Privacy Law and Policy Reporter
This is an edited and abridged version of Telecommunications Industry Ombudsman John Pinnock’s paper to the 1997 Australian Privacy Summit organised by IBC Conferences and held in Sydney on 21 October 1997. (Ed)
The co-regulatory model (under the Telecommunications Act 1997) reflects a more sophisticated and comprehensive set of checks and balances than existed under the previous legislation so far as privacy protection is concerned. However, the question — how successful will the new regime be in grappling with the challenges posed to privacy by emerging and new forms of technology — can only be answered in the longer term. This fact serves to highlight the dilemma posed by the juxtaposition of national legislation on the one hand and industry regulation on the other. There is no doubt that, as industry sectors move closer under the influence of converging technologies, there is a strong argument in principle for a national legislative approach to privacy.
Under the previous regulatory model, privacy protection was both fragmented and uneven in its application, leading to largely ad hoc responses to specific problems. Nevertheless, it contained a number of important legislative protections as well as non-legislative ones.
Although itself ad hoc in nature, the Privacy Advisory Committee established by the former industry regulator, AUSTEL, made a significant contribution to the issue of privacy protection in the telecommunications sector with reports on:
While these reports were recommendatory only, they were highly persuasive [but see Tim Dixon’s article in this issue. (Ed)].
Further, the earlier creation of the TIO Scheme cast specific privacy protection obligations on the then carrier members of the Scheme.
While the carriers — Telstra, Optus and Vodafone — were required as a condition of their licences to establish, maintain and comply with an Ombudsman scheme, the content of the scheme, or jurisdiction of the Ombudsman, was left to the carriers. For present purposes, the most relevant jurisdiction given to the TIO was investigating and facilitating the resolution of complaints concerning:
interference with the privacy of an individual in terms of non-compliance with the Information Privacy Principles contained in s 14 of the Privacy Act or any industry specific privacy standards which may apply from time to time.
However, the level of protection was far from satisfactory, because only the three carriers were required to be members of the TIO scheme. Only 16 service providers had joined the TIO scheme voluntarily by 30 June 1997.
As the following table shows, initially complaints about breaches of privacy proved to be a significant concern for the TIO, before falling off over recent times [as a share of all complaints (Ed)].
It is not possible to be certain as to the reasons for this relative decline in privacy complaints, although it should be noted that the majority of privacy related complaints concern Telstra. The figures therefore suggest some improvement by Telstra in this area.
The limits on the privacy ‘reach’ of the TIO were removed by the Telecommunications Act 1997, Pt 10 of which requires all carriers, as well as ‘eligible carriage service providers’ to join the scheme. Section 245 of the Act defines eligible carriage service providers as those service providers who:
It is estimated that there are between 70 and 90 ‘traditional’ service providers in the industry, and in excess of 500 Internet Service Providers [ISPs]. The membership of the TIO scheme has increased from 19 at 30 June to more than 250.
While the TIO is a key element in the co-regulatory approach under the new legislation, it is only one element.
[See Codes of Practice section of Frances Wood’s article in this issue for a summary of the Codes of Practice provisions, which John Pinnock’s paper also covered. Pinnock points out that Codes may confer powers and functions on the TIO, who must also be consulted before a Code is registered by the ACA. Pinnock goes on to comment about the new regime in general: (Ed)]
One thing that can be said about this co-regulatory model is that it is not cheap. Indeed, as an example of a model which might reduce the costs of compliance in relation to privacy protection (or the host of other industry issues), it is a matter of debate whether the costs will be any less than those associated with a fully comprehensive national privacy scheme.
Without a doubt, the greatest challenges to the protection of personal information in the communications industry are those posed by new technologies. The issues, however, are not new. They are the very same ones that have confronted everyone interested in the appropriate limits on the collection, storage and release of personal information in recent years. It is worth remembering this fundamental point as an antidote to the often repeated refrain that the speed of technological change outstrips the ability of society to accommodate it.
Nonetheless, it is true that new technologies usually bring new problems in applying privacy protection principles quickly and successfully. For that reason, it is essential that those principles be taken into account when developing technology.
[Pinnock then commented on Calling Number Display — see Tim Dixon’s article in this issue. Specific points made by Pinnock include: (Ed)]
While there seems to be a strong demand for CND from parts of the commercial sector, from the point of view of many consumers, CND, at least at first sight, appears to be an example of technology-push, rather than demand-pull.
The AUSTEL Privacy Advisory Committee’s recommendations for introduction of CND included that:
In view of the decision by the Commonwealth Government not to extend the Privacy Act into the private sector, this (last) point is of crucial importance.
[Commenting on the 80 per cent public awareness target for the CND campaign, Pinnock says: (Ed)]
It is interesting to note that research conducted at the time of Telstra’s CND trial in Wauchope showed that, by the end of the trial, 74 per cent of ‘send-only’ participants [that is, those without display phones (Ed)] knew that they were sending their phone number with every call.
[Pinnock’s paper continues: (Ed)]
Although I have previously used the more common term of Internet Service Provider, from the point of view of the TIO the Ombudsman’s jurisdiction commences with access to the Internet, and so the more appropriate term is Internet Access Provider (IAP).
The case statistics for the TIO scheme for the last quarter, July-September 1997, since IAPs have been required to be members, are far too small a sample from which to draw reliable, or indeed any, conclusions. The TIO handled 11,788 cases in that quarter, of which 249 cases (about 2%) concerned IAPs. Only 1.61 per cent [4! (Ed)] of those cases were privacy related.
At this stage, a better guide to the likely impact of the Internet on privacy is shown by the research conducted by www.consult in its online survey for the June quarter 1997. This showed that privacy related issues were of concern to almost 20 per cent of Internet users. The TIO’s case statistics largely reflect the public level of awareness of the TIO and of its role. As Internet access is a relatively new jurisdiction for the Scheme, it is quite likely that there will be an increase in the level of privacy related complaints to the TIO.
It is imperative, therefore, that the Internet industry both comes to grips with the Information Privacy Principles contained in s 14 of the Privacy Act and is actively involved in the development of the Consumer Privacy Code being developed by ACIF.
In summary, the co-regulatory regime developed for the telecommunications industry provides a framework for a more comprehensive approach to privacy protection.
While it is too early to say whether this approach will be successful in meeting the challenges of new and emerging technologies, the model does have the advantage of covering a broad spectrum of participants and being sufficiently flexible to accommodate issues arising from the convergence of technology.
John Pinnock, Telecommunications Industry Ombudsman.