Privacy Law and Policy Reporter
Is the Commonwealth Privacy Act 1988 to be extended to the private sector, giving Australia a national privacy law? After the Government's 'Innovate Australia' statement (6 December) no one is still quite sure.
'Innovate Australia' contains other announcements significant for privacy, concerning encryption, public key infrastructure, interception, and censorship, some equally cryptic.
The Sydney Morning Herald on 2 December contained a confident report by Michael Millet:
The Federal Government is planning a radical extension of privacy legislation to the private sector to protect consumers in the information age.
The move has the backing of Federal Attorney-General, Mr Lavarch, and his junior Justice Minister, Mr Kerr. It is understood a joint submission proposing the extension of Commonwealth privacy law to the public sector was endorsed by Cabinet late yesterday.
The new legislation would set down detailed principles governing the flow of personal information in private industry and establish codes of practice in industry sectors.
This approach was adopted in NZ in its 1993 Privacy Act, which becomes binding mid-next year.
Officers of the Attorney-General's Department had for some weeks been holding consultations with industry, consumer, and privacy representatives about possible extensions of the Privacy Act to the private sector.
The Prime Minister's 'Innovate Australia' statement on 6 December, where it was expected that plans to revise the Privacy Act would be announced, was rather more cryptic. All that the statement says, after acknowledging that 'there is no general privacy scheme covering data held by non-government bodies' is that:
The government has decided to develop an effective, comprehensive scheme to protect individual privacy which does not impose unnecessary burdens on business and the community.
The use of 'scheme' seems to carefully avoid an unambiguous commitment to legislation, let alone Federal legislation. (The full extracts from 'Innovate Australia' which deal with issues affecting privacy are contained on the following pages.) Perhaps this is not surprising in an election climate.
A subsequent joint Press Release (10 December) by Attorney-General Lavarch and Justice Minister Kerr simply repeated the 'comprehensive scheme' formula, but added that the NZ Privacy Act was 'one model' that the Government will look at. Newspapers interpreted this as the announcement of 'sweeping new laws'.
Shadow Attorney-General Senator Amanda Vanstone was unable to announce any new policies in advance of the Opposition's release of their justice policy for the election. However, a spokesman said that privacy was important to the Coalition and will feature on their legislative agenda, and that they have been monitoring NZ's 'co-regulatory' approach.
Current Coalition policy (that is, as released from the last Federal election) does not include any commitment to privacy protection concerning private sector information practices. However, there is a commitment to legislate concerning 'interference with communications, optical surveillance and unsolicited communications'.
A couple of days before the Herald 'scoop', Democrat Senator Meg Lees announced in the Senate (Hansard, 29 November 1995, 4324) that the Democrats would table in the next session of Parliament a Privacy Amendment Bill 1996, to amend the Privacy Act to extend it to the private sector.
Senator Lees cited an accumulation of factors pointing toward the need for such legislation, including international influences such as APEC's Seoul Declaration recognition of the need for privacy in the Asia-Pacific Information Infrastructure (APII), the EU Privacy Directive, and important local calls for such reform from the National Information Services Council, the Broadband Services Expert Group, the Privacy Commissioner and the Australian Privacy Charter Council.
Senator Lees tabled an outline of the proposed elements of the Democrats' Bill. It contains many innovative elements, among which are the ability of the Privacy Commissioner to issue codes of practice developed in cooperation with industry groups and others, to replace the content of the Act's Information Privacy Principles (much like the NZ Act). Additional privacy principles are proposed, including a 'purpose justification' principle which will allow the Commissioner to make reports to Parliament where he considers that an information system or practice is against the public interest, and a principle limiting the use of unique identity numbers. The principles are based very strongly on the Australian Privacy Charter (see 2 PLPR 44).
The Innovate Australia decision to 'establish an expert group to define the form and scope of possible legislation for electronic commerce' is very significant, as that group will have a major role in determining Australian policy on encryption and the form of public key infrastructure to be adopted here. The 1990 Cabinet decision that 'all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes' (see 1 PLPR 161) implies that strong encryption will either be not allowed, or required to be subjected to some process which allows warrants to be effective to obtain private keys (for example 'private key escrow' schemes). Whether this 1990 approach is to change, or is to be accommodated into a national encryption policy, is one of the big privacy issues of the near future.
It is clear that the e-commerce expert group will not provide the only inputs, as apparently separate reviews are also envisaged of 'capacity of existing law to deal with criminal activity involving electronic networks' and 'the impact of voice and data encryption on law enforcement'. Whether this latter review is identical with the 1997 review of telecommunications interception promised by the Attorney-General in his second reading speech to the Telecommunications (Interception) Amendment Bill 1994 (see 2 PLPR 153) is unclear from Innovate Australia.
Given this background, the Government's commitment to 'work with Standards Australia to ensure security is available for all users at levels appropriate to their needs' (emphasis added) seems to be a very careful wording which leaves the door open for some 'two tiered' system of encryption where strong encryption is only allowed to 'trusted' users in business and government, whereas others must make do with weak encryption. Some statements by Attorney-General's security officers, such as Steve Orlowski's well-known conference paper (see http://www.anu.edu.au/people/Roger.Clarke/11/Orlowski.html) have been interpreted as unofficial floats of such an approach, though this has been disputed.
The extent to which censorship regimes for the Internet intrude into what would in other media be regarded as largely unregulated private communications, and the possible unintended effects of censorship regimes in destroying the previously public nature of cyberspace, are important privacy issues (see 2 PLPR 148). The potential of encryption as a means of avoiding content regulation is another area into which the encryption debate will intrude. The ABA's online services inquiry is described in Innovate Australia as 'a major investigation of the likely community impact of new services' which, together with reviews of the Broadcasting Services Act, will allow the Government to develop 'a strong and coherent framework for the regulation of content'. Whether the ABA enquiry manages to create a 'major' opportunity for rational debate in this area, in face of the headlong rush of the states to censor, remains to be seen.
Graham Greenleaf, General Editor
The following extracts are from the Government's 'Innovate Australia' Statement, in the chapter 'Information and Communications Services and Technologies', which can be found at URL http://www.dist.gov.au/events/innovate/itt.html
5.2 Privacy and consumer protection
The Government will act in response to growing community concern about the effect of information services on privacy of data and personal information. The Privacy Act 1988 currently safeguards privacy in the Commonwealth public sector but there is no general privacy scheme covering data held by non-government bodies.
The Government has decided to develop an effective, comprehensive scheme to protect individual privacy which does not impose unnecessary burdens on business and the community. It will consult widely with the private sector, consumer and community groups and the states and territories regarding the development of such a scheme, and will build on work already undertaken by the Australian Law Reform Commission, the Administrative Review Council, the National Information Services Council and the House of Representatives Standing Committee on Legal and Constitutional Affairs. Consumer protection in an electronic environment is also a potential concern. Australians need to be confident that they are not at risk of fraudulent or unfair trading behaviour. The Government's consumer protection agencies are examining the current provisions of the Trade Practices Act 1974 and its applicability to electronic networks.
5.4 Regulation of electronic commerce
The Government is addressing the legal framework for electronic commerce. The Government will establish an expert group to define the form and scope of possible legislation for electronic commerce and will consult extensively with interested bodies. The objective is to have electronic commerce law consistent with model laws being developed in international forums, especially of the United Nations.
Security of data and transactions will be essential if electronic commerce is to develop rapidly. However there are gaps in both the public and private sectors. The main technique for ensuring security is encryption, which protects confidentiality of data and helps to ensure authentication, integrity, and non-repudiation of electronic contracts. The Government will work with Standards Australia to ensure security is available for all users at levels appropriate to their needs. The Attorney General's Department will also examine the impact of voice and data encryption on law enforcement. Business and users need to feel confident that the criminal law and law enforcement generally has not been weakened by electronic networks. The Government will review the capacity of existing law to deal with criminal activity involving electronic networks, and to assess their impact on law enforcement and will also work with non-government bodies to address these issues.
Australia will host an OECD conference on Security, Privacy and Intellectual Property in the Information Infrastructure in early 1996.
5.5 Regulation of content of online services
The availability through online services of objectionable material, such as child pornography, violent, racist or sexist material, has been a significant community concern, particularly in relation to children seeing such material. The information services industry is responding to this concern by developing software which screens out undesirable material (see Box 7 [omitted]).
The Government established a task force to consider the regulation of bulletin board systems, and a consultation paper was released in July 1995. The Commonwealth, states and territories have agreed on a regulatory framework involving self regulation by service providers through a code of practice and a complaints mechanism, together with the introduction of state and territory offence provisions to provide sanctions where necessary. An education strategy is also being considered to address the issue of access by children to inappropriate material on networks.
One area of community concern has been the exposure of children to violent or other materials which, while adults are legally allowed to view them, are considered inappropriate for children. In the US there have been proposals for development of electronic circuitry (generically known as the 'V chip') designed to allow parents or other carers to block display of TV programs with ratings unsuitable for children. These proposals, and other technological solutions, are currently being debated not only in the US but also in other countries. The Government has asked the Australian Broadcasting Authority (ABA) to investigate the nature and content of online services and to advise on measures to meet community concerns and expectations. The investigation will include examining technological solutions (such as those arising in the 'V chip' debate) for controlling access by children to violent or other unsuitable television programs.
The ABA's online services inquiry is a major investigation of the likely community impact of new services. It will provide valuable insight into the expectations the community has for the need to regulate the content of these services. This major undertaking, together with reviews of the Broadcasting Services Act by the Minister for Communications and the Arts, will allow the Government to develop a strong and coherent framework for the regulation of content in the same way that it has developed a comprehensive policy framework for telecommunications after 1997.