Senate Committee report: The adequacy of protections for the privacy of Australians online
In brief — Privacy recommendations could have a profound impact on all businesses
A Senate Committee report has made nine recommendations for changes to Australia’s privacy regime. If implemented, three of these will lead to significant changes to Australia’s privacy laws, affecting all businesses. These are the change to the small business exemption, the ability of web users to opt out of online behavioural tracking and the creation of a cause of action for serious invasions of privacy.
Senate Committee examines privacy protections
On 24 June 2010, on the motion of Greens Senator Ludlam, the Senate referred the question of the adequacy of privacy protections for Australians online to the Senate Environment and Communications References Committee. The Committee’s report, The adequacy of protections for the privacy of Australians online was released in early April 2011.
The terms of reference for the Committee‘s consideration were:
- Privacy protections and data collection on social networking sites
- Data collection activities of private companies
- Data collection activities of government agencies
- Other related issues
The report raises a diverse range of issues that relate to the adequacy of the existing privacy framework for protecting the privacy of Australians online and the challenges for law enforcement arising from technological advances.
Change to small business exemption
The Committee recommends that the small business exemptions should be amended to ensure that the small businesses which hold substantial quantities of personal information or which transfer personal information offshore are subject to the requirements of the Privacy Act 1988. Currently, businesses which have a turnover of less than $3 million and do not trade in personal information are exempt from the privacy regime.
As a result, over 90% of Australian businesses are currently not required to comply with the provisions of the Act and many of these businesses collect personal information online. The Committee is concerned that many individuals may not appreciate that the businesses they are dealing with are not covered by the Act, that these businesses now hold significant quantities of personal information which is collected online and that the activities of these businesses are not subject to any regulation.
Transfer of personal information overseas
The Committee also recommends that all Australian organisations which transfer personal information overseas, including small businesses, must ensure that the information will be protected in a manner at least equivalent to the protections provided under Australia’s privacy framework.
At the moment, the obligation is limited merely to forming a “reasonable belief” that the information will be protected under a regime that is “substantially similar” to Australia’s obligations. If this recommendation is accepted, all businesses that transfer information offshore will have to undertake a much more rigorous due diligence on the privacy protections provided by the overseas recipient.
“Do not track” — ability to opt out of online behavioural tracking
Developments in online technology have created lucrative new opportunities for advertisers to provide relevant, targeted advertising to online audiences. While targeted advertising can improve the user experience by ensuring that a user is not distracted with advertising that is of little or no interest, the Committee has expressed concern that there are now several ways in which web service providers can collect data about individuals for the purposes of targeted advertising.
At the moment, the Privacy Act 1988 does not apply to behavioural advertising if the information gathered is not “personal information”. Much of the information that is collected as part of online behavioural advertising does not identify an individual — rather, it links the activity to a browser installed on a device and so is not “personal information”. The Committee recommends that the Office of the Privacy Commissioner holds consultations with web browser developers, ISPs, the advertising industry and other stakeholders to develop and implement a code which includes a “Do Not Track” model.
The Committee also strongly supports the recommendation made by the United States Federal Trade Commission in response to its recent inquiry into the development of a “Do Not Track” mechanism for online behavioural advertising, allowing consumers to control and manage the information collected about them online.
Best practice guideline for third party OBA
In response to this recommendation, an industry-wide best practice guideline has recently been released, outlining how organisations should act when engaging in third party online behavioural advertising (OBA). (Please see our earlier article Online behavioural advertising code released.) This is a joint initiative of many of the online and advertising industry bodies, including the Australian Association of Advertisers and major organisations including Google and Microsoft. The guidelines require any third party OBA to give the user the opportunity to opt out of tracking.
It is not clear from the recommendations whether the Committee prefers the opt-out method set out in the guideline, or will instead require an opt-in model. However, any opt-in model would be cumbersome and unworkable. If an opt-in model were to be implemented, this would have significant adverse effects on the continued use of OBA and would severely limit the benefits that OBA brings to web users.
Cause of action for serious breach of privacy
The Committee also recommends that the government accept the Australian Law Reform Commission’s recommendations to create a cause of action (the basis of a legal claim) for serious invasion of privacy.
In 2008, the ALRC recommended the development of a statutory cause of action for serious invasion of privacy. The government is still considering that recommendation. If it is adopted, it will significantly change the consequences of a breach of the National Privacy Principles and give those affected a right to sue for loss and damage suffered as a result of the breach.
We are continuing to follow this important issue and will provide further updates as the matter progresses. If you would like to know more about how these changes may affect your business, and your information handling practices, please contact Swaab Attorneys.
Co-authored by M Hall.