Privacy Law and Policy Reporter
The newly re-established Victorian Law Reform Commission is to have privacy as one of its first areas of reference. In launching the Commission in April, Attorney General Rob Hulls asked that it ‘examine the coverage of privacy legislation for Victorians and to advise on priority areas for reform’. The Commission, chaired by Professor Marcia Neave, has issued an information paper entitled Privacy Law: Options for Reform. An expert advisory committee has been formed, comprising Brian Perry, the Victorian Ombudsman; Chris Maxwell, President of Liberty Victoria; Victoria Marles, Communications Law Centre; Moira Paterson, Monash University; Scott Beattie, Victoria University; Breen Creighton, Corrs Chambers Westgarth; Tim Dixon, Australian Privacy Foundation; and Nigel Waters, Australian Privacy Charter Council.
On 28 June, the NSW Attorney General Bob Debus announced that the Government will legislate to control surveillance practices, substantially adopting the finalised but yet to be released recommendations of the NSW Law Reform Commission. Speaking at a Communications Law Centre seminar on email surveillance, the Attorney outlined the Government’s intentions, which seem to be to follow the approach already adopted in the Workplace Video Surveillance Act 1998 (NSW). This involves a distinction between overt and covert surveillance — covert surveillance will require a warrant from a magistrate, while overt surveillance (where the people under surveillance are aware) will have to be conducted in compliance with a set of principles and safeguards partly drawn from the Information Protection Principles in the Privacy and Personal Information Protection Act 1998 (NSW). The new law will replace the Listening Devices Act 1984 (NSW), but it is not yet clear if the Workplace Video Surveillance Act will be subsumed.
Watch out for the report at <www.lawlink.nsw.gov.au/lrc>.
The Victorian Parliament’s Scrutiny of Acts and Regulations Committee has issued a report on an Interim Privacy Code for Victorian members of parliament, pursuant to a Ministerial reference arising from the debate in December 2000 on the then Information Privacy Bill. The Bill applied to MPs initially, but they were exempted by cross-party agreement on condition that a ‘voluntary’ code of conduct be drawn up during 2001. The Committee invited comments on the draft Code contained in its report by 20 July, and will be sonculting widely in the development of a final version.
See <www.parliament.gov.vic.au/sarc> .
A consultative group has formed to review existing Commonwealth privacy laws to consider whether there is a need for more specific protection of children’s personal information. The group includes Federal Privacy Commissioner Malcolm Crompton, Human Rights Commissioner Dr Sev Ozdowski, President of Perth Children’s Court of WA Judge Valerie French, Australian Direct Marketing Association chief executive officer Rob Edwards, Andersen Legal partner Duncan Giles, WA Association of Independent Schools executive director Audrey Jackson, NetAlert representative Helen Bassett, National Children’s and Youth Law Centre UNSW director Louis Schetzer, Suzanne Shippard from the Australian Broadcasting Authority, Walt Disney Internet Group International senior producer Christina Thurn and representatives of the Attorney General’s Department.
The group will consider a discussion paper on children’s privacy prior to its release for public consultation to ensure that all relevant issues have been fully canvassed.
Source: < law.gov.au/aghome/agnews/2001newsag/980_01.htm>.
The Council of Europe has amended the text of its draft cybercrime treaty to tighten provisions protecting privacy online, and to ensure police respect privacy rights when they follow digital trails to fight online crimes such as hacking, spreading viruses, using stolen credit card numbers or defrauding banks. The revised text was due for consideration by the Committee on Crime Problems (CDPC) at its plenary session 18-22 June 2001 and will then be submitted to the Committee of Ministers for adoption.
See Draft Convention on Cybercrime at <conventions.coe.int/treaty/EN/projects/cybercrime27.doc>.
Source: Reuters, 28 May 2001.
The European Parliament is to debate its report on the Echelon system operated by the US, UK, Canada, Australia and New Zealand under the UK-US agreement. Echelon has been alleged to involve unauthorised interception of international and domestic commun-ications around the world. A motion tabled in the Parliament on 4 July calls for investigations of the legality of the system under various European laws and Human Rights Conventions, and action by European governments to protect citizens from surveillance.
The Parliamentary motion is at <cryptome.org/echelon-epmr.htm>.
A revised version of the Parliament’s draft report on investigation of Echelon, dated 18 May 2001 is at <www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf>.
The US Federal Trade Commission (FTC) has cleared internet retailer Amazon.com of violating federal privacy laws when it allowed personal information about its customers to be sold to other companies. Two privacy groups — Junkbusters and the Electronic Privacy Information Center — filed a complaint alleging deceptive conduct on the basis that Amazon had informed customers that it would not ‘sell, trade or rent’ information like names and email addresses to third parties, but unilaterally altered the policy in September 2000. The FTC held that Amazon had alerted customers in its original policy statement that it may allow information to be sold in the future. Amazon said it has never sold personal information to third parties and would not do so in the future without first getting customer consent. It said its new policy only allows it to share transaction information with co-branded or jointly owned companies, which the company said was necessary to complete purchases. Despite the clearance, the FTC said Amazon’s new policy was vague and urged the company to notify and get consent from customers if they change the policy in the future.
Source: Peter Spiegel, Washington, 25 May 2001.
The Cybercrime Bill 2001 (Cth), currently under consideration by the Senate Legal and Constitutional Legislation Committee, is intended to give effect to the Model Criminal Code Damage and Computer Offences Report of January 2001. The Bill has two main components — changes to the definitions of computer offences; and new investigatory powers for the federal police and other law enforcement agencies. Both parts have been strongly criticised — not only by privacy and civil liberties groups but also by the information technology industry and professionals. Technologists say that the new computer offences are so broadly drawn that they will inadvertently criminalise many innocuous and even essential activities. Concerns about the investigatory powers go both to their justification and to their breadth.
No firm evidence has been provided of the number of cases in which the absence of the new powers have inhibited investigations. The scale of the alleged problem is also cast into doubt by the available statistics — the AFP apparently received only 320 electronic crime referrals between July 2000 and March 2001, over a third of these from the Broadcasting Authority regarding potentially prohibited internet content.
Even if a case can be made for some new powers, there are serious reservations about the breadth of those proposed, which would allow law enforcement agencies to remove computer equipment for examination, copy (image) the entire content of hard disks, and access other servers remotely from a subject computer without separate authorisation.
Several submissions to the Committee have highlighted the potential for abuse of these new powers, and the consequential erosion of confidence of the integrity and reliability of computer systems. Given that defending this integrity appears to be one of the main justifications for the Bill, it is bizarre that the provisions could have exactly the reverse effect. If law enforcement agencies are given the power to alter data without adequate oversight, the evidentiary value of the data must in any case be called into question.