Privacy law reform: challenges and opportunities
Timothy Pilgrim, Australian Privacy Commissioner - Presentation to Emerging Challenges in Privacy Law Conference, 23 February 2012
I would like to begin by acknowledging the peoples of the Kulin Nation, the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present. I'm delighted that I have been invited here today to speak to you on the topic of 'Privacy Law Reform: Challenges and opportunities', because as most of you would know, we are at a crossroads in the development of privacy law in Australia.
The Government has recently announced its intention to introduce a Bill into Parliament to implement a number of significant reforms. This is an important step in the broader privacy law reform process, and later I will focus on some of the opportunities that these reforms will bring about. I will also focus on some of the challenges presented not just by privacy laws, but also by rapidly changing technology, which is revolutionising the way that Australians' personal information is handled. Finally, I will speak about the way that the Office of the Australian Information Commissioner, or 'OAIC', is changing its approach to privacy law enforcement, and the way that this appears to be changing the way that businesses and government respond to privacy incidents.
Before coming to that, I need to make an important point. While Australia's privacy framework may be undergoing reform, and while we may be witnessing revolutionary new technologies that are changing the way we think about the handling of personal information, community concern about privacy is a determined constant.
To illustrate my point, I will read you a quote about community perceptions of privacy. As I am reading it, I would like you to see if you can work out when you think this quote was written.
“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person… photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the house tops.”
You may be surprised to learn that it is actually from the late 19th Century. These words were written by Samuel D Warren and Louis D Brandeis (who later became a US Supreme Court judge), and show the impact of the emergence of new technologies, such as instantaneous photographs, and the rise of the newspaper enterprise on people's privacy.
Compare that view to the following more contemporary comments:
"...people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
"You have one identity. The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly." And: "Having two identities for yourself is an example of a lack of integrity."
These comments were made by Mark Zuckerberg, whom I am sure you have all heard of. And of course, Scott McNealy, co-founder of Sun Microsystems, famously said in 1999 that "You have zero privacy – get over it".
Privacy – a human right
How do views such as these, which it could be said are being driven from the perspective of particular business models, sit with the concept of privacy as a human right?
I have no doubt that, innately, people continue to feel strongly about their right to have their privacy protected. That is why privacy is recognised as a basic human right, enshrined in Article 17 of the International Covenant on Civil and Political Rights.
At a time when Australia was signing up to being a party to the ICCPR, the late Sir Zelman Cowen delivered six lectures entitled The Private Man – as part of the ABC's annual Boyer lecture series – in which he observed that:
“ … A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars.”
This recognition of privacy as a human right and deserving of the protection of law is one of the reasons why we have the Privacy Act. The reason I mention this is because today, this is mainly the prism through which we view the concept of privacy. All too often, privacy is seen as an impediment to business practices or an administrative inconvenience—another box that needs to be ticked on a compliance checklist. It is important to remember that privacy is a fundamental human right, and is of key importance to the preservation of our free and democratic society.
Of course, we also recognise that privacy rights are not absolute – they must be balanced against other important rights and ideals, such as freedom of expression and national security.
Privacy law reform
As most of you would be aware, in 2006, almost 20 years after the Privacy Act was introduced, the Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into how well Australia's privacy framework was functioning.
In 2008, after significant public consultation, the ALRC concluded its inquiry with the release of its report, For Your Information: Australian Privacy Law and Practice, with 295 recommendations for reforms to the Commonwealth privacy regime.
In its consultations, the ALRC found that Australians care about privacy. They want a simple, workable system that provides effective solutions and protections. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world.
While the ALRC report concluded that the Privacy Act had worked well, it called for refinements to bring it up to date. These included:
- a new set of harmonised privacy principles to cover both the public and private sector
- provisions introducing comprehensive credit reporting to improve individual credit assessments and supplement responsible lending practices
- provisions relating to the protection of health information
- a review of the exemptions to the Act
- mandatory data breach notification and
- a statutory cause of action for a serious invasion of privacy.
Given the significant size of the ALRC's report, the Australian Government decided to respond in a two-stage process. As you would likely be aware, the Government released its first stage response to 197 of the 295 recommendations contained in the Report in October 2009, and is in the process of implementing these changes. These include the harmonised set of privacy principles, credit reporting, and strengthening and clarifying the Commissioner's powers and functions.
Many of you have probably heard me speak about these areas on a number of occasions in the past. Because of this, I won't go into too much detail about the elements of each of these reform proposals.
Government's first stage response
Of course, the Privacy Law Reform agenda is ultimately the responsibility of the Government, not the OAIC, so there is only so much I can tell you about the progress of the reforms. What I can tell you is that the Government announced late last year that, subject to its broader legislative program, it intends to introduce a Bill into Parliament during the Autumn 2012 Sitting, and that this Bill would include the Australian Privacy Principles, changes to credit reporting and a strengthening of the Commissioner's powers.
The Autumn Sitting began earlier this month and the last sitting day will be 22 March, so we hope to see the Bill introduced soon. While the draft Bill hasn't been publicly released, we have seen exposure draft legislation of a number of the elements that the Government has said it will include. For example, there was wide consultation on the Exposure Draft of the Australian Privacy Principles, or APPs.
The APPs will replace the two separate sets of principles which currently cover the public sector and the private sector in Australia. Having a consistent set of privacy principles covering business and government will simplify compliance obligations, particularly in the context of private sector contracted service providers to Australian Government agencies.
The changes proposed to the credit reporting provisions will allow for more comprehensive credit reporting. For example, it may be that the changes would allow credit reporting agencies to report on data sets including credit limits on accounts, dates that accounts were opened and closed, and limited information on repayment history.
In October 2009, the Government stated that it intended to give the Commissioner a range of new powers, including accepting enforceable undertakings and seeking civil penalties in the case of serious or repeated breaches. It also accepted the ALRC's recommendation that the Commissioner be empowered to make enforceable determinations following own-motion investigations.
No exposure draft legislation has been released in relation to what changes will be made to the Commissioner's powers at this stage. The former Minister for Privacy and Freedom of Information stated late last year that changes that would be included in the upcoming Bill would likely include new powers to approve external dispute resolution services and to implement the proposed new Credit Reporting Code of Conduct.
If the Commissioner is given stronger enforcement powers, this would have significant implications for privacy compliance in Australia. This is because, as the Privacy Act currently stands, we are unable to impose a sanction on an organisation when we have initiated an investigation on our own motion, without a complainant. Our role is to work with the organisation to ensure ongoing compliance and better privacy practice. Additional powers would provide added credibility for enforcement of privacy law, reinforce the significance of privacy compliance, and give departments and agencies an even greater incentive to take their privacy responsibilities seriously.
Overseas experience has indicated that regulators with the power to pursue large penalties will often do so. The United States is perhaps the best example of this. One of the most notorious data breaches in the US has been the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 145,000 individuals. In this case, a Federal Trade Commission investigation led to the imposition of a $15 million fine.
There have been many others. Last year, Massachusetts General Hospital was fined $1 million for losing 193 patients' medical records, and in 2009, HSBC Bank was fined £3 million by the Financial Services Authority in the UK for failing to secure customer data.
However, it is important to realise that privacy enforcement is about more than just financial penalties. In November last year, the Federal Trade Commission in the USA reached a settlement with Facebook over allegations of deceptive conduct in relation to its privacy practices. As part of the settlement, Facebook needs to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order every second year for the next 20 years. The FTC accepted an undertaking in similar terms in settlement of a matter involving Google Buzz earlier in 2011.
On the other hand, the French Data Protection Authority issued a €100,000 fine to Google due to breaches of French law caused by Google Street View. It is interesting to compare and contrast these approaches to enforcement. One wonders how effective a €100,000 fine would be for a multi-billion dollar organisation like Google.
Enforcement by the OAIC
Regardless of whether the Government decides to strengthen the Commissioner's powers, we have been changing our approach to privacy law enforcement.
In its current form, the Privacy Act only gives me the power to make determinations on complaints we receive from individuals. In these complaints, we usually adopt a conciliation-focused approach.
However, I should let you know that for particularly serious privacy breaches, or for example, where conciliation is not achieving an outcome, we have demonstrated that we are prepared to use our power to make determinations directing how complaints should be resolved. Our determinations are enforceable in the Federal Court.
In late 2011, I held a hearing and issued the first determination made under section 52 of the Privacy Act in seven years. The determination arose from a complaint by an individual against a club.
The complainant gambled at the Club. The complainant and their ex-partner were undergoing child custody proceedings. The complainant's ex-partner provided the club with a subpoena requiring information about the complainant's gambling to be given to the court. Instead, the Club gave the information directly to the complainant's ex-partner. The complainant alleged that this was an improper disclosure of their personal information. I found in the complainant's favour. I determined that, to redress this matter, the Club needed to:
- apologise in writing to the complainant within three weeks
- review its training of staff in the handling of personal information and legal requests for personal information, including court subpoenas, no later than six months from the date of the determination; confirm that this review of training has been completed; and advise me of the results of the review, and
- pay the complainant $7500 for non-economic loss caused by the interference with the complainant's privacy.
The full detail of the determination is available on the OAIC's website and on AustLII.
Since I became Privacy Commissioner in mid-2010, I have been telling businesses and government that, while it will still be my focus to resolve most complaints via conciliation, I will not shy away from using my determination powers where it is appropriate to do so.
Determinations are important not just because they provide an avenue for resolving complaints where conciliation fails, but because they provide a public record of the OAIC's views on how privacy laws should be interpreted, and can assist complainants and respondents to better understand how privacy laws will apply.
To this end, I am now in the process of bringing a number of other complaints to determination. I encourage you to monitor the OAIC's website over the coming months for more details of these.
In addition to using our determination powers, we are also changing our approach to particularly serious or high profile privacy incidents. We have started to publish investigation reports to increase transparency in our investigation process and to help organisations and agencies to better understand their privacy responsibilities.
There are now four investigation reports available on our website that provide information about investigations into incidents involving Vodafone, Telstra, Sony and Professional Services Review.
The most recent report we published was the report about the Sony PlayStation Network investigation, which concluded in September. We opened this investigation in April after a media report stated that an unauthorised person had accessed personal information of approximately 77 million customers of the Sony PlayStation Network, including customers in Australia. It was alleged that individuals' names, addresses and other personal data, potentially including credit card details, had been compromised by the incident. Our investigation looked at Sony's data security practices.
We concluded that Sony had not breached the Privacy Act when it fell victim to a cyber-attack because it had taken reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place. However, while I found no breach of the Privacy Act by Sony, I was concerned about the time that elapsed—seven days—between Sony becoming aware of the incident and notifying customers and the OAIC.
Immediate or early notification that financial details have been compromised can limit or prevent financial loss for individuals, by enabling them to re-establish the integrity of their personal information. Evidence shows it can be very difficult for individuals to re-establish the authenticity of their identity when their personal information has been stolen and used fraudulently. I raised this concern publicly, both in a media release and in my investigation report, by stating that I would have liked to have seen Sony act more swiftly to let its customers know about this incident.
While there is no requirement in Australian law for organisations to notify individuals or the OAIC of a data breach, I strongly recommended that Sony review how it applies the OAIC's Guide to handling personal information security breaches.
An interesting challenge that we faced was establishing whether we had jurisdiction to investigate this matter. This is due to Sony's corporate structure. We sought information from Sony Computer Entertainment Australia Pty Ltd. SCE Australia is a subsidiary of Sony Computer Entertainment Europe Limited (SCE Europe). A separate subsidiary of Sony Computer Entertainment Europe—Sony Network Entertainment Europe Limited (SNEE)—operates the PlayStation Network for individuals in Australia, holding their information in a data centre in San Diego, California.
The investigation involved a review of the acts and practices of both SCE Australia and the other Sony companies I mentioned. As the incident occurred outside of Australia, the Privacy Act will only apply where the requirements of the extraterritorial application provisions in section 5B of the Act are met.
Section 5B of the Act prescribes that an act or practice engaged in outside Australia will be covered by the Act if that act or practice relates to personal information about an Australian citizen and the organisation responsible for that act or practice has an organisational or other link to Australia. Where an entity does not have an organisational link with Australia, the Act will only apply to the handling of personal information about Australian citizens where the organisation carries on a business in Australia, and the personal information was collected by, or held by the entity in Australia.
Whether the conduct of Sony Network Entertainment Europe falls under the jurisdiction of the Australian Privacy Act in this case is a complicated question. However, as the conduct in question by the Sony companies did not constitute a breach of the Act, we were not required to come to a settled view on jurisdiction.
If ever your organisation finds itself in the same position as Sony, I strongly encourage you to review the OAIC guidance material on data breaches, and if appropriate, to notify individuals or the OAIC of the breach. If you are subject to a significant data breach, there's a significant chance that this will eventually become public knowledge.
It seems that some organisations and agencies are already taking this advice. In 2009–2010, organisations and agencies came to us on 44 occasions to report that they had been subject to a data breach. This increased to 56 in 2010–11, and we are on track to receive a similar number in 2011–12. We now receive more data breach notifications than own-motion investigations. This shows that, increasingly, it is the organisation or agency subject to a breach rather than a tip-off or media report that brings our attention to these kinds of issues.
Industry is standing up and taking notice
Since we've adopted our new approach to privacy compliance, we've been pleased to see businesses standing up and taking notice. For example, we've seen articles in major law firm newsletters. A partner from Allens Arthur Robinson wrote an article in December, following my determination, saying:
“If there was ever any doubt, it is clear that there is now a real and present need for the private sector to adhere to the National Privacy Principles (the NPPs)”.
Similarly, in its December 2011 Privacy Update, Minter Ellison wrote:
“the Privacy Commissioner is prepared to take a more robust approach to the exercise of his powers to direct organisations on the steps they must take to remedy substantiated complaints and pay compensation.”
As I have mentioned, my preference will always be to resolve complaints through conciliation where this is appropriate, but where conciliation fails or is not appropriate, or where there is a strong interest in a determination being made, I will consider using this power.
Since making my determination last year, we have noticed that some respondents have adopted a more proactive approach to conciliation of privacy complaints and have showed a greater willingness to offer compensation. Of course, this is only anecdotal evidence gathered over a short period of time, but I think that it bodes well for the future of privacy compliance in Australia.
So this is perhaps the first challenge that I make to business and government in Australia: ensure that your privacy practices and procedures are rigorous, and that they will stand up to scrutiny if you do suffer a data breach. Take all privacy complaints seriously, and when they arise, genuinely try to resolve them by way of conciliation. Be aware that if you do not, the matter could end up going to determination.
Other challenges and opportunities
To describe some of the other challenges and opportunities that organisations and agencies are facing in the privacy sphere, I would like to return to the theme that I opened with today—that rapidly evolving technology is a game-changer when it comes to the way we think about privacy.
The Privacy Act was conceived in another era. Back in the 1980s, when it was introduced, fax machines were still a relatively new addition to the office environment. The term 'hacking' meant having a bad round of golf. The commercialisation of the internet was still a decade away. The vast majority of filing was physical, and personal information was held largely in paper records. Securing these documents was relatively easy—all you really needed was a lock and key.
In our modern world of cloud computing, portable storage devices, electronic databases and hackers, the parameters around data security and document storage have shifted immeasurably. All it takes is a single careless incident to cause a massive data breach. You may recall that in the UK in 2007, two computer discs belonging to Her Majesty's Revenue and Customs went missing. The discs were thought to contain names, addresses, national insurance numbers and banking details of approximately 25 million people in the UK. A data breach on this scale would have been inconceivable when the Privacy Act was introduced.
Sometimes, your records can be compromised even without a careless mistake. The Sony incident, which I have already mentioned, involved hackers compromising records relating to 77 million people. Again, a breach of this kind could not have been imagined when the Privacy Act came into existence.
Data security has emerged as a major challenge for organisations and agencies. They must ensure that they have implemented robust information-security measures. But this alone is not enough. Data breaches can occur even when all reasonable steps have been taken to protect information. Organisations and agencies need to have contingency plans in place so that if a data breach occurs, they can deal with it swiftly, mitigating any risk of harm that the breach may cause.
While a data breach alone can cause reputational damage, recent experience shows that customers can be quite understanding if an organisation openly acknowledges a breach, apologises and acts promptly to resolve it. Greater reputational damage can occur if an organisation is seen to try to cover up a breach. Having the courage to acknowledge your mistakes, knowing when to notify affected individuals or the OAIC, and acting quickly to resolve them is another important challenge.
Communicating with clients about privacy is another key challenge for businesses. Too often, privacy policies are unwieldy documents, littered with legalese, which the average consumer is unable to engage with.
In 2010, as an April Fool's prank, the British gaming retailer Gamestation.co.uk slipped an "immortal soul clause" into its privacy agreement, knowing full well that most people would never read it. It was proven right—thousands of people unwittingly sold their souls to the company. My point is not that privacy policies are insignificant—this is far from the truth. The challenge for organisations is to ensure that their privacy policies are clear, relevant and easily understandable.
Globalisation of information flows is a particular challenge for privacy regulators. In our globalised world, a company might be based in the USA, hold information in databases in Europe and provide services online to customers in Australia. If that information is compromised, it can be very difficult to establish which country's privacy regulator has jurisdiction to investigate the matter.
Australia's Privacy Act only applies to Australian organisations and to organisations with an organisational link to Australia. In the scenario I have just mentioned, it may be that the organisation concerned is not covered by the Privacy Act.
Privacy commissioners from across the world are working together to address this issue. For example, APEC economies have recently established the APEC Cross-border Privacy Enforcement Arrangement, under which privacy regulators can cooperate and share information to assist in the enforcement of laws in cross-border privacy matters. The Global Privacy Enforcement Network, established in response to an OECD recommendation, is an informal network that facilitates cross-border cooperation in the enforcement of privacy laws. A particular challenge in this area is that there are subtle differences between privacy laws in different countries. An act or practice that breaches one country's privacy laws might be lawful in another country.
Cross-border cooperation in privacy enforcement is still a relatively new concept, and I expect that, as we gain more experience in this area, we will unlock the opportunities presented by the prospect of greater global collaboration.
Finally, privacy law reform in Australia presents a number of challenges and opportunities. As well as the key aspects of the government's first stage response to the ALRC report—the APPs, credit reporting, and powers and functions—there are a number of other changes on the horizon. Once the Government has progressed its first stage response, it will address its second stage response, which includes the prospect of mandatory data breach notification and consideration of the exemptions in the Privacy Act.
As many of you will recall, the Government released an Issues Paper on the introduction of a statutory cause of action for serious invasion of privacy in September last year. The Government received more than 70 submissions from a variety of stakeholders. How these will be responded to is a matter for the Government.
When or whether these reforms will take place is still not entirely clear, but depending on how the process unfolds, they could present both challenges and opportunities as individuals, business and government come to grips with these new rights and responsibilities, a further step in the evolution of privacy law in Australia.
Privacy Awareness Week
And last, but certainly not least, I would like to take this opportunity to let you all know that Privacy Awareness Week, our major awareness-raising initiative of the year, is only a few months away. Privacy Awareness Week, or 'PAW', will be taking place from 30 April until 5 May. PAW is a joint initiative run by the Asia Pacific Privacy Authorities – a group of 12 data protection authorities from countries including Mexico, the USA, Canada, Hong Kong, Japan and New Zealand.
Each year, we join with our partners across the region to work together to build awareness of privacy – an important human right. This year, we are calling upon industry to help us spread the word about privacy to their staff, clients and other stakeholders. Specifically, we are asking businesses to become 'PAW partners'.
Our theme for Privacy Awareness Week is Privacy: It's all about you. This message is directed both at individuals and organisations. It reinforces the idea that individuals can take responsibility for their own privacy by taking some common sense steps, like updating their privacy settings when they use social media, or not sharing passwords. It also shows that organisations have a responsibility to treat their customers' personal information with respect, by only collecting as much information as they actually need and by appropriately securing that information.
I can't encourage you strongly enough to join with us to help to promote the fundamental human right of privacy. If you would like to become a PAW partner, simply send an email to firstname.lastname@example.org to express your interest, and we'll be in touch with you.
Louis D Brandeis & Samuel D Warren, "The Right to Privacy", 4 Harvard Law Review 193-220 (1890-91), http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html