2004-2005, during the Privacy Commissioner’s Review of the Private Sector Provisions of the Privacy Act 1988, highlighted the Spam Act as an example of appropriately specific legislation to deal with a particular challenge posed by new technology (see p. 57 of Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, hereafter referred to as “our Review”)[1].
Since the passing of the Spam Act in late 2003, the Office has seen a significant reduction in the number of complaints in relation to spam (from approximately 30 in 2002 to two in 2005). Written enquiries have also fallen over this period, but to a lesser degree (from approximately 40 in 2002 to approximately 25 in 2005). Telephone enquiries about spam, on the other hand, have increased from approximately 130 in 2002 to approximately 165 in 2005. This may reflect the growing community awareness of spam legislation leading to some members of the community first contacting the Office for more information. In many cases these callers are referred to ACMA and the provisions of the Spam Act.
Generally speaking, the Office informs enquirers that the Spam Act is likely to provide a more appropriate remedy than the Privacy Act for individuals affected by spam, unless the spam arises from a misuse of personal information.
3. Achieving National Consistency
The National Privacy Principles (NPPs) in the Privacy Act regulate the acts and practices of organisations that have an annual turnover of more than $3 million, private health sector providers, and organisations that deal in personal information for a benefit, service or advantage, irrespective of turnover. Many internet service providers and originators of commercial electronic messages have obligations under the Privacy Act.
Privacy protections are also provided by other Commonwealth legislation such as the Telecommunications Act and the Spam Act. Our Review found that this can cause confusion. For example, the Spam Act requires the stricter ‘opt-in’ arrangements for direct marketing while the Privacy Act approach to direct marketing under NPP 2.1(c) takes an ‘opt-out’ approach. Our Review found that the Privacy Act has not achieved the Government’s objective of establishing a ‘single comprehensive national scheme’ for the protection of personal information. The lack of national consistency contributes to the costs imposed on business, charities, individuals, and the wider community.
3.1 Unsubscribe Mechanisms
Q8 Is this [the requirement for a functional unsubscribe mechanism] a suitable requirement for legitimate commercial electronic messages?
The Spam Act requires that commercial electronic messages must only be sent with the addressee’s consent. Further, section 18 of the Spam Act requires that all commercial electronic messages contain an unsubscribe facility to ensure that recipients can opt-out of future communications.
In this respect, section 18 of the Spam Act exceeds the obligations placed upon organisations under the Privacy Act, in that it requires organisations to provide individuals with an opportunity to ‘opt-out’, regardless of whether the personal information was collected for the primary purpose of sending electronic messages. Under NPP 2, if an individual’s personal information has been collected for the primary purpose of direct marketing, then an individual does not have a right to stop uses or disclosures of that personal information for direct marketing.
Under NPP 2.1(c)(iv), if the information is not sensitive information and the use of the information is for a secondary purpose of direct marketing, then in each direct marketing communication with the individual, the organisation must draw to the individual's attention, or prominently display a notice, that he or she may express a wish not to receive any further direct marketing communications. The different approach to ‘opting out’ between NPP 2.1(c) and the Spam Act was noted by a range of submitters to the Review.[2]
Recommendation 23 of our Review says that the Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.[3] Such an amendment would align with the Spam Act requirement that all commercial electronic messages must include a functional unsubscribe facility.
3.2 Purely Factual Messages
Q16 Are the provisions relating to designated commercial electronic messages necessary?
Q17 Are these provisions appropriate as to:
(a) exemption from the prohibition on unsolicited commercial electronic messages?
(b) exemption from the requirement for a functional unsubscribe facility?
(c) other issues?
Schedule 1 of the Spam Act provides that “designated commercial electronic messages,” including purely factual messages, are permitted to be sent without prior consent, and are not required to include an unsubscribe option.
Excluding purely factual messages from the scope of the Spam Act has an impact on national consistency in the regulation of potentially intrusive marketing practices. The repeated sending of purely factual messages has the potential to cause irritation, or even greater harm among consumers, and it may also lead to confusion as to the distinction between communications which are, and are not, covered by spam legislation.
The Office recognises that some purely factual messages with a commercial element may be related to important public interests – the example of product recall notices may be such a case. However, as noted by the Office during the development of the Spam Bill 2003, this exclusion may be open to a much broader interpretation, particularly with regard to the permitted inclusion of sponsorship information in such messages.
If experience since the inception of the Spam Act has demonstrated that the exclusion of purely factual messages from the scope of the Act has been to the detriment of consumers, then the Office recommends that this exclusion be reconsidered and, in particular, that a reasonable limit should apply to prevent the sending of an excessive number of factual messages to any one electronic address.
3.3 Consent Provisions
Q18 Do the consent provisions effectively support people’s ability to choose what messages are sent to them?
Q19 Do the consent provisions provide a clear distinction between legitimate commercial electronic messages and spam?
According to the Issues Paper, a key principle of the Spam Act is that people should be able to decide what messages are sent to them, and have that decision respected.
The Privacy Act aims to give individuals a degree of control over their personal information. Under the Privacy Act, for an individual to consent to a matter, that individual must voluntarily agree to the matter, and must have knowledge of the matter. Only a competent individual can give consent.
In our Review, the Office took a number of submissions on the issue of ‘bundled consent,’ which is the practice of bundling together consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not, often sought as part of the terms and conditions of a service. The Office found that bundled consent may confuse consumers and may derogate from their rights under the Privacy Act. It is also an issue that confuses a lot of organisations.[4] The bundled consent situation is sometimes exacerbated when organisations require that the individual cannot access a good or service unless they consent to all the uses and disclosures listed.
In discussions with ACMA, the Office understands that ACMA has also come across related issues in relation to consent under the Spam Act.
The Office’s view has been that broadly worded consents deny individuals the chance to understand clearly the organisation’s information handling practices. Although individuals may be comfortable with some of these practices, they may not be with others. Broadly worded consent forms leave the discretion with the organisation, not the individual.
Since the commencement of the private sector provisions in the Privacy Act, this office has received numerous complaints and enquiries in relation to the use of bundled consent forms, particularly by finance and insurance organisations.
The Office is pleased to note that the telecommunications industry, through its self-regulatory codes framework, has recently taken steps to address this issue. The Australian Communications Industry Forum Code ACIF C620:2005 Consumer Contracts includes a provision at clause 6.2(r) that in assessing whether a term in a Contract is unfair, it is relevant to consider whether the term has the object or effect of permitting the telecommunications supplier to collect personal information from a consumer that exceeds what is reasonably required by the supplier to supply the relevant service or to perform its obligations under the contract unless the consumer has the option of not providing that additional information and still acquiring the service.
While this clause covers the collection of personal information rather than the sending of spam, it may be a useful model that can be adapted to cover contracts that require individuals to consent to receiving email communications that are not reasonably required by an email sender to supply a relevant service.
3.4 Facsimile spam
Q20 Should commercial electronic messages sent by facsimile be covered by the Act?
Q21 Why?
Q22 Why not?
The Office has received enquiries about facsimile spam in recent years; however, few of these have resulted in formal complaints. In the Office's experience, the information used to send spam facsimiles is not typically personal information, as it is usually a phone number only. Further, it is the Office's understanding that most facsimile spam is sent to businesses rather than individuals. It is therefore unlikely that the Privacy Act would have application in relation to most incidents of facsimile spam.
Recipients of facsimile spam may be concerned by:
- the cost in receiving such unwanted messages (wasted facsimile paper, high-level graphics using up much more toner than an average transmission)
- the 'unsubscribe' mechanism which, if there is one, can be a facsimile or phone number with a high call rate, thus further costing the consumer to act, and
- the loss of time in transmission of other, legitimate messages, while they receive spam messages.
In its recent submission to DCITA on a possible Do Not Call register,[5] the Office recommended that it may be useful to build in a mechanism within the proposed Do Not Call register to deal with facsimile contact, if this is not addressed through the review of the Spam Act 2003.
It is the view of the Office that the exclusion of facsimile spam from the Spam Act detracts from the ability of the legislation to reduce the number of unwanted commercial electronic messages. As a result, the Office recommends that individuals be provided with legislative protection from unwanted and unsolicited facsimile messages through the Spam Act, or else through a national Do Not Contact Register.
4. Cross-Border Data Sharing and the Privacy Act
Q29 There are privacy constraints and other legislative constraints on spam investigations which require the sharing of information about spam and spammers across borders. Should these constraints be addressed? How?
The Information Privacy Principles (IPPs) are the information privacy standards with which Australian Government and ACT Government agencies must comply. ACMA is regulated by the IPPs, including when performing its functions in relation to the Spam Act and the Telecommunications Act.
IPP 11 limits the circumstances in which agencies are able to disclose the personal information of an individual to a third-party. These limits apply to disclosures outside Australia.
Agencies are permitted to disclose personal information under IPP 11 where the disclosure is required or authorised by or under law (IPP 11.1(d)), or where the disclosure is reasonably necessary for the enforcement of a law imposing a pecuniary penalty (IPP 11.1(e)).
The Office understands that ACMA sees a need to clarify the law relating to disclosure of personal information in the course of cooperating with international spam enforcement agencies, for example, by providing explicit authorisation of disclosures in these circumstances.
The Office recognises that it is often necessary to balance privacy with other important social interests, such as the enforcement of law. As one means of making judgements between competing priorities, the Office has developed and refined a framework by which any new legislative measures could be assessed (see Attachment 1).
In this particular situation, the Office would recommend a careful analysis of which data flows are strictly necessary, and what safeguards will be in place. For example, the Office notes that the United States Federal Trade Commission in its Effectiveness and Enforcement of the CAN-SPAM Act: A Report to Congress (December 2005) reported that “Foreign agencies are also unwilling to share information with the FTC because the FTC cannot guarantee the confidentiality of the information provided – there may be circumstances when the FTC is required to disclose the information. The FTC believes that legislative changes are needed to address these issues…”[6]
The Office supports a careful consideration of what legislative change may be necessary in Australia to ensure the effective enforcement of spam laws and the appropriate level of assistance to international spam enforcement agencies. As part of this analysis, the Office recommends that any increased capacity to handle personal information be considered alongside increased protections for the information.
For example, legislation that authorises personal information to be disclosed to an international spam enforcement agency could include a requirement that the international agency be able to provide binding commitments carefully limiting the use or disclosure of that personal information for purposes beyond the investigation on hand. Similarly, such changes may provide ACMA (or other relevant Australian enforcement agencies) with the capacity to provide similar binding commitments to international agencies that may send personal information to Australian agencies.
5. Awareness Campaign
Q30 Are there other types of awareness activities that should be undertaken in relation to the Spam Act?
Q31 Is there scope for further government/industry collaboration in relation to education and awareness activities?
A range of submissions to our Review suggested that the relationship between the Spam Act and the Privacy Act could be further clarified.
As noted above, the different approach to ‘opting out’ between NPP 2.1(c) and the Spam Act can create confusion amongst individuals, the business sector, and the wider community. Further, organisations need to know that exemption from the Spam Act does not equate to exemption from the Privacy Act.
The Office recommends that a joint awareness campaign be undertaken by the Office and other relevant agencies to clarify the relationship between the Spam Act and the Privacy Act[7].
7. Summary of Recommendations
The Office recommends that changes to the Spam Act should be aimed at enhancing national consistency in privacy-related legislation, and in particular:
- that if experience since the inception of the Spam Act has demonstrated that the exclusion of purely factual messages from the scope of the Act has been to the detriment of consumers, then this exclusion be reconsidered and, in particular, that a reasonable limit should apply to prevent the sending of an excessive number of factual messages to any one electronic address
- that individuals should be provided with legislative protection from unwanted and unsolicited facsimile messages through the Spam Act, or else through a national Do Not Contact Register
- that any legislative change which authorises personal information to be disclosed to an international spam enforcement agency be considered alongside increased protections for the information, and
- that a joint awareness campaign be undertaken by the Office and other relevant agencies to clarify the relationship between the Spam Act and the Privacy Act
Attachment 1
Office of the Privacy Commissioner
Framework for assessing and implementing new law enforcement and national security powers
The Office of the Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.
First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.
Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.
Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.
Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.
In summary:
Analysis – Is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?
Authority – Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?
Accountability – What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?
Appraisal – Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?
[2] See Section 4.3 of our Review.
[3] p. 103.
[4] See section 4.1 of our Review.
[5] Available on the Office’s website at http://www.privacy.gov.au/publications/index.html#sub.
[6] See p. 28. The report is available on the web from http://www.ftc.gov/bcp/conline/edcams/spam/reports.htm.
[7] See sections 2.3 and 4.3 of our Review.


