The Senate Environment and Communications References Committee has released its report on "The adequacy of protections for the privacy of Australians online". If adopted, its recommendations would mean businesses here and overseas would need to change their online privacy, information and advertising practices.
The report is timely. In the United States, the Obama administration, via Assistant Commerce Secretary Lawrence Strickling, has urged Congress to enact a consumer data privacy framework which would set out baseline consumer data privacy protections, and Senator John Kerry is preparing a bill to protect online and offline commercial privacy.
The committee recommends that the Office of the Privacy Commissioner examine the issue of consent in the online context and develop guidelines on the appropriate use of privacy consent forms for online services.
Online behavioural advertising and a "Do Not Track" model
A lot of personal information is now available online to advertisers, including via social networking, cookies, browsing history as tracked by search engines, or web-based email services. As a result, advertising is increasingly targeted to an individual's interests and location.
In the US, the Federal Trade Commission has recommended a "do Not Track" mechanism be available, such as a setting similar to a persistent cookie on a consumer's browser which would tell sites the user visits whether or not the consumer wants to be tracked or receive targeted advertisements.
The Committee thus recommends that the Office of the Privacy Commissioner in consultation with web browser developers, ISPs and the advertising industry, should develop and impose a code which includes a "Do Not Track" model.
What's an Australian link?
The Privacy Act applies to companies incorporated in Australia, or overseas corporations with an Australian link, which means:
- there is an act or practice of the organisation which relates to the personal information of an Australian citizen or permanent resident; and
- the organisation carries on business in Australia and collects or holds the information in Australia.
If an Australian submits information online to an overseas organisation, however, it's currently unclear if the information has been collected at the point of upload (Australia), or wherever the organisation is based.
The Committee has recommended clarifying this in the exposure draft of amendments to the Privacy Act 1988, so that an organisation has an Australian link if it collects information from Australia.
Offshore data transfers
The Committee has recommended that all Australian organisations that transfer personal information offshore are fully accountable for protecting the privacy of that information. This would also require consideration of the enforceability of these provisions and possibly the Australian Privacy Commissioner's power to enforce offshore data transfer provisions.
Mandatory data retention proposal
In the European Union, Member States are required to adopt measures to ensure that metadata related to email, telephony and internet access is retained for between six months and two years (EU Directive 2006/24/EC). This measure is still being implemented in Member States.
Although the Australian Government has not announced a similar policy, there are rumours that it will do so, prompted by some limited industry consultation undertaken by the Attorney-General's Department.
The Committee has recommended that before it pursues any mandatory data retention proposal, the Government must:
- "undertake an extensive analysis of the costs, benefits and risks of such a scheme;
- justify the collection and retention of personal data by demonstrating the necessity of that data to law enforcement activities;
- quantify and justify the expense to Internet Service Providers of data collection and storage by demonstrating the utility of the data retained to law enforcement;
- assure Australians that data retained under any such scheme will be subject to appropriate accountability and monitoring mechanisms, and will be stored securely; and
- consult with a range of stakeholders."
A new way to sue for invasion of privacy
In 2008 the Australian Law Reform Commission recommended that the Government look at creating a statutory cause of action for serious invasion of privacy. The Committee thinks that the Government should act on this recommendation.
Amending the small business exemption
Small businesses which hold significant quantities of personal information, or which transfer personal information offshore, ought to be subject to the provisions of the Privacy Act.
The Committee recommends that the Government consider and respond to the recommendations in the Cyberspace Law and Policy Centre’s report: Communications privacy complaints: In search of the right path, which included:
- more co-ordination between the three agencies that handle privacy complaints in the communications sector: the Australian Privacy Commissioner, the Australian Communications and Media Authority (ACMA) and the Telecommunications Industry Ombudsman;
- consistent messages to consumers and industry; and
- providing each agency with a full range of regulatory tools.
It also recommends that the Australian Privacy Commissioner's complaint-handling role be expanded to more effectively address complaints about the misuse of online privacy consent forms.