Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Greenleaf, Graham --- "National privacy laws needed, says O'Connor" [1994] PrivLawPRpr 45; (1994) 1(4) Privacy Law & Policy Reporter 63

National privacy laws needed, says O'Connor

Recently, Australian Privacy Commissioner Kevin O'Connor called for ''a national co-ordinated policy approach to privacy issues' based on the Privacy Act.

At the ATUG '94 Conference, Commissioner O'Connor argued that ''we have been getting by with a limited, piecemeal approach, but we can do so no longer'. After reviewing the patchwork of laws and codes regulating telecommunications privacy, he outlined his preferred approach as follows.

The complexities involved in the network and broadband services developments now taking place are such that clearer direction on social policy implications will need to be given by government. Though this may seem self-interested, it seems to me that a national privacy policy must be framed and set out in the obvious place, the Federal Privacy Act. The Privacy Commissioner's Office should have an ultimate role. That does not preclude the use of sector-specific, standards-setting, advisory and complaints-handling mechanisms.

My experience as Privacy Commissioner suggests to me that industry and competitive pressures to take risks with individual privacy in order to gain market advantage will be strongly present in the environment of these new technologies. Reliance on industry-based groups to get the social policy equation right will produce controversy, uncertainty and dissatisfaction.

Individuals will, I believe, expect government to articulate a national policy and to participate positively in supra-national policy endeavours. The policy needs to be one which deals consistently with interferences with privacy regardless of who is responsible for them in the new environment. Individuals will expect that the system of privacy regulation will be overseen by a neutral regulator, having an explicit privacy focus.

The privacy protection framework that accompanies the development of new communications services should avoid a fragmented approach and one which rests the oversight role in bodies with only a marginal involvement in privacy issues, both of which are obvious problems of the current regulatory approach.

Moreover, my experience as Privacy Commissioner also suggests that Australian businesses that belong to sectors which use personal information intensively (for example, direct marketing, credit reporting, financial services) recognise the increasing extent of national and international concern among relevant policy-makers over privacy issues. They are looking, for obvious efficiency reasons, for a coherent, uniform, national response reflecting the seamless nature of the new technologies.

Domestically the nine governments in Australia are being required by considerations of logic and efficiency to minimise duplication of activity and to take co-operative approach in areas such as law enforcement and the provision of health and other human services. In my area of responsibility these pressures manifest themselves in increasing pressure for the sharing of personal information held on citizens for official purposes. For example, I have pointed out on a number of occasions that it is unfair for data first acquired by the Commonwealth, and at that point subject to the protection of the Privacy Act1 988 (Cth), to lose that protection once it passes into the hands of a State authority.

It seems unlikely that Australians will ever have the same privacy rights unless governments commit themselves to introduce nationally-consistent data protection legislation.

I consider that the Commonwealth is well-placed, despite the complications of Federal-State distribution of powers, to act in a coherent way in this area. The telecommunications power (Constitution, s51(v)) provides in my view the legal basis for the Commonwealth taking charge of many of the issues that I have raised.

If we do not act in response to the local demand, international pressure may force action. Apart from its work directly related to the information infrastructure, the Commission of the European Union is seeking to achieve an equivalent level of data protection throughout the Union. It has prepared a draft directive on data protection which sets out principles, and sets out a balance of interests between collectors, users and data subjects. It is likely to be finalised and brought into force in the next 12 to 18 months. Data would only be likely to be transferred to countries outside the Union where protection is adequate or where other appropriate safeguards exist. Moreover, it has been reported recently that the US and Europe plan to set up a joint working group to co-ordinate laws and technical standards for regional information superhighways.

(Extract from Commissioner O'Connor's speech to the ATUG'94 Conference, Melbourne, 2-5 May 1994.)

A new approach to a national policy

At the Privacy Issues Forum in Auckland, Commissioner O'Connor outlined some of the problems in developing a national policy appropriate to technological developments.

Framing a national policy will raise some new questions. The new interactive, multimedia communications technologies and the information superhighways, of which they will form part, involve ways of handling, storing and moving information which may place particular stress on some of the assumptions on which current information privacy principles are based. The assumptions under pressure from these new technologies include:

(a) that it should be possible to identify a single record-keeper who is responsible for controlling the data in accordance with the principles;

(b) that comprehensive blocks of data are organised within separate self-contained systems controlled by separate organisations;

(c) that most, if not all, of the data concerning the performance of an organisation's key functions are held by the organisation itself; and

(d) that an organisation has the capacity to amend and rectify the data upon which it relies in dealing with individuals.

Increasingly the information on networks will neither originate from, nor reside in, a single point.

A recent US study has suggested that it may, as a result, be unworkable in the information environment of the future to rely on the ''home' institution to bear all information privacy responsibilities.

So while the Australian and New Zealand laws (shortly to be joined in the Antipodes by one in NSW), make important advances in protecting the privacy of citizens, the exigencies of the new information environment will continue to test the adequacy of the current frameworks and the technical assumptions on which they are built

(Extract from Commissioner O'Connor's speech to the Privacy Issues Forum, Auckland, 12 May 1994.)

Graham Greenleaf