Last Modified 5/8/2001

Speech by the Federal Privacy Commissioner

22nd International Conference on Privacy and Personal Data Protection, 27-30 September 2000 Venice

Plenary Session III: Which rules? Integrating different tools in a global perspective

Introduction

• Overview
• Privacy and the information and communications technologies revolution
• The role for government
• Changing regulatory responses
  

• Australia's current federal privacy law
• Self-regulation to co-regulation for privacy law in private sector
• Privacy Amendment (Private Sector) Bill 2000
• Privacy protection tools in the Bill and other opportunities provided by the Bill
• New legislative tools for protecting privacy - more detail
  • Industry Codes
    • The Internet Industry Association Code
    • A code for the health sector
    • The road to a code will not be easy
  • Enforcement mechanisms

• Strategic Plan 2000 - a strategic plan for the Office of the Federal Privacy Commissioner
  • Establishing a network and developing privacy solutions
  • A comprehensive understanding
    • Current baseline research
    • Inform our service provision
    • Support the development of a privacy network
    • Inform future strategies for the office
  • Promoting Privacy to Consumers, Business and Government
  • Ready and prepared to implement the new legislation

• Project Gatekeeper
• Standards

• International agreement on standards
• Intergovernmental forums
• International voluntary standards
• Model contracts
• Web Seals - a significant private sector initiative at the global level?
  • Web Seals Project

A session titled Which rules? Integrating different tools in a global perspective calls for a response that recognises the impact of rapid technological change and economic globalisation on what it means to have personal privacy and how to maintain it. A key element depends upon individuals having some degree of control over their personal information. The challenge is to enable individuals to maintain their desired level of privacy, while at the same time, enabling business and government to utilise the new information and communication technologies to achieve their objectives efficiently. If this challenge can be met, it will help to give individuals the necessary confidence to take advantage of the opportunities offered by the information economy.

The range of tools available includes legislation, policy formulation, formal and informal standards, technology, helping individuals to help themselves and helping business and other organisations to incorporate privacy considerations into their day-to-day practices.

This paper is a practical examination of how the Office of the Federal Privacy Commissioner in Australia is seeking to promote an Australian culture that respects privacy, using the range of available tools within the resources available to it. A multi-faceted approach has been adopted that reflects the particular international, regulatory and legislative circumstances in which the Office is operating. The first part of the paper will examine the general factors that have contributed to the Office's strategy.

The major domestic factor influencing the Office's strategy is the Australian Government's extension of the current Privacy Act 1988 (Cth) (Privacy Act)¹ into a national privacy law that also covers the private sector. The Privacy Amendment (Private Sector) Bill 2000 (Cth) (Privacy Bill)² will establish a co-regulatory legislative framework that enables organisations and industry sectors to develop their own privacy codes, provided the codes incorporate core information privacy principles. The Government's "light touch" legislative approach combines a principles-based framework with enforcement based on resolving complaints. The key features of this legislation will be discussed. The Bill could be passed by the Parliament by the end of 2000.

The focus of this paper will be on the Office's strategic plan to use the legislation to promote an Australian culture that respects privacy through the integration of a range of tools, such as fostering community, government and business networks, education and research in conjunction with enforcing the law. The emphasis of the strategic plan is on engaging all stakeholders in raising awareness about privacy issues, and working with stakeholders to develop effective privacy solutions.

The global character of the Internet and e-commerce encourages individuals to engage in online activities outside their local jurisdictions. Data and communications networks facilitate an increasing flow of information across national boundaries. As a consequence, Privacy Commissioners cannot effectively carry out their functions without an awareness of the initiatives emerging internationally. The final part of the paper examines the role that Data Protection and Privacy Commissioners can take individually and collectively, to promote privacy solutions notwithstanding jurisdictional differences. Particular attention will be given to the role that co-operation between Commissioners can play in the global context.

Back to Top

Overview

The "light touch" approach to developing the Privacy Bill taken by the Australian Government reflects at least three considerations.

First, legislation, no matter how created - prescriptive or principles based - has its limitations. The law generally develops much more slowly than the Internet and this can severely limit the effectiveness of the law in practice.

Second, in Australia at least, government has been generally disposed over the last ten to fifteen years towards market based regulatory solutions. This reflects the view that the law has the potential to stifle innovation and reduce freedom of choice.

Third, Australia is part of the global economy and is a relatively small player. Its stock market capitalisation, for example, is only about three percent of the world total. As a result, Australia is rarely in a position to "set the rules", except perhaps at the margin.

Back to Top

The broad context in which the present challenges to the privacy of personal information have emerged is well known. The rapid development of information and communication technologies has accelerated the trend towards increased collection, storage, use and disclosure of personal information by business and government. The combination of computers and telecommunications enables the pooling of data and the creation of complex national and international data networks. Cheaper and larger storage media, increasing processing power and advanced data management and data mining technology have contributed to the establishment of large databases by business and government that are amenable to sophisticated manipulation and searching techniques.

The development of the Internet presents individuals with opportunities to engage in social, commercial and political activities in a borderless, digital environment. Individuals who use the Internet often leave behind "'electronic footprints', that is, digital records of where they have been, what they have spent time looking at, the thoughts they aired, the messages they sent, and the goods and services they purchased. Furthermore, these data tend to be detailed, individualised and computer-processable."³

The Internet has introduced another fundamental change to the way personal information is collected, used and stored. No longer do a relatively small number of large collections of personal information present the sole challenge. Instead, the Internet has also produced a very large number of small and medium sized collections of personal information. Indeed, many of Internet companies have business models explicitly built upon the collection, use and disclosure of personal information.

Technological developments have also contributed to an increasing flow of information and communications across national borders. E-commerce and online interactions potentially take individuals, or information about them, outside their local jurisdictions with an unprecedented frequency and range of purposes.

The increasing flow of information and communications across national borders has undermined the capacity of governments to protect the privacy of individuals adequately. The emergence of global information and communications networks requires rethinking of the role of governments and the role of regulators. If nothing else, it means that regulation of all holders and users of personal information by direct contact and supervision is simply no longer possible.

Even though use of the Internet is increasing exponentially, consumer concerns about the privacy and security of personal information online has emerged as a major barrier to participation in electronic commerce, as have concerns about the proliferation of databases of personal information.⁴

Within the area of privacy protection "self-regulation" has developed as an industry response to these concerns⁵, with a proliferation of industry and private sector initiatives, including some that seek to operate across national boundaries. These issues are canvassed in the US Federal Trade Commission report on Consumer Protection in the Global Electronic Marketplace, released earlier this month.⁶

The ability of the law to protect privacy in an environment of technological change and globalisation has its limitations. The pace at which technology is changing and electronic commerce is developing makes it difficult for law - whether highly prescriptive or principles-based - to remain up-to-date. There is also a fear that detailed law may stifle innovation and the market. The Deputy President of the Netherlands Data Protection Authority, Dr John Borking, has noted that "technological change is 30 times faster than the speed that the law can be changed: PC product lifetimes are about 9-24 months, Internet product lifetimes are about 4-7 months while law making can take 7-12 years." ⁷ As suggested by the Washington-based Center for Democracy and Technology, it has become evident that "the traditional, top-down methods of implementing policy and controlling behaviour" may not be the appropriate regulatory response to safeguarding privacy in the global information economy.⁸

Back to Top

The role for government

Over the past ten to fifteen years and in many parts of the world, there has been a dramatic shift in thinking about the proper role of government in rapidly changing circumstances. The shift is often portrayed as a move from government as a primary provider to government as a facilitator of the provision of goods and services through more sophisticated models of rule setting and governance. The concept of "steering not rowing", which refers to this change in the role of government, was popularised in the early 1990s by David Osborne and Ted Gaebler.⁹

Charles Raab has applied the concept of steering to the role of governments with respect to the protection of privacy. In these circumstances, Raab notes that national or international authorities are now less able to regulate effectively using conventional instruments of administration, legislation and the courts. He describes steering as a process in which a regulator seeks to attain a certain standard or goal by first understanding the boundaries within which the "course" must be steered and of what is actually happening within that system. Steering involves developing a strategy in which a regulator may move towards the desired state of affairs. The process of steering may consist of more conventional forms of intervention through monitoring, supervising, and restricting data practices that involve the use of law and the powers of a regulatory authority. It may also involve exerting influence in the policy-making process of government and business in order to incorporate privacy protection more effectively into management systems.¹⁰

For Raab, steering involves an interaction between regulation and self-regulation. He writes that:

"It is intriguing, therefore, that an important theoretical premise of the steering approach is, in fact, the recognition that what is steered by the overall regulators are the self-controlling mechanisms or sub-systems that make up the system. In this conception, there are many points of (self) control, and the overall regulator may develop, institutionalise, and work with them even though formal authoritative oversight is not abandoned."¹¹

The role of government is to identify and encourage self-policing mechanisms such as the market, which may lead a company to adopt good privacy practices to distinguish itself from competitors. Confronted with the numerous surveys indicating that the lack of privacy protection is a major barrier to consumer participation in electronic, some business sectors are beginning to take privacy protection more seriously. The capacity of self-regulation to provide adequate privacy protection continues to be widely debated.¹²

Back to Top

Changing regulatory responses

Changes in technology and globalisation have contributed to a general preference amongst governments for finding alternatives to formal government regulation such as legislation to achieve policy objectives and to remain competitive within national and international markets. Industry self-regulation is regarded in "some OECD countries as a flexible and cost-effective solution to the protection of online privacy by allowing market forces and industry-led initiatives to provide innovative solutions."¹³ In a Draft Report on Self-Regulation, the Australian Taskforce on Self-Regulation defines self-regulation broadly as including regulatory regimes developed by industry consisting of codes of conduct, standards, guidelines as well as industry-based accreditation and complaint handling schemes. Self-regulation excludes explicit government legislation and regulation.¹⁴

According to the Taskforce, self-regulation is generally regarded as more responsive to organisational and structural changes that emerge "in dynamic markets, which are influenced by globalisation, increasing vertical integration and the growth of 'hybrid' products that span traditional markets or industries".¹⁵ The ability of industry to develop codes may also encourage industry "ownership" which may foster a commitment to implementation greater than that which might be the case for rules imposed by legislation. In the appropriate circumstances, codes are recognised as being cost-effective, flexible, offering a large degree of sensitivity to the market, and conducive to international competitiveness and product innovation.

The Taskforce noted that the effectiveness of self-regulation in responding to market failure depends to a large extent on "an industry environment with an active industry association and/or industry cohesiveness".¹⁶ In these circumstances, industry participants are more likely to commit financial resources, consult with stakeholders and monitor the effectiveness of self-regulation. Where there is a broad spread of small business that does not communicate with each other, self-regulation is less effective.

The Taskforce concluded that self-regulation might not be the appropriate response to every market failure and all social policy objectives. The challenge facing governments is to develop a regulatory response that is sufficiently flexible to withstand technological and structural or organisational change while providing comprehensive privacy protection to individuals. The evolution of the Australian regulatory response reflects the challenge of finding a response that is appropriate.

Back to Top

The law as a tool

Australia's current federal privacy law

Australia's privacy law reflects, in part, the country's federal system, which comprises Commonwealth (ie federal), State and Territory Governments. The current the Privacy Act protects personal information held by the federal public sector and tax file numbers wherever held, and regulates the collection, use and disclosure of consumer credit information by private sector organisations.¹⁷ Several Australian States have laws to regulate the handling of personal information held by State public sector agencies.¹⁸

The Privacy Act creates the position of Privacy Commissioner as an independent statutory officer responsible for implementing the legislation. The principal functions of the Privacy Commissioner are to audit the compliance with privacy principles, investigate and resolve complaints, advise in relation to good privacy practice and promote awareness within the general and business community about privacy rights and obligations.¹⁹

The extension of legislative privacy protection law to the private sector has been the subject of regular debate since the Privacy Act was first passed. The focus of this early debate was on whether there should be privacy protection that is specific to particular industry sectors. For example, the credit reporting provisions of the Privacy Act were introduced shortly after the passage of the original legislation when the practices of the credit reporting industry came under public scrutiny. Although initially, there was some expectation that a sectoral approach to privacy protection would continue, the potential cost and difficulty of integrating industry-specific regimes has become more apparent in recent years. There is now more, though not complete, agreement on the need for a nationally consistent approach to privacy protection. Nevertheless, the most appropriate form that privacy law for the private sector should taken remains unsettled.

Back to Top

Self-regulation to co-regulation for privacy law in private sector

Generally speaking, the approach by successive Australian Governments to regulating business over the past decade has been to encourage industry to develop forms of self-regulation. The view is that self-regulation would lower regulatory costs on business and to improve market outcomes for consumers. Consistent with this approach, at one stage the Government's position was to protect the privacy of personal information held in the private sector by implementing a regime based on self-regulation.

During this period, the former Privacy Commissioner, Moira Scollay, developed the National Principles for the Fair Handling of Personal Information (the National Principles),²⁰ based upon the OECD Guidelines²¹ and following extensive consultation with business, privacy advocates and the community. Business was encouraged to develop voluntary codes of conduct tailored to their industry-specific circumstances that were consistent with the National Principles.

The Government recognised some of the limits of self-regulation in protecting personal information when, in 1998, it announced that it would introduce a "co-regulatory" scheme for the provision of a comprehensive privacy protection for the private sector.²² Co-regulation here means a scheme where law directly backs up codes developed by industry and requires approval by government agency.

The Explanatory Memorandum to the resulting legislation, the Privacy Bill, sets out the Australian Government's reasons for its decision to legislate to establish a co-regulatory privacy scheme for private sector. These are set out below.

1. Self-regulation does not afford adequate privacy protection to the consumer. Most voluntary codes do not provide an effective enforcement and dispute resolution mechanisms. A code can be made legally binding by including a provision in a contract that obligates the organisation to comply with the code. However, the enforcement of contractual privacy obligations would involve a cumbersome and costly process that would provide only limited forms of redress for individuals.
   
   
2. The absence of adequate privacy protection has affected consumer confidence in the information economy and participation in economic commerce. Surveys conducted in Australia and other countries have indicated that consumer confidence in on-line transactions depends largely on the level of protection given to their personal information. The lack of consumer confidence is regarded as a barrier to the development of electronic commerce.
   
   
3. Although consumer privacy is seen as a critical issue in the context of the emerging information economy, business has been slow to voluntarily take up of data protection measures and industry sectors do not set consistent privacy standards. Codes implemented to date have proved relatively ineffective because coverage within an industry is not 100%. For example, Australian Direct Marketing Association's code of practice for privacy protection only covers member organisations.
   
   
4. The absence of comprehensive privacy protection may create barriers to international trade for business. The European Union Directive on Protection of Individuals with regard to Processing of Personal Data and on the Free Movement of such Data (the EU Directive)²³ may constrain the transfer of personal information outside the Economic Union to countries that do not provide "adequate" data protection. While there is no explicit requirement that the minimum standards set out in the EU Directive be contained in legislation, self-regulation is less likely to be regarded as providing adequate protection. This is believed to create difficulties for businesses engaging in trade with EU member states under a self-regulatory regime, due to concerns about adequacy of privacy protection.

Back to Top

Privacy Amendment (Private Sector) Bill 2000

In April this year, the Australian Government introduced the Privacy Bill into Parliament to establish the co-regulatory legislative regime for protecting privacy in the private sector. The co-regulatory approach is intended to foster industry-developed codes, but these will be underpinned by legislation that will establish key privacy principles that will serve as a default framework in the absence of industry codes. As a general principle, most organisations in the private sector will be required either to adopt a code or comply with the legislative privacy principles. Either way, organisations will be required to engage in fair information handling practices.²⁴

The Government's intention is to introduce a "light touch" legislative scheme for the protection of privacy in the private sector. The key features of this "light touch" regulatory approach are as follows.

• The Privacy Bill will make a modified version of the National Principles, renamed the National Privacy Principles (the NPPs), legally binding.²⁵ The NPPs are broad legislative principles only, rather than highly specific legal rules.
  
• Industries or organisations will be given the option of complying with their own codes, provided that their codes are provide at the same or better level privacy protection provided by the NPPs.
  
• The enforcement provisions in the Bill are based primarily on responding to complaints made by individuals, although the Privacy Commissioner can also initiate investigations when appropriate.
  
• The resources made available to the Office for implementing the new legislation by the federal Government's Budget, reflects a shift in emphasis from direct intervention to influencing business practices.

The proposed legislation approach seeks to provide a reasonable balance between consistent standards and giving businesses the flexibility to develop an approach to privacy protection that is relevant to their day-to-day practice and meets community expectations about the handling of personal information. In the Privacy Commissioner's view the Privacy Bill will introduce a range of effective and adaptable privacy tools that will remain effective in changing technological and commercial circumstances.

A range of exemptions in the Privacy Bill will restrict the application of the privacy principles in relation to politicians and political organisations, media organisations, certain small businesses and employee records and they have become a highly contentious issue. In submissions to two parliamentary committees, the Privacy Commissioner has concluded that the privacy protection framework set out in the Privacy Bill is fundamentally sound, although the exemptions as currently drafted have the potential to weaken its effect unless amended.²⁶

The Privacy Commissioner has welcomed the announcement by the Attorney-General in his second reading speech that he will ask the Privacy Commissioner to review the Bill after it has been in operation for two years. The Attorney-General's announcement acknowledges the need to ensure that the regulatory approach remains appropriate during a period of such rapid change in information and communication technologies and will allow the law to be refined in light of actual experience.

Back to Top

Privacy protection tools in the Bill and other opportunities provided by the Bill

The Privacy Bill will create new rights for individuals. It will therefore modify the market place and should help alleviate current privacy concerns, including in the online environment. In particular, individuals will be in a better position to understand the information that is being collected on them and to decide whether or not to provide such information, use another transaction medium or take their business elsewhere, and to have those decisions enforced if necessary.

The Privacy Bill will be an important lever in creating an Australian culture that respects privacy. The Bill itself includes a range of privacy tools on which the Office can draw. These include:

• a basic standard in the form of the NPPs set in a basic, overall framework;
  
• flexibility to improve on the basic standard through the development of industry codes;
  
• enforcement provisions including for individuals to have complaints resolved either by the Privacy Commissioner or a code adjudicator; and
  
• provision for the Privacy Commissioner to issue guidelines on how to obtain approval of industry codes and how to apply the NPPs.

In addition, the passage of the legislation provides the Office with leverage for other means of promoting an Australian culture that respects privacy. These include:

• raising awareness among organisations and members of the public that handle personal information about the issues and about the privacy solutions that they might consider using.
  
• research on relevant privacy issues monitoring trends that can be used to assist other organisations find privacy solutions as well as to report to government.

Back to Top

New legislative tools for protecting privacy - more detail

The Privacy Bill will extend the range of tools available to the Privacy Commissioner and to individuals and encourage organisations to adopt fair information handling practices. It is anticipated that industry or organisational privacy codes will be an important tool in encouraging business to incorporate privacy considerations in their management practices.

Under the Privacy Bill, the Privacy Commissioner is conferred with the authority to approve codes provided that the code sets out obligations that are at least the equivalent of all the obligations in the National Privacy Principles and specifies which organisations are bound by the code. The code may establish a code adjudicator to handle complaints about organisations bound by a code. Where a code does not set out a complaint handling mechanism, the Privacy Commissioner will be responsible for resolving complaints. Once approved by the Privacy Commissioner and voluntarily adopted by an organisation, a privacy code replaces the privacy framework provided by the National Privacy Principles. The Privacy Commissioner will also have the power for revoke approval to a code, upon his or her own initiative, or upon application by an organisation bound by the code. The Privacy Commissioner must follow a consultation procedure before revoking a code.²⁷

The Privacy Commissioner is also authorised by the Privacy Bill to issue written guidelines to assist organisations to develop privacy codes and the matters that the Privacy Commissioner may consider in deciding whether to approve a privacy code.²⁸

The use of privacy codes under the Privacy Bill could enable an organisation or industry to:

• respond to technological developments that may present new privacy risks;
  
• adopt higher or more specific standards than the NPPs in relation to particular types of information, such as health information;
  
• amend the NPPs or include new principles; and
  
• encourage a higher level of "ownership" of a code and commitment to the fair handling of personal information by allowing self-regulation.

It is uncertain at this stage how many industries will develop codes of practice when the Privacy Bill comes into effect. As suggested earlier in the paper, this will depend on a range of factors, including the cohesiveness of industry sectors and whether they would have the resources and commitment to devote to develop its own code, with or without its own complaints mechanism.

Australia already has some experience of privacy codes in the private sector. The direct marketing, Internet, insurance, banking and telecommunications industries have adopted privacy codes that have been substantially based on the National Principles, although there may be some amendment to the National Principles to accommodate some aspect of the industry. This may reflect the extent to which the former Privacy Commissioner had consulted with interested parties in developing the National Principles. Other sectors, such as the superannuation industry and various groupings within the health sector, are developing privacy codes or incorporating privacy obligations into existing codes of professional practice. Examples of industry codes are discussed below.

Back to Top

The Internet Industry Association Code

The Internet Industry Association (IIA) has produced a code of practice for its members and has indicated that it will seek to have the code approved by the Privacy Commissioner if the Privacy Bill becomes law.²⁹ The code of practice prohibits the sending of unsolicited email, except to existing customers or persons who have previously consented to receiving information. The IIA has surveyed its members and found that "most (75%) believed an 'opt-in' approach to email marketing would not burden their organisation economically."³⁰ The survey results were reported in a press release that went on to say that the results affirmed the basic belief that "respecting your customer privacy is simply good business."³¹ This approach is a step up from the "opt out" minimum that the Privacy Bill would require.

The Office has not yet assessed the code of practice against the NPPs. In any event, the Office will not be in a position to finalise its procedure for code approval until the Privacy Bill is passed. However, it is interesting to note that the IIA's intention is that "provisions of [the] Code are in addition to and not in reduction of the obligation of Code Subscribers under [the National Principles]."³²

Back to Top

A code for the health sector

The health sector is an area where a privacy code may increase the scope and stringency of privacy protection afforded to health information to a level higher than that the National Privacy Principles. There are several factors that may lead to a health-specific privacy code. Within the Australian community, there is general recognition of the particularly sensitive nature of health information and the need for additional privacy safeguards in its handling. Privacy issues are currently being raised in relation to Government initiatives to encourage the health industry to take advantage of technological developments in the management of health information. A taskforce under the auspices of the federal Department of Health and Aged Care has recently produced a report on electronic health records and has recommended the establishment of an online health network for Australia, to be known as HealthConnect.³³

Amongst stakeholders, there is a strong interest in establishing a nationally consistent privacy regime in the face of conflicting views about the appropriate level of privacy protection and the risk that different health privacy laws may emerge at federal, State and Territory level. There is presently specific legislation regulating the handling of personal health information in the public and private sectors in the Australian Capital Territory.³⁴ Victoria is currently considering a similar health records bill. As well the Information Privacy Principles in the Privacy Act regulate the handling of all personal information held by federal agencies, including personal health information.³⁵

Health issues were given particular attention in the course of the development of the Privacy Bill. The Attorney-General asked the Privacy Commissioner to consider if the general privacy principles that were to form the basis of the Bill would provide the appropriate level of protection for personal health information. Following broad consultation with key stakeholders, the Privacy Commissioner concluded that, with modification in a few areas, the National Principles do provide an adequate framework for the protection of personal health information.

As yet, there is no agreement in the various jurisdictions about the appropriate level of protection and how to achieve this. However the Australian Health Ministers Advisory Council has recently established a joint federal/State/Territory health information privacy working group.³⁶ The aim of this working group is to establish a nationally consistent regime for the protection of health information that applies to both the public and private sectors of the health industry. This could to take the form of a national "health code" established under the amended Privacy Act that would recognised by States and Territories. This approach may potentially lead to greater consistency than is likely to be achieved by each jurisdiction having its own health privacy legislation.

Back to Top

The road to a code will not be easy

It is important to recognise that while they have great potential, codes are not necessarily easy to develop. For example, the complexity of the issues and the number of stakeholders, particularly where stakeholder interests are divergent, will have a direct relationship with the length of time it will take for an industry to develop and reach consensus upon a code.

In the Australian telecommunications industry, self-regulation is encouraged by legislation. The Telecommunications Act 1997 encourages the industry to develop self-regulatory codes of practice (which may cover privacy protection) and provides a mechanism to achieve this. The industry has established a company, called the Australian Communications Industry Forum (ACIF), to develop codes of practice. Over the past few years, ACIF has developed a range of consumer protection, operational and technical codes, including a code for the protection of personal information that is based on the National Principles.

It is generally agreed that ACIF's code development work is achieving valuable standards and protections for the telecommunications industry. ACIF reports that the development and finalisation of a code takes considerable time and involves a substantial investment of skills and resources. However, ACIF concludes that the development of a code that is consensus based and implemented by the industry is in the best interests of consumers.³⁷ It therefore appears that despite possible difficulties, codes do have the potential to play an important role in the Australian privacy protection framework. They are more flexible than law, more easily changed, and they can evolve over time.

Back to Top

Enforcement mechanisms

The Privacy Bill will give individuals new rights to exercise greater control over the way in which private sector organisations handle personal information concerning them. In particular, individuals will be give rights to have interferences with privacy investigated either by the Privacy Commissioner, or where the Privacy Commissioner has approved a code that establishes an industry complaints adjudicator, to that body. The Privacy Act also allows the Privacy Commissioner to initiate investigations where there may be an interference with privacy and the Commissioner thinks it is desirable that an act be investigated.

Other enforcement powers built around the use of the federal Court and federal Magistracy include enforcement of determinations and applications for injunctions to obtain compliance with the legislation. The way that the Office uses the enforcement powers will be crucial to the success of the legislation. The approach can send powerful signals to both individuals and to organisations that handle personal information.

The Office intends to use the legislation as leverage in using other powerful tools to promote a culture that respects privacy. Its approach to enforcement must complement and must not contradict its use of those tools and most certainly must not counteract them. Its approach will be strongly guided by the Strategic Plan that the Office recently launched.

Back to Top

The Privacy Commissioner's role and Strategic Plan

The response by the Office in implementing the Privacy Bill must recognise all the factors that have been identified so far. In other words, the Office needs to find ways of promoting an Australian culture that respects privacy that is guided by what tools will be effective and takes account of the specific environment that is likely to be created by the Privacy Bill. In particular, the Office must make sure that:

• the new rights created under the Privacy Bill are well known to individuals and to the organisations that collect personal information about them;
  
• the new rights are enforced;
  
• organisations see the Bill as a response to a strong demand for improved privacy protection, so that is not just a compliance issue but rather that "good privacy is good business";
  
• individuals are in the best position to look after themselves because they are aware of their new rights and because they have a much greater understanding of the implications of their choices, with resort to the law a last resort.

Moreover, the Office is relatively small. It has a staff of about 35 staff and a budget of about $A4.5 m (about $US 2.7m) to implement its current federal agency jurisdiction and to extend the jurisdiction to the private sector that serves a population base of around twenty million.

Back to Top

Strategic Plan 2000 - a strategic plan for the Office of the Federal Privacy Commissioner

During 1999, all the staff of the Office participated in a strategic planning process to develop our response to these challenges. We have chosen a course that emphasises that we aim to be:

• experts in understanding and applying privacy principles;
  
• partners in developing and promoting privacy solutions, in association with a range of stakeholders including consumer and privacy advocacy groups, other regulators and business; and
  
• a clear and balanced voice on privacy principles.

The Plan, launched in March this year, sets out the Office's purpose. The Plan identifies the main areas of focus and what the Office wants to be known for in its roles with both public and private sectors.³⁸

The Plan commits the Office to four key result areas:

1. establishment of the Privacy Connections network that will support organisations and individuals in the development and implementation of privacy solutions;
   
2. development of a comprehensive understanding of current community perceptions of privacy to ensure the solutions we develop are meeting the needs of our stakeholders;
   
3. reflection of strategic themes in the roles of everybody in the Office; and
   
4. ensuring that the Office is ready and prepared to implement the new legislation.

Given their importance to the range of tools that the Office will be employing, it is worthwhile expanding on points one, two and four and the associated promotion campaign that we expect to develop. The discussion will further illustrate why the Office has chosen to focus on some particular tools and ways of operating.

Back to Top

Establishing a network and developing privacy solutions

Although the Office has a stock of expertise on the current Privacy Act and privacy principles it is not expecting that it will have all the answers or that it could generate all the possible solutions to privacy issues arising in the private sector. Moreover, for Office to do its job effectively it will need to understand the issues facing organisations and to work closely with them. The use of networks will allow us to share our expertise and to work as partners with organisations interested in developing privacy solutions. Networks also provide a way of sharing innovative solutions more widely than would be possible if the Office interacted with organisations on a one-to-one basis.

To these ends the Office has started a network, Privacy Connections, that we expect will build an interconnecting set of relationships across sector boundaries and organisations to exchange good practice or to develop and exchange privacy solutions. Privacy Connections may involve (but will not be restricted to):

• regular meetings and communications - face to face or virtual - between industry organisations, consumer groups and other within an industry sector or across sectors;
  
• groups formed to work on the development of codes, guidelines and other privacy solutions;
  
• access to information and resources prepared by the Office; and
  
• access to privacy training opportunities

Privacy Connections was launched with the Strategic Plan at the end of March 2000 and, although the Privacy Bill has not yet passed, it now has over 120 members. The Office is also planning a series of national seminars in November 2000 aimed at network members, to provide some basic information on the Bill and to develop the Office's understanding of the issues and concerns for organisations.³⁹

The Office has also commenced, in a limited way, meeting with industry peak bodies. These organisations so far have been more than happy to share information about their industry, what they are currently doing about privacy issues, their existing knowledge of privacy issues and so on. In return, they seem to be looking for an understanding about the Office's position in the market, which the Office is describing as facilitator of good privacy practice first and hard-nosed regulator second when facilitation is not working.

A challenge for the Office will be to be seen as an enabler of good privacy practice and privacy solutions - and not just the tough regulator. We have to consider how to encourage organisations and peak bodies to talk to us without being afraid that they will get into "trouble" for revealing a less than perfect privacy practice. The opposite risk is that organisations see the Office as a "soft touch" when it comes to enforcement, for example when dealing with complaints.

Flexibility will be necessary in gaining the support and involvement of industry bodies. We cannot be locked into one model or mode of thinking in the networking idea. Some industry groups would like our involvement on a small scale - some advice and guidance - while others may need our more active involvement within the limits of our resources. Other groups and organisations will be more than happy with a program of seminars and accessible training options (not necessarily delivered by us). We cannot reinvent the wheel in terms of our communication efforts. We will have to utilise existing channels of communication for an industry or risk missing our target audience or worse still, ignored.

Mutual Responsibility is another strong theme upon which we expect to build. Obviously business must be encouraged to take responsibility for modifying their privacy practices and complying with the new legislation but this will be difficult unless we take responsibility for understanding the particular issues and difficulties facing the different industry sectors. We cannot simply say "here is the legislation, now obey", especially when the law often clearly provides for a balancing of the relevant considerations. If we can prove our credentials to an industry by showing them we have taken the time to research their industry and have a realistic grasp of the challenges facing them, it will be easier for us to then ask for a responsible response.

Back to Top

A comprehensive understanding

In order to implement the Privacy Bill effectively, the Office will need to develop expertise in relation to the private sector and an understanding of the community's privacy expectations with respect to how their personal information is used by business. Apart from the information gleaned through the network, the Office will soon be conducting a program of research in order to generate a sufficiently detailed picture of the community and its expectations of privacy.

The key objectives of the research will be to:

• identify and analyse community perceptions of privacy including perceptions of costs and benefits;
  
• identify and analyse federal government agency perceptions of privacy and compliance with the current Privacy Act;
  
• identify and analyse business perceptions of privacy and current practices;
  
• identify business barriers and needs in relation to complying with the proposed legislation, and adopting a privacy best practice approach;
  
• identify key stakeholder concerns;
  
  test our current positioning concepts/messages - see below; and
• identify channels through which consumers and businesses may be reached for the provision of information, training, and products.

The information generated by the program will be used for a range of purposes. These are set out briefly below.

Back to Top

Current baseline research

The Privacy Commissioner commissioned community attitude surveys for each year between 1990-1994. These surveys are now considerably out of date. The results of research from this project will be used as a benchmark for future studies and used as baseline data for the evaluation of our marketing and communication strategy; our strategic plan; and key stakeholder management.

Inform our service provision

The results of the research will guide the delivery of services to our client groups and product development.

Support the development of a privacy network

Inform future strategies for the office

The research will provide guidance about emerging issues of concern within the community. It will inform the development of a marketing and communications strategy for the office. Pertinent to this is the identification of messages and their packaging, and viable communication channels for both individuals and the business community.

Back to Top

Promoting Privacy to Consumers, Business and Government

As noted in the OECD's Working Party on Information Security and Privacy "the nature of the global information network makes educating users and commercial entities about privacy issues an important step for the protection of personal privacy."⁴⁰ The Office has had a role in raising community awareness of privacy issues and in providing information and advice about the Privacy Act since its inception a decade ago. With the passing of the Bill, a key strategy for the Office will be to develop a communication program to inform Australians of their new privacy rights and responsibilities, and the role the Office can play in developing privacy solutions.

In the research program described above the Office will be testing four messages that we think could be the focus of the Office's communications strategy. These are set out below.

• My Privacy, My Choice - This targets the individual, and seeks to build a sense of control, empowerment, and security for individuals dealing with situations where the security of personal information may be threatened.
  
• Good Privacy equals Good Business - This targets business and government. The key message is that organisations that work to build an atmosphere of trust and equal dealing between themselves and their customers, employees and/ or clients will benefit through increased efficiencies, profits, and simpler dealings with their client base.
  
• Privacy Solutions - This is a more complex message that targets Agencies, private sector organisations, and individuals. It suggests that privacy is not an absolute concept, and privacy solutions must be brokered that meet individual needs and expectations, yet also permit business and government to meet their broader responsibilities of providing efficient, accountable service. This message seeks to position the Office as the facilitator of privacy solutions and as experts in the application of privacy principles.
  
• Respecting Privacy - This targets business and government. It builds on the existing message of good privacy equals good business, to encourage good privacy practice and adherence to privacy legislation. However, the message goes one step further to point out that if privacy is not respected, the Privacy Commissioner will step in. The main focus is Office as the regulator.

In mid to late 2001, the Office expects to commence a marketing and communication strategy in full strength. We have up until now been undertaking a number of communication and marketing activities guided by our strategic plan, including:

• highlighting IT and Internet issues on the website, with detailed advice on threats to privacy, and means by which privacy can be protected;
  
• actively seeking and gaining media coverage on basic privacy concepts, and more sophisticated, topical issues such as on-line data bases
  
• promoting and distributing the Guidelines on Workplace E-mail, Web Browsing and Privacy⁴¹ to encourage good practice in managing IT communications and information flows via a high profile launch, the website and a series of presentations
  
• a broad range of speaking engagements with business organisations
  
• provision of advice over the Hotline.

The Office's communication strategy is currently focusing on the Good Privacy Good Business message to skill up organisations to understand their obligations and the benefits of meeting them under the anticipated changes to the legislation.

Next year will see a far more targeted approach, with specific messages being targeted to specific audiences through appropriate channels. We will retain our emphasis on a partnership approach, as this will facilitate our relationships with key privacy providers and clients and their representatives.

Resource constraints necessarily require targeted and co-operative strategies. We expect to be working closely with the media, and working through key business and community organisations to get our message out. Mechanisms may include the website, seminars & conferences, including appropriate information in educational pathways: schools, tertiary, and post graduate courses, joint ventures with high profile organisations, information kits, and very targeted use of the media.

Back to Top

Ready and prepared to implement the new legislation

The Office has already identified that in implementing this key result area, we will have to be able to offer assistance and facilitate the development of codes. In addition to guidance material the Office will produce we see the Privacy Connections as playing a key role here.

At this point, in the period before the Privacy Bill passes, the Office is focusing first on preparing itself to carry out its role under the Bill to approve codes. In the next six months, presuming that the Bill passes in its current form, we will need to have clear views and procedures at least on:

• how we assess if proposed variations to the NPPs to code are overall the equivalent of all the obligations set out in the NPPs;
  
• how the views of the public should be taken into account in the development of a code;
  
• what might indicate that organisations have agreed to be bound by a code;
  
• how consumers will be made aware that organisations are bound by a code, rather than being subject to the Privacy Act; and
  
• how consumer will know whether they should make a complaint to a code adjudicator, if the code sets up this mechanism, or to the Privacy Commissioner

We plan to consult with both consumer and business organisations as we develop our approach. We also anticipate that organisations will look for more detailed guidance on the application of the NPPs. Whether this is the case, and if it is the type of guidance that is needed, is something we will be talking to industry sectors about in the next few months.

Another crucial element of being ready and prepared will involve refining our approach to compliance and enforcement. The Strategic Plan identifies that we will have to have a clear risk assessment and risk management framework. Using this framework we will then approach particular cases as they arise in a way that reinforces the approach outlined earlier - facilitating first but regulating with a firm hand if facilitation is not working.

Back to Top

Other tools with a domestic focus

If the Office is to be most useful to both individuals and organisations in Australia, it needs to be aware of the latest developments, both those that can compromise personal privacy and those that can provide privacy solutions. Without this understanding, our position with these stakeholders, including members of the Privacy Connections network, will become marginalised.

There is little need to repeat the current list of emerging developments in any detail here. Other Conference papers are likely to do so very comprehensively and the Office has briefly described the issues in a Submission to the Australian Senate Select Committee on Information Technologies.⁴²

Given the resources available to the Office and the primary focus over the next few years on the forthcoming legislation, the Office is probably in a position only to make key interventions. The Office will therefore:

• maintain a monitoring role;
  
• catalyse the exchange of promising privacy solutions;
  
• assist the general public in understanding the latest developments and encouraging them to adopt promising solutions; and
  
• become involved more deeply because of the scale of the impact or when the Office can clearly provide unique added value.

Back to Top

Project Gatekeeper

This is one example where the scale of impact justifies the Office becoming involved.

Governments in Australia have been strongly promoting the provision of Government services online.⁴³ A major component of the supporting infrastructure at the federal level has been the development of a comprehensive Public Key Infrastructure (PKI) through Project Gatekeeper.⁴⁴

The PKI project could operate on a very significant scale, potentially right up to making multiple keys available to all 19 million Australians. It therefore has correspondingly significant potential both to compromise personal privacy in Australia or, if properly developed, to facilitate online privacy.

The Office has therefore been advising the project for some years. Work is now about to commence on Privacy Guidelines for Individual PKI Certificates and the Office is likely to take an active role in their drafting.

Back to Top

Standards

The Office also sees a role for the use of formal Standards in providing privacy solutions. A number of the NPPs, for example, are couched in terms of providing "reasonable" levels of protection, such as the Security Principle that states that:

"An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure."

Standards have considerable potential for allowing organisations to demonstrate that they are taking reasonable measures. In recent years Standards Australia has been active in producing standards with privacy relevance particularly on security issues, and in the area of health privacy.

For example the organisation is currently working closely with the federal Department of Health and Aged Care on standards that will tie into the proposed electronic health record structure.

Working groups are starting up, or continuing, in a range of areas including:

• System and Data Security, Integrity and Privacy;
  
• Health Records and Modelling Coordination;
  
• Electronic Health Records; and
  
• Patient Identification

The Office has assisted in some of these projects and has been invited to participate in these latest processes. It is currently assessing the extent to which the Office's expertise could add value. At this stage, it appears that experts best continue this work. The Office will clearly be assessing the value of Standards that are developed and where appropriate, encouraging their use.

Back to Top

The international perspective

As already established earlier in the paper, focusing only on local or Australian developments and solutions will not deliver comprehensive privacy solutions to the people of Australia. Among the many statistics, one is sufficient to make the point. About half of the online purchases made by Australians for Christmas 1999 were made from offshore Web sites⁴⁵ and many other jurisdictions would report similar statistics.

In short, the global character of the Internet and e-commerce encourages individuals to engage in online activities outside their local jurisdictions. Privacy Commissioners cannot effectively carry out their functions without an engagement with the inter-governmental, industry and technological privacy protection initiatives emerging internationally.

The Australian Privacy Bill provides an apt example of the global nature of communications and data networks posing a major challenge to governments seeking to protect the privacy of their citizens. It will apply in some circumstances to practices outside Australia that involve personal information about Australian citizens or permanent residents:

• Where an Australian organisation deals with information about Australians citizens, the Privacy Bill will apply both inside and outside Australia.
  
• The Privacy Bill will also apply to the information handling practices of foreign organisations that carry on business in Australia and deal with information about Australians.

In this way, the Privacy Bill gives the Privacy Commissioner some power to take action in relation to complaints received about practices that occur overseas. However, the legislation is unlikely to provide any protection for Australians who transact with overseas Internet service providers that have no organisational link with Australia.

Clearly, Data Protection and Privacy Commissioners acting alone are limited in their capacity to provide privacy protection to personal information that flows outside their national borders. There are clear imperatives for dealing with privacy issues relating to international information flows.

Commissioners can overcome jurisdictional differences and resource limitations by establishing strategic alliances. Co-operative approaches to international developments affecting privacy would facilitate the pooling of resources, expertise and information. It is also likely that collective policy-making will have a greater influence on the privacy practices of online companies and private standards organisations.

International co-operation should therefore be seen as an important tool available to Commissioners to promote privacy on global communications and data networks. Indeed, at the 21st International Conference on Privacy and Personal Data Protection held in September 1999, Privacy Commissioners agreed that they needed to work together in order to address privacy issues.

The next section of this paper notes a number of the tools that are available at the international level and makes some comments on how Privacy and Data Protection Commissioners might draw on them.

Back to Top

International agreement on standards

As mentioned earlier, Australia is part of the global economy and is a relatively small player. Its stock market capitalisation, for example, is only about three percent of the world total. As a result, Australia is rarely in a position to "set the rules", except perhaps at the margin.

The OECD Guidelines or their equivalent, form the basis of most approaches to privacy or data protection around the world. However, there is much divergence in the implementation of fair information principles between countries. The European Union requires its Member States to provide comprehensive statutory protections for citizens and centralised enforcement mechanisms.⁴⁶ However, the United States has shown a strong preference for self-regulatory, market-dominated policy for the protection of personal information and provides limited statutory protection at state and federal level on a sectoral basis. Many other nations of the world also have little data protection in place.

International agreement on minimum data protection standards will become increasingly important in achieving an effective and comprehensive privacy protection that can operate across jurisdictional boundaries and legislative differences. The recent Global Privacy Summit held in Washington earlier this month, for example, heard repeated calls for a single, consistent privacy framework and was very critical of the country by country approach that has developed to date.⁴⁷

Although the OECD Guidelines are being increasingly used as the world standard some critics maintain that the OECD Guidelines should be revised in light of technological change and developments in the collection and use of personal information. It has been suggested that additional data protection principles are needed such as the right not to be indexed and a right to encrypt personal information effectively.⁴⁸

From the point of view of data protection Commissioners, there are several reasons why the OECD Guidelines provide the best available basis for co-operative projects focused on privacy in global networks. Although the OECD Guidelines were developed in 1980, they continue to represent an international minimum standard for privacy protection. As well, the Guidelines have been the basis of or have strongly informed the data protection legislation of most OECD Member States. As Ann Cavoukian⁴⁹ has argued, the focus of data protection authorities should be on putting the established principles into practice on information and communications networks, rather than continuing to debate the value of the principles themselves.

Back to Top

Intergovernmental forums

In recent years, the OECD has put renewed emphasis on assisting the development of privacy solutions. It has, for example, recently launched a revised Privacy Statement Generator, has undertaken surveys of approaches taken on privacy protection around the world and looked at various other options such as the use of contracts to protect personal information that form part of international transactions. In each case, the OECD work is premised on the continuing applicability of the Guidelines, particularly in light of technological change and the emergence of industry and private sector initiatives.⁵⁰

Australia contributes to the work of the OECD through agencies other than the Office. The Australian Attorney-General's Department monitors developments and contributes to international developments in relation to privacy and data protection. A senior officer from the Department chairs the OECD's Working Party on Information Security and Privacy. The Department is engaged in ongoing discussions with the European Commissioner concerning the implications of the EU Directive for Australia. The Department is also closely monitoring developments with respect to the EU Directive, particularly the "Safe Harbor" arrangement that has been negotiated between the European Commission and the United States.

Clearly, Privacy Commissioners should focus their limited resources on complementing or contributing to this work and not duplicating it. Given the contribution by other Australian agencies, the Office to date has not placed a strong emphasis on contributing to these forums.

Back to Top

International voluntary standards

The development of international standards of best practice by international standards setting organisations could help to harmonise privacy protection standards on a global basis. In response to increasing globalisation and as governments move away from prescriptive laws in favour of de-regulation, there is an increasing number of bodies seeking to do this work.

In general terms, international standards have no legal status and are voluntary, unless an individual country has passed specific legislation requiring the product to be made to the standard. However, even where not incorporated in law, standards are often adopted by governments or become recognised as international best practice so that companies who want to compete in the relevant marketplace have a great incentive to adopt them.

One advantage of international standards is that they can be a useful means to translate legal norms or general principles into technical specifications and to promote greater awareness. However, it is less clear that standards are appropriate at the level establishing a general framework.

In 1996, the International Standards Organisation⁵¹ (ISO) passed a resolution in favour of a proposal to develop an international standard on privacy based on the Canadian Standard Association Model Code for the Protection of Personal Information. An Ad Hoc Advisory Group on Privacy (Advisory Group) was formed to advise the ISO on whether there was a need for an international standard to address information privacy, assess privacy protection and ensure global harmonisation.

The Advisory Group considered what measures could be taken to develop an "international consensus on privacy standards as a means of facilitating implementation at the company level and harmonisation of privacy rules across jurisdictions"⁵². The goal of the Advisory Group was to decide whether the ISO should develop voluntary codes and standards to assist industries and organisations to implement fair information principles in practice. Such a standard would resemble management systems standards that would meet existing national and international instruments and laws.

The Technical Management Board of the ISO disbanded the Advisory Group in October 1999 after concluding that there was no consensus concerning the development of International Standards.

The Office recognises that organisations such as the ISO can play an important role in the development of international voluntary standards for privacy and self-regulation through standardised codes of conduct for the specific data processing operations within an industry sector. While international standards would constitute an authoritative basis for self-regulation in the global context, the ISO experience illustrates the limits of standardisation. The primary obstacle appears to be the incompatibility between the time required for developing rigorous, technical standards may and the pace of technological and commercial change in the information economy.

In light of experience to date, the Office is continuing to monitor developments in this arena, but to date has only had very limited involvement.

Back to Top

Model contracts

Contracts governing the transfer of personal information between an organisation in one country with an organisation in another have been promoted as one tool that may be used to safeguard the privacy of personal information. Contractual clauses may be used, for example, to ensure that both parties are subject to the same privacy obligations. The Council of Europe, the Commission of European Communities and the International Chamber of Commerce developed a model "transborder flow contract"⁵³ (Model Contract) in the early 1990s.

The Model Contract is a collection of model clauses drafted to ensure "equivalent protection" to the data exporter and data importer.⁵⁴ This means that both parties warrant to comply with the same privacy law, usually that of the data exporter. The model clauses can be tailored to reflect the particular requirements of the data importer/exporter and of the governing privacy laws or regime.⁵⁵

The OECD has reviewed of the use of contracts for the protection of privacy on global networks.⁵⁶ The central issue is the availability of means of individual redress for a privacy breach. The OECD reports that a range of "business to business contracts" have been in use since the early 1990s for a range of uses, primarily for the supply or exchange of personal information between business units or divisions within the same organisation.

In relation to business to business contracts, the law of contract generally prevents third party beneficiaries, such as individuals affected by the actions of the contracting parties, from enforcing contractual obligations. This depends on whether there are workable complaint and investigation process and the provision of dispute resolution mechanisms under the contract.⁵⁷ An encouraging sign is a trend for countries to enact laws to recognise third party beneficiary rights under a contract, to avoid concerns over the lack of privy to a contract.

Contracts also do not easily accommodate a large proportion of consumer to business transfers of information that occur through interactions online such as Web browsing.⁵⁸ Simply browsing on the Web can result in a substantial amount of information available to the site visited, even if much of this information is needed to enable Internet interaction.⁵⁹ Much of the data collection occurs and privacy issues arise prior to the time of the formation of any contract.⁶⁰ The OECD recommended that "consumer to business contracts" should ideally be used in conjunction with other privacy tools, particularly in relation online transactions. Privacy policy statements could be used as a basis for establishing the terms or conditions governing electronic transactions.

The individual or data subject would face considerable some difficulties in taking legal action against an online business for breach of privacy through conventional litigation. This is a costly, cumbersome and complex process, particularly if the business is based in a different jurisdiction from the individual. The OECD recommended that, from the individual's perspective, it might be more efficient to focus less on contractual solutions and more on developing online, self-regulatory dispute resolution measures. In conclusion, the report of the OECD stated:

…the very nature and scope of the medium in consumer to business transfers challenges the proposition that a "contract" could solve all the issues. Rather, it should be considered to take a macro approach and develop responses suited to a global privacy protection strategy.⁶¹

The Office is closely monitoring the work of the OECD in this area. However, it seems that there are two basic requirements before contracts are likely to be effective. First, the contract should embody agreed minimum standards such as the OECD Guidelines. Second, provision should be made for complaints and dispute resolution mechanisms for individuals whose privacy has been breached.

The Office will be able to feed the results of the OECD work on contracts into its networks and encourage evaluation and use of such a tool.

Back to Top

Web Seals - a significant private sector initiative at the global level?

Among the self-regulatory initiatives that have emerged recently, one in particular is receiving significant backing. This development is the concept of a "Seal" of assurance to indicate that a Web site offers a specified level of privacy protection.

A commercial Website can include a seal in the form of a graphical link that connects to the third party seal provider. By clicking on the link, an individual can confirm that the Website is operated in a way that is consistent with the seal provider's privacy statement. Some seal programs provide complaint and dispute resolution mechanisms. Building consumer confidence depends on the Seal requiring sufficiently high standards, establishing mechanisms to ensure that Websites comply with stated privacy policies and providing redress if they are breached.

According to web seal providers such as TRUSTe⁶² and BBBOnline⁶³ and WebTrust,⁶⁴ they can independently validate that an Internet service provider complies with stated minimum practices for protection of privacy. However, it must be noted that the organisations that provide privacy assurances are not subject to independent monitoring according to objective standards and are more of a privacy advocate for the industry than for consumers". Privacy advocates such as EPIC and Junkbusters have also heavily criticised the Seals for offering inadequate enforcement of inadequate standards.⁶⁵

In contrast to standards and model contracts, the development of self-regulatory initiatives by the private sector and non-profit organisations are promoted as being more responsive to changes in technology or the marketplace and to consumer choice.⁶⁶ Just as importantly, Seals may have the potential to fill the regulatory gap that currently exists at the global level.

Thus, the question arises as to whether Seals offer the promise of a new privacy solution. However, to date, there has been little objective and thorough analysis of what they have to offer. This is an ideal opportunity for Privacy Commissioners to work together as authoritative experts on privacy solutions to assess Seals. Such work has the potential for Commissioners to help Seals improve on any deficiencies and to help individuals assess which, if any, of the Seals offers acceptable and enforceable privacy protection.

Back to Top

Web Seals Project

As mentioned earlier in this paper, Privacy Commissioners at the 21st International Conference on Privacy and Personal Data Protection agreed to work on increasing the coordination of their effort at the international level. Within this context, the Australian and Ontario Privacy Commissioners agreed to undertake jointly an assessment of the major Web seal programs: BBBOnline, TRUSTe and WebTrust. A wider group of Privacy Commissioners provided advice and support for the project.

The major objectives for the evaluation of the Web seal programs by the Ontario and Australian Privacy Commissioners were to:

1. assess the effectiveness of the major Web seals in providing online users with protections for their personal information;
   
2. engage in open discussions with the seal programs in relation to improving the overall privacy framework, as well as their dispute resolution and compliance and enforcement mechanisms;
   
3. demonstrate that Privacy Commissioners from different jurisdictions and legislative frameworks could work co-operatively to promote the protection of privacy at a global level.

In undertaking the evaluation of the Web seals, the project identified three key components for an effective online seal program.

1. The program must be based on adequate privacy principles to which the "sealed" Web site must adhere. The OECD Guidelines were selected as the standard to evaluate the adequacy of the seal's privacy principles.
   
2. There must be a sound method for resolving disputes between users and Web sites. To evaluate the dispute resolution mechanisms of each seal program, the Australian Benchmarks for Industry-Based Customer Dispute Resolution Schemes was used as the standard.⁶⁷
   
3. There must be a rigorous mechanism for ensuring that the "sealed" Web site complies with the Web seal's standards.

The report on this project, Web Seals: A Review of Online Privacy Programs, is being released at this Conference. The report concludes that Seals have evolved rapidly in the very short time since they appeared, but that the need to improve further before they offer acceptable and enforceable privacy protection. However, the Privacy Commissioners involved were also most encouraged by the willingness of the three Seals to work with them to close the gap. Privacy Commissioners, as well as the wider community of participants, are invited to assess the value of the project against the espoused objectives, but the paper proposes that Commissioners continue the work that has been commenced.

Back to Top

Conclusion

The challenge that Privacy Commissioners face in deciding on "Which Rules" and how to integrate the different tools available to them is clearly complex. In some instances, the decisions are taken for them, for example in the legislation that they are asked to administer. Even there, however, Commissioners often have the opportunity to influence the construction of the legislation.

This paper has described the circumstances in which the Office of the Federal Privacy Commissioner in Australia currently finds itself, the mix of rules and tools that it has chosen and sought to explain why. Given the imminent commencement of new legislation to provide privacy protection in the private sector for the first time in Australia, the focus of the Office will clearly be on taking maximum advantage of the opportunities that the new legislation offers to promote an Australian culture that respects privacy. However, while a legal foundation for protecting privacy is absolutely essential, it is insufficient and the Office is taking a selective approach to the other tools it will be using over then next few years.

Footnotes

[1] Available at http://scaleplus.law.gov.au/html/pasteact/0/157/top.htm
and www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/

[2] Available through www.law.gov.au/privacy/.

[3] Organisation for Economic Co-operation and Development, Working Party on Information Security and Privacy Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks May 1999 (referred to below as the OECD Inventory of Instruments), page 7.Available at:
www.olis.oecd.org/olis/1998doc.nsf/linkto/dsti-iccp-reg(98)12-final

[4] These concerns emerge from any number of surveys, including:

The IBM Multi-National Consumer Privacy Survey of October 1999 at
www.ibm.com/services/e-business/priwkshop.html

Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy of April 1999, AT&T Labs-Research Technical Report TR 99.4.3 at
www.research.att.com/projects/privacystudy/

“Big Brother”; Bothers Most Australians , Roy Morgan Research Centre Finding No. 3221 of August 1999 at
www.roymorgan.com/polls/1999/3221/

[5] See, for example, www.privacyalliance.org/.

[6] Consumer Protection in the Global Electronic Marketplace: Looking Ahead, US Federal Trade Commission Report on Consumer Protection In The Global E-commerce Marketplace, released on 6 September 2000 and available via: www.ftc.gov/bcp/icpw/lookingahead/global.htm

[7] Remarks at the 21^st International Conference on Privacy and Personal Data Protection, Hong Kong, China, September 1999.

[8] Berman, Jerry & Mulligan, Deirdre “Privacy in the Digital Age: Work in Progress” Nova Law Review, Volume 23, Number 2, Winter 1999, page 4 and available at: www.cdt.org/publications/lawreview/1999nova.shtml

[9] Osborne, David E. and Gaebler, Ted Reinventing Government: How the Entrepreneurial Spirit is Transforming the Public Sector Reading, Massachusetts, Addison-Wesley Pub. Co., (1992)

[10] Raab, Charles D. “From Balancing to Steering: New Directions for Data Protection” in Bennett, Colin J. and Grant, Rebecca Visions of Privacy: Policy Choices for the Digital Age University of Toronto Press, Toronto, page 85.

[11] Raab, page 86.

[12] Strongly argued cases against self-regulation abound on the Internet.  Three examples are at: www.anu.edu.au/people/Roger.Clarke/,
www.epic.org and www.junkbusters.com.

[13] OECD Inventory of Instruments, page 9.

[14] Department of Treasury Draft Report of the Taskforce on Self-Regulation, June 2000, Commonwealth Government of Australia, page i, available @:
www.treasury.gov.au/publications/
consumeraffairs/industryself-regulation/
taskforceonindustryself-regulation/index.asp

[15] Taskforce on Self-Regulation, June 2000, page i.

[16] Taskforce on Industry Self-Regulation, page 43.

[17] The Privacy Act gave effect to Australia’s agreement to implement the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data , adopted by the Council of the Organisation for Economic Cooperation and Development (OECD) on 23 September 1980, as well as to Australia’s obligations under Article 17 of the International Covenant on Civil and Political Rights.

[18] A summary of the legal situation in the Australian states is available at www.privacy.gov.au/act/states.html

[19] Sections 27, 28 and 29 of the Privacy Act.

[20] Available at www.privacy.gov.au/publications/index.html.

[21] Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at
www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM

[22] Attorney-General’s joint press release with the Minister for Communications, Information Technology and the Arts of 15 December 1998, available at: http://law.gov.au/aghome/agnews/1998newsag/Joint_13_98.htm

[23] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, available at
http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

[24] Privacy Amendment (Private Sector) Bill 2000, Explanatory Memorandum, page 13 available through www.law.gov.au/privacy

[25] Available at www.law.gov.au/privacy/NPP.html

[26] Submission to the House of Representatives Standing Committee to Legal and Constitution Affairs, May 2000 available from www.privacy.gov.au/publications/pg1pubs.html#8.3; and Submission to the Senate Legal and Constitutional Legislation Committee, September 2000 available from www.privacy.gov.au/publications/pg1pubs.html#8.5

[27] Privacy Amendment (Private Sector) Bill 2000, Part IIIAA, pages 35 -50.

[28] See note [27]

[29] The Internet Industry Association Web site is found at www.iia.net.au/index2.html. The IIA codes are at www.iia.net.au/code.html. The privacy element of the code is in Code Version 5 which is at www.iia.net.au/Code5.html

[30] Internet Industry Association News release 18 May 2000, available at www.iia.net.au/news/000502.html

[31] See note [30].

[32] IIA Code of Practice – provision 8.2, available at www.iia.net.au/Code5.html#_Toc460304124

[33] www.health.gov.au/healthonline/ehr_rep.htm

[34] ACT Health Records (Privacy and Access) Act 1997

[35] The Privacy Commissioner argued that, to the extent that is reasonable, the protection for personal health information should be consistent with general principles for the handling personal information. This is because in many cases organisations hold both health and other personal information. The application of different privacy principles to specific types of personal information would be costly and create uncertainty for individuals and organisations. See www.privacy.gov.au/publications/pg2pubs.html#21.3

[36] An observer from the Office is on the working group.

[37] ACIF Alert, Winter 2000, page 8.

[38]  Office of the Federal Privacy Commissioner Strategic Plan 2000, available at www.privacy.gov.au/news/sp.html

[39] For details, see www.privacy.gov.au/pnet/index.html#1.5

[40]OECD Inventory of Instruments, page 68.

[41] See www.privacy.gov.au/publications/pg2pubs.html#28.1

[42] Available at www.privacy.gov.au/publications/pg1pubs.html#8.4

[43] This strategy is being co-ordinated by the Office of Government Online and is available at:
www.ogo.gov.au/projects/strategy/index.htm

[44] For details, refer to

www.ogo.gov.au/projects/publickey/index.htm

[45] “Shoppers flock to Cyberspace”, The Australian Financial Review, 29 December 1999, at
www.afr.com.au/content/991229/news/news3.html

[46] Reidenberg, Joel R Resolving Conflicting International Data Privacy Rules in Cyberspace, Stanford Law Review, Vol 52, May 2000, page 1318.

[47] The web site for the Global Privacy Summit is
www.privacysummit.com

[48] Kirby, Michael D “Privacy Protection – a New Beginning” 21^st International Conference on Privacy and Personal Data Protection - Conference Proceedings 5. Available at:
www.pco.org.hk/conproceed.html

[49] Cavoukian, Ann Can the OECD Guidelines Apply Online? Ontario Information and Privacy Commissioner, September 2000

[50] Much of this work can be found through:
www.oecd.org/subject/e_commerce/ and www.oecd.org/dsti/sti/it/consumer/index.htm

[51] The ISO is a global federation of national standards bodies from about 130 different countries.  The ISO’s work results in international agreements that are published as International Standards.

[52] Standards Council of Canada International Meeting/Workshop on Privacy and the Protection of Personal Data, “Final Minutes”, September 16 1999, Hong Kong, China, page 8.

[53] The full title is the Council of Europe Model Contract to Ensure Equivalent Data Protection in the Context of Data Flows 1992 .

[54] As applicable to the equivalent protection clause of the OECD Guidelines and the requirement for “adequate protection” under the EU Directive.

[55] The 1992 Council of Europe Model Contract was revised by the ICC in light of the EU Directive’s requirement of “adequate protection” in data exchanges.  The result was the ICC Model Clauses (For Use in Contracts Involving Transborder Data Flows).

[56] Organisation for Economic Co-operation and Development, Working Party on Information Security and Privacy Draft Report on Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection in Global Networks (Report on Transborder Data Flow Contracts) 1999 DSTI/ICCP/REG(99)15/REV3, page 13.

[57] OECD Report on Transborder Data Flow Contracts, page 42.

[58] It is difficult to establish a contractual relation between an individual browsing a Web site and the data controller of that Web site, until the individual selects goods or services advertised on the Web site for purchase, or provides payment details.

[59] OECD Inventory of Instruments, page 7.

[60] OECD Report on Transborder Data Flow Contracts, page 24.

[61] OECD Report on Transborder Data Flow Contracts, page 43.

[62] Information available at www.truste.org.

[63] Information available at www.bbbonline.com.

[64] Information available at www.cpawebtrust.org

[65] See www.epic.org and www.junkbusters.com respectively.

[66] Alderman, Ellen and Kennedy, Caroline normal The Internet, Consumers and Privacy Internet Policy Institute, July 2000, at www.internet.policy.org/briefing/current.html.

[67] Click here to go to Benchmarks For Industry-Based Customer Dispute Resolution Schemes.

Back to Top