Convergence Review: Emerging Issues Paper
Submission to Convergence Review (October 2011)
Submission by Timothy Pilgrim, Australian Privacy Commissioner
 Committee (the Committee) for the opportunity to comment on the Convergence Review Emerging Issues Paper (the Paper).
The OAIC's recommendations to the Committee are set out below.
- Australia's treaty obligations under Article 17 of the International Covenant on Civil and Political Rights with respect to the right to privacy and the public's reasonable expectation of privacy, when considering the construction and effect of the terms 'public purpose' and 'public interest', as referred to by Principles 1 and 3 respectively, or as part of any test involving those concepts,
- the public's reasonable expectation of privacy when interpreting the phrase 'community standards and the views and expectations of the Australian public' as referred to by Principle 7, and
- the requirements of the Information Privacy Principles and National Privacy Principles (as set out in the Privacy Act 1988 (Cth)) when interpreting Principle 9, particularly with respect to the issues of transparency in service provision and the handling of personal information by service providers.
The OAIC also suggests that the Committee consider the following issues regarding the convergence of traditional media platforms such as print, television and radio with the Internet, having regard to the web 2.0 environment:
- the longevity and durability of online information, the ease of data linkage afforded by the Internet, and the ramifications of those issues for personal privacy,
- whether there is a need for clarity regarding the legality and ethics of the republishing of content obtained from social media sites by media organisations, and
- whether there is a need for guidance regarding the use of web 2.0 tools by media organisations.
The OAIC's recommendations are discussed in more detail below.
The OAIC was established by the Australian Information Commissioner Act 2010 (Cth) (the AIC Act) and commenced operation on 1 November 2010.
The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
The former Office of the Privacy Commissioner was integrated into the OAIC on 1November 2010.
The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
The Commissioners of the OAIC share two broad functions:
- the FOI functions, set out in s8 of the AIC Act - providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
- the privacy functions, set out in s9 of the AIC Act - protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and other legislation.
The Information Commissioner also has the information commissioner functions, set out in s7 of the AIC Act. Those comprise strategic functions relating to information management by the Australian Government.
The Privacy Act regulates the handling of 'personal information'.
Specifically, the Information Privacy Principles (the IPPs), set out in s14 of the Privacy Act, regulate the way that most Australian, ACT, and Norfolk Island Government agencies (agencies) handle personal information. The IPPs cover the collection, storage, security, use, disclosure, access and correction obligations of the agencies covered by the Privacy Act.
The National Privacy Principles (the NPPs) are set out in Schedule 3 to the Privacy Act and regulate the way that private sector organisations (organisations) handle personal information. The NPPs cover the collection, storage, security, use, disclosure and access and correction obligations of organisations covered by the Privacy Act. In general, the NPPs apply to all businesses and non-government organisations with an annual turnover of more than $3million, all health service providers, and a limited range of small businesses.
Individuals (acting in a non-business capacity) are not subject to the Privacy Act.
The OAIC notes that the subject of the Convergence Review includes the broadcasting, radiocommunications and telecommunications industries. Those industries include 'media organisations' whose activities include journalism and news reporting.
Section 7B(4) of the Privacy Act provides that an act or practice of a media organisation is exempt from the application of the Privacy Act if the act or practice is done:
- in the course of journalism, and
- at a time when the organisation is publicly committed to observe privacy standards that have been published in writing by the organisation or a person or body representing a class of media organisations.
Accordingly, whether the Privacy Act applies to an entity (and the extent of that application) depends on a number of factors including whether the entity in question is an agency or organisation, whether the entity is specifically exempted from the application of the Privacy Act or is part of an exempt class, and whether specific acts or practices of the entity are exempted.
Meaning of 'citizen'
Principle 1, as proposed by the Paper, provides:
"Citizens and organisations should be able to communicate freely, and where regulation is required, it should be the minimum need to achieve a clear public purpose."
In this context and in the absence of a specific definition, the use of the word 'citizen' in Principle 1 could be interpreted as meaning that the freedom to communicate should be limited to native or naturalised Australian citizens.
The OAIC believes that any governing policy framework should be clear that the freedom to communicate should be extended to the entire Australian community.
Therefore, if the principles are to use the word 'citizen' to include a broader category than its established legislative meaning, the OAIC suggests that it should be clearly defined.
How privacy protections can enable freedom of communication
The OAIC also notes that privacy protections enable and facilitate freedom of communication.
Anonymity is a core component of privacy - privacy risks can be greatly reduced when individuals are allowed to remain anonymous. Currently, the Privacy Act (NPP 8) requires organisations to provide individuals with the option of not identifying themselves when interacting with the organisation, where this is lawful and practicable. The Government is currently considering extending this requirement to Government agencies, and providing for the use of pseudonyms by individuals in certain circumstances.
The ability to interact and communicate anonymously facilitates freedom of communication. In particular, anonymity enables individuals to express controversial or minority opinions without fear of reprisal. This concept was explored by the US Supreme Court in McIntyre v Ohio Elections Commission 514 U.S. 334 (1995). In that decision, Justice Stevens, speaking for the majority, noted:
"The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. Whatever the motivation may be... the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry (at [II])... Anonymity is a shield from the tyranny of the majority (at [VI])."
Further, inadequate or absent privacy protections may deter individuals from freely communicating, or using certain communications channels - for example, if there is a risk associated with the disclosure of the information to be communicated, such embarrassment or identity theft.
The OAIC notes that there is concern that anonymous communication channels may be exploited by those seeking to engage in anti-social and illegal behaviour. The OAIC does not contend that any and all communications should be able to be made anonymously or pseudonymously; notably, NPP 8 only requires that individuals have the option of interacting anonymously where 'practicable and lawful'. It is also important to note that the risk that anonymous communications will enable anti-social behaviour can be mitigated. For example, the risk of anti-social behaviour in anonymous online forums can be mitigated by active and responsive moderation. Ultimately, policy makers and the operators of communications channels will need to determine the appropriate balance between privacy, freedom of communication, and security, taking into account community expectations.
Principle 3, as proposed by the Paper, provides:
"The communications and media market should be innovative and competitive, while balancing outcomes in the interest of the Australian public [emphasis added]."
Principle 7 provides:
Communications and media services available to Australians should reflect community standards and the views and expectations of the Australian public[emphasis added].
The OAIC recognises that the freedom of expression and the freedom to communicate are essential to any civil society, and are a crucial component of a robust democracy. In that regard, the OAIC notes Australia's treaty obligations under Article 19 of the International Covenant on Civil and Political Rights (the ICCPR), which Australia ratified on 13 August 1980:
"1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of public health or morals [emphasis added]."
Article 19(3) recognises that the freedom of expression is not an absolute freedom, but must be balanced with competing rights and considerations.
While the ICCPR has not been enshrined in Australian legislation, the construction of the freedom of expression as non-absolute has been adopted by the courts. For example, in James v Commonwealth (1936) 55 CLR 1, the Privy Council, hearing an appeal from the High Court of Australia, observed that '[f]ree speech does not mean free speech; it means speech hedged in by all the laws against defamation, blasphemy, sedition and so forth; it means freedom governed by law...' (at ) [emphasis added].
The courts have taken a similar approach to the freedom of communication. Freedom of communication has been long accepted as the subject of an implied Constitutional guarantee; see, for example, Australian Capital Television Pty Ltd and Ors v Commonwealth Of Australia (No 2) - (1992) 108 ALR 577. However, that freedom is also recognised as not absolute (see Australian Capital Television at p579).
As such, the OAIC recommends that, when deliberating over the proposed policy framework for media and communications services, the Committee also considers Australia's treaty obligations under Article 17 of the ICCPR, which provides:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
The OAIC recognises that privacy, too, is not an absolute right. The right to privacy must be balanced with other competing human rights and social interests, including freedom of expression and freedom of communication.
The OAIC notes that the Preamble to the Convergence Review Terms of Reference provide that the policy and regulatory frameworks that apply to the converged media and communications industry 'must ensure ... the adequate reflection of community standards and expectations and the safeguarding of privacy and other citizens' rights'.
The OAIC recommends that the Committee consider the right to privacy and the public's reasonable expectation of privacy when considering the construction and effect of the terms 'public purpose' and 'public interest', as referred to by Principles 1 and 3 respectively, or as part of any test involving those concepts.
The OAIC also recommends that the Committee consider the public's reasonable expectation of privacy when interpreting the words 'community standards and the views and expectations of the Australian public' as referred to by Principle 7.
"Service providers should provide the maximum transparency for consumers regarding their services and how they are delivered."
The OAIC agrees with Principle 9. The OAIC considers that transparency is an important tool in building and maintaining consumer trust. Where a service involves the handling of personal information, it is particularly important that service providers are transparent about their information handling processes.
Specifically, IPP 2 requires that before collection, or as soon as practicable after, an agency that collects information about an individual shall take steps to inform that individual of certain matters, including:
- the purpose for which the information is being collected,
- if applicable, the fact that the collection is required or authorised by law, and
- any entity to which it is the collecting agency's usual practice to disclose the information to.
Similarly, NPP 1.3 requires organisations that collect information about an individual to ensure that the individual is aware of:
"(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided."
NPP 5 also requires that organisations clearly express their policies on the management of personal information in a document, and make that document available to anyone on request (NPP 5.1).
Similarly, under IPP 5, agencies are required to:
- take such steps as are, in the circumstances, reasonable to enable any person to ascertain specified matters (IPP 5.1)
- maintain a record setting out a number of matters relating to the agency's handling of personal information (IPP 5.2) and
- make the record available for inspection by the public and give a copy annually to the Information Commissioner (IPP 5.4), who publishes this information annually in the Personal Information Digest.
Further, the IPPs and NPPs entitle individuals to access the records of agencies and organisations that contain their personal information (IPP 6, NPP 6).
Agencies and organisations are also obliged to ensure that the personal information they hold is accurate, and to enable correction of that information (IPP 7, NPP 6). Where an individual requests that an agency amend a record containing their personal information, and the agency is not willing to do so, the agency must take reasonable steps to attach a statement of the amendment sought to the record (IPP 7). Similarly, where an individual and an organisation disagree about the accuracy, completeness or currency of the personal information about the individual held by the organisation, the organisation must take reasonable steps to include associate the information with a statement of the individual's claims (NPP 6.6).
The OAIC recommends that the Committee is aware of the requirements of the IPPs and NPPs when interpreting Principle 9, particularly with respect to the issues of transparency in service provision and the handling of personal information by service providers.
The convergence of 'traditional' media platforms such as television, radio or print with the Internet has resulted in a number of significant privacy impacts.
Information available on the Internet may persist for long periods of time or indefinitely:
- Digital information is easily and cheaply duplicated and proliferated.
- Information may become available (lawfully or otherwise) from multiple sources, hosted anonymously, or hosted outside of Australian jurisdiction.
- Information disseminated via traditional media platforms generally has a limited publication lifespan, but information published on the Internet does not. For example, an article printed in a daily newspaper will not be available in print the next day - the same article published online may be available indefinitely.
The changed conditions for information handling inherent in the online environment can have a significant impact on the protection of individual privacy. Once information is made available on the Internet, it may be near impossible to remove or obscure that information. As such, privacy breaches that occur on or move to the Internet can be extremely difficult to address, and may be much more severe than a privacy breach effected exclusively via traditional media platforms.
The wealth of information available on the Internet, and the ease of access to that information, can have serious ramifications for the privacy of individuals. Further, that impact may magnified by the ease of location and linkage of information from multiple sources, facilitated by online search engines and data aggregation tools. Data linkage may enable individuals to be identified from linked information, or reveal further personal information about an individual. Data aggregation may also enable new uses of personal information beyond the expectations of the individual and without their knowledge or consent.
Much of the debate about the ramifications of these aspects of the Internet has focused around social networking; for example, the practice of individuals of uploading pictures and information to social networking sites that they may later regret.
An individual's reputation can have a significant impact on their work and personal life. In the current and developing media environment, an individual's reputation can be particularly affected by their online presence and profile. In some cases, individuals have been terminated from their employment on the basis of online records of personal activity outside of and unrelated to their employment, such as photos from a party or holiday. On other occasions, information posted online has led to embarrassment when the information is circulated more widely than intended, or when, months or years later, individuals wish to distance themselves from past actions, beliefs or behaviours.
Further, an individual's online presence and reputation can present a barrier to gaining employment. For example, in 2010, a survey commissioned by Microsoft found that:
- 75% of US recruiters and human resource professionals reported that their companies require them to do online research (including reviewing social media sites) about candidates, and
- approximately 70% US recruiters reported that they had rejected candidates because of information found online.
It is important that individuals understand that they have a level of personal responsibility for managing their privacy and online identity in a way that is right for them, particularly with respect to the information that they may post to social media sites. However, in the converged media environment, social media is not the only component of an individual's online identity. News or other media coverage may contain personal information about individuals, and may identify individuals or be able to be linked to identifying information. With social media, individuals have some control over what information is uploaded and (subject to privacy settings and options) who can view that information. However, with news coverage, individuals may have very little or no control over the use and dissemination of their personal information.
Prior to the movement of media organisations into the online space, individuals who garnered the attention of the media could potentially rely on a form of 'practical obscurity'. An individual's 'fifteen minutes of fame' might have been available indefinitely on paper or other physical media in an archive, but accessing that information involved a certain level of inconvenience. This created a barrier to access that discouraged, but did not necessarily prevent, access. Hence, those records were not often accessed.
The ease of access to digital archives has eliminated that barrier. Many Australian media organisations now offer free access to their digital archives, or access for a small fee. For example, the Fairfax NewsStore (which includes the Sydney Morning Herald and the Melbourne Age as well as numerous regional newspapers), offers free access to all archived articles dating from 1990 onwards.
Accordingly, news coverage that includes the personal information of an individual has the potential to have a significant impact on the individual's reputation, as a result of the effects on that individual's online presence and profile. That impact may have serious ramifications for that individual, both personally and professionally.
As such, the OAIC is of the view that the Committee should consider the longevity of online information, and ease of data linkage afforded by the Internet, when deliberating over the proposed policy framework for media and communications services.
The OAIC has noted a recent trend in media organisations using material from social media platforms in media coverage. For example, in August 2011, a Sydney teenager was held to ransom with a (fake) bomb. The story received extensive media coverage in Australia and internationally. Several Australian (news) media organisations published quotes from the subject's social media pages, and those of her friends and family, and published photographs taken from the subject's and her father's Facebook accounts. In several cases, the quotes and photographs were published without consent or, in the case of the photographs, without attribution.
The issue of whether content uploaded to social media sites is subject to the application of copyright law is outside of the jurisdiction of the OAIC. However, the OAIC notes that there is considerable confusion (on the part of both the public and news media organisations) as to the rights and protections, if any, afforded to social media website operators and the users of social media in this respect.
In the experience of the OAIC, many users of social media consider communications between themselves and their associates via social media to be 'private' conversations, notwithstanding that such exchanges may be broadly viewable. It may be that a large part of the community would not expect or agree to the republication of content uploaded to social media sites, and would consider such publication a violation of their privacy.
As such, the OAIC recommends that the Committee consider whether there is a need for clarity regarding both the legality and ethics of the republishing of consent obtained from social media sites by media organisations.
Many media organisations are now making use of 'web 2.0' tools in their online incarnations. For example, many news websites permit public commenting on specific articles, or include integrated blogs and online forums.
As in the case of social media, the use of web 2.0 tools by media organisations may have significant privacy impacts. Accordingly, policies regarding the use of those tools require careful consideration. The OAIC has previously examined this issue at length in its submission to the Senate Standing Committee on Environment, Communications and the Arts regarding the adequacy of protections for the privacy of Australians online.
Another particular privacy risk of web 2.0 implementation is that individuals may expose the personal information of someone else in the course of using web 2.0 sites. This could inadvertently impinge on the privacy of a third party, or it may be an intentional action. That risk can often be mitigated by responsive moderation.
Good outcomes will also be achieved where users are educated as to the importance of privacy online and what is appropriate in terms of the publication of personal information of others.
The OAIC recommends that the Committee consider whether there is a need for guidance regarding the use of web 2.0 tools by media organisations.
The OAIC notes that the rise of web 2.0 technology such as blogs, podcasts, and video hosting services such as YouTube has made it possible for a much broader cross-section of society to research and disseminate news stories and opinion pieces, outside the context of employment in 'media organisations'. This independent activity is sometimes referred to as 'citizen journalism'.
The Privacy Act provides that the NPPs do not apply to acts done by or practices engaged in by a media organisation in the course of journalism. That exception does not cover acts or practices of individuals engaged in journalism. Further, the Privacy Act does not cover individuals acting in a personal capacity. As such, at this time the acts and practices of 'citizen journalists' are unlikely to be covered the Privacy Act.
In the context of the increase of journalistic activity by non-professionals, it has become more difficult to define 'journalism' for the purposes of regulation. For that reason, the ALRC has recommended that the Privacy Act be amended to include a definition for 'journalism'.
The OAIC recommends that the Committee consider whether there is a need for the regulation of citizen journalism.
The OAIC would support all individuals engaged in journalism conforming to standards of conduct or codes of practice that adequately address privacy issues.
 Section 6(1) of the Privacy Act provides that 'personal information' means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
 See definition of 'agency', Privacy Act, s6(1).
 See definition of 'organisation', Privacy Act, s6(1).
 Privacy Act, s7B(1).
Section 6(1) of the Privacy Act provides that 'media organisation' means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
 See, for example, the discussion of the meaning of 'citizen' set out in Citizens and the ACMA - Exploring the concepts within Australian media and communications regulation: www.acma.gov.au/webwr/_assets/main/lib311886/citizens_and_the_acma.pdf
 Australian Law Reform Commission Report 108: For Your Information: Australian Privacy Law and Practice (2008), Chapter 20, www.alrc.gov.au/publications/report-108; Enhancing National Privacy Protection: Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (October 2009), recommendation 20-1, www.dpmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf; Exposure Draft: Australian Privacy Principles, Draft APP 3, www.aph.gov.au/Senate/committee/fapa_ctte/priv_exp_drafts/guide/exposure_draft.pdf
 For example, see Department of Prime Minster and Cabinet; Connecting with Confidence - Optimising Australia's Digital Future - A Discussion Paper (2011), p.11 http://cyberwhitepaper.dpmc.gov.au/sites/default/files/documents/connecting_with_confidence_public_discussion_paper.pdf
 Moderation refers to the active monitoring of online forums and the removal of inappropriate content (such as privacy invasive information). Moderation can be done either by the site operator or by site users.
 See, generally, Chapter 21 of the Office of the Privacy Commissioner's Submission to the Australian Law Reform Commission's Review of Privacy - Discussion Paper 72 (December 2007): www.privacy.gov.au/materials/types/download/9111/6748
 Privacy Act, s27(1)(g).
 The OAIC has discussed this issue at length in its submission to the Senate Standing Committee on Environment, Communications and the Arts regarding the adequacy of protections for the privacy of Australians online (August 2010), Part B: www.privacy.gov.au/materials/types/download/9558/7122
 'Web 2.0' is often characterised by enabling greater online interaction and user-generated content. Common web 2.0 tools include social media (such as Facebook or Twitter), blogs, wikis and information sharing sites like Flickr (http://www.flickr.com/) and YouTube (http://www.youtube.com/), which enable people to publish information, comments and images online without specialised information technology training.
 See above under 'Coverage of the Privacy Act'.
 ALRC Report 108, recommendation 42-1 is '[t]he Privacy Act should be amended to define 'journalism' to mean the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs or a documentary; or
(c) material in respect of which the public interest in disclosure outweighs the public interest in maintaining the level of privacy protection afforded by the model Unified Privacy Principles'.