Privacy Law and Policy Reporter
Compiled by Graham Greenleaf and Nigel Waters
The Commonwealth Government’s ‘outsourcing amendments’ to the Privacy Act 1988 (Cth), contained in the Privacy Amendment Bill 1998 (see (1998) 4 PLPR 181) have been referred by the Senate to its Legal and Constitutional References Committee. The wide-ranging terms of reference require the Committee to report on virtually all aspects of privacy regulation and the private sector, including the need for Commonwealth privacy legislation to be extended to the private sector, the effectiveness of any privacy scheme without legislative backing, the appropriateness of the Privacy Commissioner’s ‘National Principles’ as the basis for co-regulation, and the appropriateness of the outsourcing amendments in light of all of that.
Submissions are due by 1 July, and the Committee will then hold hearings from mid-July and is required to report by 12 August 1998. It’s a short time frame for an important inquiry.
The Privacy Commissioner’s attempt to develop a national approach to privacy self regulation has taken another step, though one would hesitate to call it ‘forward’. The Commissioner called a meeting in May to consider methods of implementing her ‘National Principles’ (see (1998) 4 PLPR 161) through self-regulation. As they had previously indicated they would do, all privacy, consumer and civil liberties organisations boycotted the discussions since legislation-backed schemes were not under discussion. This left a small number of business representatives to continue discussions with the Commissioner. It will be interesting to hear the Commissioner’s evidence to the Senate Committee concerning the effectiveness of schemes without legislative backing.
In contrast, representatives of law enforcement, revenue collection and national security bodies met with business, consumer and privacy groups at a meeting called by the Privacy Commissioner earlier the same day, in order to discuss the exceptions in favour of those organisations in the Commissioner’s ‘National Principles’ (see (1998) 4 PLPR 162). Privacy and consumer advocates are continuing their involvement in discussion of principles which could be implemented by legislation as well as by other means. Further meetings are planned, and are significant as probably the first time in Australia that law enforcement interests have discussed their investigative needs directly with the sources of data (businesses) and the individuals concerned (customers).
The International Standards Organisation Ad Hoc Advisory Group on privacy (AHAG) reported to the ISO’s Technical Management Board (TMB) in June. To no one’s surprise, the group was unable to achieve consensus. The group’s recommendation concludes:
Given the increased level of interest in data protection, as well as the differing views, outstanding issues, and major initiatives expected to develop in the next six to twelve months, the AHAG is of the view that it is premature to make a determination on the desirability/ practicality of ISO undertaking the development of International Standards relevant to the protection of personal information.
The TMB has deferred further consideration until its September meeting. (Source: Chris Connolly, Australian representative on the AHAG).
At the 19 May meeting of the Group of Experts on Security and Privacy (OECD), it was agreed that a Ministerial Statement would be crafted over the northern summer for use at the Ottawa Ministerial Conference, stating that the 1980 OECD Guidelines on Privacy are still sound but need to be implemented, and that Ministers urge the private sector to apply them particularly in the context of global networks. They will ask the OECD to prepare a background report giving guidance on how to apply the Guidelines in the networked environment, and to review progress in two years time and revisit the issue. The group of Experts will develop a guidance report and explore mechanisms to measure compliance with the Guidelines. (Source: Stephanie Perrin, Industry Canada).
The ‘stakes’ in the battle of wills over privacy regulation in the US were raised even higher last month when Vice-President Al Gore called for an ‘Electronic Bill of Rights’, effectively increasing the pressure on businesses to implement effective self-regulation if they want to avoid government intervention (some 80 privacy Bills are currently before Congress). In a speech at New York University on 14 May, Gore outlined several administration initiatives. He called on Congress to pass strict medical records legislation to restrict how and when individuals’ medical records can be used; give individuals the chance to correct those records; and give patients the right to be informed about them.
Another initiative will establish an ‘opt-out’ Web site (at http://www.ftc.gov/privacy/index.html), where consumers can register to have their names permanently deleted from ‘spam’ email and telemarketing lists. Gore also called for all federal agencies to have a privacy officer in place to ensure that existing privacy laws were being complied with, and the President will direct all agency heads to review their departments’ privacy practices.
The Commerce Department is sponsoring a privacy conference on 23 June, and the Federal Trade Commission is expected this month to present to Congress the results of a privacy audit of 1,200 Web sites, which is likely to show very limited progress from voluntary action.
Meanwhile the World Wide Web Consortium has put out a first draft of its P3P initiative for comment (http://www.w3.org/P3P/), but this is being viewed sceptically by at least some privacy advocates because it assumes that individuals want to be personally identified. Other self-regulatory initiatives which proponents hope will stave off demands for legislative controls include TRUSTe, a ratings system for web sites that shows how much privacy you’ll enjoy, and a forthcoming privacy mark system from the Better Business Bureau.
(Sources — Articles in Wired http://www.wired.com/news/news/politics/story/12312.html; the Industry Standard http://www.thestandard.net/articles/issue_display/0,1261,460,00.html the Netly News http://cgi.pathfinder.com/netly/more/1,1311,2023,00.html?pg=2&continue=0; and the New York Times http://www.nytimes.com/library/tech/98/06/cyber/articles/02privacy.html; White House press releases.