Privacy Law and Policy Reporter
Corporations and government agencies in many different sectors are currently considering applying chip-cards to their business needs. Many of these organisations recognise that the technology has significant implications for social values such as privacy, and for consumer acceptance of their products and services. This message was clearly conveyed by the public appearance in December 1995 of a draft Code of Conduct (see The Key Privacy Provisions on p 190 in this issue).
The draft Code was prepared by a consortium comprising representatives of the Asia-Pacific Smart Card Forum (APSCF), which is a recently formed industry association hosted by the Australian Electrical and Electronic Manufacturers' Association (AEEMA), the Commonwealth Department of Industry, Science & Technology (DIST), and the Warren Centre for Advanced Engineering at the University of Sydney.
Promises to develop self-regulatory schemes are standard procedure for industries that feel themselves under threat of regulation by parliaments, and many of the proposals which emerge in this way are still-born, entirely token, or ineffectual.
On the other hand, complex and quickly-changing technologies are not amenable to the slow and turgid processes of conventional law-making, and codes of conduct can provide valuable learning experiences for regulators. Moreover, the most practicable schemes to protect the public interest may comprise limited statutory frameworks, public 'watchdog' agencies, and codes established, maintained and administered by the industry under the watchful eyes of regulators and public interest advocates.
Is the smart card industry's draft Code of Conduct a token defensive manoeuvre or a worthwhile building block for a regulatory regime? The jury will remain out for some time yet, until the final version of the Code is published. There are some positive signs, however. The initial draft demonstrates considerable understanding of the nature of public concerns, and its prescriptions are moderately consistent with privacy and data protection guidelines.
As could be reasonably expected of an industry-designed code, its implementation would not be unduly onerous on the corporations and agencies which will be applying the technology. But then this is desirable not only from the perspective of those organisations, but also from the viewpoint of the public, because it increases the likelihood of compliance.
Briefly, the Code is intended to commit members of APSCF, and other organisations which choose to be bound by its provisions (the 'Code subscribers'), to a set of good practices. These primarily relate to the handling of personal data, although some deal with other consumer rights issues, in particular the loss, theft and unauthorised use of smart cards. It contains sets of general and specific principles, reproduced adjacent to this article. Terms and conditions for holders of smart cards are to be consistent with the Code. Dispute resolution and sanctions procedures are specified.
The detailed design of the draft Code contains some features of significance, such as the clear statement of consent provisions ('freely-given, specific and informed') and the reference to disclosures 'compelled by law', rather than the more common and much looser formulations such as 'authorised by law', and 'consistent with law'.
There are areas in which the draft Code needs to be improved, if it is to achieve its aim of satisfying public needs, and clearing the way for implementation of schemes. One difficulty is that the structure of the Code does not 'map' readily across to the key sets of privacy principles, in particular the OECD Guidelines to which Australia is a signatory.
Another concern is that protections are needed not just for card holders, but for people generally (for example, the parents, children, employees and employers of card holders). Similarly, access to information about smart card schemes and the ability to submit complaints to the dispute-resolution procedure need to be freely available to any interested party (including, for example, consumer advocates, regulatory agencies and parents of card holders).
To represent an effective control, the applicability of the Code must extend beyond each scheme's sponsor to all parties involved in services delivery, and even to manufacturers of the devices and software used. There needs to be a requirement that a set of measures be implemented in each company to ensure that staff practices reflect the corporate commitment.
It is also highly desirable that communications exist back to the research laboratories and the standards committees which originate and articulate the technologies on which the schemes are based. It is highly desirable that sponsors recognise that their schemes have wide implications and that many different stakeholders are affected. The most effective way to evidence that awareness is to prepare and publish impact statements, at least in relation to privacy, but preferably also in respect of consumer rights and such other social impacts as may be significant in each particular project.
It remains to be seen whether the industry will be able to achieve a consensus, and establish a meaningful Code. In the normal course of events, it is to be expected that the late adopters of a potentially successful technology will seek to slow down the pioneers and early adopters; and obstruction to the process of development of this Code would be one way to achieve that aim.
There are also substantive issues to be resolved. Can a Code be expressed in sufficiently general terms that it can apply to such distinctly different application areas as financial services, transport, health, building access and community services; and yet with sufficient specificity to represent a genuine and a credible protection of human interests?
Can a Code that relates to chip-cards be meshed with pre-existing laws, policies, procedures and practices? This requires particularly careful consideration in the financial services sector, where the Privacy Act already has some impact, and the initiative needs to be reconciled with the EFT Code of Conduct and the Banking Industry Ombudsman, and with developments that are proceeding slowly in each of those areas.
It is understood that the Smart Cards Forum is in the process of establishing an advisory committee which will augment the four-person drafting team. It will continue to seek, receive and consider submissions from industry, regulatory agencies, consumer and privacy interest groups, and the public generally. An early and ambitious target of finalising the Code by March 1996 has been eased, and a mid-year date has been set.
Roger Clarke, XamaX Consultancy Pty Ltd, Canberra (tel +61 6 288 6916, e-mail Roger.Clarke@anu.edu.au)