University of New South Wales Law Journal
[2] Of course, there have been many occasions when the mechanisms intended to enforce data protection have in fact succeeded in protecting individuals, but it is doubtful that anyone in the profession of privacy advocacy can rationally argue that data protection, on balance, has worked as well as it might. In every country, privacy and, more specifically, data protection laws have failed at several fundamental levels to protect individuals. In Australia, limitations on the use of data have failed to prevent an extensive regime of public sector data matching;[2] in the same way, the collection limitation principle in United Kingdom (‘UK’) law has failed to prevent the breathtaking growth of visual surveillance in that country.[3] Even European data protection laws in general, arguably the most advanced in terms of recognising the importance of adequate data protection, have done little to prevent the spread of DNA testing, the use of identity cards, workplace surveillance, police powers, intrusion by tax authorities, Internet snooping and national security surveillance of civilian communications in the countries that comprise the European Union (‘EU’).
[4] When the Australian Government introduced the Australia Card Bill 1986 (Cth), it intended to create an unprecedented regime of surveillance on the basis of lurid and quite colourful claims that impending, rampant crime and spiralling administrative inefficiency warranted increased surveillance.[5] Yet at no time did the Attorney-General’s Department (or any other authority) produce a threat analysis to justify such intrusion. After the defeat of the Australia Card proposal in 1987, the Government introduced legislation to implement both a national Tax File Number system and wholesale matching of government files.[6] Again, no comprehensive threat analysis was conducted and none was demanded, despite the passage of the Privacy Act 1988 (Cth) (‘Privacy Act’) and the creation of a Federal Privacy Commissioner in early 1989. Under existing data protection legislation, such proposals are permitted under a variety of public interest exemptions without any requirements for a threat assessment, a sound justification, or even public discussion.
[5] In the dozen years since its implementation, the Privacy Act appears to have done little to stem the number of data collection schemes or the extent of privacy invasion generally in Australia. In fact, Australia in 2001 is a more hostile environment for privacy than at any time in its history. Increased levels of telecommunication interception, email snooping, genetic intrusion and visual surveillance provide a sobering insight into the true mechanics of privacy regulation. In the absence of restrictions on the creation of information collection schemes, the Privacy Act and the principles it contains can have only limited application on the fringes of intrusion.
[6] If the principles of data protection were enforced across the information spectrum (without, for example, broad public interest exemptions), it is feasible that current legislation might offer substantial protection for individuals. However, there are three key factors that prevent this condition from occurring. First, governments generally tend to ensure that the most vital areas of their functioning are at least conditionally exempt from privacy law. Second, individuals – while consistently expressing anxiety about privacy invasion – are overwhelmed by the processes required to enforce protection of their privacy. Third, privacy and data protection regulators are frequently fatalistic, timid or under-resourced.
[7] As a consequence of these conditions, communication and information infrastructures throughout the world are exhibiting a trend to ‘surveillance by design’, in which surveillance is established as a core design component of new systems. Global cooperation by law enforcement organisations, national security agencies and technical standards bodies ensures, for example, that all forms of new communication are ‘wiretap friendly’, and that new mobile technologies are capable of incorporating geographic tracking.[7] A global Draft Convention on Cyber-crime brokered by the Council of Europe intends to place such intrusions on a legal footing by harmonising and extending national laws to increase police powers, reduce the accountability of surveillance authorities, and limit the extent to which individuals can protect their privacy.[8] These initiatives are largely immune from data protection provisions, not so much because of the nature of data protection principles, but because of the manner of their enforcement.
[8] If data protection principles were ruthlessly enforced, it is possible that they would limit, or even paralyse, such developments. However, in my opinion, the structure of much legislation, and the regulatory mechanisms in place, are actually incapable of providing the protection that they promise.
[10] Even if everyone (including governments and law enforcement agencies) were to agree that the principles of data protection should be immutable and unchanging, the application or enforcement of those principles in the real world would need to be subjected to rigorous and dispassionate criticism. That people should, for example, be given the legal right to gain access to their data is beyond question. The issue, surely, is whether in 2001 the means of achieving this right are adequate (or, indeed, whether they have any practical value whatever).
[11] Like many privacy advocates, I often find myself instinctively defending entrenched conventions of data protection. ‘Functional separation’, ‘collection limitation’, ‘fair use’[10] – these are concepts that underpin data protection, and which must be rigorously defended and promoted. And yet such mechanisms have clearly failed to prevent the most significant and far-reaching abuses of privacy. In the face of such criticism, privacy officials (and their biographers) tend to promote success stories, adopting a ‘celebratory tone’.[11] While this is understandable, all professions are constantly at risk of sacrificing their responsibilities on the altar of pragmatism, and the area of privacy protection is no exception. Privacy officials all too often abuse the trust placed in them by dodging controversy in an effort to preserve their fiefdoms. As a consequence, governments frequently succeed in using data protection law as a thinly veiled mandate for surveillance.
[12] These are not radical or extreme views. Once a fundamental right has been agreed upon, and once basic means of protection have been established, it is the transgressors who become radical. The rigorous protection of rights is a conservative notion, yet this reality is conveniently inverted by government and the private sector alike.
[13] Perhaps for fear of being branded radical, privacy regulators are often reluctant to rigorously enforce the core principles. Given the parlous state of privacy across the world, they should be more attentive to this responsibility. In the modern age for example, notification and consent (as mechanisms of privacy protection) have largely become fraudulent notions. In theory, the collection and use of information about individuals is predicated on the idea that people should be informed as to the proposed use of their information, and that they should generally be able to withhold consent. In reality, these rights are impractical, unknown and ignored; consent has become a mechanism for guaranteeing continuous data flows, rather than a means to ensure the protection of individual rights.
[14] The most telling evidence of this failure to enforce the basic means of privacy protection was recently produced by Consumers International, a London based federation of 263 consumer organisations. In January 2001, Consumers International released the findings of a study of the privacy practices of Internet sites worldwide, which found that the vast majority of sites gave users no choice about being on the site’s own mailing list or having their name passed on to affiliates or third parties.[12] Despite EU action in this area, sites within the EU proved to be no better at informing users about how they used their data than sites based in the United States (‘US’). Indeed, some of the best privacy policies were found on US sites.
[15] Consumers International concluded that ‘too many companies collect a lot of unnecessary, very personal information about their customers – and because of inadequate implementation of existing government measures people don’t have control over their data’.[13] This widespread neglect of good privacy practice is even more worrying given the speed at which electronic technologies for the collection of data are developing. The implementation issue becomes crucial: for example, if companies in Europe (where there is arguably the greatest level of privacy regulation) can fulfil the letter of the law by providing customers with consent forms containing ‘opt in or opt out’ boxes that only require a tick, they can hardly be expected to entirely fulfil (or seek to fulfil) the fundamental European expectation of ‘informed consent’. This standard can therefore only become meaningful through general public education, a process that has barely commenced.
[17] The approach adopted by the UK Data Protection Commissioner, which involves the compilation of a register of data controllers,[16] is of similarly limited value to consumers, and appears now to be more frequently used as a commercial intelligence-gathering tool. The ‘watchdog’, non-governmental organisation Privacy International has estimated that personal data on the average resident of the developed world is located on at least 400 key databases, and that gaining access to this data – even if the existence of such databases was readily known to the individual – would consume more than eight working weeks in preparation, administration and analysis. Since only a fraction of the data holdings are derived directly from the individual, it is highly unlikely that an individual could find out which particular organisations are holding data on them.
[18] Yet these failures should not create a motivation to eliminate the current laws but to strengthen them. The data protection principles that form the foundations of modern privacy law (for example, collection limitation, limitation on disclosure and access to personal data) are largely sound and relevant, but they have been corrupted and compromised through timidity and neglect. In Australia, perhaps more than in most developed countries, recent experience has established that action must be taken to substantially limit the collection of data even where authorities provide a thorough and genuine justification. The preservation of privacy should not be viewed as an encumbrance that can be diluted through ‘public interest’ exemptions, but as a public interest in itself. Further, consent should no longer be regarded as the key mechanism for protecting personal information. And, perhaps most importantly, privacy regulators should vigorously enforce both the spirit and the letter of the privacy laws. If they fail to do so – as many have – the public should rightly see them as part of the problem, rather than part of the solution.
URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2001/7.html