Privacy Law and Policy Reporter
In 2 PLPR 189-191, (at 195), and at http://www.anu.edu.au/people/Roger.Clarke/DV/SMSC.html, I reported on a project being undertaken by the Asia-Pacific Smart Card Forum - Australia (APSCF) to produce a Code of Conduct in relation to the application of smart cards.
The Code was launched at Parliament House on 27 November. This article provides a brief overview of the document, followed by some evaluative comments relating to both the Code and the Code’s legal context.
Australia has a significant number of information technology provider companies in the area of cards, card-accepting devices and network applications software. They are highly innovative, and have achieved considerable export success.
Those companies, aided and abetted by the Department of Industry, Science & Tourism, are eager to see this industry sector expand, and believe that a strong local market for smart card technology will be a valuable springboard for further success in export markets.
They are well aware how vital it is that the public feel confident in smart card schemes. They have therefore developed a Code of Conduct for the smart card industry, in order to set the framework within which schemes are to be developed.
Development of the Code was commenced in late 1995, and continued through 1996. It was undertaken by a Working Group comprising an APSCF Director as Chair, three members of APSCF (one of whom was the author of this paper), and three members representing watchdog agencies and public interest groups. Public submissions were called for.
The Code was completed in November 1996. Delays were subsequently encountered, however. One was the need for the Forum to be incorporated before the Code’s release. Another was lengthy negotiations with the major banks in an attempt to gain their acceptance of the Code. They eventually declined to accede to it, on the grounds that they have arrangements of long standing in relation to privacy and consumer interests, and that they are seeking to avoid being subject to multiple regulatory regimes.
The Code binds members of the Forum, and non-member organisations that choose to subscribe to it. It is framed in such a manner that more detailed ‘Complying Industry Codes’ can be prepared.
A series of requirements are stated relating to the privacy of personal information that may be associated with an identifiable user or users of a smart card. The provisions are structured in a manner broadly consistent with, and reconcilable against, the OECD Principles.
Further provisions relate to terms and conditions applying to smart-card-based services, in particular in the event of loss and misuse of a card.
Responsibilities are defined in relation to staff education and training, and dispute handling by individual companies. Sanctions procedures are specified that are to be undertaken by the Smart Cards Forum.
A mechanism is created for progressive adaptation of the Code as the technology develops. This involves a Code Advisory Committee with a similar structure to that of the Working Group that drafted the Code in the first place.
The Chair was Colin Simpson, of the Western Australian group ERG. The APSCF members on the Committee were Lin Ison of the Commonwealth Bank, Jane Drexler from Telstra and Roger Clarke from Xamax Consultancy.
The public interest representatives were Kathy Leigh, Head of the Privacy Branch of the Commonwealth Attorney-General’s Department, Chris Connolly of the Policy Network, and Ann Stringer of the Consumer Credit Legal Service.
There are many positive aspects about the Code. The process was genuinely consultative, the parties involved were united in seeking a constructive outcome, no serious arguments took place, and there do not appear to be any aspects of the Code that cause any of the participants undue discomfort.
Because the privacy provisions are readily related to the OECD Guidelines, the Code is auditable, and it fits within the privacy mainstream not only in Australia, but worldwide.
The process was undertaken sufficiently early in the life of smart card applications that scheme designers are able to factor it into their projects. In particular, the sponsor of what appears likely to be the first large-scale smart-card implementation, Telstra’s new chip-based telephone card, is subject to the Code.
It appears to be a world-first, and has attracted interest from both technology providers and regulators in other countries.
A couple of matters raised in my article in PLPR in January 1996 were not addressed. The Code applies to members of the APSCF and to organisations that choose to subscribe to it; but it does not force them to impose conformance on their associates in any given project. It therefore sows seeds, but leaves gaps in the field. How large those gaps turn out to be will depend on a number of factors.
The Code does not impose on subscribers any requirement that they conduct consultation with stakeholders as part of the scheme design process, nor that they publish a privacy or consumer impact statement. Whether these important aspects are features of forthcoming projects will therefore also depend on the interplay between advocacy organisations and the industry.
No implementation of the public access principle is included; that is, there is no provision whereby access to information about smart-card schemes needs to be freely available to any interested party. The dispute resolution process can be invoked only by card-holders, and not, for example, by consumer advocates or regulatory agencies, and perhaps not even by agents of card-holders.
Finally, meshing of the Code with pre-existing regulatory arrangements will be challenging for some industries. This was a factor in the decision by the major banks to withdraw from the Forum. Given that the major banks may be very large issuers of cards, this could undermine the Code’s effectiveness.
The significance of these weaknesses could be great or quite minor, depending on the industry’s path of development.
As the Code was being developed, the general expectation was that it would fit within a limited statutory framework. This was partly because industry and public interest advocates are in general agreement that the most effective and efficient forms of regulation include elements of corporate responsibility, industry association activities, and a background layer of legislative stiffening. Another factor was that the (then new) Government’s platform included a commitment to a ‘co-regulatory’ approach to privacy protection in the private sector.
Like many other elements of an incoming government’s nominal platform, the term ‘co-regulatory’ had a very short shelf-life. The Prime Minister jettisoned the commitment in March 1997. This has left the Smart Card Code of Conduct exposed, and with it the members of the Forum that have committed to it.
Competitors to the Forum’s members can stay outside the industry association, and thereby avoid its requirements, and the costs and efforts that they entail. The Code, like any self-regulatory instrument, will be meaningless unless it is given a context. The elements of that context are Parliamentary imprimatur, comprising obligations on all industry participants to comply with a consultative, industry association-administered Code, sanctions for non-compliance, and a watchdog agency with sufficient powers and resources to create the incentive for the scheme to work.
The Privacy Commissioner participated in the launch, and expressed her encouragement to non-member technology providers to adopt the Code. This is pleasant, but has very limited motivational force, least of all on those maverick organisations most likely to apply the technology in ways that abuse privacy.
The Attorney-General also participated in the launch. The superficiality of his messages was remarkable. He attempted to portray the Code as being the first response by industry to the Prime Minister’s call to industry to develop self-regulatory codes; whereas the words in the document he was launching were in place five months before the Prime Minister’s volte-face. He also referred once again to the Government having ‘made available the services of the Privacy Commissioner’; whereas most of the audience was well aware that no additional budget was provided to her Office, and the budget cuts of 40 per cent were left in place.
The Smart Cards Code has the potential to support a breakthrough by the Australian smart cards industry into a new level of business activity, by assuring privacy advocates, representatives of consumers, and the general public, that the public’s interests are appropriately protected.
It is an enormous disappointment that the Government is so out of tune with the sentiments of not just consumers, but also business. The good that this Code can deliver to Australian society is grossly undermined by the failure of the Government to establish the thin official layer that would ensure its effectiveness.
Copies of the Code are available from the Asia-Pacific Smart Card Forum, GPO Box 1966, Canberra ACT 2601. Contact Deborah Stanley on (02) 6247 4655; fax (02) 6247 4840; email email@example.com.
Roger Clarke, Principal, Xamax Consultancy Pty Ltd, Canberra. This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/SMSC2.html