Sen­ate Com­mit­tee report: The ade­qua­cy of pro­tec­tions for the pri­va­cy of Aus­tralians online

In brief — Pri­va­cy rec­om­men­da­tions could have a pro­found impact on all businesses

A Sen­ate Com­mit­tee report has made nine rec­om­men­da­tions for changes to Aus­trali­a’s pri­va­cy régime. If imple­ment­ed, three of these will lead to sig­nif­i­cant changes to Aus­trali­a’s pri­va­cy laws, affect­ing all busi­ness­es. These are the change to the small busi­ness exemp­tion, the abil­i­ty of web users to opt out of online behav­iour­al track­ing and the cre­ation of a cause of action for seri­ous inva­sions of privacy. 

Sen­ate Com­mit­tee exam­ines pri­va­cy protections

On 24 June 2010, on the motion of Greens Sen­a­tor Lud­lam, the Sen­ate referred the ques­tion of the ade­qua­cy of pri­va­cy pro­tec­tions for Aus­tralians online to the Sen­ate Envi­ron­ment and Com­mu­ni­ca­tions Ref­er­ences Com­mit­tee. The Com­mit­tee’s report, The ade­qua­cy of pro­tec­tions for the pri­va­cy of Aus­tralians online was released in ear­ly April 2011

The terms of ref­er­ence for the Committee‘s con­sid­er­a­tion were:

  • Pri­va­cy pro­tec­tions and data col­lec­tion on social net­work­ing sites
  • Data col­lec­tion activ­i­ties of pri­vate companies
  • Data col­lec­tion activ­i­ties of gov­ern­ment agencies
  • Oth­er relat­ed issues

The report rais­es a diverse range of issues that relate to the ade­qua­cy of the exist­ing pri­va­cy frame­work for pro­tect­ing the pri­va­cy of Aus­tralians online and the chal­lenges for law enforce­ment aris­ing from tech­no­log­i­cal advances.

Change to small busi­ness exemption

The Com­mit­tee rec­om­mends that the small busi­ness exemp­tions should be amend­ed to ensure that the small busi­ness­es which hold sub­stan­tial quan­ti­ties of per­son­al infor­ma­tion or which trans­fer per­son­al infor­ma­tion off­shore are sub­ject to the require­ments of the Pri­va­cy Act 1988. Cur­rent­ly, busi­ness­es which have a turnover of less than $3 mil­lion and do not trade in per­son­al infor­ma­tion are exempt from the pri­va­cy régime. 

As a result, over 90% of Aus­tralian busi­ness­es are cur­rent­ly not required to com­ply with the pro­vi­sions of the Act and many of these busi­ness­es col­lect per­son­al infor­ma­tion online. The Com­mit­tee is con­cerned that many indi­vid­u­als may not appre­ci­ate that the busi­ness­es they are deal­ing with are not cov­ered by the Act, that these busi­ness­es now hold sig­nif­i­cant quan­ti­ties of per­son­al infor­ma­tion which is col­lect­ed online and that the activ­i­ties of these busi­ness­es are not sub­ject to any regulation.

Trans­fer of per­son­al infor­ma­tion overseas

The Com­mit­tee also rec­om­mends that all Aus­tralian organ­i­sa­tions which trans­fer per­son­al infor­ma­tion over­seas, includ­ing small busi­ness­es, must ensure that the infor­ma­tion will be pro­tect­ed in a man­ner at least equiv­a­lent to the pro­tec­tions pro­vid­ed under Australia’s pri­va­cy framework. 

At the moment, the oblig­a­tion is lim­it­ed mere­ly to form­ing a rea­son­able belief” that the infor­ma­tion will be pro­tect­ed under a régime that is sub­stan­tial­ly sim­i­lar” to Aus­trali­a’s oblig­a­tions. If this rec­om­men­da­tion is accept­ed, all busi­ness­es that trans­fer infor­ma­tion off­shore will have to under­take a much more rig­or­ous due dili­gence on the pri­va­cy pro­tec­tions pro­vid­ed by the over­seas recipient.

Do not track” — abil­i­ty to opt out of online behav­iour­al tracking

Devel­op­ments in online tech­nol­o­gy have cre­at­ed lucra­tive new oppor­tu­ni­ties for adver­tis­ers to pro­vide rel­e­vant, tar­get­ed adver­tis­ing to online audi­ences. While tar­get­ed adver­tis­ing can improve the user expe­ri­ence by ensur­ing that a user is not dis­tract­ed with adver­tis­ing that is of lit­tle or no inter­est, the Com­mit­tee has expressed con­cern that there are now sev­er­al ways in which web ser­vice providers can col­lect data about indi­vid­u­als for the pur­pos­es of tar­get­ed advertising. 

At the moment, the Pri­va­cy Act 1988 does not apply to behav­iour­al adver­tis­ing if the infor­ma­tion gath­ered is not per­son­al infor­ma­tion”. Much of the infor­ma­tion that is col­lect­ed as part of online behav­iour­al adver­tis­ing does not iden­ti­fy an indi­vid­ual — rather, it links the activ­i­ty to a brows­er installed on a device and so is not per­son­al infor­ma­tion”. The Com­mit­tee rec­om­mends that the Office of the Pri­va­cy Com­mis­sion­er holds con­sul­ta­tions with web brows­er devel­op­ers, ISPs, the adver­tis­ing indus­try and oth­er stake­hold­ers to devel­op and imple­ment a code which includes a Do Not Track” model.

The Com­mit­tee also strong­ly sup­ports the rec­om­men­da­tion made by the Unit­ed States Fed­er­al Trade Com­mis­sion in response to its recent inquiry into the devel­op­ment of a Do Not Track” mech­a­nism for online behav­iour­al adver­tis­ing, allow­ing con­sumers to con­trol and man­age the infor­ma­tion col­lect­ed about them online.

Best prac­tice guide­line for third par­ty OBA

In response to this rec­om­men­da­tion, an indus­try-wide best prac­tice guide­line has recent­ly been released, out­lin­ing how organ­i­sa­tions should act when engag­ing in third par­ty online behav­iour­al adver­tis­ing (OBA). (Please see our ear­li­er arti­cle Online behav­iour­al adver­tis­ing code released.) This is a joint ini­tia­tive of many of the online and adver­tis­ing indus­try bod­ies, includ­ing the Aus­tralian Asso­ci­a­tion of Adver­tis­ers and major organ­i­sa­tions includ­ing Google and Microsoft. The guide­lines require any third par­ty OBA to give the user the oppor­tu­ni­ty to opt out of tracking.

It is not clear from the rec­om­men­da­tions whether the Com­mit­tee prefers the opt-out method set out in the guide­line, or will instead require an opt-in mod­el. How­ev­er, any opt-in mod­el would be cum­ber­some and unwork­able. If an opt-in mod­el were to be imple­ment­ed, this would have sig­nif­i­cant adverse effects on the con­tin­ued use of OBA and would severe­ly lim­it the ben­e­fits that OBA brings to web users.

Cause of action for seri­ous breach of privacy

The Com­mit­tee also rec­om­mends that the gov­ern­ment accept the Aus­tralian Law Reform Commission’s rec­om­men­da­tions to cre­ate a cause of action (the basis of a legal claim) for seri­ous inva­sion of privacy. 

In 2008, the ALRC rec­om­mend­ed the devel­op­ment of a statu­to­ry cause of action for seri­ous inva­sion of pri­va­cy. The gov­ern­ment is still con­sid­er­ing that rec­om­men­da­tion. If it is adopt­ed, it will sig­nif­i­cant­ly change the con­se­quences of a breach of the Nation­al Pri­va­cy Prin­ci­ples and give those affect­ed a right to sue for loss and dam­age suf­fered as a result of the breach. 

We are con­tin­u­ing to fol­low this impor­tant issue and will pro­vide fur­ther updates as the mat­ter pro­gress­es. If you would like to know more about how these changes may affect your busi­ness, and your infor­ma­tion han­dling prac­tices, please con­tact Swaab Attorneys.

Co-authored by M Hall.