
Australia's New Privacy Legislation

Baker & McKenzie Cyberspace Law and Policy Centre CLE Conference
May 24-25 2001

Tim Dixon
Baker & McKenzie Global Privacy Group - tim.dixon [at] bakernet.com
Author, CCH Private Sector Privacy Handbook

Preparing for the new privacy legislation[1]


Australia's new private sector privacy legislation
The arrival of a new privacy regime in Australia in 2001 is a culmination of several developments over recent years, which have seen privacy emerge as a major social and commercial issue. Businesses are grappling with rising customer concerns, a changing regulatory environment, the choice of signing on to new industry codes, and the risk of a public backlash against technologies that put customer privacy at risk. The growth of e-commerce in particular has raised the profile of privacy issues, and has been a major factor behind the Government's decision to extend the Privacy Act 1988 to the private sector.
Managing privacy issues involves coming to grips with new legal obligations and balancing competing interests. On the one hand, businesses have a strong imperative to collect and use personal information. Customer information is critical to e-commerce, and the more that businesses "know" their customers, and know how customers respond to different aspects of their products, the better they are able to target customers with products tailored to their specific interests.
On the other hand, customers want to retain control of their personal information, a lesson which some high-profile internet brands have learnt at some expense. Customers are increasingly hostile towards businesses which collect their personal data without their consent, or are not open about how they use this information. In this environment, managing privacy issues effectively can avoid unnecessary risk and help build stronger customer relationships.
At one level, there is a deceptive simplicity about privacy legislation. It is based on a simple set of privacy principles, which outlines how organisations should as much as possible give individuals choice about how and when their personal information is collected and used and to whom it is disclosed; recognising their rights of access to that information; keeping the information accurate and secure; giving individuals a choice of transacting anonymously, not storing government identifiers, and ensuring that information which is transferred overseas is subject to privacy safeguards. However, while these principles sound relatively simple, in practice the detail of how they are applied in specific contexts can be difficult. One indication of the complexity of applying the legislation to specific instances is that the draft guidelines for the National Privacy Principles, released in May 2001, totalled 174 pages. The scope of the various exemptions to the Privacy Act is especially complex, and organisations need to understand these exemptions in order to know how to deal with other organisations.
Few people would have predicted how sharply the privacy issue has come into focus in recent years. In the early 1990s, privacy was seen largely as a slightly obscure civil liberties issue. But with the technological developments of the internet, payment systems, encryption, biometrics, data mining, loyalty cards and the shift in marketing practices towards individual customer relationship management, privacy has become a major commercial issue. Privacy has also become a political agenda item, a regular news story and a potential risk to company reputations. Industry organisations in many areas have established their own privacy rules which aim to give customers confidence about how their personal information will be handled. Surveys have recorded unprecedented levels of concern about privacy issues, which have been linked to the slower than expected take-up of e-commerce. These developments suggest that the right of individuals to control their personal information will be one of the defining social issues in the information age.
The development of privacy legislation in Australia is part of a global trend to protect personal information and legislate for fair information practices. Most industrialised countries now have legislation in place which covers the handling of personal information and extends to internet transactions. Australia, like the United States, has lagged this trend until now while many other countries have been implementing second or third generation privacy laws.

1. The Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000

1.1 Background: Coverage of privacy legislation prior to amendments

Although online developments have heightened privacy concerns, the history of specific legal measures to protect privacy in Australia reaches back into the early 1970s. The first regulatory agency to have responsibility for privacy issues, the New South Wales Privacy Committee, was established in 1975.[2] In 1976 the Australian Law Reform Commission began working on a major national report on privacy, which was released in 1983. The Privacy Act 1988 (Cth) was a delayed response to the recommendations of this report, and was initially to be introduced alongside the proposed Australia Card, the national identity card which was abandoned after an extraordinarily negative public reaction.
Prior to the recent amendments, the Privacy Act was based around a set of 11 Information Privacy Principles, formulated from the 1980 OECD Guidelines, covering issues such as the collection, use, security, disclosure, retention and destruction of personal information. The Privacy Act had only a limited scope, essentially applying to:

(a) Commonwealth Government agencies

(b) The handling of Tax File Numbers by all organisations (a set of mandatory Guidelines which restrict the use of TFNs); and

(c) The use of credit reporting information in the private sector.

At the state level, governments have implemented similar legislation with the Privacy and Personal Information Protection Act 1998 (NSW) and the Information Privacy Act 2000 (Vic).
In overall terms, personal information collected by the Commonwealth Government and some states was covered by privacy legislation, but these laws had limited impact on the private sector.
Specific statutes also address the use of particular technologies in the private sector; for example, the Telecommunications Interception Act 1979 and state legislation such as the Listening Devices Act 1984 (NSW) and the Surveillance Devices Act 1999 (Victoria) prohibit the unauthorised interception and recording of telephone conversations. The Telecommunications Act 1997 also imposes restrictions on the unauthorised disclosure of personal information related to customers of a telecommunications service provider or an internet service provider.
There is a very limited degree of common law recognition of what might be seen as a right to privacy in special situations. For example, if it is seen that a duty of confidentiality exists between two parties (eg bank and customer or a doctor and patient), then disclosure of information to a third party may be a breach of confidence.
Outside the framework of legislation, some companies and industry organisations have adopted a self-regulating approach to privacy protection:

1.2 The evolution of the current privacy legislation

The Commonwealth Government's extension of privacy legislation in Australia is the result of a process of policy development over four years:
Three main factors prompted the change in the Howard Government's position away from self-regulation:
The extension of the Privacy Act 1988 to the private sector means that from December 2001 all organisations which are not covered by an exemption will need to comply with the National Privacy Principles in how they handle personal information. This will impose upon organisations requirements relating to how they communicate with customers when they first collect information, what they do with that information, to whom they disclose that information, how they keep information secure, and how they provide access to personal information to individuals. Organisations which breach these principles may be subject to investigation in the event of a complaint, and if the complaint is upheld by the Privacy Commissioner it may lead to a determination by the Privacy Commissioner involving an award of compensation or a requirement to change a business practice. While the history of privacy legislation suggests that it is unlikely to lead to a stream of large payouts, given the high level of publicity being paid to privacy issues and the potentially widespread nature of any breach of privacy principles, privacy is now a significant regulatory issue for organisations which handle personal information.

1.3 The coverage of "personal information"

Private sector organisations must work with the same definition of "personal information" in the Act that applies to Commonwealth agencies. The definition of "personal information" is found in section 6(1):

"'personal information' means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

In short, personal information is information or an opinion that can identify a person.

The Explanatory Memorandum to the Privacy Bill 1988 noted that, "the range of information/opinion coming within the definition is infinite and would include, for example, information relating to the person's physical description, residence, place of work, business and business activities, employment, occupation, investments and property holding, relationships to other persons, recreational interests and political, philosophical or religious beliefs. The definition applies to such information or opinion whether recorded in a material form or not, including information held on databases." [Explanatory Memorandum to the Privacy Bill 1988, Paragraph 35] The definition of "personal information" is therefore broad.

Even if a record does not identify a person by name, it may constitute personal information. For example, a person might easily be re-identified through an account number, employee number, transaction number or some reference to an external record that uniquely identifies that individual. This means that simply removing a person's name from a record will not make it anonymous and stop it from being personal information.

Another important part of the scope of the Act's application to "personal information" is the definition of a record and a generally available publication. Section 16B specifies when the Act applies to personal information collected and held by an organisation, by providing that:

"(1) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to the personal information by an organisation only if the information is collected for inclusion in a record or a generally available publication.

(2) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to personal information that has been collected by an organisation only if the information is held by the organisation in a record."

Section 16B(1) applies the Act when personal information is being collected and section 16B(2) applies the Act to personal information once it has been collected. Specific provisions apply in Division 4 of Part III concerning tax file number information, Division 5 of Part III relating to credit information and Part IIIA relating to credit reporting.

The definitions of "record" and "generally available publication" are found in section 6(1) of the Act.

The definition of "record" defines the scope of what a record might include, and what it might exclude:

"record" means:
(a) a document; or
(b) a database (however kept); or
(c) a photograph or other pictorial representation of a person;
but does not include:
(d) a generally available publication; or
(e) anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or
(fa) records (as defined in the Archives Act 1983) in the custody of the Archives (as defined in that Act) in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records.
(g) documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
(h) letters or other articles in the course of transmission by post."

The definition of "record" is sufficiently broad to encompass records in electronic form and includes films, videotapes, paintings, drawings, etc. of a person (under paragraph (c)).

The exclusion for generally available publications is an important limitation on the scope of the Privacy Act. The definition of "generally available publication" is found in section 6(1):

""generally available publication" means a magazine, book, newspaper or other publication that is or will be generally available to members of the public."

Thus the Act covers personal information but only applies to information that is recorded in some form, which can include personal information in an electronic record. However, it probably would not include tissue samples or bodily fluids such as blood or urine samples. Although such samples might involve intensely personal information (such as unique genetic information) they would be unlikely to come within (a), (b) or (c).

1.4 Understanding the National Privacy Principles: The life cycle of personal information

In a general sense, privacy legislation seeks to protect individuals from the unfair or unauthorised use of their personal information. These rights can be understood through the life-cycle of information: from collection, through to use and disclosure to third parties, and ultimately to the destruction of the information. Privacy laws seek to protect the individual's right to control the use, storage and disclosure of this personal information, subject to other public interests such as law enforcement and the efficiency of public administration. As Professor Alan Westin first defined it, privacy legislation protects the individual's right to determine for oneself when, how, and to what extent information about oneself is communicated to others.[3] This right can protect autonomy, dignity, or health and welfare.[4]
Consumers' sensitivity about their personal information varies between individuals and according to the type of information which a business collects. For some people, even address, telephone number and email can be sensitive. Consumer sensitivity is generally higher for:
The amendments to the Privacy Act 1988 extend a set of National Privacy Principles (NPPs) to the private sector. The NPPs were originally developed by the Privacy Commissioner in 1997 through a process of consultation with industry and consumer groups. The NPPs differ from the Information Privacy Principles (IPPs) which apply to Commonwealth Government agencies.
The National Privacy Principles set out minimum standards for the handling of personal information. To a large extent these principles reflect the OECD's Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data from 1980. In the shortest form, they may be summarised in this way:
The Privacy Commissioner released a draft set of guidelines on the National Privacy Principles in May 2001, spelling out some of the factors taken into the account in the interpretation of the principles. The guidelines are open to comment until July 6 2001.

1.5 Coverage

The NPPs apply generally to all organisations (other than public sector agencies, which are already covered at a Commonwealth level by the Information Privacy Principles). The Act defines "organisation" broadly in section 6C to include an individual, body corporate, partnership, trust or any unincorporated association. The Act specifically excludes small business operators, registered political parties, agencies, state or territory authorities and prescribed state or territory instrumentalities from the definition of an "organisation" under section 6C (1). The effect of this is that these entities are exempt from the operation of the Act. The exemptions are spelt out as follows:

  • small businesses: s6D
  • media organisations: s7B(4)
  • registered political parties: s7C
  • state or territory authorities or an instrumentality of a State or Territory prescribed by regulations: s6F
  • organisations that are individuals acting in a non-business capacity: s7B(1)
  • organisations acting under a Commonwealth or State contract: s7B(2)
  • employer organisations: acting in respect of employee records: s7B(3)

(a) Small Businesses: A small business is defined as a business with an annual turnover of $3 million or less, which does not provide a health service or hold health information, which does not provide contractual services to the Commonwealth and does not transfer personal information about an individual to anyone else for any kind of benefit. In other words, small businesses are covered if they are involved in the sale of personal information. This outcome reflects some unique political sensitivities in the Australian political climate relating to small business.

(b) The Media: Acts or practices done by an organisation in the course of journalism will be exempt from the legislation. This provision explicitly aims to strike a balance between the public interest in providing adequate privacy safeguards with the public interest in allowing a free flow of information to the public through the media. The scope of this exemption is especially broad. An organisation can be classified as a media organisation if it is engaged in the provision of information to the public, and its "activities consist of ..... dissemination of ..... material having the character of news, current affairs, information or a documentary". This attracted criticism because of the possibility of it being used as a loophole.

(c) Political parties: Registered political parties will be exempt from the legislation for their activities in connection with an election, a referendum, or other participation in the political process. This was a surprise inclusion in the legislation, as it had never previously been raised during the extensive consultations over the legislation. The Government has argued that it is necessary to give this exemption in order to give effect to the implied constitutional freedom of political speech.

(d) Domestic use: This exemption applies to the use of personal information in connection with personal, family or household affairs.

The Act covers all types of personal information which are not publicly available, but will exclude:

(e) Employee records: Employee records are defined as a record relating to the employment of an employee, including engagement, training, disciplining, resignation, termination, terms and conditions, contact details, performance or conduct, remuneration, union membership, health information and financial affairs. It extends to current and former employers.

(f) Personal information already in existence when the amendments come into operation will have a limited exemption.

(g) State government contractors: The acts and practices of contractors to state and territory governments and agencies in relation to handling personal information under contracts need only to comply with the applicable standards of the state or territory and will otherwise be exempt from the Act.

(h) Transfers of personal information between "related bodies corporate", as defined under section 50 of the Corporations Law. Related bodies corporate are essentially businesses which have a shared controlling interest. This might allow a large organisation with diverse businesses to pool its personal data collections without the knowledge of its customers. Restrictions still apply to the use and disclosure of this information, but as an example, an organisation which was able to conduct direct marketing to customers seemingly can conduct direct marketing in respect of all of the operations of its related bodies corporate.

1.6 Privacy Codes

By default, the NPPs apply to organisations - that is, unless the organisation is a signatory to a voluntary code which has been approved by the Privacy Commissioner. The legislation leaves open the option of industry groups or individual firms developing their own codes of conduct in place of the NPPs. Codes can be developed by any organisation or group, but cannot impose a lower standard of privacy protection than the NPPs. Codes must be approved by the Privacy Commissioner after a process of consultation. The codes are intended to give the legislation maximum flexibility while retaining a consistent standard of privacy protection. The Privacy Commissioner recently released a set of guidelines covering the requirements which must be met for a code to receive the Commissioner's approval.

1.7 The scope of the small business exemption

(a) Is the business a 'small business'?

A business is a small business during a financial year if its annual income from the previous financial year was $3 million or less under section 6D(1) of the Act. If no business was conducted in the previous financial year, it will be considered a small business only if its annual income for the current year is $3 million or less. The Act does not exempt small businesses, of themselves, from the coverage of the Act. The exemption attaches itself to the small business operators, ie the entity that 'carries on' the business, not the business itself.

(b) How is the $3m threshold for a "small business" calculated?

The method for determining the annual turnover of a business is prescribed by section 6DA of the Act. It defines 'annual turnover' as the sum of:

In general this figure will equate to the total of the instalment income a business notifies to the Commissioner of Taxation on its Business Activity Statement over the course of the financial year. This is significant as it means that a business should be able to use its Business Activity Statements for a financial year to demonstrate that it falls within the definition of a 'small business' under the Act.

Where a business has been carried on for only part of the year, section 6DA (2) provides a formula for determining annual turnover. The formula calculates the annual turnover for such a business as the turnover generated by the business in the part of the year it operated, multiplied by the number of days in the whole financial year and divided by the number of days in the part of the financial year when it was operating. On this basis, if a business only operated for 3 months of a financial year but had a turnover of $1m, it would not come within the definition of a small business because its annual turnover would equate to $4m.

1.8 The 'small business operator' test

(a) Does the entity carrying on the small business carry on any business that is not a small business?

Section 6D (3) excludes from the definition of a 'small business operator' any entity that operates a small business as part of a group including larger enterprises, thereby preventing large enterprises from sheltering under the small business exemption. However, it may not prevent the (unlikely) scenario of a small business operator maintaining several small businesses which each turn over less than the annual $3m threshold.

(b) Has the business ever had an annual turnover of over $3m since the business was started or since the section commenced, whichever came later?

Further exceptions apply to the rule that an individual, body corporate, partnership, unincorporated association or trust who carries on a small business will be a small business operator. Any such organisation will not be a small business operator, under section 6 (4) where they carry on a business that has previously had an annual turnover of $3 million or more in a financial year that has either ended after the business was started, or after the section commenced in December 2002 (whichever came later).

(c) Does the business maintain health information records other than in employment record(s)?

If the business provides a health service to another individual and holds any health information (other than health information in an employee record), then under 6D(4)(b) it is not exempt from the Act. This provision ensures that medical practitioners and other providers of health services are included within the coverage of the legislation.

(d) Does the business collect or disclose personal information for a gain, benefit or advantage?

The exemption does not apply where a small business either:

(e) Is the information collected or disclosed in the business's role as a contracted service provider?

If the business is a contracted service provider under a Commonwealth contract, it comes within the exemption. This provision applies whether the business is a party to the contract or not (such as where it may be a sub-contractor).

(f) Is the information collected or disclosed in connection with the personal, family or household affairs of a small business operator or for a purpose outside the normal course of a business which the organisation carries on?

An individual who does something described in section 6D (4) (b), (c) or (d) can still come within the exemption for a small business operator where such actions are carried out otherwise than in the course of business he or she carries on and only for the purposes of, or in connection with, his or her personal, family or household affairs (section 6D (5)). Similarly, a body corporate, partnership or unincorporated association that does something in section 6D (4) (b), (c) or (d), stays within the definition of a small business operator where such actions are done "otherwise than in the course of a business it carries on" (section 6D (6)).

(g) Has the business opted in to be covered by the Act?

Small business operators may opt in to the coverage of the Act by choosing to be treated as an organisation for the purposes of the legislation. It is assumed that small businesses will do this if they believe it would improve consumer confidence in providing them with personal information. In order to allow this, section 6EA (1) of the legislation allows small business operators to elect to come within the complete operation of the Act (with the exception of section 16D, which is excluded in order to ensure electing small business operators are covered by the legislation immediately after election: 6EA (2)).

(h) Have there been any regulations which would bring the small business operator within the coverage of the Act?

A small business operator may be treated as an organisation and therefore be covered by the Act where the Attorney-General makes regulations to that effect. Section 6E allows the making of regulations relating to:

Prior to any regulations being made, the Attorney-General must be satisfied that such a regulation is in the public interest and must have consulted with the Privacy Commissioner about the desirability of the regulations (section 6E(4)). In considering whether to make the determination, the Attorney-General has indicated that the opinions of the Minister for Small Business and the Privacy Advisory Committee are likely to be taken into account.

(i) When do small businesses which are not exempt become subject to the legislation?

For those small businesses which are not exempt from the Act, an extra period of time is given to make it easier to prepare for the obligations of complying with the Act. The time delay authorised by section 16D gives most non-exempt small businesses an extra year to prepare for the legislation, with the NPPs applying from December 2002. For any organisation that carries on one or more small businesses, other than a business dealing in the provision of health services, the delayed application period begins with the commencement of the legislation or the formation of the organisation (whichever is later) and ends on December 21 2002 or sooner if the organisation begins to carry on a business that is not a small business or is a health service (section 16D (6)). In effect, this means that there is no delay in the application of the Act to small businesses operated by organisations which also operate a non-small business.

1.9 Enforcement

Once the legislation is in place, an individual who believes that the NPPs or an applicable code have been breached may make a complaint to the organisation concerned. If it is not resolved satisfactorily, they may make a complaint to the Privacy Commissioner, or if an independent adjudicator has been appointed to administer the code, they must make the complaint to that body.
If there is an approved code of conduct in place, the complaint will normally be handled by a code authority, which is established and funded by an industry. In practical terms, this might be the Telecommunications Industry Ombudsman, the Banking Industry Ombudsman or the code authority for the Australian Direct Marketing Association code of conduct. If there is no approved code of conduct in place, the complaint is handled by the Privacy Commissioner.
Breach of the NPPs can result in an order from either a code authority or the Privacy Commissioner to restrain an action, undertake an action, or to give monetary compensation.
A decision by a code authority can be reviewed by the Privacy Commissioner, and the Privacy Commissioner's decision can be reviewed through the process of administrative review.
A decision to give an individual a remedy can be appealed in the Federal Magistrate's Court, and can be enforced through the Court if an organisation has not complied with the remedy.

2. Developing a privacy strategy

The best response to the public concerns and changing regulatory environment for privacy issues is to adopt a strategic approach which identifies the importance of privacy issues to an organisation and the specific methods which the organisation intends to use. There are several elements to a privacy strategy, the detail of which will be determined by the nature of the information which is collected and used, the size of the organisation and the extent of the risk to customers' privacy and the reputation of the business.

2.1 A clear, detailed website privacy policy

A starting point for privacy compliance is the company's website privacy policy. The information practices of a business should be clearly explained on the website, and the policy should address the full range of that organisation's information practices. Under National Privacy Principle 5 (Openness), organisations must make available information about their privacy practices. The Privacy Commissioner's Guidelines for Federal and ACT Government World Wide Websites set out a range of issues which should be considered in developing a policy, including:
In brief, privacy policies should address the requirements of the National Privacy Principles and give specific information about exactly how the organisation and its alliance partners will use personal information.

2.2 Consent clauses

Consent is a crucial principle in the implementation of privacy protection. The National Privacy Principles state that consent must be obtained if personal information is going to be used for secondary purposes, except under specific limited conditions. Consent is especially important for direct marketing and the sharing of personal information with third parties. However, the concept of consent is not altogether clear. Consent may be obtained in active or passive ways, which tend to be broadly divided as "express" and "implicit" consent.
"Express consent" or "explicit consent" involves explaining clearly to consumers the organisation's information practices and obtaining active consent, such as through a written consent form or via a secure means of communication. Consent is likely to be regarded as express if consumers are given an active choice between different privacy options, so that they are not forced into consenting to specific uses of their personal information.
Companies which rely on "implicit consent" face a higher risk of future complaints and claims, because they are assuming the consent of an individual without necessarily bringing to their attention specific details of information use and disclosure. An organisation which assumes implicit consent might argue that certain uses of information are obvious from the nature of the person's dealings with the organisation and do not require explicit consent.
The Privacy Commissioner's definitions of terms used in the National Privacy Principles define consent in the following way:
"Free and informed agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual."[5]
The Explanatory Memorandum also emphasises that for certain categories of personal information defined as being sensitive, a more explicit form of consent (again, not specified) is required:
"NPP 2.1(b) allows information to be used or disclosed for a secondary purpose where the individual has consented to use/disclosure for that secondary purpose. Consent to the use or disclosure may be express or implied. Implied consent would be acceptable in some circumstances. Implied consent could legitimately be inferred from the individual's failure to object to a proposed use or disclosure (that is, a failure to opt out), provided that the option to opt out was clearly and prominently presented and easy to take up. If the consequences for the individual of the use or disclosure were serious, however, the organisation would have to be able to demonstrate clearly that the individual could have been expected to understand what was going to happen to his or her information. In such circumstances it would generally be more appropriate to seek express consent.
325. NPP 2.1(c) allows personal information (provided it is not sensitive information) to be used for the secondary purpose of direct marketing where it is impracticable to get the individual's consent before using the information; the organisation gives the individual an opportunity to opt out of further direct marketing communications (at no charge); and the individual has not already asked the organisation not to send direct marketing material to the individual.
326. This sub-principle allows personal information, other than sensitive information, to be used in order to establish initial contact with an individual, provided that the individual is given the chance to opt out of any further approaches. The exclusion of sensitive information from this sub-principle recognises that the opt out mechanism is not a sufficient protection in relation to this type of information. It would allow sensitive information to be used to establish contact with an individual, in the absence of consent, for purposes that may be entirely unrelated to the primary purpose of collection of the sensitive information. The exclusion of sensitive information will not prevent direct marketing organisations from using sensitive information about an individual in reliance on, for example, NPP 2.1(b) (that is, with the individual's consent) or NPP 2.1(a). The application of this sub-principle in the health context will be detailed in guidelines issued by the Privacy Commissioner."[6]

2.3 Internal compliance

Policies need to be supported by back office implementation of procedures which ensure that an organisation's internal practices are consistent with its policies and legal obligations. Many organisations have put a focus on the front-end development of website policies, but if this is not followed through and implemented throughout the organisation, businesses are at risk of misrepresenting their actual information practices. Organisations need to address how privacy safeguards will be incorporated into their internal processes, and should identify an individual who can take responsibility for the development and implementation of the program. For example, many US technology companies have appointed a Chief Privacy Officer to take this role and the Australian Direct Marketing Association has required its 500 members to appoint CPOs by April 2001.

2.4 Conduct an independent audit

Another method of building confidence in a company's information practices is to commission an independent audit of the information policies and practices of an agency. An information audit can help to highlight compliance problems and can give customers added confidence that a policy is being implemented. External audits are also a useful tool in making staff aware of their accountability for their handling of personal information and in identifying any problem areas within the organisation.

2.5 Privacy impact assessments

The privacy impact assessment process represents an innovative approach to managing the strategic risk associated with privacy practices at an early stage of product development. Privacy impact assessments are now being conducted by some governments, such as those of Canada, New Zealand and the United States, and are likely to become increasingly common in the private sector. The assessment process allows businesses to identify potential risks, and outlines options for how those risks might best be managed.
The impact assessment can help avoid nasty surprises and provide outside input into the development of new products and services. With the rapid development of e-commerce, there are thousands of new ideas, concepts and products under development. The use of personal information is often a major part of these new services. New e-commerce products can have significant impacts on privacy, and privacy concerns can have a significant impact on how consumers respond to new technologies. Businesses which ignore these issues can suffer substantial financial harm and in some cases even find the launch of the product cancelled or the product substantially modified because of a consumer backlash.
In short, the aim of the privacy impact assessment process is to ensure that new products and services build trust, rather than diminishing it.

2.6 Privacy seal programs

A popular way of proving an online business's credentials is to join a privacy seal program. Privacy seals offer an external stamp of approval for the practices of a website. They have become particularly popular in the United States in the absence of legal measures to protect privacy. The best known privacy seal programs are:
Organisations considering adopting a seal should familiarise themselves with a recent evaluation of seal programs published by the Australian Federal Privacy Commissioner in conjunction with the Ontario Privacy Commissioner. This report, released in September 2000, concluded that while they had helped to improve online information practices, most of the seal programs fell short of adequate privacy standards. The report Web Seals: A Review of Online Privacy Programs (www.privacy.gov.au/publications/seals.pdf) concluded:
"The future role that Web seals might play in e-commerce is unclear. Seals are only in their early stages of development and will likely evolve and improve over time. They could come into their own as a powerful facilitator of globalization of consumer transactions if they are able to provide acceptable and enforceable privacy protection across multiple jurisdictions. Objective assessments of the extent to which seals provide true privacy protection, dispute resolution and enforcement, may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could assist consumers and business in differentiating between the competing claims put forward by various seal providers."

2.7 Complaints handling

Complaints handling is an important part of managing privacy issues within an organisation. Effective complaints handling allows a company to identify any internal compliance problems, and is an important part of managing an organisation's privacy risks. Poor handling of complaints, such as when staff are slow in dealing with a complaint, appear to lack knowledge, do not return phone calls and appear uncooperative, can deepen the aggravation of a customer who feels their privacy has been invaded. Speedy, informal complaints resolution processes can turn a disgruntled customer into a satisfied one if they feel that the organisation takes their concerns seriously. This is particularly the case in privacy complaints which often do not require or do not involve monetary compensation (but on the other hand, can sometimes be extremely serious and cannot be in any way remedied by monetary compensation either). The Australian Standard on Complaints Handling provides a framework for organisations to develop internal procedures[7].

2.8 Consultation processes

A business which is intending to introduce a new online service which might have significant privacy implications for its customers may wish to initiate a formal process of consultation. This may be done through an industry organisation or directly by an individual company. For example, a business may make informal or formal contact with consumer and privacy groups, and any other stakeholders, who can help to identify and address potential problems or issues in the early design of the program. This approach is most relevant in industries in which a small number of companies play a dominant role, such as in banking or telecommunications. A business can also explain its plans on its website and can seek responses from its users and customers. This process can complement the privacy impact assessment.

2.9 Outsourcing arrangements

It is important that contracts with third party service providers adequately address privacy issues. Specific measures can be taken to give maximum protection from the risks associated with third party processing of personal data:
The contract should address:

(a) confidentiality undertakings - prohibiting any use or disclosure of information other than what is necessary to meet the requirements of the contract (subject to the normal exemptions, such as for legal proceedings);

(b) accepting all privacy obligations under relevant legislation (eg Telecommunications Act, Privacy Act, Code of Conduct);

(c) an indemnity for any liability arising out of the agency's breach of their privacy obligations;

(d) acceptance that the contracting party may audit either directly or through its auditors, the information practices of the contractors relating to the processing of information as set out in the contract, and that the contractor must provide all reasonable assistance to the party conducting the audit;

(e) an obligation on the contractor to inform the contracting party of any breaches or alleged breaches of security or of the privacy principles.

Termination provisions should also impose an obligation to return all personal information and destroy any remaining records of personal information if the contract expires or is terminated.

3. Using technologies to enhance privacy

It is important to put the contractual and legal context of privacy protection into the broader context of technologies which can play a role in protecting individual privacy. Legal measures are not the only way of providing consumers with protection for their personal information. A small segment of the online community is willing to pay to take privacy protection into its own hands through the use of encryption and other software products which block cookies and preserve online anonymity. These privacy technologies are useful for email, browsing web sites and making transactions.
One of the best regarded examples of privacy enhancing technologies is the Freedom Software program from Zero-knowledge Systems (www.freedom.net). This software gives a web user anonymity by allowing them to use a pseudonym. Personal information is encrypted and routed through the company's network of servers so that it cannot be traced to a user's computer. A pseudonym costs just $US10 per year. Similar anonymising and anti-cookie software programs are available from other providers including Cookie Crusher, Cookie Cruncher, AddsOff, Cookie Cutter, AdSubtract Se, Cookie Pal, Cookie Web Kit, HistoryKill 2000, Netwatcher 2000 and Surfsecret Test.
Other companies offer to take on an information intermediary role, collecting information from a user and providing it to sites with the user's approval. These "infomediaries" may also rate sites according to their privacy policies. One example is Eponymous.com's Eponymous Adviser software, which obtains a person's name, date of birth, billing and postal address, e-mail, phone number, credit card details and preferred method of contact. Eponymous has rated the policies of 30,000 web sites.
The World Wide Web Consortium has taken this concept further by developing P3P, the Platform for Privacy Preferences, which is intended to be built into software and allow an automatic comparison between a web surfer's privacy preferences and a web site's privacy policy. In 2000 Microsoft announced that it would implement the P3P standard in its software. P3P has met with a mixed response from privacy advocates and users, and it remains to be seen whether it will become an important element in online privacy measures.


1. Why privacy has become a major issue

The growing attention to privacy concerns reflects one of the impacts of the information revolution on individuals. The information explosion has made it possible to collect detailed information on customer purchasing patterns, to profile customers and to use data mining to build greater intelligence into business strategies. While this has offered great convenience to customers, it is also prompting a backlash. Survey research in recent years has tracked rising concerns that consumers are losing control of their personal information. While privacy concerns a decade ago were mainly focused on government collection and use of information, in recent years public concerns have shifted towards the use of personal information in the private sector.
Privacy concerns are now recognised as being more than just a concern for a small proportion of technophobic customers. Unease with the collection and use of personal information is now a significant factor holding back the uptake of e-commerce, with consumers reluctant to risk losing control of their personal information despite the convenience offered by the online environment. Analysts now estimate that billions of dollars worth of e-commerce transactions are being lost because of consumer distrust in current privacy arrangements: as much as $US2.8bn in the United States in 1999, and rising to $US18bn by 2002, according to Forrester Research. This research has given impetus to regulatory initiatives in the US and elsewhere.
These concerns have serious effects on businesses which are making e-commerce a major strategic focus. For example, internet portals need customer information to maximise advertising revenue. The push for customised marketing from web advertisers is strong: if an advertiser doubles the ad banner clickthrough rate on a website from the standard 0.5% to 1%, through targeted marketing, they can double the site's advertising revenue. But developing targeted marketing requires the collection and use of personal information, and this creates risks.

2. Consumer attitudes

Australians place a high value on the protection of their personal privacy. Throughout the 1990s a series of public opinion surveys showed consistently that privacy is a significant concern for people. For example, asked to rank a number of social issues in a Roy Morgan survey conducted by the Australian Privacy Commissioner in the mid-1990s, some 93% of Australians rated the confidentiality of their personal information as important, with 74% saying it was "very important", and a further 19% "important". Privacy was ranked second only to education as a matter of concern when compared to other social issues - even ranking ahead of both the economy and the environment.[8] Research by Ernst & Young has shown a higher level of concern about online privacy and security issues than in the US or Europe.[9] New research to be released by the Federal Privacy Commissioner in 2001 should provide a deeper insight into how Australians think about privacy issues.
Australian research reflects similar trends to surveys published in other countries. These are being compiled in the Baker & McKenzie Global Privacy Attitudes Survey Review, which will soon be available on the Baker & McKenzie website (www.bakernet.com/e-commerce). The surveys reflect the conclusions of Alan Westin, a veteran US privacy expert who has conducted 26 national privacy attitudes surveys since 1978 and who notes that privacy concerns have been on a rising trend from a base level of around 72% in the early 1970s. The conclusions of these surveys include the following points:
  1. There is a very high level of concern about privacy issues.
  2. Privacy concerns are greatest in the online environment.
  3. Consumers especially dislike the use of their personal information for direct marketing without their consent, particularly when personal information is sold to third parties for direct marketing purposes.
  4. Privacy concerns affect the way in which consumers behave and transact online.
  5. Consumers want to have control over their personal information and how it is collected and used.
These concerns are behind the widespread adoption of comprehensive privacy and data protection legislation in developed countries over the past decade, which is discussed later in this paper. The global regulatory patchwork of privacy laws creates challenges for e-commerce, which by its nature involves cross-border alliances and transactions. Some businesses are adopting the approach of jumping to the highest bar, the European Union Directive, hoping that this will be adequate for other jurisdictions. Others adapt their policies to local requirements and do not aim for a consistent global strategy. Many have an ad hoc approach which only deals with privacy issues when confronted by customer complaints, negative publicity or immediate legal requirements.
The challenge for business organisations is to recognise that privacy is a strategic issue which goes beyond the scope of mere legal compliance. For example:

3. Personal information in an e-commerce environment

Changing business practices have greatly increased the scope for collecting personal information. This reflects the explosion of information gathering, processing and storage in recent years. For example, telecommunications providers know the date, time, length, calling number and destination of telephone calls. Pay TV services can know the viewing interests of subscribers. Internet portals can know the interests of users from how users navigate their website. With the development of interactive TV and pay-per-view services, this may also include a detailed history of a household's viewing patterns. Online financial services aggregators and bill management services can also collect a vast amount of highly sensitive information which gives a wide-ranging view of a person's finances.
While businesses were already able to collect a substantial amount of personal information on their customers before the arrival of online transactions, e-commerce creates a much larger and richer store of personal information because very few online transactions are anonymous. There are also far more points of collection of information:
The online environment allows businesses to build individual customer profiles in a way that for most businesses was simply not practicable across a wide customer base in the past. The information gathered from these profiles can be an enormously valuable resource for strategic development as well as for marketing and building customer relationships.
The online environment has also fostered the growth of joint ventures and alliance relationships, where businesses are able to leverage off each other's strengths. A significant online customer base is a highly valuable commercial asset for companies which are entering into joint ventures. In some cases, joint ventures allow companies to access the personal information held by partners and to expand their records as a result. But joint ventures can also contain risks if there is a leakage of customer information to other parties without the consent of those customers.

4. The privacy minefield

The risk of adverse media publicity has now become a major reason for businesses to review and change their privacy practices, after an unprecedented year of privacy debacles in 2000. Several high-profile businesses have had their reputations tarnished by lax, inadequate and in some cases illegal information practices. Despite the fact that for several years surveys have highlighted the importance of privacy to consumers, it is only more recently with far greater media coverage of privacy issues that privacy has been recognised as an issue which can significantly harm the public reputation of businesses.
In some respects, it is not surprising that increasing public attention on privacy issues is likely to expose some organisations for bad information practices. Survey research has indicated that many organisations do not have clearly developed or well implemented privacy policies; and while online privacy practices are improving, they fall well short of any well-accepted privacy benchmark. Even in sectors where a substantial amount of personal information is collected such as online recruitment services, many websites still do not have privacy policies. Among those that have a policy, many do not have adequate privacy standards.
As the spotlight on internet practices has intensified in recent years, a growing list of companies has come under attack for careless, unethical or even deceptive information practices. The public reputations of businesses can be damaged by:
These risks are illustrated by some of the privacy stories which hit the news during 2000.

4.1 Real Networks: Failing to disclose information practices

The year began with online software distributor Real Networks still smarting from a blitz of negative publicity after the New York Times revealed that it was collecting information about the musical tastes of 13.5m Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users' hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks is a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website, and since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.

4.2 DoubleClick: Customer profiling without consent

In perhaps the best-known incident of the year, online advertising agency DoubleClick came under siege from public outrage for unlawfully obtaining and selling customers' personal information. DoubleClick is the leading online advertiser, with revenues which had grown from $9m in 1995 to $258m in 1999. By the end of 1999 DoubleClick was serving 30 billion targeted ads per month, and serving ads to around 12,000 web sites. In late 1999, DoubleClick began combining and cross-referencing personal information from the web browsing habits of users with the database of a direct marketing firm, Abacus, which it had recently acquired. DoubleClick planned to match home address, name and purchasing habits to individuals' web usage patterns. Following extensive publicity, a consumer backlash, legal action by the Michigan State Attorney-General, an FTC investigation and a drop of one third in its share price, DoubleClick suspended its matching practices in March 2000. Estimates of the cost to DoubleClick of the incident, which occurred at the time of its second capital raising, range as high as $2.2 billion.

4.3 PSINet: Pink contracts for spammers

Controversy erupted for internet service provider PSINet when CNET News.com claimed that PSINet was covertly profiting from spamming while publicly opposing it. CNET News.com obtained a 'pink contract' which indicated that a marketing firm in Louisiana was paying PSINet an extra $27,000 in a one-off payment for "increased risks associated with this agreement". Cajunnet, the marketing firm, sent out 5-20 million spam messages at one time, helping to explain the additional payment given the likelihood of a large number of complaints and the risk of damage to PSINet's reputation if the arrangement came to light. At the same time, PSINet's stated policy on spam had indicated that customers would be cut off if caught sending spam. PSINet subsequently terminated the relationship and embarked on new compliance and training efforts internally to avoid the repetition of any such incidents.

4.4 Toysmart: Selling a bankrupt business's database

American toy e-tailer Toysmart drew criticism when it announced that it intended to sell off its customer database after the company filed for bankruptcy on May 19. The decision to sell off the 250,000 customer records contradicted an express promise on Toysmart's web site never to sell customer information. This reversal in policy prompted the intervention of the Federal Trade Commission (FTC), which sued Toysmart for engaging in deceptive conduct. 42 states also sought a court injunction from the Federal Court to prevent the sale taking place, for violations of their individual consumer protection schemes. The FTC eventually came to an agreement with the company that precluded the sale of the database as a separate asset, such that Toysmart could only sell the customer database as part of the sale of the whole web site. No company came forward to buy Toysmart, and in early January 2001 Toysmart's majority owner, Disney, paid $50,000 to destroy the database.

4.5 Amazon: Revising a privacy policy

Amazon.com created a storm of protest when it informed customers that it was revising its privacy policy in light of the confusion about the capacity of businesses to sell their databases after the Toysmart.com debacle. The revisions to Amazon's policy stated that the 23 million strong customer database is an asset of the business which may be sold to a third party in the future, without obtaining any further consent from customers. Amazon's changes provoked widespread criticism, and several complaints were filed against Amazon's European subsidiaries for breaching local European privacy standards.

4.6 Toysrus.com: Failing to inform consumers of third party use

The toy store e-tail industry was rocked by a further privacy debacle in August 2000 when it was revealed that Toysrus.com, the e-commerce web site of the Toys R Us chain, was outsourcing data analysis of its consumer database to a third party company, Coremetrics, which was then retaining and using the data for its own data analysis purposes. The company's privacy policy made no mention of the outsourcing relationship, which involved the provision of customers' personal details, including names, postal and email addresses, and phone numbers, to Coremetrics. Toys R Us had reserved the right to gather and analyse customer information in its privacy policy; however, its failure to disclose the fact that this analysis would be done by another company (which retained the data after analysis) prompted numerous complaints. Two separate class actions were launched against Toys R Us and Coremetrics, forcing the companies to terminate their business relationship in the wake of overwhelming negative publicity.

4.7 Security breaches

Website security breaches which placed customer information at risk became a familiar story during 2000.

4.8 Australian Taxation Office: Failing to identify a major privacy issue

Privacy issues emerged as a significant problem during the implementation of major tax reforms in Australia in mid-2000. Central to the business tax reforms was the need to obtain an Australian Business Number (ABN) for business to business dealings. Over 3 million applications for ABNs were received during the scheme's first months of operation, although Australian Bureau of Statistics figures indicate that there are only 1.1m businesses in Australia, suggesting most ABNs were for individuals. But the ATO had not taken into account the extent to which individuals would obtain ABNs, and the fact that ABN records would contain a substantial amount of personal information.
Legislation relating to the ABN established a publicly available Australian Business Register, including information on the holders of ABN drawn from the ABN registration forms, and in addition the Tax Office was making available (at a charge of $20) records of registration-related information. Although the ABN registration booklet mentioned that some ABN information would be publicly available, the details of this availability were not clear and applicants were not informed of this on the pages where they entered information. After a substantial public reaction, and intervention by the Privacy Commissioner, the Treasurer agreed to legislative amendments and the Tax Office agreed to limit the amount of information available publicly, and give individuals the option of limiting disclosure of their information if this disclosure could present a danger to them.
Privacy concerns were raised in Australia when a hacker accessed the business and bank account details of up to 27,000 businesses in Australia who were accredited suppliers of GST information and assistance packages to businesses through the GST Start-up Assistance Office. The 'hacker' reportedly obtained the information without actually hacking the site, as the information was provided on an ordinary page accessible through a URL on the site (the web address of which had not been disclosed). He then emailed 17,000 of the businesses to inform them of the security breach.

4.9 Other legal action

In other incidents, auction site ReverseAuction agreed to a settlement with the FTC in January 2000, agreeing to cease engaging in unlawful practices including collecting personal information of eBay users and deceptive spamming. Other legal action on privacy grounds was also launched against Amazon.com (through its subsidiary Alexa Internet, accused of sending personal information to Amazon.com without consent), and a class action suit was filed in Texas against Yahoo! on the basis of a Texan anti-stalking law, arguing that cookies are the cyberspace equivalent of stalking.

5. The global context of privacy laws

The extension of Australian privacy legislation is occurring in the context of a rapidly changing global regulatory environment, where privacy has emerged as a major issue around the world as new technologies impact upon privacy rights. The global nature of information flows raises complex privacy issues because of the potential for personal information to flow from jurisdictions where personal information is subject to privacy regulation, to other jurisdictions where there is little or no legal protection of personal information. This has been an especially controversial issue in recent years, with the European Union's privacy Directive restricting the flows of personal information to countries which do not have an "adequate" level of protection. This restriction has resulted in lengthy negotiations with the United States, which saw this requirement as a restriction on the development of e-commerce, while the EU argued that the US was neglecting a fundamental human right. After several years of meetings, the EU and the US concluded the "Safe Harbour" agreement which gives some protection to the data of Europeans in the United States, and which came into effect from November 2000.
Depending on the regional context of e-commerce transactions and alliances, it may be necessary to take account of the international context of legal protection for personal information. In simple terms, the two main approaches being adopted around the world to privacy protection are comprehensive privacy legislation or a mix of self-regulation and specific sectoral legislation, the approach adopted by the US.
The push towards legal measures to protect privacy began in industrialised nations in the mid-1970s. In the late 1970s, the Organisation for Economic Cooperation and Development (OECD) assembled a group of experts who developed a set of basic privacy and data protection guidelines. The OECD Guidelines developed in 1980[10] were the first significant international agreement on privacy principles. These Guidelines formed the basis of privacy legislation in most industrialised nations in the following decade, incorporating eight principles relating to the collection, use, security and disclosure of personal information. However, the OECD Guidelines did not set out an explicit statement on how these principles may be enforced, even in relation to data held by the public sector. As a result, countries chose a range of measures to implement the privacy principles.
Globally, the most significant privacy legislation in the past decade was the European Union Directive on data protection, which came into force in October 1998 and is implemented through national legislation individually in EU member states. It establishes comprehensive protection of personal information held by the public and private sectors, whether held electronically, manually or in any other form. The EU Directive has become the international benchmark for privacy protection - not least because countries without what the Directive describes as an "adequate" level of data protection will be excluded from personal information flows. The EU Directive has been a significant factor in countries outside of Europe implementing privacy legislation, including Hong Kong, Taiwan and Canada. Closest to home, the New Zealand Privacy Act 1993 established an Office of the Privacy Commissioner who has powers to enforce the Information Privacy Principles contained in the Act in both the public and private sectors. The Commissioner is also able to issue Codes, which vary the application of the IPPs for a practice, company, technology or industry. The extension of Australia's Privacy Act brings Australia closer to the NZ position, although the Australian legislation is on several points of comparison weaker than New Zealand's (such as in its broad exemptions).
The alternative to the legislated approach is through relying more heavily on self-regulation, which has been favoured in the United States. The regulatory environment of the United States is clearly the most influential for internet practices, given the US dominance whether measured by usage, sites, brand names or revenue. In this area, there have been significant developments in the past three years, which appear to be leading to internet privacy legislation.

5.1 Moves towards privacy legislation in the United States

After two years of monitoring the effectiveness of self-regulation, the Federal Trade Commission (FTC) concluded in May 2000 that self-regulation had failed to provide adequate privacy protection. While it indicated that significant progress had been made towards the development of industry self-regulation, it also noted that coverage of privacy safeguards was still inadequate and that legislation had become necessary. The FTC recommended to Congress that legislation be developed to protect personal information online in its report Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress.
The FTC's conclusions came after its third web site survey reviewed a random sample of 335 websites and a group of 91 of the busiest 100 websites. The survey confirmed that most sites collect personal information - 97% and 99% respectively - and that 88% and 100% respectively made some kind of statement about their privacy practices.
The report concluded that:
"Based on the past years of work addressing internet privacy issues, including examination of prior surveys and workshops with consumers and industry, it is evident that online privacy continues to present an enormous public policy challenge. The Commission applauds the significant efforts of the private sector and commends industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient. Because self-regulatory initiatives to date fall far short of broad-based implementation of effective self-regulatory programs, the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, the Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online."
The FTC's recommendation for legislation would cover consumer-oriented commercial websites. In other words, it would be a specific internet privacy measure, rather than the comprehensive data protection legislation adopted by most other advanced nations. It would therefore continue the blend of sectoral legislation and self-regulation which has been adopted by the US in recent years. The FTC's legislation would require that these websites comply with the four widely-accepted fair information practices of:
These principles are a shortened version of the 1980 OECD principles, and are less extensive than those in the National Privacy Principles.
The internet industry in the United States is increasingly recognising the likelihood of privacy legislation. As in Australia, one of the strongest drivers of a national privacy regime in the United States is the concern of business groups to avoid a patchwork of inconsistent state-based privacy laws. New York, California, Maryland, South Carolina, Florida, Wisconsin and other states have been debating broad privacy laws. The American Electronics Association began a push for a uniform national privacy law in 2000, to avoid a "privacy maze".
Meanwhile, in some states, individuals, sometimes backed by state governments, have begun taking the law into their own hands. Yahoo! faces a creative claim under Texan anti-stalking laws for its use of cookie technology which, according to Dallas lawyer Lawrence J. Friedman, allows the organisation "to watch, to spy, to conduct surveillance, to analyse the habits, inclinations, preferences and states" of people who visit its sites "without consent, agreement or permission of the class members". Friedman is claiming $50bn in economic damages, and despite its inventiveness, if the claim gets a plaintiff-friendly Texan jury in an environment of frustration over internet privacy, the outcome cannot be certain.
During 2000 the United States saw several privacy initiatives including medical privacy regulations, children's privacy laws, a ban on the use of genetic information in hiring and promotion in Federal agencies, the implementation of privacy policies on all Federal government websites and the growing use of Privacy Impact Assessments as a normal part of the process of developing new government computer systems.
President Bush has indicated publicly that he intends to adopt a pro-privacy stance on policy issues, and in a decision in April which angered the health industry the Administration approved health privacy rules which had been drawn up under the Clinton Administration. President Bush's apparent privacy commitment builds on public positions taken in 2000 by President Clinton and Vice President Gore, who both gave addresses on privacy issues. A swag of congressional privacy proposals in 2000 foreshadow the likelihood of an eventual agreement on legislation. The proposals range from a general study of privacy issues (the Privacy Protection Study Commission Act), to requirements that consumers give explicit, opt-in consent for sharing of data, as well as annual reports on data usage and the right to sue for misuse of data (Personal Data Privacy Protection Act). In between, proposals such as the Online Privacy Protection Act (with bipartisan sponsorship) and the Electronic Privacy Bill of Rights Act require privacy policies on web sites, rights to opt-out of disclosure of information to third parties and rights to access personal data.
A working group of Congress members from both houses and both parties was formed in late 2000 with the aim of reaching a consensus on new privacy laws, likely to impose a set of baseline requirements to which all Web sites might have to adhere under the working group's compromise legislation. In line with FTC recommendations, the legislation would require that the websites give information about the collection and use of personal information, and visitors to websites would be able to choose either to opt out of the collection of their personal information or to limit the use of the information. The Federal Trade Commission would have oversight of implementation of the law.
By February 2001, 13 privacy Bills had already been introduced into the new Congress, and several from 2000 are expected to be reintroduced. The bipartisan Congressional Privacy Caucus is working towards a privacy Bill that embodies basic privacy principles and may even ban some internet tracking technologies such as web bugs. In March, the House Commerce Committee's Trade and Consumer Protection Subcommittee held informational hearings on privacy legislation. Opinion is split over the likely outcome of the growing Congressional debate on the issue, as direct marketing and other industry lobby groups are now mounting a concerted campaign of opposition to legislative proposals.


Privacy has moved from being a relatively obscure civil liberties issue to becoming a critical building block for Australia's information economy. It is also a part of Australia's competitive positioning in the global information economy. The legal protection of personal information reflects public expectations, and for this reason businesses must think of not only how to meet their forthcoming legal obligations, but also to consider whether they handle sensitive personal information and what their customers expect from them. In that sense, privacy should be seen as a strategic challenge and opportunity, and not just a technical issue of legal compliance. In order to build consumer trust, manage information effectively and avoid any privacy landmines, businesses need to ensure that they align their privacy strategy to their broader strategic direction.
With only months remaining until the amendments to the Privacy Act come into effect, it is worth noting that those organisations which do not have all of their information practices in order by 21 December are unlikely to face grave problems immediately. However, there will be a significantly increased risk after 21 December, and it is important that organisations work strategically to minimise their risks and to focus on how they can meet customers' expectations that their personal information will be respected and that they will remain in control of it. This is the fundamental issue at the heart of the new era in privacy safeguards which will commence in coming months.

[1] Tim Dixon, Baker & McKenzie Global Privacy Group Sydney tim.dixon [at] bakernet.com
[2] Privacy Committee Act 1975 (NSW)
[3] Westin, A. Privacy and Freedom, New York, 1967, p39, quoted in Goldman, J. Privacy and individual empowerment in the interactive age, paper presented at the Visions for Privacy in the 21st Century conference, Victoria, British Columbia, May 9-11 1996, p26
[4] Trubow, G. Protocols for the secondary use of personal information, unpublished paper, John Marshall Law School Centre for Informatics Law, February 22 1993, p4
[5] Privacy Commissioner, Guidance notes to the National Principles for the Fair Handling of Personal Information, January 1999
[6] Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000
[7] AS4269-1995
[8] Tim Dixon, Surveys confirm high public concern about privacy, 2 Privacy Law and Policy Reporter 1995 vol. 9
[9] Ernst & Young, "Virtual Shopping in Australia: An Ernst & Young Special Report" January 2000
[10] OECD Guidelines covering the protection of privacy and transborder flows of personal data, Paris, 1980