Privacy Law and Policy Reporter
This submission goes mainly to the Committee’s term of reference (f) — the current framework for consumer protection. The Charter Council’s main concern is to ensure that internationally recognised privacy principles and fair information practices are applied to electronic commerce over the Internet. Because of the absence in Australia of comprehensive privacy law applying to the private sector, there is currently inadequate protection for consumers against the misuse of their personal information, including information relating to their financial interests.
Furthermore, there is a danger that, in pursuit of other legitimate public interests such as revenue protection and law enforcement, government authorities will over-react and introduce levels of monitoring of Internet transactions which impinge on important rights and freedoms that are essential characteristics of a free society.
It has been widely recognised by expert opinion both in Australia and overseas that a comprehensive and consistent framework of privacy or data protection law is an essential pre-condition for consumer confidence in electronic transactions. This in turn makes such a framework a pre-condition for business investment in new technology and services, and for acceptance of electronic delivery of government services.
If Australia is to gain the benefits of electronic commerce, adequate privacy protection must be guaranteed, and the Charter Council calls on the Committee to lend support to the establishment of a national statutory framework for fair information practices.
The Charter Council shares the widespread enthusiasm for the potential of the Internet as a new channel of communication which can enrich the social, cultural, educational and economic life of all Australians.
Specifically, Internet commerce can offer new levels of choice and convenience to consumers and citizens. Others are better placed to estimate the exact potential of the medium and its likely growth rates.
It is clear from numerous research studies, as well as from anecdotal evidence, that the public’s enthusiasm for the Internet, and other forms of electronic commerce and service delivery, is qualified by a range of fears and suspicions. Some of these, such as concerns about unsuitable content on the world wide web, are ill-informed and exaggerated, as the Australian Broadcasting Authority’s 1996 report on Online Content demonstrated. Federal and State governments have so far displayed a sensible and mature attitude to these aspects and avoided a disproportionate regulatory response.
Concerns about privacy are most obviously directed to a fear of unauthorised access and use of personal information, in other words about confidentiality and security of on-line transactions. Users of the Internet understandably want guarantees that their transactions cannot be intercepted or interfered with by third parties. (Important issues about interception by government authorities are dealt with separately below.) The most common manifestation of this concern is consumers’ unwillingness to give their credit card numbers over the Internet. While this fear may well be exaggerated, it is an important perception which needs to be addressed before consumers will feel comfortable about making payments over the Internet, whether by credit card or by the new generation of smart or stored value debit cards.
It is important to recognise however that privacy concerns extend well beyond confidentiality and security. People are also increasingly wanting to know how organisations they are dealing with propose to use any personal information they obtain from them, and demanding some control over those uses. In particular, there is strong resistance to the idea that businesses should be able to sell or give away personal details for marketing, or even to use them ‘in-house’ for selling unrelated products or services, without the consent of the customer. People also want a right of access to personal information held about them and an ability to challenge its quality, and have corrections made where necessary.
All of the rights explained above, and the associated obligations on organisations, are covered by most sets of privacy principles, including the Australian Privacy Charter principles and the Information Privacy Principles in the Commonwealth Privacy Act 1988. Commonwealth agencies are obliged to comply with the latter principles, and the government is committed to extending this protection to private sector contractors providing services to the Commonwealth. Given that this will result in a very large number of businesses having to comply with the principles for at least some of their activities, it is becoming increasingly anomalous that the same rules do not apply across the board. Members of the public find it inexplicable that they have privacy safeguards when dealing with Commonwealth agencies, but not when conducting transactions with businesses.
Most nations with advanced industrial economies now have comprehensive privacy laws. In our own region, NZ, Hong Kong, Taiwan and South Korea have passed laws which apply to the private sector. European Union members will have consistent laws by October 1998 and these will include provisions which will restrict the transfer of personal data to third countries without adequate privacy protection. Malaysia and Singapore are known to be preparing legislation to ensure that they are not disadvantaged by the European Union initiative. In the US, where there is resistance to the concept of a uniform privacy law, there is nonetheless a wide range of statutory controls in particular sectors and jurisdictions, and pressure is building for a more comprehensive response, not least to respond to the European laws. The US Administration has clearly flagged privacy as a key issue to be dealt with as part of the key infrastructure for the Information economy, and the private sector has effectively been given until mid-1998 to show that it can provide effective self-regulation. Japan has advisory guidelines for privacy protection in business, but is also closely following international developments. APEC Information Ministers have also acknowledged the privacy issue.
In short, Australia is in danger of becoming isolated in its response to privacy concerns, with potentially serious consequences for business confidence and investment and international trade, as well as leaving its citizens with a sub-standard privacy protection regime which will inhibit the acceptance of electronic commerce and service delivery.
It is particularly frustrating to find ourselves in this position when only a year ago there was a clear cross-party consensus on the need for a legislative response, with the Federal government clearly stating in its 1996 election policies that it would act to bring Australia up to international best practice standards.
The Charter Council can only attribute the Prime Minister’s March 1997 rejection of legislation to poor and ill-informed advice from a minority of the business community. Understandable concerns about compliance costs and red-tape can easily be satisfied with a well-designed light-handed statutory scheme such as that which has been operating for several years in NZ without significant adverse effects on business. On the other hand, businesses need to realise that the standard of privacy protection which the community is demanding, and which is necessary to engender confidence in electronic commerce, will require some effort and cost, in review of systems, training, and the provision of effective complaint handling mechanisms. These costs will be incurred even under the Prime Minister’s preferred voluntary self-regulatory alternative, but with the difference that all the costs will fall directly on business, rather than being spread across the whole community as would be the case with a statutory scheme. As the Privacy Commissioner’s exploration of the self-regulatory option has progressed, mainstream businesses are in any case increasingly coming to the realisation that a self-regulatory approach cannot work in this area since there is no way of ensuring compliance by irresponsible ‘maverick’ companies.
Concerns about privacy on the Internet are in some ways simply a subset of more general community concerns, and the obvious solution is the same consistent national statutory framework as is required for a range of other reasons.
However, there are some specific concerns that arise from the nature of the Internet and the proposals in relation to other public interests, about which the Charter Council would like to comment.
The Council welcomes the recent (October 1997) draft principles for consumer protection in electronic commerce issued for comment by the National Advisory Council on Consumer Affairs (NACCA), and in particular Principle 9 ‘Sellers must respect customer privacy’. NACCA expands on this general principle by reference to the OECD Guidelines (a general set of Information Privacy Principles on which the IPPs in the Privacy Act are based).
The NACCA also specifically recommends that ‘Selling or sharing of data with third parties must not occur without prior consent of the consumer’, and that Internet users should be informed about the proposed installation of so-called ‘cookies’ (programs installed on an Internet user’s computer by a world wide web site they have visited, which convey information back to the Web site), and given the choice of not receiving them, preferably on an opt-in basis.
The Council supports both of these specific recommendations, which start to address some of the more common abuses of privacy on the Internet. However, the Council is disappointed that the NACCA appears to believe that it is sufficient to rely on voluntary industry codes of practice to implement its privacy recommendations, when all the evidence is that statutory backing is required to ensure that all businesses operating through the Internet comply with these standards.
Clearly there are jurisdictional difficulties in regulating Internet commerce, as many businesses offering goods and services are located in other countries with no legal presence in Australia. However, the Charter Council believes that the best way of avoiding these difficulties in relation to privacy is to ensure that Australia joins other countries in legislating comparable enforceable standards, so that complaints can be referred to regulators in the country where a business is legally constituted, and consumers world-wide are able to obtain redress irrespective of the location of the organisations they deal with.
The ATO’s recent report Tax on the Internet includes the following recommendation principle:
well defined limits should be placed on transactional or user anonymity in electronic payment systems to ensure these do not become vehicles for tax evasion. This principle seeks to balance the right to privacy with effective administration of the tax law.
This principle conflicts with the Privacy Charter Council Principle 10 which states:
People should have the option of not identifying themselves when entering transactions.
However, the Charter Council recognises that this ‘Anonymous transactions’ principle is not absolute and will sometimes need to be qualified, in order to satisfy other public interests. The principle seeks to ensure that, wherever possible, anonymous options are provided. Revenue protection is clearly an important public interest, but the Council does not believe that it follows automatically that all transactional anonymity in electronic commerce has to be sacrificed.
For instance, the balance which the Tax Office paper refers to may well be struck by the use of threshold limits on the amount of a transaction, above which some record of the user’s identity needs to be kept. The use of such thresholds is already commonplace in the taxation, law enforcement (cash transaction reporting), and benefit administration areas of government. The Council would expect it to be possible, for instance, to exempt low value limit stored value cards and electronic purses (whether re-chargeable or not) from any record keeping or proof of identity requirement.
Another way of reducing the degree of monitoring and surveillance required to protect the integrity of the revenue base would be through changes in the tax mix. While the Charter Council would not claim any particular expertise in the area of tax reform, it is clear that some tax regimes require more detailed record-keeping than others. The Charter Council urges governments to consider the privacy implications of different regimes as part of the balance sheet in weighing up the pros and cons of tax reform options.
Pressure on the privacy of electronic transactions is also coming from law enforcement agencies, concerned about their ability to intercept communications and monitor transactions for a range of purposes, from speculative intelligence gathering to the collection of evidence for court proceedings.
The Charter Council is concerned about the current trend to grant law enforcement agencies increased powers to monitor the private affairs of individuals and the weakening of existing safeguards such as the need for judicial warrants.
One worrying example is the new arrangements for access to information held by telecommunications carriers and service providers under the Telecommunications Act 1997. The new regime involves a procedure for disclosure of customers’ personal information on production of a ‘certificate’ from a designated agency, which encroaches significantly on customers’ privacy and undermines the traditional protection offered by the warrant issuing process. Also, as a result of recent amendments, there is a requirement on telecommunications businesses to provide an interception capability, and, it is suggested, a decryption capability as well. This requirement pre-empts an urgently needed public debate on encryption policy, which the government shows every sign of wishing to avoid. At stake is the important balance in a free society between the confidentiality of private communications and the recognised need for access by the authorities, but only in strictly defined circumstances and subject to rigorous safeguards.
There is some evidence of a prevailing ‘just in case’ mindset amongst law enforcement agencies who are constantly seeking additional powers in anticipation of perceived but as yet unspecified and unquantified risks and threats. The report last year by former ASIO Deputy Director Gerard Walsh on encryption policy, which was only reluctantly released by the government in response to a Freedom of Information Act request, cautioned against an over-reaction. Mr. Walsh suggested instead a careful monitoring of the actual effect on law enforcement capabilities and effectiveness before any further restrictions are imposed or coercive powers adopted.
The Charter Council urges the Committee to recognise the importance of a well-informed debate about the acceptable parameters of access by government authorities to personal information generated in the course of electronic commerce, and to recommend that the federal government initiate such a debate before implementing any further changes to the powers of the state to intrude on individuals’ private affairs.
In this submission, the Charter Council has touched on some specific concerns about the privacy of consumers engaging in electronic commerce. It has also emphasised the need for a consistent national regulatory framework to create consumer and business confidence and unlock the potential for electronic transactions and service delivery.
The most urgent need is for the Federal government to recognise that a statutory framework is needed to provide certainty, consistency and enforceability for the implementation of privacy protection across all sectors. Sectoral codes of practice can play a valuable role in implementing the protection which consumers are demanding, but are not a substitute for a legislative foundation.
The Charter Council calls on the Committee to join the growing consensus, both within Australia and overseas, that a light-handed legislative response on privacy protection is an essential part of the legal infrastructure required to maximise the benefits of electronic commerce.