Privacy: What's ahead in 2012
Timothy Pilgrim - presentation to iappANZ Annual Summit, 30 November 2011
I would like to begin by acknowledging the Wurundjeri peoples of the Kulin Nation, the traditional owners of the land on which we meet today, and to pay my respects to their ancestors, both past and present.
Firstly, I will read you a quote about community perceptions of privacy. As I am reading it, I would like you to see if you can work out when you think this quote was written.
"Recent inventions and business methods call attention to the next step which must be taken for the protection of the person ... photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the house tops."
Given recent media reporting of the impact of new technologies on people's privacy, and incidents like the News of the World phone hacking scandal, you could be forgiven for thinking that this quote is contemporary.
You may be surprised to learn that it is actually from the late 19th Century. These words were written by Samuel D Warren and Louis D Brandeis (who later became a US Supreme Court judge), and show the impact of the emergence of new technologies, such as instantaneous photographs, and the rise of the newspaper enterprise on people's privacy.
They also quoted Justice Cooley, who a few years previously had pioneered the idea of a right to privacy - a right to be "let alone".
Jumping nearly 80 years forward from Warren and Brandeis, and across the Pacific to Australia, in 1969 Sir Zelman Cowen, an eminent Australian jurist and scholar, delivered six lectures entitled The Private Man as part of the ABC's annual Boyer lecture series, in which he observed that:
" ... A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars."
Privacy - a human right
In the late 1970s and 80s, Australia made a conscious decision to consider the legal standing of privacy as a party to the International Covenant on Civil and Political Rights, of which Article 17 states:
No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
Everyone has the right to the protection of the law against such interference or attacks.
This recognition of privacy as a human right and deserving of the protection of law is one of the reasons why we have the Privacy Act.
Privacy in a changing world
As you can see, for many years, community concerns about privacy have kept pace with emerging technologies.
More recently, however, some have proclaimed that "Privacy is dead!" as people embrace new information-sharing technologies with abandon.
Does the unprecedented take up of social networking sites indicate that privacy is no longer a matter of concern for the community?
From my experience as Australian Privacy Commissioner, I can say definitively that Australians do care about their privacy. This has been shown by the results of the Community Attitudes to Privacy survey, which the Office has run in previous years and will be running again in 2012.
While it is true that many people are sharing a great deal more information about themselves online, it is also true that there is a growing awareness that in a world of mass databases and online data storage, data breaches are possible on a larger scale than ever before.
In fact, I would argue that in a rapidly changing world, community concern about privacy protection is a determined constant.
For example, in Australia:
- Our media devotes more column inches to privacy related stories now than at any time in recent memory.
- More people are coming to the OAIC to complain about alleged interferences with their privacy than for many years.
- And more and more, we are hearing calls for our privacy laws to be strengthened.
At the same time the Australian Government is seeking to respond to the challenges posed by technological change and increasing community concern about privacy.
The Australian Government is canvassing a range of possible privacy law reforms, including the introduction of mandatory data breach notification and a statutory cause of action for serious invasion of privacy. The Government has also signalled that it intends to strengthen the powers of the Privacy Commissioner.
This is why I am here to speak to you today.
Privacy law reform
In 2006, almost 20 years after the Privacy Act was introduced, the Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into how well Australia's privacy framework was functioning.
In 2008, after significant public consultation, the ALRC concluded its inquiry with the release of its report, For Your Information: Australian Privacy Law and Practice, with 295 recommendations for reforms to the Commonwealth privacy regime.
In its consultations, the ALRC found that Australians care about privacy. They want a simple, workable system that provides effective solutions and protections. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world.
While the ALRC report concluded that the Privacy Act had worked well, it called for refinements to bring it up to date. These included:
- a new set of harmonised privacy principles to cover both the public and private sector
- provisions introducing comprehensive credit reporting to improve individual credit assessments and supplement responsible lending practices
- provisions relating to the protection of health information
- a review of the exemptions to the Act
- mandatory data breach notification
- a statutory cause of action for a serious invasion of privacy.
Given the significant size of the ALRC's report, the Australian Government decided to respond in a two-stage process. It released its first stage response to 197 of the 295 recommendations contained in the Report in October last year, and is in the process of implementing these changes. These include the harmonised set of privacy principles, credit reporting, and strengthening and clarifying the Commissioner's powers and functions.
Many of you have probably heard me speak about these areas on a number of occasions in the past. Because of this, I would like to discuss two of the recommendations that were to be considered in the second stage of the Government's response: data breach notification and a statutory cause of action.
Current law and data breach notification
There have been several significant data breaches covered by the media in recent times - among them Google Street View, Telstra, Vodafone, Dell, Epsilon and Sony - many of them notable because of the large numbers of people affected and the sensitivity of the information disclosed.
In the last financial year, organisations and agencies came to us on 56 occasions to let us know that they had been subject to a data breach. This is called 'data breach notification', or DBN. This was an increase from 44 in the previous year. We also initiated 59 own motion investigations - and it is highly likely that among these are matters that should have been reported to us as DBNs.
These cases provide not only an insight into how companies are using our personal information, but also how data breaches can occur.
While the Privacy Act does not impose an obligation on organisations to notify individuals whose personal information has been compromised, the Act does require that agencies and organisations take reasonable steps to maintain the security of the personal information they hold. Failure to do so constitutes a breach under our current laws.
Despite the current absence of a legal requirement for DBN, it is my view that notification should be considered as a matter of course in any situation where a data breach has the potential to harm individuals whose information has been disclosed.
Support for DBN was not, however, unanimous during the ALRC's consultation process.
For example, some stakeholders argued that there was simply no need for a data breach notification requirement and that there are sufficient 'commercial incentives' for organisations to secure data.
In response to these claims, the ALRC emphasised that the provisions are not aimed at 'punishing' bodies when a breach occurs.
Rather, the rationale for DBN laws is that notifying people that their personal information has been breached can help to minimise the damage caused by the breach.
Notification acknowledges the fact that a data breach potentially can expose an individual to a serious risk of harm.
By arming individuals with the necessary information, they have the opportunity, for example, 'to monitor their accounts, take preventative measures such as new accounts, and be ready to correct any damage done'.
I would argue that in many cases there is serious potential for harm as a result of a data breach, and prompt notification after a breach has occurred may prevent further harm from occurring.
Importantly, as we have seen with recent DBNs, notification also plays a role in keeping the community informed of the privacy practices of organisations.
Prompt notification is an important way of reducing the harm that a data breach can cause to individuals.
It protects an individual's personal information from any further exposure or misuse, and encourages organisations to be transparent about their information-handling practices.
Before I discuss a data breach that could have been better handled, I will give you some background about the OAIC's approach to privacy enforcement and proposals to strengthen our enforcement powers.
Under the current Privacy Act, we are unable to impose a sanction on an organisation when we have initiated an investigation on our own motion, without a complainant. Our role is to work with the organisation to ensure ongoing compliance and better privacy practice.
The Government has not yet released exposure draft legislation in this area, but it has stated that it intends to make amendments so that the Commissioner can:
- make an enforceable determination on an own motion investigation
- accept undertakings from agencies or organisations and, if necessary, enforce those (through a court).
The Government has also agreed in principle to the Commissioner being able to seek (through a court) a civil penalty for serious or repeated privacy breaches.
Additional powers will provide added credibility for enforcement of privacy law, reinforce the significance of privacy compliance, and give departments and agencies an even greater incentive to take their privacy responsibilities seriously.
Overseas experience has indicated that regulators with the power to pursue large penalties will often do so. The United States is perhaps the best example of this. One of the most notorious data breaches in the US has been the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 145,000 individuals. In this case, a Federal Trade Commission investigation led to the imposition of a $15 million fine.
As it stands, the Privacy Act only gives me the power to make determinations on complaints we receive from individuals. In these complaints, we usually adopt a conciliation-focused approach.
However, I should let you know that for particularly serious privacy breaches, or where conciliation is not appropriate, we are prepared to use our power to make determinations directing how complaints should be resolved. Our determinations are enforceable in the Federal Court.
I recently held a hearing and will soon be issuing the first determination under section 52 of the Privacy Act in seven years. The determination arises from a complaint by an individual against a private sector organisation. I hope to make the determination and publicly release my findings within the next week.
Recently the OAIC has been changing the way it handles particularly serious or high profile complaints.
We have started to publish investigation reports to increase transparency in our investigation process and to help organisations and agencies to better understand their privacy responsibilities.
There are now three investigation reports available on our website that provide information about investigations into incidents involving Vodafone, Telstra and Sony.
Sony PlayStation Network incident
The most recent report we published was the report about the Sony PlayStation Network investigation, which concluded in September.
We opened this investigation in April after a media report stated that an unauthorised person accessed personal information of approximately 77 million customers of the Sony PlayStation Network, including customers in Australia.
It was alleged that individuals' names, addresses and other personal data potentially including credit card details had been compromised by the incident.
Our investigation looked at Sony's data security practices.
We concluded that Sony had not breached the Privacy Act when it fell victim to a cyber-attack because it had taken reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place.
However, while I found no breach of the Privacy Act by Sony, I was concerned about the time that elapsed (seven days) between Sony becoming aware of the incident and notifying customers and the OAIC.
Immediate or early notification that financial details have been compromised can limit or prevent financial loss for individuals, by enabling them to re-establish the integrity of their personal information.
Evidence shows it can be very difficult for individuals to re-establish the authenticity of their identity when their personal information has been stolen and used fraudulently.
I raised this concern publicly, both in a media release and in my investigation report, by stating that I would have liked to have seen Sony act more swiftly to let its customers know about this incident.
While there is no requirement in Australian law for organisations to notify individuals or the OAIC of a data breach, I strongly recommended that Sony review how it applies the OAIC's Guide to handling personal information security breaches.
If ever your organisation finds itself in the same position as Sony, I strongly encourage you to review the OAIC guidance material on data breaches, and if appropriate, to notify individuals or the OAIC of the breach.
Statutory cause of action
The final matter that I would like to discuss today is the ALRC's recommendation that there be a statutory cause of action for serious invasion of privacy.
This recommendation was originally scheduled to be considered in the second stage of the Government's response to the ALRC report, but the Government decided to bring forward its consideration of this issue.
The ALRC's proposed statutory cause of action would be applicable in situations where there was a serious invasion of privacy and where there was a reasonable expectation of privacy.
The ALRC also proposed that the court should take into account whether the public interest in maintaining the claimant's privacy outweighs other matters of public interest or public concern and the public interest in allowing freedom of expression.
A few months ago, the Australian Government released an Issues Paper seeking submissions on a statutory cause of action.
The consultation period closed on 18 November, and the OAIC made a submission that is available on our website if you would like to read it.
In our submission, we acknowledged that a statutory cause of action for invasion of privacy may complement the Privacy Act reforms that are underway by addressing areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals.
However, we believe it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute: it must be balanced against competing rights including the right to freedom of expression.
One of our concerns with the ALRC proposal is that a cause of action through the courts may pose access to justice issues and therefore deliver limited benefits.
We suggest that consideration be given to a proposal whereby an individual alleging a privacy invasion initially complains to the OAIC under a model similar to that currently used for complaints of privacy interference in breach of the Privacy Act.
An option to proceed to court could be available in limited circumstances, such as permitting the OAIC to refer a question of law to the Federal Court for guidance.
This option would also allow a party to commence court proceedings where the OAIC declines to make a determination following an unsuccessful conciliation.
Given the OAIC's current role in privacy regulation and complaints, consideration should be given to creating intervener and amicus curiae roles for the Australian Information Commissioner in relation to privacy invasion actions in the courts.
This would mean that if the Court gave special leave to do so, the Commissioners could act as "friends to the court" who assist the court on points of law in a particular case.
We look forward to seeing other responses to the Issues Paper, and seeing the Government's response, in due course.
It is likely that privacy issues will continue to feature prominently in news headlines as the statutory cause of action is discussed.
The media response to the Issues Paper has been mixed. For example, some recent newspaper articles have raised concerns that a statutory cause of action could impact on free speech.
I would just like to repeat that privacy rights are not absolute - as I mentioned earlier, they must be balanced against other important rights and ideals, one of which is freedom of expression.
It is very important that Australia has an independent and active media, and that Australians continue to enjoy freedom of expression. Any changes to the law will need to strike a balance between privacy and freedom of expression.
Through the issues paper and the submissions it receives, I am confident that the Government will ensure that the views of the media and the wider community are heard as these reforms progress.
So what's ahead for privacy in 2012?
As you can see, there has been a great deal of activity in the privacy sphere during 2011. So how will the privacy landscape look in 2012?
In the year ahead, as the Australian Government's privacy law reforms progress, we may see further debate over how Australia's privacy framework should develop. We may also see further discussion of a statutory cause of action for serious invasion of privacy, following on from the recent Issues Paper. We will also be conducting the Community Attitudes to Privacy Survey to take stock of Australians' perceptions of privacy, building on research we have conducted in previous years.
As I mentioned earlier, we have also changed the approach we take to high profile matters, and are now publishing investigation reports on serious or high profile investigations, and we are prepared to use our determination power.
I would encourage you to be prepared for the possibility of stronger powers for the Commissioners, possibly including the ability to accept enforceable undertakings and to impose civil penalties, as well as greater use of the Commissioners' existing determinations power.
In this environment, I would encourage you all to review your business practices to make sure that they continue to be relevant as the privacy landscape evolves.
As technology rapidly evolves, and vast amounts of data are transported instantaneously across jurisdictions, it is likely that privacy protection will continue to be a matter of community concern in Australia and around the world.
Whether it's the development of instantaneous photographs, as was the case in the 1890s, or the emergence of social networking sites, cloud computing and new technologies enabling the transfer and storage of masses of personal information, or even new technologies that we haven't yet contemplated, individuals will continue to care about their privacy and their right to be let alone.
This is why privacy is a human right, protected by the International Covenant on Civil and Political Rights.
Ultimately, privacy is about what we think, what we believe and value, what we want and what we want to do ... basically, who we are - it is the detail of what makes us unique.
It is also about having the greatest ability to control who gets to know these things about us.
But it can't be an absolute in the society in which we live - and in that sense, privacy law reform is about trying to find the balance.
See, for example, Cooley on Torts, 2d ed., p. 29, and Louis Brandeis & Samuel Warren, "The Right to Privacy," 4 Harvard Law Review 193-220 (1890-91), http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html