Cyberspace Law 2.0 materials - Privacy, personal information security and data protection

1. What is privacy?

2. Privacy and the Internet

3. Privacy Commissioners

4. Public sector Commonwealth legislation

5. Private sector Commonwealth legislation

6. The National Privacy Principles

Application of the NPPs

Complaints and Enforcement

7. Other Commonwealth laws concerning privacy, reviews

The ALRC 2008 review

Spam and the Spam Act 2003

8. State and Territory privacy laws

New South Wales

Victoria

Queensland

Other State privacy legislation

9. Other laws

10. US Privacy Policy

11. European Union (EU) Privacy Directive

12. Non-Legislative Measures to Protect Privacy

Privacy Seals

Privacy statements on websites

Anonymity Tools

Pseudonymity

Cookies

13. Medical Records

14. Chat rooms

 


[April 2011: Senate Committee on online privacy - recommends implementing CLPC report:
http://www.aph.gov.au/Senate/committee/ec_ctte/online_privacy/report/]

1.              What is privacy?

Privacy may be defined as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others (Westin AF, Privacy and Freedom, New York: Atheneum, 1967, page 7). Privacy is your right to control what happens with personal information about you.

In Australia there is no general right to privacy. Some protection is afforded through the operation of certain Federal and State legislation, together with the law of contract, tort and confidential information.

2.              Privacy and the Internet

The use of the Internet can affect the privacy rights a person has in his or her identity or personal data. Internet use and transactions generate a large amount of personal information, which provides insights into your personality and interests.

Privacy issues relating to identity include the possible appropriation of a person’s email identity and address. Ease of access to and the appropriation of email addresses has led to the practice of sending vast amounts of unsolicited e-mails (spam). Identification through email and website transactions and the ability to locate people’s physical addresses easily through national and international directories have raised new privacy concerns.

Privacy issues relating to personal data arise from insecure electronic transmissions, data trails and logs of email messages, online transactions and the tracking of web pages visited. Privacy invasion issues arise from data matching (the process of wholesale cross checking of data from one source against another source such as tax and social security data) and personal profile extraction processes which use this data alone or in combination with other publicly available data.

The first half of Roger Clarke’s article Introducing PITs and PETs: Technologies Affecting Privacy (http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html) also highlights some of the privacy concerns arising from the Internet and technology generally.

3.              Privacy Commissioners

Privacy Commissioners exist federally (http://www.privacy.gov.au), in NSW (http://www.lawlink.nsw.gov.au/privacynsw) and Victoria (http://www.privacy.vic.gov.au), but currently not in other states.

Privacy Commissioners have certain responsibilities under relevant Commonwealth and State privacy legislation. Their functions include:

More information about the role of the Privacy Commissioners can be obtained from:

4.              Public sector Commonwealth legislation

The Privacy Act 1988 (Cth) (http://scaletext.law.gov.au/html/comact/6/3324/top.htm) embodies 11 Information Privacy Principles (IPPs). Federal and ACT government departments and agencies must comply with these principles. The IPPs are:

·           Principle 1 – Manner and purpose of collection of personal information

·           Principle 2 – Solicitation of personal information from individual concerned

·           Principle 3 – Solicitation of personal information generally

·           Principle 4 – Storage and security of personal information

·           Principle 5 – Information relating to records kept by record-keeper

·           Principle 6 – Access to records containing personal information

·           Principle 7 – Alteration of records containing personal information

·           Principle 8 – Record-keeper to check accuracy etc. of personal information before use

·           Principle 9 – Personal information to be used only for relevant purposes

·           Principle 10 – Limits on use of personal information

·           Principle 11 – Limits on disclosure of personal information

 

Personal Information under s 6 of the Privacy Act is defined as:

Information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Despite this definition in the Privacy Act, it is not always clear what is ‘personal information’. The general principle is that any information about an individual whose identity is apparent, or can reasonably be ascertained from the information, is ‘personal information’.

Where information that is not personally identifiable can be easily correlated with information that is personally identifiable, the original information may be viewed as personal information. For example, the Privacy Commissioner may judge an ISP to be in possession of personal information if that ISP collects information about websites visited by a subscriber. Although the information does not by itself identify an individual, it may be easily correlated with other information initially supplied to the ISP by the subscriber to enable the person’s identity to be established.

More information about the IPPs can be gained from the Office of the Federal Privacy Commissioner’s Guidelines to the IPPs at http://www.privacy.gov.au/publications/index.html

 

Private sector businesses must comply with the Act as follows:

·       credit providers and credit-reporting agencies must comply with credit reporting rules in the Act and in the legally binding code of conduct dealing with credit rating information of individuals;

·       all organisations that store and use tax file number information must comply with tax file number guidelines issued by the Privacy Commissioner (s 17 Privacy Act).

5.              Private sector Commonwealth legislation

The Privacy Amendment (Private Sector) Act 2000 (Cth) (http://scaletext.law.gov.au/html/comact/10/6269/top.htm) (PSA) took effect on 21 December 2001.

The PSA establishes 10 National Privacy Principles (NPPs) as the minimum privacy standards for the private sector. The NPPs differ slightly from the IPPs to reflect the different issues that operate in a commercial environment, such as provisions relating to direct marketing. The NPPs deal with the same main issues as the IPPs: the collection, use, disclosure, storage and security of information and rights to access this information.

The NPPs require organisations to allow individuals to deal with them anonymously provided this is lawful and practicable. For example, this would require electronic road toll systems and payphone providers to provide an anonymous payment option such as cash or prepaid cards.

With the advent of this new law directed at the private sector, the Office of the Federal Privacy Commissioner (OFPC) has released the National Privacy Principle Guidelines (the NPP Guidelines) (http://www.privacy.gov.au/publications/nppgl_01.html). The advisory Guidelines give an indication of the factors the Commissioner may take into account when handling a privacy complaint, while also providing organisations with further information on how to comply with the NPPs. The OFPC has also published numerous Information Sheets about specific NPPs to further aid organisations in complying with this legislation (http://www.privacy.gov.au/publications/index.html).

The Office of the Federal Privacy Commissioner has also released Guidelines relating to the use of Public Key Infrastructure in relation to Government handling of personal information (Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to communicate or transact with individuals http://www.privacy.gov.au/publications/pki.doc).

The Commissioner has other privacy responsibilities arising under the National Health Act 1953. In light of the sensitivity of health information, the Commissioner has also released Guidelines on Privacy in the Private Health Sector (http://www.privacy.gov.au/publications/hg_01.html), to aid health organisations in complying with relevant privacy legislation and standards.

6.              The National Privacy Principles

Note: Personal information for the purposes of the NPPs is the same definition used in the public sector that is contained in s 6 of the Privacy Act.

The NPPs cover:

·           Principle 1 – Fair Collection

                Collection of personal information is only allowed if it is necessary for the function or activity of the organisation. Organisations must explain their information practices to individuals at the time when they collect their personal information.

·           Principle 2 – Use and disclosure

                Personal information should generally not be used or disclosed for a purpose other than that for which it was collected without the consent of the individual concerned.

·           Principle 3 – Data quality

                Organisations must take reasonable steps to ensure that personal information collected, used or disclosed by them is accurate, complete and up to date.

·           Principle 4 – Data security

                Organisations must take reasonable steps to protect personal information they hold from unauthorised access, and must not hold data for longer than they need it.

·           Principle 5 – Openness

                Organisations must clearly express and make available their policies about how they collect, hold, use and disclose personal information.

·           Principle 6 – Access and correction

                Organisations must provide individuals with access to information they hold about them on request and the right to have that information corrected if it is not accurate, complete and up to date.

·           Principle 7 – Identifiers

An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by an agency or Commonwealth provider. The purpose of this NPP is to prevent the emergence of a de facto system of universal identity numbers, and loss of privacy from the combination and re-combination of the data.

·           Principle 8 – Anonymity

                Where lawful and practical, individuals must be given the option of remaining anonymous when entering into a transaction with an organisation.

·           Principle 9 – Transborder data flows

                An organisation in Australia may transfer personal information about an individual to someone who is in a foreign country only if it believes the organisation upholds similar principles of fair data handling or it is for the benefit of the individual.

·           Principle 10 – Sensitive information

An organisation must not collect sensitive information about individuals unless the individual consents, or if the organisation is required to do so by law.

Apart from their application, the major difference between the IPPs and NPPs lies in NPPs 7 and 8.

Application of the NPPs

As of 21 December 2001, private sector organizations (defined to include partnerships, trusts and individuals) will be required to comply with the NPPs unless they have in place a code of practice approved by the Privacy Commissioner. The Commissioner will not register codes that provide a lower level of privacy protection than what is provided by the NPPs (see http://www.privacy.gov.au/business/codes for more information about Privacy Codes).

The following exemptions are available:

·           Small business operators with an annual turnover of $3m or less. To qualify, an entity must:

         have an annual turnover of $3 million or less;

         not be related to a business with an annual turnover of greater than three million dollars;

         not provide a health service and hold health records;

         not disclose personal information about an individual for a benefit, service or advantage;

         not provide a benefit, service or advantage to collect personal information; or

         not be a contracted service provider for a Commonwealth contract (even if the entity is not a party to the contract).

·           Acts done or practices engaged in by media organizations ‘in the course of journalism’.

This phrase is not defined and is intended to apply to all media regardless of its mode and method of delivery. Internet news site providers will be exempt from the legislation.

·           Employee records where the organisation is or has been an employer of the individual in question and the act or practice is directly related:

         to a current or former employment relationship between the employer and the individual, and

         to an employee record held by the organisation and relating to the individual.

Employee record is defined and includes health information, personal and emergency contact details, the employee’s membership of a professional or trade association and the employee’s taxation, banking or superannuation affairs. This appears to be a subset of the items that might exist on an employee’s employment record. Great care should thus still be taken with employee records.

·           Acts and practices of organisations performed in relation to a contract with a State or Territory instrumentality where that contract involves handling personal information. Such acts and practices will be covered by State or Territory privacy standards.

·           Various further exemptions exist for members of Parliament and others in relation to practices relating to elections or referendums.

Complaints and Enforcement

Complaints about infringements of privacy rights can be made to the Privacy Commissioner who has discretion to investigate or take other action.

The remedies available under the Privacy Act vary significantly from those in the various State jurisdictions.

The Privacy Commissioner has the power to:

·           investigate a complaint made to the Privacy Commissioner;

·           investigate a complaint that a code adjudicator has referred to the Privacy Commissioner;

·           hear appeals from a decision of a code adjudicator;

·           investigate all complaints made about a federal Government contractor;

·           investigate an act or practice that may be a breach of privacy (even if no complaint has been made);

·           seek an injunction from the Federal Court to restrain or prohibit a person from engaging in conduct that does or would breach the Privacy Act. No undertaking as to damages is required if application is made by the Commissioner; and

·           make a determination that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the breach of privacy (ss 52(1) and 55A Privacy Act). The loss or damage includes injury to the complainant’s feelings or humiliation suffered by the complainant. Whilst such a determination of the Commissioner is not binding or conclusive between any of the persons involved, the complainant or the Commissioner may subsequently initiate proceedings in the Federal Court to obtain an order enforcing the determination.

No appeal to a court or tribunal on the merits is available from decisions of the Privacy Commissioner.

7.              Other Commonwealth laws concerning privacy, reviews

The Commonwealth Spent Convictions Scheme came into force on 30 June 1990 under the Crimes Act 1914 (Cth) (http://scaletext.law.gov.au/html/pasteact/0/28/top.htm). The scheme entitles a person to not disclose (if requested) certain criminal convictions after ten years (or five years in the case of juvenile offenders) and provides protection against unauthorised use and disclosure of this information. It covers minor convictions for federal, state and foreign offences. The protection varies according to the type of offence. The scheme also covers pardons and quashed convictions.

Data Matching Program (Assistance and Tax) Act 1990 (Cth) (http://scaletext.law.gov.au/html/pasteact/0/445/top.htm) regulates the way tax file numbers are used in matching data held by the Australian Tax Office with data supplied by applicants for social security benefits and other forms of financial assistance.

Under the National Health Act 1953 (Cth) (http://scaletext.law.gov.au/html/pasteact/0/173/top.htm), the Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claims information under the Pharmaceutical Benefits Scheme and the Medicare program.

The privacy of telecommunications is regulated by the Telecommunications Act 1997 (Cth) (http://scaletext.law.gov.au/html/pasteact/2/3021/top.htm) and the Telecommunications Interception Act 1979 (Cth) (http://scaletext.law.gov.au/html/pasteact/0/464/top.htm).

The ALRC 2008 review

There has been a major review of the Privacy Act by the Australian Law Reform Commission, leading to Report 108 in July 2008, and the new government is expected to take several years to work through the recommendations. These include removing some exemptions, creating a private right of action, and requiring mandatory notification of breaches of disclosure rules.

In late 2012 a range of proposals were finally put forward to deal with some of the recommendations. As of October 2012, no legislation had passed.

Spam and the Spam Act

In the case of electronic mail, spam is any electronic mail message that is:

·                transmitted to a large number of recipients; and

·                some or all of those recipients have not explicitly and knowingly requested those messages.

Apart from being a general nuisance and a waste of valuable bandwidth, the spam problem has escalated to the extent that it is now a source of economic loss. A European Union study estimated that spam costs Internet subscribers worldwide $6.8 billion per year (see http://www.noie.gov.au/projects/confidence/Improving/Spam/Info.htm or http://europa.eu/rapid/pressReleasesAction.do?reference=IP/06/1629&format=HTML&aged=0&language=EN&guiLanguage=en).

NPP 1 provides that personal information collected must be necessary for one or more of an organisation’s functions or activities, must be collected only by lawful and fair means and not in an unreasonably intrusive way, and organisations must explain to customers how they intend to use their information. NPP 2 states that an organisation can send a direct marketing communication to an individual without their consent provided:

·            it was not practicable to obtain consent at the time when their personal information was first collected, and

·            the individual is given the opportunity to opt out of further communications.

An important issue in relation to spam is how high the bar will be set in terms of what is practicable for organisations in obtaining consent from individuals for the use of their personal information for direct marketing purposes. The Internet Industry Association (IIA) Code of Practice encourages Internet Service Providers to block incoming bulk postings from non-subscribers. The IIA’s National Spam Initiative also aims to ‘empower all Australians to better control the spam situation’ and currently (as at 23 April 2003) has a scheme that ensures that all users, from consumers to businesses, have access to proven filtering technologies on a month-long free trial (see http://www.iia.net.au/index.php?option=com_content&task=view&id=119&Itemid=73 or http://www.iia.net.au/nospam).

Self help remedies include blocking particular incoming email addresses. Most email software has an option to do this in the ‘Mail Preferences’ tag or equivalent.

In April 2003 the National Office for the Information Economy (NOIE) (now AGIMO) released the final version of its Spam Report (http://pandora.nla.gov.au/pan/42105/20040520-0000/www2.dcita.gov.au/ie/publications/2003/04/spam_report.html). The report, whose recommendations were supported by Senator Richard Alston, former Minister for Communications, Information Technology and the Arts, calls for prompt legislative action. It proposes that the sending of unsolicited email be made illegal unless the user has previously consented to it, and that any commercial emails contain details of the sender’s name and physical and electronic addresses. Recognising that legislation alone is insufficient to combat the spam problem, the report calls for a co-regulatory approach including:

·           collaboration with industry bodies (such as the Internet Industry Association) to implement codes of practice to ensure the compliance with legislation;

·           requiring ISPs to make available to clients filtering options from an approved schedule of spam filtering tools at reasonable cost, and evaluate and publicise spam filtering options and products;

·           working together with international organisations such as OECD and APEC to develop global guidelines and cooperative mechanisms to combat spam; and

·           the development of a major information campaign to raise awareness of the nature of spam, provide simple technical advice and a basic guide to anti-spam products.

The report also noted the inherent difficulties of controlling spam in that the architecture of the Internet is such that the sender bears minimal costs as the recipient absorbs the majority of the costs involved in sending this unsolicited mail.

The report's call for legislation was met swiftly with the enactment of the Spam Act 2003 (Cth) (http://www.comlaw.gov.au/Details/C2012C00030 or http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366/). The Spam Act requires businesses and senders of commercial emails to:

For further discussion about the effects of the Act see:

 

 

8.              State and Territory privacy laws

New South Wales

The Privacy and Personal Information Act 1998 (NSW) (http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464) sets up the NSW Office of the Privacy Commissioner (http://www.lawlink.nsw.gov.au/ or http://www.lawlink.nsw.gov.au/pc.nsf) and confers on the Commissioner powers concerning research, advice and handling complaints about breaches of privacy. The NSW Information Privacy Principles (IPPs) are similar to the Federal IPPs. They apply to the NSW public sector and include an obligation for the development and implementation of Privacy Management Plans. These standards regulate the way public sector agencies deal with personal information. The NSW IPPs are:

·           Principle 1 – Collection of personal information for lawful purposes

·           Principle 2 – Collection of personal information directly from individual

·           Principle 3 – Requirements when collecting personal information

·           Principle 4 – Other requirements relating to collection of personal information

·           Principle 5 – Retention and security of personal information

·           Principle 6 – Information about personal information held by agencies

·           Principle 7 – Access to personal information held by agencies

·           Principle 8 – Alteration of personal information

·           Principle 9 – Agency must check accuracy of personal information before use

·           Principle 10 – Limits on use of personal information

·           Principle 11 – Limits on disclosure of personal information

The NSW Privacy Commissioner may investigate and conciliate complaints about breaches of privacy by organisations and individuals who are not public sector agencies.

In NSW there is a merits review of certain decisions of the Privacy Commissioner to the NSW Administrative Decisions Tribunal.

The NSW Privacy Commissioner’s website provides a detailed overview of the Privacy and Personal Information Act 1998 (NSW) and the IPPs at http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_index or http://www.lawlink.nsw.gov.au/pc.nsf/pages/generalinfo.

Victoria

The Information Privacy Act 2000 (Vic) (http://www.austlii.edu.au/au/legis/vic/consol_act/ipa2000231) creates the office of a Privacy Commissioner in Victoria (http://www.privacy.vic.gov.au). The Commissioner may undertake research and monitor developments in data processing and computer technology (including data matching and data linkage) to ensure any adverse effects on personal privacy are minimised. The Act sets out its own set of 10 Information Privacy Principles. These are almost identical to the federal NPPs which apply to the private sector but in Victoria apply only to the public sector.

An individual or organisation whose interests are affected by a decision of the Privacy Commissioner to serve a compliance notice may apply to the Victorian Civil and Administrative Tribunal for review of the decision.

The Surveillance Devices Act 1999 (Vic) (http://www.austlii.edu.au/au/legis/vic/consol_act/sda1999210) regulates data surveillance devices. A ‘data surveillance device’ is any device capable of being used to record or monitor the input of information into or the output of information from a computer, but does not include an optical surveillance device.

A law enforcement officer must not knowingly install, use or maintain a data surveillance device to record or monitor information input or output from a computer without the express or implied consent of the person on whose behalf that information is being input or output. An exception is where the installation, use or maintenance of a data surveillance device is in accordance with a warrant, an emergency authorisation or a Commonwealth law. Where such a device is lawfully installed, it is an offence to interfere with or damage such a device.

Queensland

It is expected that Queensland will introduce state privacy legislation within the next five years.

Currently, Queensland has an administrative privacy regime based on Queensland Information Standard 42 – Privacy (http://www.governmentict.qld.gov.au/02_infostand/standards.htm or http://www.iie.qld.gov.au/comminfo/guidelines.asp). This standard applies to all Queensland Government agencies and, while it does not have the full force of law, it seems to have achieved widespread compliance. The core of IS42 is a set of Information Privacy Principles which mirror the Commonwealth IPPs.

Other State privacy legislation

There are various other State and Territory provisions which deal with listening devices, health records and credit reporting agents but these are dated and have little application to privacy issues arising on the Internet. There is however legislation regulating data surveillance devices in the Northern Territory (Surveillance Devices Act 2000). 

9.              Other laws

The laws of nuisance and breach of confidence may sometimes be used to provide a remedy for invasions of privacy of personal information. Actions for defamation and breach of copyright may also be relevant in certain circumstances.

The law of nuisance may provide limited scope for protection against intrusive information collection practices. Nuisance is a remedy against unreasonable intrusion upon the enjoyment of land. Telephone harassment constitutes an action in nuisance and a breach of the tort of intentional infliction of emotional distress (Khorasandjian v Bush [1993] 3 WLR 476). Automatic video surveillance of a Sydney backyard has also been held to be an actionable nuisance (Raciti v Hughes [1995] NSWSC, unreported 19 Oct 1995, Young J). If email is shown to be an integral part of the enjoyment of the home (similar to the telephone), harassment by email may constitute a nuisance. Currently (as at 4 April 2003) in the United States the California Supreme Court is faced with the issue of deciding whether excessive emailing by a third party to a company’s internal email system can constitute a trespass to goods (see Howard Mintz, ‘Ex-Intel worker's case goes to high court’, The Mercury News, http://www.corpwatch.org/article.php?id=6208 or http://www.bayarea.com/mld/mercurynews/business/5517523.htm).

An action for breach of confidence can be used to protect personal information if the required elements of the action are present. The information imparted must be confidential and imparted in circumstances imposing an obligation of confidence. Whether a confidential relationship between an individual and an organization can be established will depend on the terms of the relationship (generally in contract). The terms of a website’s privacy policy may indicate the nature of the relationship. Confidence is not breached where the unauthorised disclosure is made in the public interest. The defence requires the court to balance the public interest in maintaining confidentiality against the public interest in disclosure.

10.          US Privacy Policy

In the US the Federal Trade Commission (FTC) (http://www.ftc.gov) recommended in May 2000 (http://www.ftc.gov/reports/privacy2000/privacy2000.pdf) that websites must:

·           provide consumers with clear notice about their information practices including the information they collect and the means of information collection (this includes passive data collection methods enabled by web hosts or web bugs used by third parties (such as advertisers) to track consumer preferences);

·           offer consumers choice about how their personal identifying information is used beyond the use for which the information is provided;

·           offer consumers access to the information about them collected by the website; and

·           take reasonable steps to protect the security of the information collected from consumers.

However, these recommendations have never been incorporated into any legislative instrument. The problem with privacy regulation in the United States is that the country lacks focused privacy laws. The United States has numerous pieces of legislation on both a State and Federal level regulating various aspects of privacy protection, but no real comprehensive scheme exists. It also should be noted that the government is far more heavily regulated than private citizens and corporations, particularly in areas where implied rights to privacy have been found in the Constitution (Yee Fen Lim, Cyberspace law: Commentary and Materials, Oxford University Press 2002, p 155).

The Identity Theft and Assumption Deterrence Act of 1998 makes the FTC a central clearinghouse for identity theft complaints. The FTC plays a key role in protecting privacy in the US (see http://www.ftc.gov/privacy).

While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from the adoption of comprehensive legislation by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organisations to comply with the European Union Directive (which applies to non EU countries communicating with parties in the EU), the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbour" framework (see http://www.export.gov/safeharbor and http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm for the Safe Harbour principles specifically). Safe Harbour was approved by the EU in July of 2000 and is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or to avoid facing prosecution by European authorities under European privacy laws. Certifying to the Safe Harbour will assure that EU organisations know that your company provides "adequate" privacy protection, as defined by the EU Directive.

11.          European Union (EU) Privacy Directive

The European Union in July 1995 adopted a Directive on the protection of personal data to regulate the handling of personal information (http://europa.eu/scadplus/leg/en/lvb/l14012.htm; http://europa.eu.int/comm/internal_market/en/dataprot/law/index.htm). The directive provides regulation of situations where data is transferred to non-EU countries. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection for the personal information, although a practical system of exemptions and special conditions also applies. The advantage for non-EU countries that can provide adequate protection is that the free flow of data from all EU states will be assured.

The EU introduced in 2002 a Directive about the processing of personal data and the protection of privacy in the electronic communications sector (http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf). The purpose of the new directive is to update EU law to reflect continuing technological developments in electronic communications services and to provide technology neutral privacy protection to personal data. The directive includes new or updated policies on spamming, cookies and the collection of personal data in public directories. (See Global Internet Policy Initiative’s overview of the 2002 Directive at http://www.cdt.org/privacy/guide/protect/privacy-memo.pdf.)

The EU has expressed concerns that the Privacy Amendment (Private Sector) Act 2000 (Cth) does not provide adequate protection under the EU directive. The result is that Australian organisations may need to develop their own compliance with EU rules to be able to do business with EU members.

In response to this incompatibility, the Internet Industry of Australia (IIA) (http://www.iia.net.au) has drafted its own privacy code to be registered under the Privacy Act. Once the code has been given EU approval, Australian organisations will be able to adopt this code in order to safely conduct business with countries from the EU. The code is yet to come into force and according to the IIA is in its final stages of development (http://www.iia.net.au/index.php?option=com_content&task=category&id=68&Itemid=33; http://www.iia.net.au/privacycode.html). The IIA, however, considers this code to be an interim solution while government negotiations continue regarding the compliance of the NPPs with the EU Directive.

12.          Non-Legislative Measures to Protect Privacy

Privacy Seals    

Many sites now carry a privacy seal of approval issued by an operator of an online seal program. The most widely used is http://www.truste.org. The use of the seal on the site indicates that the operator claims to have met a series of privacy requirements that are mandated by the organisation providing the seal. In the case of TRUSTe, it signifies the site operator has agreed to comply with ongoing oversight and consumer resolution procedures based on the US Federal Trade Commission principles.

Privacy seals have no legal effect. They simply indicate to visitors that privacy representations made by a website are backed by a third party.

The Australian Direct Marketing Association (ADMA) (http://www.adma.com.au) provides a form of seal for direct marketers which indicates they are compliant with ADMA’s direct marketing code (http://www.adma.com.au/consumer/codeOfPractice.htm). This code does not have any formal status under the private sector privacy regime.

Both the IPPs and NPPs include the principle that personal information must be properly secured by the holder of the information. Employing Secure Sockets Layer (SSL) technology for the transfer of any personal information would seem to meet this obligation.

Privacy statements on websites

The Privacy Amendment (Private Sector) Act 2000 (Cth) requires organisations to set out their policy on personal information management in a publicly available document. Organisations must take ‘reasonable steps’ to advise any person who asks what sort of personal information they hold, for what purposes, and how they collect, hold, use and disclose that information. After 21 December 2001, every organisation that collects personal information will be required to have a privacy policy. Privacy is still a key consumer concern for e-commerce. E-commerce websites should prominently display their privacy policy.

Similar to the content rating options now available in browsers, the World Wide Web Consortium’s Platform for Privacy Preferences Project (P3P) (http://www.w3.org/P3P) incorporates specified privacy standards into web pages to allow the rating and blocking of sites that don’t meet the particular standard set (by the user) in the browser. This would provide a significant incentive to have a ‘complying’ privacy policy on the website.

Privacy policy statements need to be accurate and reflect the actual practices of the organisation. If not, legal action may be taken under trade practices legislation for misleading and deceptive conduct. It is important not to leave out significant facts as silence can also be construed to be misleading or deceptive.

Anonymity Tools

Different approaches to anonymity exist. There are cloaking technologies such as Pretty Good Privacy or suites of software such as Freedom Security & Privacy Suite (see www.freedom.net) that claim they can provide untraceable encrypted email and anonymous browsing and chat. Some of these technologies have created concern for law enforcement agencies but currently would not of themselves be illegal in Australia.

Another online identity protection option is the use of intermediary-operated services in the data transfer process. Each intermediary is only aware of the identity of the intermediary that it directly receives data from or directly transfers data to, and the system is such that it is unable to track the data originator or receiver. Examples of this anonymity tool include ECash and anonymous remailers. Remailers allow a person to keep their email address protected from disclosure by providing another path through which the message is delivered to its final destination. (See Roger Clarke’s Introducing PITs and PETs: Technologies Affecting Privacy (http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html).)

Clarke also draws attention to the inherent problem anonymity technologies create for law enforcement agencies, in that they undermine accountability. However, it is this inevitable use for criminal and fraudulent purposes that creates the need for anonymity for ordinary Internet users. This level of anonymity, Clarke notes, needs to be higher than in the real world if it is to provide users (both individuals and organisations) with adequate protection.

Pseudonymity

Pseudonymity is another approach to privacy protection. It offers less user protection than anonymity, but can perhaps be seen as the middle path between disclosure of identity and anonymity. Clarke notes that complete anonymity, while favouring individual freedom, may tip the balance towards creating an environment where e-crime could prosper. The following extract expands on Clarke’s view of pseudonymity:

Very substantial protections could be provided for individuals' identities, but those protections could be breachable when particular conditions are fulfilled. This is the concept of 'pseudonymity'. Fundamental to pseudonymity services are that:

·           a person needs to be able to adopt multiple pseudonyms;

·           the relationship between a pseudonym and the personal identity behind it must be generally not knowable by other parties;

·           legal, organisational and technical measures are vital, to ensure protection of that relationship; and

·           the protections may be overridden, with legal authority and/or the collusion of multiple other parties.

The challenge confronting developers of gentle PETs (Privacy Enhancing Technologies such as P3P and remailers) is that the legal, organisational and technical protections need to be trustworthy. If the power to override them is in the hands of a person or organisation that flouts the conditions, then pseudonymity's value as a privacy protection collapses. Unfortunately, governments throughout history have shown themselves to be untrustworthy when their interests are too seriously threatened; and corporations are dedicated to shareholder value alone, and will only comply with the conditions when they are subject to sufficiently powerful preventative mechanisms and sanctions.
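One possible technical construction for the four properties listed in the extract, given here as an added sketch that is not taken from Clarke's paper or from these materials: pseudonyms are derived with a keyed hash, and the linking key is split between two custodians so that re-identification requires both. The function names, the custodian arrangement and the sample identities are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def split_key(key):
    """Split the linking key into two XOR shares; one share alone reveals nothing."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def join_key(share_a, share_b):
    """Recombine the two custodians' shares into the linking key."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def pseudonym(key, identity, context):
    """Derive one pseudonym per context, so a person can hold several."""
    msg = f"{context}\x00{identity}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def reidentify(share_a, share_b, candidates, context, target):
    """Override: only with both shares can a pseudonym be traced to an identity."""
    key = join_key(share_a, share_b)
    for identity in candidates:
        if hmac.compare_digest(pseudonym(key, identity, context), target):
            return identity
    return None

if __name__ == "__main__":
    # Constructed sample data; the issuer discards the key after splitting it.
    key = secrets.token_bytes(32)
    people = ["alice@example.org", "bob@example.org"]
    forum_name = pseudonym(key, people[0], "forum")
    shop_name = pseudonym(key, people[0], "shop")
    share_a, share_b = split_key(key)
    del key
    print("pseudonyms differ per context:", forum_name != shop_name)
    print("both custodians:", reidentify(share_a, share_b, people, "forum", forum_name))
    print("one custodian only:", reidentify(share_a, bytes(32), people, "forum", forum_name))
```

The technical measure only holds while the custodians keep their shares separate, which is the trust problem the extract goes on to describe.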

Cookies

A cookie is a record stored on a user’s machine as a result of a web-server instructing a web-browser to do so. A cookie indicates to the website server what parts of the website are visited. A cookie itself is unlikely to contain personal information but can be used to build up a profile of the user. Cookies facilitate the speed of access to sites on subsequent visits and are widely used.

E-Businesses that send cookies from their web sites are advised to include a statement to this effect in their privacy policy.

Unless a browser is set to disable cookies or prompt the user that cookies are being downloaded onto their machine, the user will be unaware this is occurring. In the absence of such a setting there is an intrusion into the computer that is connected to the Internet. The cookie remains on the hard drive of the computer.
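To write an accurate cookie statement, a site operator first needs an inventory of what the server actually instructs browsers to store. The following added example (not part of the original materials) parses `Set-Cookie` header values and reports which cookies persist on the user's hard drive across visits and which vanish when the browser closes; the sample headers and function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Secure; HttpOnly",
    "visitor=7f3a9c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "prefs=lang-en; Max-Age=86400; Path=/; Secure",
]

def audit_cookie(header, now):
    """Describe one Set-Cookie header value for a privacy-policy inventory."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    lifetime = None  # seconds; None means a session cookie
    if morsel["max-age"]:
        # Max-Age takes precedence over Expires when both are present.
        lifetime = int(morsel["max-age"])
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        lifetime = int((expires - now).total_seconds())
    return {
        "name": name,
        # A persistent cookie survives browser restarts, so it can tie
        # separate visits together into a profile.
        "persistent": lifetime is not None and lifetime > 0,
        "lifetime_days": None if lifetime is None else round(lifetime / 86400, 1),
        "secure": bool(morsel["secure"]),
        "http_only": bool(morsel["httponly"]),
    }

def audit(headers, now=None):
    """Audit a list of Set-Cookie header values against a reference time."""
    now = now or datetime.now(timezone.utc)
    return [audit_cookie(h, now) for h in headers]

if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        kind = "persistent" if row["persistent"] else "session"
        print(f'{row["name"]}: {kind}, days={row["lifetime_days"]}, '
              f'secure={row["secure"]}, http_only={row["http_only"]}')
```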

Any unprivileged interference with a chattel (i.e. tangible property) in possession of another, provided the injury is direct and immediate (rather than consequential), is a trespass. The storage of cookies on the hard drive may constitute trespass to a chattel. This remedy is unlikely to be granted by a court as an easy ‘self-help’ remedy exists, that is, deletion of the cookies, and the storage of cookies on the hard drive is unlikely to constitute damage from the loss of use of a non-profit earning chattel (Halsbury’s Laws of Australia – Damages to goods).

Another option may be an action for misleading and deceptive conduct under s 52 of the Trade Practices Act 1974 (Cth) or equivalent state fair trading legislation (e.g. s 42 Fair Trading Act 1987 (NSW)) for those sites that do not indicate on their home page that they use cookies. However, these provisions only apply in the course of trade and commerce, and are therefore only applicable to commercial sites, not websites that display information only.

The report’s call for legislative is currently being acted upon (as at July 2003); politicians have already met with senior Internet industry professionals, including members of the IIA, to discuss the form, scope and implementation of the government's proposed legislation. While the proposed bill is still in its formative stages it appears that the opt-in system of accepting commercial emails proposed by the NOIE report will be created. For more information see the IIA Press Release ‘IIA Ups the Ante in War Against Spam: Internet Leaders to Consider Spam Law’ at http://www.iia.net.au/news/060301.html. 

13.          Medical Records

As Commonwealth and State governments move towards systems of electronic health records, they are slowly starting to implement specific health privacy legislation covering the handling of health information in electronic records in the public and private sectors. In New South Wales the Health Records and Information Privacy Act (http://www.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370) was passed in 2002 but is yet to commence. The Act aims to promote fair and responsible handling of health information by protecting individuals’ privacy in relation to that information, enabling them to access health information and providing a framework to resolve disputes regarding the handling of health information. Other States with similar legislation include:

·           Victoria – Health Records Act 2001 (http://www.health.vic.gov.au/healthrecords/; http://www.dms.dpc.vic.gov.au/l2d/H/ACT01966/0_2.html); and

·           ACT – Health Records (Privacy and Access) Act 1997 (http://www.legislation.act.gov.au/a/1997-125/current/pdf/1997-125.pdf).

The Federal Privacy Commissioner’s health page is a good resource on the current privacy regime in the health industry (http://www.privacy.gov.au/health).  

14.          Chat rooms

Chat rooms are places where real time conversation takes place in a text mode. Chat rooms are usually public although private chat rooms are offered on some sites. Most people use pseudonyms and so real identity is not apparent. If you make your real identity or your email address known in a public or private chat room, then another person who chooses to enter the chat room may gain access to this personal information. Also, records of ‘real time’ conversations remain accessible by others for quite some time after the conversation took place.