Australia's New Privacy
Baker & McKenzie
Cyberspace Law and Policy Centre CLE Conference
Baker & McKenzie Global Privacy Group
- tim.dixon [at] bakernet.com
Author, CCH Private Sector Privacy
Preparing for the new privacy legislation
new private sector privacy legislation
The arrival of a new privacy regime in Australia in 2001 is a culmination
of several developments over recent years, which have seen privacy emerge as a
major social and commercial issue. Businesses are grappling with rising
customer concerns, a changing regulatory environment, the choice of signing on
to new industry codes, and the risk of a public backlash against technologies
that put customer privacy at risk. The growth of e-commerce in particular has
raised the profile of privacy issues, and has been a major factor behind the
Government's decision to extend the Privacy Act 1988 to the private
Managing privacy issues involves coming to grips with new legal obligations
and balancing competing interests. On the one hand, businesses have a strong
imperative to collect and use personal information. Customer information is
critical to e-commerce, and the more that businesses "know" their customers, and
know how customers respond to different aspects of their products, the better
they are able to target customers with products tailored to their specific
On the other hand, customers want to retain control of their personal
information, a lesson which some high-profile internet brands have learnt
at some expense. Customers are increasingly hostile towards businesses which
collect their personal data without their consent, or are not open about how
they use this information. In this environment, managing privacy issues
effectively can avoid unnecessary risk and help build stronger customer
At one level, there is a deceptive simplicity about privacy legislation.
It is based on a simple set of privacy principles, which outline how
organisations should, as far as possible, give individuals choice about how and
when their personal information is collected and used and to whom it is
disclosed; recognise their rights of access to that information; keep the
information accurate and secure; give individuals a choice of transacting
anonymously; not store government identifiers; and ensure that information
which is transferred overseas is subject to privacy safeguards. However, while
these principles sound relatively simple, in practice the detail of how they
are applied in specific contexts can be difficult. The complexity of applying
the legislation to specific instances is indicated by the fact that the draft
guidelines for the National Privacy Principles, which were released in May
2001, totalled 174 pages. The scope of the various exemptions to the Privacy
Act is especially complex, and organisations need to understand these
exemptions in order to know how to deal with other organisations.
Few people would have predicted how sharply the privacy issue has come into
focus in recent years. In the early 1990s, privacy was seen largely as a
slightly obscure civil liberties issue. But with the technological developments
of the internet, payment systems, encryption, biometrics, data mining, loyalty
cards and the shift in marketing practices towards individual customer
relationship management, privacy has become a major commercial issue. Privacy
has also become a political agenda item, a regular news story and a potential
risk to company reputations. Industry organisations in many areas have
established their own privacy rules which aim to give customers confidence about
how their personal information will be handled. Surveys have recorded
unprecedented levels of concerns about privacy issues, which have been linked to
the slower than expected take-up of e-commerce. These developments suggest that
the right of individuals to control their personal information will be one of
the defining social issues in the information age.
The development of privacy legislation in Australia is part of a global
trend to protect personal information and legislate for fair information
practices. Most industrialised countries now have legislation in place which
covers the handling of personal information and extends to internet
transactions. Australia, like the United States, has lagged this trend until
now while many other countries have been implementing second or third generation
Privacy Act 1988 and the Privacy Amendment (Private Sector) Act
Coverage of privacy legislation prior to amendments
Although online developments have heightened privacy concerns, the history
of specific legal measures to protect privacy in Australia reaches back into the
early 1970s. The first regulatory agency to have responsibility for privacy
issues, the New South Wales Privacy Committee, was established in
In 1976 the Australian Law Reform Commission began working on a major national
report on privacy, which was released in 1983. The Privacy Act 1988 (Cth) was a
delayed response to the recommendations of this report, and was initially to be
introduced alongside the proposed Australia Card, the national identity card
which was abandoned after an extraordinarily negative public reaction.
Prior to the recent amendments, the Privacy Act was based around a set of
11 Information Privacy Principles, formulated from the 1980 OECD Guidelines,
covering issues such as the collection, use, security, disclosure, retention and
destruction of personal information. The Privacy Act had only a limited scope,
essentially applying to:
(a) Commonwealth Government agencies
(b) The handling of Tax File Numbers by all
organisations (a set of mandatory Guidelines which restrict the use of TFNs);
(c) The use of credit reporting information in the
At the state level, governments have implemented similar legislation with
the Privacy and Personal Information Protection Act 1998 (NSW) and the
Information Privacy Act 2000 (Vic).
In overall terms, personal information collected by the Commonwealth
Government and some states was covered by privacy legislation, but these laws
had limited impact on the private sector.
Specific statutes also address the use of particular technologies in the
private sector; for example, the Telecommunications Interception Act 1979
and state legislation such as the Listening Devices Act 1984 (NSW)
and the Surveillance Devices Act 1999 (Victoria) prohibit the
unauthorised interception and recording of telephone conversations. The
Telecommunications Act 1997 also imposes restrictions on the unauthorised
disclosure of personal information related to customers of a telecommunications
service provider or an internet service provider.
There is a very limited degree of common law recognition of what might be
seen as a right to privacy in special situations. For example, if it is seen
that a duty of confidentiality exists between two parties (eg bank and customer
or a doctor and patient), then disclosure of information to a third party may be
a breach of confidence.
Outside the framework of legislation, some companies and industry
organisations have adopted a self-regulating approach to privacy
- Individual industries have specific codes of conduct which can govern the
practices of members of industry organisations or sectors. For example, the
National Privacy Principles are being incorporated into revised versions of the
Code of Banking Practice (which already deals with a variety of privacy issues
in clause 12), and the Electronic Funds Transfer Code of Conduct (which already
has some specific safeguards such as those relating to the use of cameras at
Automated Teller Machines).
- Individual industry bodies such as the Banking Industry Ombudsman and the
Telecommunications Industry Ombudsman receive and investigate complaints
relating to privacy breaches within their industries. In the case of the TIO,
membership of the body is compulsory for carriers, carriage service providers
and internet service providers. The Australian Direct Marketing Association
requires all of its members to comply with privacy obligations in its code, and
plans to register this code with the Privacy Commissioner.
- Some individual companies may establish internal guidelines on privacy. For
annual external audit, overseen by an independent panel.
evolution of the current privacy legislation
The Commonwealth Government's extension of privacy legislation in Australia
is the result of a process of policy development over four years:
- The Coalition's 1996 election manifesto included a commitment to "world
best" privacy legislation covering the private sector, and was critical of the
slow response of the previous Government to public concerns over the loss of
- In September 1996 the Attorney-General, Daryl Williams, released a
discussion paper on the proposed extension of the Privacy Act 1988 to the
private sector. It involved extending the existing Information Privacy
Principles to the private sector, with minimal changes to the overall regulatory
regime. This resulted in criticism from the business community that the
legislation would lead to unnecessary compliance costs.
- In March 1997 the Prime Minister, Mr Howard, announced that the Government
would not be extending privacy legislation to the private sector, citing the
problem of the regulatory imposition for small businesses to comply with the
law. Instead, the Prime Minister indicated that privacy should be dealt with
under self-regulatory processes.
- Over the course of 1997, the then Privacy Commissioner, Moira Scollay,
initiated a consultation process in which industry groups, privacy experts,
advocates and consumer organisations worked on the development of a set of
privacy principles which could apply to businesses either through industry codes
or national legislation.
- In February 1998, the Privacy Commissioner launched the National Principles
for the Fair Handling of Personal Information, which soon became known as the
National Privacy Principles. Industry groups such as the Insurance Council of
Australia, the Australian Direct Marketing Association, the Australian
Communications Industry Forum and the Internet Industry Association sought to
insert these principles into their industry codes. A revised set of Principles
was released in January 1999 after further consultations over the exemptions for
law enforcement agencies.
- Between 1997 and 1998 the development of the internet and a growing number
of well publicised privacy invasions gave increasing public profile to the
privacy issue. A public campaign to extend privacy legislation to the private
gained increasing support. By the second half of 1998, several industry groups
were actively advocating the extension of the legislation to the private sector.
The support of business groups was prompted by increasing concerns that in the
absence of a consistent national scheme, a patchwork of different industry
standards and legislation would emerge. This concern was heightened by the
development of a Victorian Bill for privacy protection which aimed to cover the
public and private sector.
- In December 1998 the Attorney-General and the Minister for Communications,
Information Technology and the Arts jointly announced that the government would
implement a "light touch" extension of the Act to the private sector, which
would provide for a default set of privacy standards in the absence of industry
codes to be approved by the Privacy Commissioner. This legislative proposal was
developed throughout 1999 through the Core Consultative Group, a similar group
to that which was involved in the development of the National Privacy
- In April 2000 the Government tabled the Bill in Parliament. The legislation
was reviewed by the House of Representatives Legal and Constitutional Affairs
Committee which released its report in June. The report was critical of the
exemptions in the Bill and proposed several amendments. Two Senate Committees
also reviewed the legislation. The Senate Select Committee on Information
Technologies released its Cookie Monsters report around the same time as
a Senate Legal and Constitutional Legislation Committee reported on the Bill, in
- After amendments in the Senate, which widened the Act's application to
pre-existing data and strengthened the role of the Privacy Commissioner, the
legislation was passed in December 2000 and comes into effect on December 21
Three main factors prompted the change in the Howard
Government's position away from self-regulation:
- The Victorian Government had indicated that it would go ahead with private
sector privacy legislation if the Commonwealth Government failed to legislate.
This in turn threatened to contribute to an untidy patchwork of different laws
in separate states and industry sectors, and prompted industry groups to press
for Commonwealth privacy legislation.
- The European Union's Privacy Directive prohibits trade in personal
information with countries which do not have adequate privacy protection
(effective from October 1998). Because there are no enforceable privacy
safeguards in the private sector, Australia would not meet the test of adequacy,
with potentially significant negative implications for the information
industries in Australia.
- Consumer research has indicated that privacy protection is a pre-requisite
for establishing consumer confidence in new technologies, and information
industry groups were pushing strongly in favour of privacy legislation as a
means to establish trust and confidence.
The extension of the
Privacy Act 1988 to the private sector means that from December 2001 all
organisations which are not covered by an exemption will need to comply with the
National Privacy Principles in how they handle personal information. This will
impose upon organisations requirements relating to how they communicate with
customers when they first collect information, what they do with that
information, to whom they disclose that information, how they keep information
secure, and how they provide access to personal information to individuals.
Organisations which breach these principles may be subject to investigation in
the event of a complaint, and if the complaint is upheld by the Privacy
Commissioner it may lead to a determination by the Privacy Commissioner
involving an award of compensation or being required to change a business
practice. While the history of privacy legislation suggests that it is unlikely
to lead to a stream of large payouts, given the high level of publicity being
paid to privacy issues and the potentially widespread nature of any breach of
privacy principles, privacy issues are now a significant regulatory issue for
organisations which handle personal information.
coverage of "personal information"
Private sector organisations must work with the same definition of
"personal information" in the Act that applies to Commonwealth agencies. The
definition of "personal information" is found in section 6(1):
"personal information" means information or an opinion (including information or an
opinion forming part of a database), whether true or not, and whether recorded
in a material form or not, about an individual whose identity is apparent, or
can reasonably be ascertained, from the information or opinion."
In short, personal information is information or an opinion that can identify a
The Explanatory Memorandum to the Privacy Bill 1988
noted that, "the range of information/opinion coming within the definition
is infinite and would include, for example, information relating to the person's
physical description, residence, place of work, business and business
activities, employment, occupation, investments and property holding,
relationships to other persons, recreational interests and political,
philosophical or religious beliefs. The definition applies to such information
or opinion whether recorded in a material form or not, including information
held on databases." [Explanatory Memorandum to the Privacy Bill 1988,
Paragraph 35] The definition of "personal information" is therefore
Even if a record does not identify a person by name, it may
constitute personal information. For example, a person might easily be
re-identified through an account number, employee number, transaction number or
some reference to an external record that uniquely identifies that individual.
This means that simply removing a person's name from a record will not make it
anonymous and stop it from being personal information.
Part of the scope of the Act's application to "personal information" is the
definition of a record and a generally available publication. Section 16B
specifies when the Act applies to personal information collected and held by an
organisation, by providing that:
"(1) This Act (except Divisions 4 and 5
of Part III and Part IIIA) applies to the personal information by an
organisation only if the information is collected for inclusion in a record or a
generally available publication.
(2) This Act (except Divisions 4 and 5
of Part III and Part IIIA) applies to personal information that has been
collected by an organisation only if the information is held by the organisation
in a record."
Section 16B(1) applies the Act when personal information
is being collected and section 16B(2) applies the Act to personal information
once it has been collected. Specific provisions apply in Division 4 of Part III
concerning tax file number information, Division 5 of Part III relating to
credit information and Part IIIA relating to credit reporting.
The definitions of "record" and "generally available publication" are found in
section 6(1) of the Act.
The definition of "record" sets out what a record might include, and what it
excludes:
(a) a document; or
(b) a database (however kept); or
(c) a photograph or other pictorial representation of a person;
but does not include:
(d) a generally available publication; or
(e) anything kept in a library, art gallery or museum for the purposes of
reference, study or exhibition; or
(f) Commonwealth records as defined by subsection 3(1) of the Archives
Act 1983 that are in the open access period for the purposes of that Act;
(fa) records (as defined in the Archives Act 1983) in the custody
of the Archives (as defined in that Act) in relation to which the Archives has
entered into arrangements with a person other than a Commonwealth institution
(as defined in that Act) providing for the extent to which the Archives or other
persons are to have access to the records.
(g) documents placed by or on behalf of a person (other than an agency) in
the memorial collection within the meaning of the Australian War Memorial Act
(h) letters or other articles in the course of transmission by post."
The definition of "record" is sufficiently broad to encompass records in
electronic form and includes films, videotapes, paintings, drawings, etc. of a
person (under paragraph (c)).
The exclusion for generally available
publications is an important limitation on the scope of the Privacy Act. The
definition of "generally available publication" is found in section
""generally available publication" means a magazine, book,
newspaper or other publication that is or will be generally available to members
of the public."
Thus the Act covers personal information but only
applies to information that is recorded in some form, which can include personal
information in an electronic record. However, it probably would not include
tissue information or bodily fluids such as blood or urine samples. Although
such samples might involve intensely personal information (such as unique
genetic information) they would be unlikely to come within (a), (b) or
the National Privacy Principles: The life cycle of personal
In a general sense, privacy legislation seeks to protect individuals from
the unfair or unauthorised use of their personal information. These rights can
be understood through the life-cycle of information: from
collection, through to use and disclosure to third parties, and ultimately to
the destruction of the information. Privacy laws seek to protect the
individual's right to control the use, storage and disclosure of this
personal information, subject to other public interests such as law enforcement
and the efficiency of public administration. As Professor Alan Westin first
defined it, privacy legislation protects the individual's right to
determine for one's self when, how, and to what extent information
about one's self is communicated to
can protect autonomy, dignity, or health and
Consumers' sensitivity about their personal information varies between
individuals and according to the type of information which a business collects.
For some people, even address, telephone number and email can be sensitive.
Consumer sensitivity is generally higher for:
- the aggregation of personal information from different sources which can
lead to detailed personal profiles (such as through bill management
- information on spending patterns and use of financial services;
- calling records and internet usage information collected by
telecommunications and internet service providers;
- health information collected by health care providers and providers of
- resume, reference and other employment-related information collected by
recruitment agencies, and
- information on customers' use of leisure and entertainment services such as
The amendments to the Privacy Act 1988
extend a set of National Privacy Principles (NPPs) to the private sector. The
NPPs were originally developed by the Privacy Commissioner in 1997 through a
process of consultation with industry and consumer groups. The NPPs differ from
the Information Privacy Principles (IPPs) which apply to Commonwealth Government
The National Privacy Principles set out minimum standards for the handling
of personal information. To a large extent these principles reflect the OECD's
Guidelines Governing the Protection of Privacy and Transborder Flow of
Personal Data from 1980. In the shortest form, they may be summarised in
- Collection of personal information: Collection must be necessary for
an organisation's activities, information must be collected lawfully and fairly,
and as a general principle must be collected with the individual's consent.
- Use and disclosure of personal information: As a general principle,
information can only be used or disclosed for its original purpose unless the
person has consented to its use or disclosure for another purpose. Exemptions
apply to initial contact for direct marketing (if consent wasn't practicable
originally) and other situations such as when there are issues of law
enforcement, public safety or protecting the company from fraud.
- Accuracy of personal information: Organisations must take reasonable
steps to ensure that they keep personal information accurate, complete and up to
- Security of personal information: Organisations must take reasonable
steps to protect the personal information which they hold from misuse, loss,
unauthorised access, modification or disclosure.
- Openness in relation to the organisation's practices: Organisations
which collect personal information must be able to document their practices and
must make this information available on request.
- Access and correction rights: As a general principle, organisations
must give individuals access to their personal information and must allow them
to correct it or explain something with which they disagree, unless disclosing
this would have an unreasonable impact on someone else's privacy. This
principle is subject to exemptions such as if this disclosure would compromise a
- Use of government identifiers: Organisations cannot use a government
agency's identifier as their own identifier. This would cover items such as Medicare
numbers, a Tax File Number (which in any case is covered by other legislation)
or any future identity numbers assigned by a government agency.
- Anonymity: Organisations must give people the option of entering into
transactions anonymously where it is lawful and practicable. For example, this
would apply to travel on a bus, but not to opening a bank account.
- Restrictions on transborder data flows: As a general principle,
organisations can only transfer the personal information about an individual to
a foreign country if they believe that the information will be protected by a
law or a contract which upholds privacy principles similar to the NPPs.
- Special provision for sensitive personal information: A higher level
of privacy protection applies to sensitive personal information, which includes
information about a person's health, political or religious beliefs or
affiliation, and sexual preference. This information must only be collected
with the individual's consent.
The Privacy Commissioner released a
draft set of guidelines on the National Privacy Principles in May 2001, spelling
out some of the factors taken into account in the interpretation of the
principles. The guidelines are open to comment until July 6 2001.
The NPPs apply generally to all organisations (other than public
sector agencies, which are already covered at a Commonwealth level by the
Information Privacy Principles). The Act defines "organisation" broadly in
section 6C to include an individual, body corporate, partnership, trust or any
unincorporated association. The Act specifically excludes small business
operators, registered political parties, agencies, state or territory
authorities and prescribed state or territory instrumentalities from the
definition of an "organisation" under section 6C (1). The effect of this is that
these entities are exempt from the operation of the Act. The exemptions are
spelt out as follows:
- media organisations: s7B(4)
- registered political parties: s7C
- state or territory authorities or an instrumentality of a State or Territory
prescribed by regulations: s6F
- organisations that are individuals acting in a non-business capacity:
- organisations acting under a Commonwealth or State contract:
- employer organisations: acting in respect of employee records:
(a) Small Businesses: A small business is
defined as a business with an annual turnover of $3 million or less, which does
not provide a health service or hold health information, which does not provide
contractual services to the Commonwealth and does not transfer personal
information about an individual to anyone else for any kind of benefit. In
other words, small businesses are covered if they are involved in the sale of
personal information. This outcome reflects some unique political sensitivities
in the Australian political climate relating to small business.
(b) The Media: Acts or practices done by an
organisation in the course of journalism will be exempt from the legislation.
This provision explicitly aims to strike a balance between the public interest
in providing adequate privacy safeguards with the public interest in allowing a
free flow of information to the public through the media. The scope of this
exemption is especially broad. An organisation can be classified as a media
organisation if it is engaged in the provision of information to the public, and
its "activities consist of ..... dissemination of ..... material having the
character of news, current affairs, information or a documentary". This
attracted criticism because of the possibility of it being used as a
(c) Political parties: Registered political
parties will be exempt from the legislation for their activities in connection
with an election, a referendum, or other participation in the political process.
This was a surprise inclusion in the legislation, as it had never previously
been raised during the extensive consultations over the legislation. The
Government has argued that it is necessary to give this exemption in order to
give effect to the implied constitutional freedom of political speech.
(d) Domestic use: This exemption applies to the use of personal information in
connection with personal, family or household affairs.
The Act covers all types of personal information which are not publicly
available, but will exclude:
(e) Employee records: Employee records are
defined as a record relating to the employment of an employee including
engagement, training, disciplining, resignation, termination, terms and
conditions, contact details, performance or conduct, remuneration, union
membership, health information and financial affairs. It extends to current and
(f) Personal information already in existence
when the amendments come into operation will have a limited exemption.
(g) State government contractors: The acts and
practices of contractors to state and territory governments and agencies in
relation to handling personal information under contracts need only to comply
with the applicable standards of the state or territory and will otherwise be
exempt from the Act.
(h) Transfers of personal information between
"related bodies corporate", as defined under section 50 of the
Corporations Law. Related bodies corporate are essentially businesses
which have a shared controlling interest. This might allow a large organisation
with diverse businesses to pool its personal data collections without the
knowledge of its customers. Restrictions still apply to the use and disclosure
of this information, but as an example, an organisation which was able to
conduct direct marketing to customers seemingly can conduct direct marketing in
respect of all of the operations of its related bodies corporate.
By default, the NPPs apply to organisations - that is, unless the
organisation is a signatory to a voluntary code which has been approved by the
Privacy Commissioner. However, the legislation leaves open the option of
industry groups or individual firms developing their own codes of conduct in
place of the NPPs. Codes can be developed by any organisation or group, but
cannot impose a lower standard of privacy protection than the NPPs. Codes must
be approved by the Privacy Commissioner after a process of consultation. The
codes are intended to give the legislation maximum flexibility while retaining a
consistent standard of privacy protection. The Privacy Commissioner recently
released a set of guidelines covering the requirements which must be met for a
code to meet the Commissioner's approval.
scope of the small business exemption
(a) Is the business a 'small business'?
A business is a small business during a financial year if its annual income
from the previous financial year was $3 million or less under section 6D(1) of
the Act. If no business was conducted in the previous financial year, it will be
considered a small business only if its annual income for the current year is $3
million or less. The Act does not exempt small businesses, of themselves, from
the coverage of the Act. The exemption attaches itself to the small business
operators, ie the entity that 'carries on' the business, not the business
(b) How is the $3m threshold for a "small business"
The method for determining the annual turnover of a business is prescribed
by section 6DA of the Act. It defines 'annual turnover' as the sum
- the proceeds of sales of goods and/or services;
- commission income;
- repair and service income;
- rent, leasing and hiring income;
- government bounties and subsidies;
- interest, royalties and dividends;
- other operating income.
In general this figure will equate to
the total of the instalment income a business notifies to the Commissioner of
Taxation on its Business Activity Statement over the course of the financial
year. This is significant as it means that a business should be able to use its
Business Activity Statements for a financial year to demonstrate that it falls
within the definition of a 'small business' under the Act.
has been carried out for only part of the year, section 6DA (2) provides a
formula for determining annual turnover. The formula calculates the annual
turnover for such a business as being the amount of turnover generated by the
business in the part of the year it operated, multiplied by the number of days
in the whole financial year over the number of days in the part of the financial
year when it was operating. On this basis, if a business only operated for 3
months of a financial year but had a turnover of $1m, it would not come within
the definition of a small business because its annual turnover would equate to
'small business operator' test
(a) Does the entity carrying on the small business
carry on any business that is not a small business?
Section 6D (3) excludes from the definition of a 'small business operator'
any entity that operates a small business as part of a group including larger
enterprises, thereby preventing large enterprises from sheltering under the
small business exemption. However, it may not prevent the (unlikely) scenario
of a small business operator maintaining several small businesses which each
turn over less than the annual $3m threshold.
(b) Has the business ever had an annual turnover of
over $3m since the business was started or since the section commenced,
whichever came later?
Further exceptions apply to the rule that an individual, body corporate,
partnership, unincorporated association or trust who carries on a small business
will be a small business operator. Any such organisation will not be a small
business operator, under section 6D(4), where they carry on a business that has
previously had an annual turnover of $3 million or more in a financial year that
has either ended after the business was started, or after the section commenced
in December 2002 (whichever came later).
(c) Does the business maintain health information
records other than in employment record(s)?
If the business provides a health service to another individual and holds
any health information (other than health information in an employee record),
then under 6D(4)(b) it is not exempt from the Act. This provision ensures that
medical practitioners and other providers of health services are included within
the coverage of the legislation.
(d) Does the business collect or disclose personal
information for a gain, benefit or advantage?
The exemption does not apply where a small business either:
- discloses personal information about another individual to anyone else for a
benefit, service or advantage, although this does not prevent an entity from
coming within the exempt definition of a small business operator where the
disclosure of this information is consented to by the individual concerned, or
where it is required by legislation (section 6D(7)); or
- provides a benefit, service or advantage to collect information about
another individual from anyone else, although again this does not prevent an
entity from being a small business operator where the information is collected
with the consent of the subject or is required to be collected under
legislation (section 6D(8)).
(e) Is the information collected or disclosed in the
business's role as a contracted service provider?
If the business is a contracted service provider under a Commonwealth
contract, it comes within the exemption. This provision applies whether the
business is a party to the contract or not (such as where it may be a
(f) Is the information collected or disclosed in
connection with the personal, family or household affairs of a small business
operator or for a purpose outside the normal course of a business which the
organisation carries on?
An individual who does something described in section 6D (4) (b), (c) or
(d) can still come within the exemption for a small business operator where such
actions are carried out otherwise than in the course of business he or she
carries on and only for the purposes of, or in connection with, his or her
personal, family or household affairs (section 6D (5)). Similarly, a body
corporate, partnership or unincorporated association that does something in
section 6D (4) (b), (c) or (d), stays within the definition of a small business
operator where such actions are done "otherwise than in the course of a business
it carries on" (section 6D (6)).
(g) Has the business opted in to be covered by the
Small business operators may opt-in to the coverage of the Act by choosing
to be treated as an organisation for the purposes of the legislation. It is
assumed that small businesses will do this if they believe it would improve
consumer confidence in providing them with personal information. In order to
allow this, section 6EA(1) of the legislation allows small business operators
to elect to come within the complete operation of the Act (with the exception of
section 16D, which is excluded in order to ensure electing small business
operators are covered by the legislation immediately after election: 6EA
(h) Have there been any regulations which would bring
the small business operator within the coverage of the Act?
A small business operator may be treated as an organisation and therefore
be covered by the Act where the Attorney-General makes regulations to that
effect. Section 6E allows the making of regulations relating to:
- all the acts and practices of a specific small business operator; or
- one or more specific acts and/or practices of a specified small business
- all the acts and practices of a class of small business operators;
- one or more specific acts and/or practices of a class of business
Prior to any regulations being made, the
Attorney-General must be satisfied that such a regulation is in the public
interest and must have consulted with the Privacy Commissioner about the
desirability of the regulations (section 6E(4)). In considering whether to make
the determination, the Attorney-General has indicated that the opinions of the
Minister for Small Business and the Privacy Advisory Committee are likely to be
taken into account.
(i) When do small businesses which are not exempt
become subject to the legislation?
For those small businesses which are not exempt from the Act, an extra
period of time is given to make it easier to prepare for the obligations of
complying with the Act. The time delay authorised by section 16D gives most
non-exempt small businesses an extra year to prepare for the legislation, with
the NPPs applying from December 2002. For any organisation that carries on one
or more small businesses, other than a business dealing in the provision of
health services, the delayed application period begins with the commencement of
the legislation or the formation of the organisation (whichever is later) and
ends on December 21 2002 or sooner if the organisation begins to carry on a
business that is not a small business or is a health service (section 16D (6)).
In effect, this means that there is no delay in the application of the Act to
small businesses operated by organisations which also operate a non-small
Once in place, an individual who believes that the code has been breached
may make a complaint to the organisation concerned. If it is not resolved
satisfactorily, they may make a complaint to the Privacy Commissioner, or if an
independent adjudicator has been appointed to administer the code, they must
make the complaint to that body.
If there is an approved code of conduct in place, the complaint will
normally be handled by a code authority, who is established and funded by an
industry. In practical terms, this might be the Telecommunications Industry
Ombudsman, the Banking Industry Ombudsman or the code authority for the
Australian Direct Marketing Association code of conduct. If there is no
approved code of conduct in place, the complaint is handled by the Privacy
Breach of the NPPs can result in an order from either a code authority or
the Privacy Commissioner to restrain an action, undertake an action, or to give
A decision by a code authority can be reviewed by the Privacy Commissioner,
and the Privacy Commissioner's decision can be reviewed through the process of
A decision to give an individual a remedy can be appealed in the Federal
Magistrate's Court, and can be enforced through the Court if an organisation has
not complied with the remedy.
a privacy strategy
The best response to the public concerns and changing regulatory
environment for privacy issues is to adopt a strategic approach which identifies
the importance of privacy issues to an organisation and the specific methods
which the organisation intends to use. There are several elements to a privacy
strategy, the detail of which will be determined by the nature of the
information which is collected and used, the size of the organisation and the
extent of the risk to customers' privacy and the reputation of the
A starting point for privacy compliance is the company's website privacy
policy. The information practices of businesses should be clearly explained on
the web site, and this policy should address the full range of information
practices of that agency. Under National Privacy Principle 5 (Openness),
organisations must make available information about their privacy practices.
The Privacy Commissioner's Guidelines for Federal and ACT Government World
Wide Websites sets out a range of issues which should be considered in
developing a policy, including:
- openness about its information practices;
- an explanation of the site's collection and use of clickstream data and
- what personal information is collected on the site;
- information about the security of any information; and
- the publication of personal information on websites.
Privacy policies should address the requirements of the National Privacy
Principles and give specific information about exactly how the organisation and
its alliance partners will use personal information.
Consent is a crucial principle in the implementation of privacy protection.
The National Privacy Principles state that consent must be obtained if personal
information is going to be used for secondary purposes, except under specific
limited conditions. Consent is especially important for direct marketing and
the sharing of personal information with third parties. However, the concept of
consent is not altogether clear. Consent may be obtained in active or passive
ways, which tend to be broadly divided as "express" and "implicit" consent.
"Express consent" or "explicit consent" involves explaining clearly to
consumers the organisation's information practices and obtaining active consent,
such as through a written consent form or via a secure means of communication.
Consent is likely to be regarded as express if consumers are given an active
choice between different privacy options, so that they are not forced into
consenting to specific uses of their personal information.
Companies which rely on "implicit consent" face a higher risk of future
complaints and claims, because they are assuming the consent of an individual
without necessarily bringing to their attention specific details of information
use and disclosure. An organisation which assumes implicit consent might argue
that certain uses of information are obvious from the nature of the person's
dealings with the organisation and do not require explicit consent.
The Privacy Commissioner's definitions of terms used in the National
Privacy Principles define consent in the following way:
"Free and informed agreement with what is being done or proposed. Consent
can be either express or implied. Express consent is given explicitly, either
orally or in writing. Express consent is unequivocal and does not require any
inference on the part of the organisation seeking consent. Implied consent
arises where consent may reasonably be inferred from the action or inaction of
The Explanatory Memorandum emphasises also that for certain categories of
personal information defined as being sensitive, a more explicit form of consent
(again, not specified) is required.
"NPP 2.1(b) allows information to be used or disclosed for a
secondary purpose where the individual has consented to use/disclosure for that
secondary purpose. Consent to the use or disclosure may be express or implied.
Implied consent would be acceptable in some circumstances. Implied consent could
legitimately be inferred from the individual's failure to object to a proposed
use or disclosure (that is, a failure to opt out), provided that the option to
opt out was clearly and prominently presented and easy to take up. If the
consequences for the individual of the use or disclosure were serious, however,
the organisation would have to be able to demonstrate clearly that the
individual could have been expected to understand what was going to happen to
his or her information. In such circumstances it would generally be more
appropriate to seek express consent.
325. NPP 2.1(c) allows personal information (provided it is not
sensitive information) to be used for the secondary purpose of direct marketing
where it is impracticable to get the individual's consent before using the
information; the organisation gives the individual an opportunity to opt out of
further direct marketing communications (at no charge); and the individual has
not already asked the organisation not to send direct marketing material to the
326. This sub-principle allows personal information, other than sensitive
information, to be used in order to establish initial contact with an
individual, provided that the individual is given the chance to opt out of any
further approaches. The exclusion of sensitive information from this
sub-principle recognises that the opt out mechanism is not a sufficient
protection in relation to this type of information. It would allow sensitive
information to be used to establish contact with an individual, in the absence
of consent, for purposes that may be entirely unrelated to the primary purpose
of collection of the sensitive information. The exclusion of sensitive
information will not prevent direct marketing organisations from using sensitive
information about an individual in reliance on, for example, NPP 2.1(b) (that
is, with the individual's consent) or NPP 2.1(a). The application of this
sub-principle in the health context will be detailed in guidelines issued by the
Policies need to be supported by back office implementation of procedures
which ensure that an organisation's internal practices are consistent with its
policies and legal obligations. Many organisations have put a focus on the
front-end development of website policies, but if this is not followed through
and implemented throughout the organisation, businesses are at risk of
misrepresenting their actual information practices. Organisations need to
address how privacy safeguards will be incorporated into their internal
processes, and should identify an individual who can take responsibility for the
development and implementation of the program. For example, many US technology
companies have appointed a Chief Privacy Officer to take this role and the
Australian Direct Marketing Association has required its 500 members to appoint
CPOs by April 2001.
an independent audit
Another method of building confidence in a company's information practices
is to commission an independent audit of the information policies and practices
of an agency. An information audit can help to highlight compliance problems
and can give customers added confidence that a policy is being implemented.
External audits are also a useful tool in making staff aware of their
accountability for their handling of personal information and identifying any
problem areas within the organisation.
The privacy impact assessment process represents an innovative approach to
managing the strategic risk associated with privacy practices at an early stage
of product development. Privacy impact assessments are now being conducted by
some governments (such as in Canada, New Zealand and the United States) and are
likely to become increasingly common in the private sector. The assessment
process allows businesses to identify potential risks,
and outlines options for how those risks might best be managed.
The impact assessment can help avoid nasty surprises and provide outside
input into the development of new products and services. With the rapid
development of e-commerce, there are thousands of new ideas, concepts and
products under development. The use of personal information is often a major
part of these new services. New e-commerce products can have significant
impacts on privacy, and privacy concerns can have a significant impact on how
consumers respond to new technologies. Businesses which ignore these issues can
suffer substantial financial harm and in some cases even find the launch of the
product cancelled or the product substantially modified because of a consumer
In short, the aim of the privacy impact assessment process is to ensure
that new products and services build trust, rather than diminishing it.
A popular way of proving an online business's credentials is to join a
privacy seal program. Privacy seals offer an external stamp of approval for the
practices of a website. They have become particularly popular in the United
States in the absence of legal measures to protect privacy. The best known
privacy seal programs are:
- TRUSTe, which was launched in June 1997 - a licensing program which
stipulates conditions to which the licensee must adhere, including privacy
principles and dispute resolution processes. By 2000, 1000 sites were licensed,
including around half of the 100 most visited sites. Nielsen/NetRatings rates
the TRUSTe logo as the most recognised symbol on the internet.
- The Council of Better Business Bureaus has a BBBOnLine Privacy program,
which claims a comprehensive process of assessing a company's privacy
policy and practices and has a third party dispute resolution process through
the Better Business Bureaus. The BBBOnLine Privacy program in May 2001 had 820
companies approved (www.bbbonline.org).
- The Online Privacy Alliance is another major US-based initiative which
covers a large proportion of major US companies. The OPA is focused on
transparency and allowing consumers to make choices between which web sites they
visit and where they make transactions. The OPA was launched in 1998 and
includes 85 major US companies and industry organisations.
- CPA WebTrust aims to deliver confidence in the business and information
practices of online companies. It requires its members to go through a full
audit program conducted by an independent certified public accountant. It uses a
specific encryption technology to ensure payment security, and is available in
the US, Canada, the UK, France, Ireland, Australia and New Zealand.
- Another industry group known as the Personalisation Consortium was launched
in 2000. It generally supports an opt-in consent to online marketing, and covers
26 major companies. The Consortium's initial standards for ethical information
practices include fair access to personal information, responsible linkage of
online and offline information, criteria for opt-in and opt-out consent, and
rights of redress for consumers.
adopting a seal should familiarise themselves with a recent evaluation of seal
programs published by the Australian Federal Privacy Commissioner in conjunction
with the Ontario Privacy Commissioner. This report, released in September 2000,
concluded that while they had helped to improve online information practices,
most of the seal programs fell short of adequate privacy standards. The report
Web Seals: A Review of Online Privacy Programs
"The future role that
Web seals might play in e-commerce is unclear. Seals are only in their early
stages of development and will likely evolve and improve over time. They could
come into their own as a powerful facilitator of globalization of consumer
transactions if they are able to provide acceptable and enforceable privacy
protection across multiple jurisdictions. Objective assessments of the extent to
which seals provide true privacy protection, dispute resolution and enforcement,
may be a crucial factor in determining the degree and speed with which they
become more accepted by consumers. Such assessment could assist consumers and
business in differentiating between the competing claims put forward by various
Complaints handling is an important part of managing privacy issues within
an organisation. Effective complaints handling allows a company to identify any
internal compliance problems, and is an important part of managing an
organisation's privacy risks. Poor handling of complaints, such as when staff
are slow in dealing with a complaint, appear to lack knowledge, do not return
phone calls and appear uncooperative, can deepen the aggravation of a customer
who feels their privacy has been invaded. Speedy, informal complaints
resolution processes can turn a disgruntled customer into a satisfied one if
they feel that the organisation takes their concerns seriously. This is
particularly the case in privacy complaints which often do not require or do not
involve monetary compensation (but on the other hand, can sometimes be extremely
serious and cannot be in any way remedied by monetary compensation either). The
Australian Standard on Complaints Handling provides a framework for
organisations to develop internal
A business which is intending to introduce a new online service which might
have significant privacy implications for its customers may wish to initiate a
formal process of consultation. This may be done through an industry
organisation or directly by an individual company. For example, a business may
make informal or formal contact with consumer and privacy groups, and any other
stakeholders, who can help to identify and address potential problems or issues
in the early design of the program. This approach is most relevant in
industries in which a small number of companies play a dominant role, such as in
banking or telecommunications. A business can also explain its plans on its
website and can seek responses from its users and customers. This process can
complement the privacy impact assessment.
It is important that contracts with third party service providers
adequately address privacy issues. Specific measures can be taken to give
maximum protection from the risks associated with third party processing of
The contract should address:
(a) confidentiality undertakings - prohibiting any use
or disclosure of information other than what is necessary to meet the
requirements of the contract (subject to the normal exemptions, such as for
(b) accepting all privacy obligations under relevant
legislation (eg Telecommunications Act, Privacy Act, Code of
(c) an indemnity for any liability arising out of the
agency's breach of their privacy obligations;
(d) acceptance that the contracting party may audit
either directly or through its auditors, the information practices of the
contractors relating to the processing of information as set out in the
contract, and that the contractor must provide all reasonable assistance to the
party conducting the audit;
(e) obligations that the contractor informs the
contracting party if any breaches or alleged breaches of security or of the
Termination provisions should also impose an obligation to return all personal
information and destroy any remaining records of personal information if the
contract expires or is terminated.
technologies to enhance privacy
It is important to put the contractual and legal context of privacy
protection into the broader context of technologies which can play a role in
protecting individual privacy. Legal measures are not the only way of providing
consumers with protection for their personal information. A small segment of
the online community is willing to pay to take privacy protection into its own
hands through the use of encryption and other software products which block
cookies and preserve online anonymity. These privacy technologies are useful
for email, browsing web sites and making transactions.
One of the best regarded examples of privacy enhancing technologies is the
Freedom Software program from Zero-Knowledge Systems (www.freedom.net). This
software gives a web user anonymity by allowing them to use a pseudonym.
Personal information is encrypted and routed through the company's network of
servers so that it cannot be traced to a user's computer. A pseudonym costs
just $US10 per year. Similar anonymising and anti-cookie software programs are
available from other providers including Cookie Crusher, Cookie Cruncher,
AddsOff, Cookie Cutter, AdSubtract Se, Cookie Pal, Cookie Web Kit, HistoryKill
2000, Netwatcher 2000 and Surfsecret Test.
Other companies offer to take on an information intermediary role,
collecting information from a user and providing it to sites with users'
approval. These "infomediaries" may rate sites according to their privacy
policies (such as Eponymous.com's Eponymous Adviser software) which obtains a
person's name, date of birth, billing and postal address, e-mail, phone number,
credit card details and preferred method of contact. Eponymous has rated the
policies of 30,000 web sites.
The World Wide Web Consortium has taken this concept further by developing
P3P, the Platform for Privacy Preferences, which is intended to be built into
software and allow an automatic comparison between a web surfer's privacy
it would implement the P3P standard in its software. P3P has met with a mixed
response from privacy advocates and users, and it remains to be seen whether it
will become an important element in online privacy measures.
privacy has become a major issue
The growing attention to privacy concerns reflects one of the impacts of
the information revolution on individuals. The information explosion has made
it possible to collect detailed information on customer purchasing patterns, to
profile customers and to use data mining to build greater intelligence into
business strategies. While this has offered great convenience to customers, it
is also prompting a backlash. Survey research in recent years has tracked
rising concerns that consumers are losing control of their personal information.
While privacy concerns a decade ago were mainly focused on government collection
and use of information, in recent years public concerns have shifted towards the
use of personal information in the private sector.
Privacy concerns are now recognised as being more than just a concern for a
small proportion of technophobic customers. Unease with the collection and use
of personal information is now a significant factor holding back the uptake of
e-commerce, with consumers reluctant to risk losing control of their personal
information despite the convenience offered by the online environment. Analysts
now estimate that billions of dollars worth of e-commerce transactions are being
lost because of consumer distrust in current privacy arrangements: as much as
$US2.8bn in the United States in 1999, rising to $US18bn by 2002, according to
Forrester Research. This research has given impetus to regulatory
initiatives in the US and elsewhere.
These concerns have serious effects on businesses which are making
e-commerce a major strategic focus. For example, internet portals need customer
information to maximise advertising revenue. The push for customised marketing
from web advertisers is strong: if an advertiser doubles the ad banner
clickthrough rate on a website from the standard 0.5% to 1%, through targeted
marketing, they can double the site's advertising revenue. But developing
targeted marketing requires the collection and use of personal information, and
this creates risks.
Australians place a high value on the protection of their personal privacy.
Throughout the 1990s a series of public opinion surveys showed consistently that
privacy is a significant concern for people. For example, asked to rank a
number of social issues in a Roy Morgan survey conducted by the Australian
Privacy Commissioner in the mid-1990s, some 93% of Australians rated the
confidentiality of their personal information as important, with 74% saying it
was "very important" and a further 19% "important".
Privacy was ranked second only to education as a matter of concern when compared
to other social issues - even ranking ahead of both the economy and the
Research by Ernst
& Young has shown a higher level of concern about online privacy and
security issues than in the US or
New research to be
released by the Federal Privacy Commissioner in 2001 should provide a deeper
insight into how Australians think about privacy issues.
Australian research reflects similar trends to surveys published in other
countries. These are being compiled in the Baker & McKenzie Global Privacy
Attitudes Survey Review, which will soon be available on the Baker &
McKenzie website (www.bakernet.com/e-commerce). The surveys reflect the
conclusions of Alan Westin, a veteran US privacy expert who has conducted 26
national privacy attitudes surveys since 1978 and who notes that privacy
concerns have been on a rising trend from a base level of around 72% in the
early 1970s.
The conclusions of these surveys include the following points:
- There is a very high level of concern about privacy
- A 1999 Roy Morgan survey in Australia reported 56% of people agreeing with
the statement, "I'm worried about invasion of my privacy through new
technology", with 18% agreeing strongly, 24% disagreeing (only 3% strongly) and
20% unable to say. These concerns ranged across all party affiliations, from
50% agreement at the low end to 62% agreement at the high end.
- The 1998 Beyond Concern: Understanding Net Users' Attitudes to Online
Privacy, conducted by AT & T Labs Research, reported 87% of respondents
as being concerned about privacy, with 39% "very concerned" and only 13% "not
very" or "not" concerned.
- A Harris Interactive poll of 2,810 American adults in August 2000 found that
American consumers are more concerned about privacy issues than health care,
crime or taxes. Some 56% stated that they are very concerned about the loss of
personal privacy, compared with 54% with health care, 53% with crime and 52%
- A 1999 survey by the Japanese Ministry of Posts & Telecommunications
Privacy Survey reported that 94% of respondents said that they were interested
in privacy safeguards.
- Privacy concerns are greatest in the online environment
- The IBM Multinational Consumer Privacy Survey in 1999 covering the
United States, the United Kingdom and Germany, showed that concern about threats
to personal privacy on the Internet ranged from 73% in the UK to 92% in the US,
where 72% of people were very concerned.
- The IBM survey also found that consumers have the lowest confidence in the
privacy practices of companies which sell over the Internet (ranging from 10% to
21%), contrasting with trust in the confidentiality of personal information
handled by Banks ranging from 70 77% and for health care providers
ranging from 71 74%.
- A US survey by Yankelovich Partners in August 2000 reported 90% of
respondents saying that protection of the privacy of their personal information
is the most important issue to them when shopping online.
- Consumers especially dislike the use of their personal information for
direct marketing without their consent, particularly when personal information
is sold to third parties for direct marketing purposes
- A Business Week/Harris poll in March, 2000 showed record levels of privacy
concerns, including that
- of the 45% of respondents who had purchased online, 78% were concerned about
the company they buy from sending them spam, with 41% very concerned
- of the 55% of people who have not purchased online, some 94% said they were
concerned about the company they buy from sending them spam, and 63% were very
- 10% overall were happy with browsing habits and shopping patterns being
merged, and 89% were against (including 68% "not at all comfortable").
- 86% of Internet users were concerned abut the use of online purchase
information to directly market back to them, with 65% very concerned.
- The Trust in the Wired Americas survey by Cheskin Research in 2000
covering the US, Latin America and Brazil, indicated a 6.3/10 positive response
for the statement that personal information given to a website may be sold for
- Privacy concerns affect the way in which consumers behave and transact
- The IBM research showed that 50% of consumers in Germany, the UK and the USA
had refused to give information on websites because of privacy concerns, and
between 32% and 54% had decided not to purchase online because of privacy
concerns. 39% of people in the US, 44% in Germany and 47% in the UK stated that
privacy issues had stopped them from making online purchases. Around one third
of Internet users demonstrate "privacy assertive behaviour", such as giving
false information when asked to register online.
- 65% of respondents in the Harris Interactive Survey said that if a website
- 70% of respondents in the Business Week/Harris poll said that they would use
the Internet, register personal information, or purchase more often, if there
were explicit guarantees about the use of their personal information.
- 61% of people who did not use the Internet stated in the Business
Week/Harris poll that they would be more likely to start using the Internet if
their privacy was protected, and 78% of users said they would be more likely to
use the Internet more often if this was the case. For both non-users and users,
privacy was the highest ranking issue affecting whether or not they would use
the Internet more often.
- Consumers want to have control over their personal information and how it
is collected and used
- The Beyond Concern survey indicated that whether or not personal information
was shared with third parties was the most important criterion for individuals
when visiting websites, with 96% of people registering agreement with this
concern. Being informed of the purpose of collecting
personal information and the nature of the information which was being collected
also ranked as extremely high level concerns.
- In the Business Week/Harris survey, 86% of respondents said that websites
should ask for permission to collect name, address and phone number details all
the time, and 88% said that they should obtain permission before sharing
personal information with any other organisations all the time.
- The same survey indicated that 56% of people would always opt out of the
collection of their personal information if given the choice, and 34% would
sometimes opt out.
- The 1997 GVU survey of Internet users showed 72% of Americans agreeing with
the statement that there should be new laws to protect privacy on the Internet,
while the Business Week/Harris survey indicated 57% saying that laws should be
- Around 80% of people consistently wanted an opt-in arrangement for
information collection, and 88% wanted to give consent before any sharing of
their personal information. 55% of web users had noticed privacy policies, of
whom 77% had read them and 35% said they always read them.
concerns are behind the widespread adoption of comprehensive privacy and data
protection legislation in developed countries over the past decade, which are
discussed later in this paper. The global regulatory patchwork of privacy laws
creates challenges for e-commerce which by its nature involves cross-border
alliances and transactions. Some businesses are adopting the approach of
jumping to the highest bar, the European Union Directive, hoping that this will
be adequate for other jurisdictions. Others adapt their policies to local
requirements and do not aim for a consistent global strategy. Many have an ad
hoc approach which only deals with privacy issues when confronted by customer
complaints or negative publicity, or because of immediate legal
The challenge for business organisations is to recognise that privacy is a
strategic issue which goes beyond the scope of mere legal compliance. For
- Protecting personal information is an important element of the trust
relationship which businesses want to develop with customers.
- Privacy is recognised as a threshold issue for consumer take-up of
e-commerce, and is especially important for new products which involve the
collection and use of large amounts of personal information, or particularly
sensitive information such as health or financial records.
- Providing consumers with the widest range of choice in relation to their
personal information is an element of quality of service.
- Privacy and security features are an important part of risk management
strategies, because a negative privacy experience can have a substantial impact
on public perceptions of an organisation's trustworthiness.
- Several industry associations have adopted codes of practice which include
privacy standards, and which are binding on their members.
information in an e-commerce environment
Changing business practices have greatly increased the scope for collecting
personal information. This reflects the explosion of information gathering,
processing and storage in recent years. For example, telecommunications
providers know the date, time, length, call number and destination of telephone
calls. Pay TV services can know the viewing interests of subscribers. Internet
portals can know the interests of users from how users navigate their website.
With the development of interactive TV and pay-per-view services, it may also
include a detailed history of a household's viewing patterns. Online
financial services aggregators and bill management services can also collect a
vast amount of highly sensitive information which gives a wide-ranging view of a
While businesses were already able to collect a substantial amount of
personal information on their customers before the arrival of online
transactions, e-commerce creates a much larger and richer store of personal
information because very few online transactions are anonymous. There are also
far more points of collection of information:
- online registration systems allow businesses to collect contact details and
general demographic information;
- clickstream data, collected through cookies, can identify the specific
interests of individuals as well as giving companies information about how
customers respond to the content of their website;
- email allows customers to communicate with businesses with minimal time or
- businesses can track a complete history of customer
The online environment allows businesses to build
individual customer profiles in a way that for most businesses was simply not
practicable across a wide customer base in the past. The information gathered
from these profiles can be an enormously valuable resource for strategic
development as well as for marketing and building customer
The online environment has also fostered the growth of joint ventures and
alliance relationships, where businesses are able to leverage off each other's
strengths. A significant online customer base is a highly valuable commercial
asset for companies which are entering into joint ventures. In some cases,
joint ventures allow companies to access the personal information held by
partners and to expand their records as a result. But joint ventures can also
contain risks if there is a leakage of customer information to other parties
without the consent of those customers.
The risk of adverse media publicity has now become a major reason for
businesses to review and change their privacy practices, after an unprecedented
year of privacy debacles in 2000. Several high-profile businesses have had their
reputations tarnished by lax, inadequate and in some cases illegal information
practices. Despite the fact that for several years surveys have highlighted the
importance of privacy to consumers, it is only more recently with far greater
media coverage of privacy issues that privacy has been recognised as an issue
which can significantly harm the public reputation of businesses.
In some respects, it is not surprising that increasing public attention on
privacy issues is exposing some organisations' bad information practices.
Survey research has indicated that many organisations do not have
clearly developed or well implemented privacy policies; and while online privacy
practices are improving, they fall well short of any well-accepted privacy
benchmark. Even in sectors where a substantial amount of personal information is
collected such as online recruitment services, many websites still do not have
privacy policies. Among those that have a policy, many do not have adequate
As the spotlight on internet practices has intensified in recent years, a
growing list of companies has come under attack for careless, unethical or even
deceptive information practices. The public reputations of businesses can be
- bad information collection practices, such as collecting unnecessary
- failing to explain how personal information will be used (and broadly,
- passing on personal information to other companies without the consent of
- security breaches, including unauthorised access to personal information,
unintended disclosure, and problems with credit card numbers;
- making mistakes, such as sending the wrong personal information to
individuals or recording mistaken information, and
- denying people anonymity, such as in their usage of a
These risks are illustrated by some of the privacy
stories which hit the news during 2000.
Networks: Failing to disclose information practices
The year began with online software distributor Real Networks still
smarting from a blitz of negative publicity after the New York Times revealed
that it was collecting information about the musical tastes of 13.5m Real
product users without their knowledge. Real Jukebox, software downloaded
through the Real Networks site, was scanning users' hard drives and transmitting
information about their musical interests and music player back to Real
Networks. This information was then added to pre-existing customer profile
information. Although Real Networks is a member of TRUSTe and displayed its
logo on its website, TRUSTe refused to launch an investigation into Real
Networks because its licence only covers information collected from consumers
over a website, and since the information was actually collected by software
downloaded from a website, Real Networks had not violated its TRUSTe licence.
TRUSTe did announce, however, that it would review its licence
Customer profiling without consent
In perhaps the best-known incident of the year, online advertising agency
DoubleClick came under siege from public outrage for unlawfully obtaining
and selling customers' personal information. DoubleClick is the leading online
advertiser, with revenues which had grown from $9m in 1995 to $258m in 1999. By
the end of 1999 DoubleClick was serving 30 billion targeted ads per month, and
serving ads to around 12,000 web sites. In late 1999, DoubleClick began
combining and cross referencing personal information from the web browsing
habits of users with the database of a direct marketing firm, Abacus, which it
had recently acquired. DoubleClick planned to match home address, name and
purchasing habits to individuals' web usage patterns. Following extensive
publicity, a consumer backlash, legal action by the Michigan State
Attorney-General, an FTC investigation and a drop of one third in its share
price, DoubleClick suspended its matching practices in March 2000. Estimates of
the cost to DoubleClick of the incident (which occurred at the time of
its second capital raising) range as high as $2.2 billion.
Pink contracts for spammers
Controversy erupted for internet service provider PSINet when CNET News.com
claimed that PSINet was covertly profiting from spamming while publicly opposing
it. CNET News.com obtained a 'pink contract' which indicated that a marketing
firm in Louisiana was paying PSINet an extra $27,000 in a one-off payment for
"increased risks associated with this agreement". Cajunnet, the marketing firm,
sent out 5-20 million spam messages at one time, helping to explain the
additional payment given the likelihood of a large number of complaints and the
risk of damage to PSINet's reputation if the arrangement came to light. At the
same time, PSINet's stated policy on spam had indicated that customers would be
cut off if caught sending spam. PSINet subsequently terminated the relationship
and embarked on new compliance and training efforts internally to avoid the
repetition of any such incidents.
selling a bankrupt business's database
American toy e-tailer Toysmart drew criticism when it announced that
it intended to sell off its customer database after the company filed for
bankruptcy on May 19. The decision to sell off the 250,000 customer records
contradicted an express promise on Toysmart's web site never to sell customer
information. This reversal in policy prompted the intervention of the Federal
Trade Commission (FTC), which sued Toysmart for engaging in deceptive conduct. 42
states also sought a court injunction from the Federal Court to prevent the sale
taking place for violations of their individual consumer protection schemes. The
FTC eventually came to an agreement with the company that precluded the sale of
the database as a separate asset, such that Toysmart could only sell the
customer database as part of the sale of the whole web site. No company came
forward to buy Toysmart, and in early January 2001 Toysmart's majority owner,
Disney, paid $50,000 to destroy the database.
Amazon.com created a storm of protest when it informed customers that it
businesses to sell their databases after the Toysmart.com debacle. The revisions
to Amazon's policy stated that the 23 million strong customer database is an
asset of the business which may be sold to a third party in the future, without
obtaining any further consent from customers. Amazon's changes provoked
widespread criticism, and several complaints were filed against Amazon's
subsidiaries in Europe for breaching local European privacy
Failing to inform consumer of third party use
The toy store e-tail industry was rocked by a further privacy debacle in
August 2000 when it was revealed that Toysrus.com, the e-commerce web
site of the Toys R Us chain, was outsourcing data analysis of its
consumer database to a third party company, Coremetrics, which was then
retaining and using the data for its own data analysis purposes. The company's
the provision of customers' personal details including names, postal and email
addresses, and phone numbers to Coremetrics. Toys R Us had reserved the right to
failure to disclose the fact that this analysis would be done by another company
(which retained the data after analysis) prompted numerous complaints. Two
separate class actions were launched against Toys R Us and Coremetrics, forcing
the companies to terminate their business relationship in the wake of
overwhelming negative publicity.
Website security breaches which placed customer information at risk became
a familiar story during 2000.
- The year began with online music seller CD Universe losing more than
300,000 credit card numbers to a Russian hacker. Credit card clearing house
Creditcards.com lost another 55,000 records, and in December it was
reported that hackers had broken into the Egghead website,
potentially gaining access to 3.7 million customer profiles. The company later
reported that investigations indicated that the hackers had not gained access to
the customer records.
- At the year's end, a hacker broke into the customer database of
GlobalCentral.com, a Wyoming internet service provider, and sent
information on customers including their credit card number, bank account
numbers, address, telephone number and terms of their contract with
GlobalCentral. The hacker was reportedly motivated by opposition to
GlobalCentral's support of a conservative family values organisation.
- Furniture retailer Ikea attracted attention when it was revealed that
its customer database, containing names, phone numbers and postal and email
addresses, was publicly accessible on the web for over two days in early
September 2000. The company claimed that the security breach was caused by a
hacker, a claim disputed by experts who cited the lack of adequate
authentication or firewall software as a contributing factor. The incident was
Ikea's second privacy slip-up that year, with the company drawing criticism in
March for adopting a spam-based advertising strategy. The company had offered a
$75 discount coupon to any customer who emailed a promotional e-card to ten of
their friends. The scheme generated 37,000 emails within one week before Ikea
stopped the promotion in response to severe public criticism.
- On 7 July 2000, a customer of British power utility Powergen, while
attempting to pay a bill online, accidentally uncovered the
unencrypted, publicly accessible credit card numbers and payment and personal
details of 7,000 Powergen customers. In an attempt to deflect criticism, Powergen
at first denied the leak, then later accused the would-be customer of 'hacking'
its site. The story was picked up by online magazine Silicon.com, which
obtained from the customer proof of the leak. Despite originally threatening
legal action against both the customer and the magazine, Powergen later admitted
that the blunder had not been caused by the customer but by the company, assuring
customers that its system was now safe.
- In April, web search engines revealed pages containing the personal
registration of some 35,000 members of the adiamondisforever.com website,
a site which gives information about diamonds and which is sponsored by De
- Similarly, a computing error on the Amazon.com website resulted in
the email address of Amazon members being disclosed on an affiliate partner's
website in September.
Taxation Office: Failing to identify a major privacy issue
Privacy issues emerged as a significant problem during the implementation
of major tax reforms in Australia in mid-2000. Central to the business tax
reforms was the need to obtain an Australian Business Number (ABN) for business
to business dealings. Over 3 million applications for ABNs were received during
the scheme's first months of operation, although Australian Bureau of Statistics
figures indicate that there are only 1.1m businesses in Australia, suggesting that
most ABNs were for individuals. But the ATO had not taken into account the
extent to which individuals would obtain ABNs, and the fact that ABN records
would contain a substantial amount of personal information.
Legislation relating to the ABN established a publicly available Australian
Business Register, including information on the holders of ABN drawn from the
ABN registration forms, and in addition the Tax Office was making available (at
a charge of $20) records of registration-related information. Although the ABN
registration booklet mentioned that some ABN information would be publicly
available, the details of this availability were not clear and applicants were
not informed of this on the pages where they entered information. After a
substantial public reaction, and intervention by the Privacy Commissioner, the
Treasurer agreed to legislative amendments and the Tax Office agreed to limit
the amount of information available publicly, and give individuals the option of
limiting disclosure of their information if this disclosure could present a
danger to them.
Privacy concerns were raised in Australia when a hacker accessed the
business and bank account details of up to 27,000 businesses in Australia who
were accredited suppliers of GST information and assistance packages to
businesses through the GST Start-up Assistance Office. The 'hacker'
reportedly obtained the information without actually hacking the site, as the
information was provided on an ordinary page accessible through a URL on the
site (the web address of which had not been disclosed). He then emailed 17,000
of the businesses to inform them of the security breach.
In other incidents, auction site ReverseAuction agreed to a
settlement with the FTC in January 2000, undertaking to cease engaging in
unlawful practices including collecting personal information of eBay users and
deceptive spamming. Other legal action on privacy grounds was also launched
against Amazon.com (through its subsidiary Alexa Internet, accused of
sending personal information to Amazon.com without consent), and a class action
suit was filed in Texas against Yahoo! on the basis of a Texan anti-stalking
law, and arguing that cookies are the cyberspace equivalent of
global context of privacy laws
The extension of Australian privacy legislation is occurring in the context
of a rapidly changing global regulatory environment, where privacy has emerged
as a major issue around the world as new technologies impact upon privacy
rights. The global nature of information flows raises complex privacy issues
because of the potential for personal information to flow from jurisdictions
where personal information is subject to privacy regulation, to other
jurisdictions where there is little or no legal protection of personal
information. This has been an especially controversial issue in recent years,
with the European Union's privacy Directive restricting the flows of personal
information to countries which do not have an "adequate" level of protection.
This restriction has resulted in lengthy negotiations with the United States,
which saw this requirement as a restriction on the development of e-commerce,
while the EU argued that the US was neglecting a fundamental human right. After
several years of meetings, the EU and the US concluded the "Safe Harbour"
agreement which gives some protection to the data of Europeans in the United
States, and which came into effect from November 2000.
Depending on the regional context of e-commerce transactions and alliances,
it may be necessary to take account of the international context of legal
protection for personal information. In simple terms, the two main approaches
being adopted around the world to privacy protection are comprehensive privacy
legislation, and a mix of self-regulation and specific sectoral legislation, the
approach adopted by the US.
The push towards legal measures to protect privacy began in industrialised
nations in the mid-1970s. In the late 1970s, the Organisation for Economic
Cooperation and Development (OECD) assembled a group of experts who developed a
set of basic privacy and data protection guidelines. The OECD Guidelines,
developed in 1980, were the first
significant international agreement on privacy principles. These Guidelines
formed the basis of privacy legislation in most industrialised nations in the
following decade, incorporating eight principles relating to the collection,
use, security and disclosure of personal information. However, the OECD
Guidelines did not set out an explicit statement on how these principles may be
enforced, even in relation to data held by the public sector. As a result,
countries chose a range of measures to implement the privacy
Globally, the most significant privacy legislation in the past decade was
the European Union Directive on data protection, adopted in 1995 with a deadline
of October 1998 for implementation through national legislation in each EU
member state. It establishes comprehensive protection of personal information
held by the public and private sectors, whether held electronically, manually or
in any other forms. The EU Directive has become the international benchmark for
privacy protection - not least because countries without what the Directive
describes as an "adequate" level of data protection will be
excluded from personal information flows. The EU Directive has been a
significant factor in countries outside of Europe implementing privacy
legislation, including Hong Kong, Taiwan and Canada. Closest to home, the New
Zealand Privacy Act 1993 established an Office of the Privacy
Commissioner who has powers to enforce the Information Privacy Principles
contained in the Act in both the public and private sectors. The Commissioner is
also able to issue Codes, which vary the application of the IPPs for a practice,
company, technology or industry. The extension of Australia's Privacy Act
brings Australia closer to the NZ position, although the Australian
legislation is on several points of comparison weaker than New Zealand's (such
as with its broad exemptions).
The alternative to the legislated approach is to rely more heavily
on self-regulation, which has been favoured in the United States. The
regulatory environment of the United States is clearly the most influential for
internet practices, given the US dominance whether measured by usage, sites,
brand names or revenue. In this area, there have been significant developments
in the past three years, which appear to be leading to internet privacy
towards privacy legislation in the United States
After two years of monitoring the effectiveness of self-regulation, the
Federal Trade Commission (FTC) concluded in May 2000 that self-regulation had
failed to provide adequate privacy protection. While it indicated that
significant progress had been made towards the development of industry
self-regulation, it also noted that coverage of privacy safeguards was still
inadequate and that legislation had become necessary. The FTC recommended to
Congress that legislation be developed to protect personal information online in
its report Privacy Online: Fair Information Practices in the Electronic
Marketplace: A Federal Trade Commission Report to Congress.
The FTC's conclusions came after its third web site survey reviewed a
random sample of 335 websites and a group of 91 of the busiest 100 websites. The
survey confirmed that most sites collect personal information (97% and 99%
respectively) and that 88% and 100% respectively made some kind of
statement about their privacy practices.
The report concluded that:
"Based on the past years of work addressing internet privacy issues,
including examination of prior surveys and workshops with consumers and
industry, it is evident that online privacy continues to present an enormous
public policy challenge. The Commission applauds the significant efforts of the
private sector and commends industry leaders in developing self-regulatory
initiatives. The 2000 Survey, however, demonstrates that industry efforts alone
have not been sufficient. Because self-regulatory initiatives to date fall far
short of broad-based implementation of effective self-regulatory programs, the
Commission has concluded that such efforts alone cannot ensure that the online
marketplace as a whole will emulate the standards adopted by industry leaders.
While there will continue to be a major role for industry self-regulation in the
future, the Commission recommends that Congress enact legislation that, in
conjunction with continuing self-regulatory programs, will ensure adequate
protection of consumer privacy online."
The FTC's recommendation for legislation would cover consumer-oriented
commercial websites. In other words, it would be a specific internet privacy
measure, rather than the comprehensive data protection legislation adopted by
most other advanced nations. It would therefore continue the blend of sectoral
legislation and self-regulation which has been adopted by the US in recent
years. The legislation proposed by the FTC would require that these websites
comply with the four widely-accepted fair information practices of:
- Notice, in which websites would need to give clear,
conspicuous notice of their information practices including information about
what is collected, how it is collected, how it is used, how consumers are given
choice, security, any access, whether information is disclosed to third parties
and whether third parties collect information off the website.
- Choice, in which websites would be required to give consumers
choices about how their information is used for purposes beyond the original
purpose of its collection, including internal and external secondary uses.
- Access, in which websites would give consumers reasonable
access to the information which has been collected about them, and a
reasonable opportunity to review information and correct any inaccuracies.
- Security, in which websites would be required to take
reasonable steps to protect the security of the information obtained from
These principles are a shortened version of the 1980
OECD principles, and are less extensive than those in the National Privacy
The internet industry in the United States is increasingly recognising the
likelihood of privacy legislation. As in Australia, one of the strongest
drivers of a national privacy regime in the United States is the concern of
business groups to avoid a patchwork of inconsistent state-based privacy laws.
New York, California, Maryland, South Carolina, Florida, Wisconsin and other
states have been debating broad privacy laws. The American Electronics
Association began a push for a uniform national privacy law in 2000, to avoid a
Meanwhile, in some states, individuals, sometimes backed by state
governments, have begun taking the law into their own hands. Yahoo!
faces a creative claim under Texan anti-stalking laws for its use of cookie
technology which according to Dallas lawyer Lawrence J. Friedman allows the
organisation "to watch, to spy, to conduct surveillance, to analyse the habits,
inclinations, preferences and states" of people who visit its sites "without
consent, agreement or permission of the class members". Friedman is claiming
$50bn in economic damages and, despite the claim's inventiveness, if it gets a
plaintiff-friendly Texan jury in an environment of frustration over internet
privacy, the outcome cannot be certain.
During 2000 the United States saw several privacy initiatives including
medical privacy regulations, children's privacy laws, a ban on the use of
genetic information in hiring and promotion in Federal agencies, the
implementation of privacy policies on all Federal government websites and the
growing use of Privacy Impact Assessments as a normal part of the process of
developing new government computer systems.
President Bush has indicated publicly that he intends to adopt a
pro-privacy stance on policy issues, and in a decision in April which angered
the health industry, the Administration approved health privacy rules which had
been drawn up under the Clinton Administration. President Bush's apparent
privacy commitment builds on public positions taken in 2000 by President Clinton
and Vice President Gore, who both gave addresses on privacy issues. A swag of
congressional privacy proposals in 2000 foreshadow the likelihood of an eventual
agreement on legislation. The proposals range from a general study of privacy
issues (the Privacy Protection Study Commission Act), to requirements
that consumers give explicit, opt-in consent for sharing of data, as well as
annual reports on data usage and the right to sue for misuse of data
(Personal Data Privacy Protection Act). In between, proposals such as
the Online Privacy Protection Act (with bipartisan sponsorship) and the
Electronic Privacy Bill of Rights Act require privacy policies on web
sites, rights to opt-out of disclosure of information to third parties and
rights to access personal data.
A working group of Congress members from both houses and both parties was
formed in late 2000 with the aim of reaching consensus on new privacy laws. The
working group's compromise legislation is likely to impose a set of baseline
requirements to which all websites would have to adhere. In line with
FTC recommendations, the legislation would require that the websites give
information about the collection and use of personal information, and visitors
to websites would be able to choose either to opt out of the collection of their
personal information or to limit the use of the information. The Federal Trade
Commission would have oversight of implementation of the law.
By February 2001, 13 privacy Bills had already been introduced into the new
Congress, and several from 2000 are expected to be reintroduced. The bipartisan
Congressional Privacy Caucus is working towards a privacy Bill that embodies
basic privacy principles and may even ban some internet tracking technologies
such as web bugs. In March, the House Commerce Committee's Trade and Consumer
Protection Subcommittee held informational hearings on privacy legislation.
Opinion is split over the likely outcome of the growing Congressional debate on
the issue, as direct marketing and other industry lobby groups are now mounting
a concerted campaign of opposition to legislative proposals.
Privacy has moved from being a relatively obscure civil liberties issue to
becoming a critical building block for Australia's information economy. It is
also a part of Australia's competitive positioning in the global information
economy. The legal protection of personal information reflects public
expectations, and for this reason businesses must think not only about how to
meet their forthcoming legal obligations, but also about whether they handle
sensitive personal information and what their customers expect from them. In
that sense, privacy should be seen as a strategic challenge and opportunity, and
not just a technical issue of legal compliance. In order to build consumer
trust, manage information effectively and avoid any privacy landmines,
businesses need to ensure that they align their privacy strategy to their
broader strategic direction.
With only months remaining until the amendments to the Privacy Act come
into effect, it is worth noting that those organisations which do not have all
of their information practices in order by 21 December are unlikely to face
grave problems immediately. However, there will be a significantly increased
risk after 21 December, and it is important that organisations work strategically
to minimise their risks and to focus on how they can meet customers' expectation
that their personal information will be respected and that they will remain in
control of it. This is the fundamental issue at the heart of the new era in
privacy safeguards which will commence in coming months.
Tim Dixon, Baker & McKenzie Global Privacy Group Sydney
tim.dixon [at] bakernet.com