Dixon, Tim --- "Preparing for the new privacy legislation"  PrivLRes 2;  CyberLRes 7 (1 January 2001)
T Dixon (2001)
Baker & McKenzie Global Privacy Group
Author, CCH Private Sector Privacy Handbook
Preparing for the new privacy legislation
The arrival of a new privacy regime in Australia in 2001 is a culmination
of several developments over recent years, which have
seen privacy emerge as
a major social and commercial issue. Businesses are grappling with rising customer
concerns, a changing
regulatory environment, the choice of signing on to new
industry codes, and the risk of a public backlash against technologies which
put customer privacy at risk. The growth of e-commerce in particular has raised
the profile of privacy issues, and has
been a major factor behind the Government's
decision to extend the Privacy Act 1988
to the private sector.
Managing privacy issues involves coming to grips with new legal obligations
and balancing competing interests. On the one hand,
businesses have a strong
imperative to collect and use personal information. Customer information is
critical to e-commerce,
and the more that businesses "know" their customers,
and know how customers respond to different aspects of their products, the better
they are able to target customers with products tailored to their specific interests.
On the other hand, customers want to retain control of their personal information,
a lesson which some high-profile internet brands
have learnt at some expense.
Customers are increasingly hostile towards businesses which collect their personal
information without their consent, or are not open about how they use this information.
In this environment, managing privacy issues effectively can reduce
risk and help build stronger customer relationships.
At one level, there is a deceptive simplicity about privacy legislation.
It is based on a simple set of privacy principles, which
outlines how organisations
should as much as possible give individuals choice about how and when their
personal information is collected and used and to whom it is disclosed; recognising
their rights of access to that information; keeping the information accurate
and secure; giving individuals a choice of transacting anonymously, not storing
government identifiers, and ensuring
that information which is transferred overseas
is subject to privacy safeguards. However, while these principles sound relatively
simple, in practice the detail of how these are applied in specific contexts
can be difficult. Some indication of the complexity
of applying the legislation
to specific instances is indicated by the fact that the draft guidelines for
the National Privacy
Principles, which were released in May, 2001, totalled
174 pages. The scope of the various exemptions to the Privacy Act is also
complex, and organisations need to understand these exemptions in order to know
how to deal with other organisations.
Few people would have predicted how sharply the privacy issue has come into
focus in recent years. In the early 1990s, privacy
was seen largely as a slightly
obscure civil liberties issue. But with the technological developments of the
1990s (new systems for encryption, biometrics, data mining and loyalty cards)
and the shift in marketing practices towards individual customer relationship
management, privacy has become a major commercial issue. Privacy has also become
a political agenda item, a regular news story
and a potential risk to company
reputations. Industry organisations in many areas have established their own
privacy codes, which aim to give customers confidence about how their personal
information will be handled. Surveys have recorded unprecedented
levels of concerns
about privacy issues, which have been linked to the slower than expected takeup
of e-commerce. These developments
suggest that the right of individuals to control
their personal information will be one of the defining social issues in the
years ahead.
The development of privacy legislation in Australia is part of a global trend
to protect personal information and legislate for
fair information practices.
Most industrialised countries now have legislation in place which covers the
handling of personal
information and extends to internet transactions. Australia,
like the United States, has lagged this trend until now, while many other
countries have been implementing second or third generation privacy laws.
The Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000
Background: Coverage of privacy legislation prior to amendments
Although online developments have heightened privacy concerns, the history
of specific legal measures to protect privacy in Australia
reaches back into
the early 1970s. The first regulatory agency to have responsibility for privacy
issues, the New South Wales
Privacy Committee, was established in 1975.
In 1976 the Australian Law Reform Commission began working on a major national
report on privacy, which was released in 1983.
The Privacy Act 1988 (Cth)
was a delayed response to the recommendations of this report, and was initially
to be introduced alongside the proposed Australia
Card, the national identity
card which was abandoned after an extraordinarily negative public reaction.
Prior to the recent amendments, the Privacy Act
was based around a set of
11 Information Privacy Principles, formulated from the 1980 OECD Guidelines,
covering issues such
as the collection, use, security, disclosure, retention
and destruction of personal information. The Privacy Act
had only a limited
scope, essentially applying to:
(a) Commonwealth Government agencies
(b) The handling of Tax File Numbers by all organisations
(a set of mandatory Guidelines which restrict the use of TFNs); and
(c) The use of credit reporting information in the private sector.
In overall terms, personal information collected by the Commonwealth Government
and some states was covered by privacy legislation,
but these laws had limited
impact on the private sector.
Specific statutes also address the use of particular technologies in the
private sector; for example, the Telecommunications Interception Act 1979
and state legislation such as the Listening Devices Act 1984 (NSW)
and the Surveillance Devices Act 1999 (Victoria)
prohibit the unauthorised
interception and recording of telephone conversations. The Telecommunications
Act 1997 also imposes restrictions on the unauthorised disclosure of personal
information related to customers of a telecommunications
service provider or
an internet service provider.
There is a very limited degree of common law recognition of what might be
seen as a right to privacy in special situations. For
example, if it is seen
that a duty of confidentiality exists between two parties (eg bank and customer
or a doctor and patient),
then disclosure of information to a third party may
be a breach of confidence.
Outside the framework of legislation, some companies and industry organisations
have adopted a self-regulating approach to privacy
- Individual industries have specific codes of conduct which can govern the
practices of members of industry organisations or sectors.
For example, the
National Privacy Principles are being incorporated into revised versions of
the Code of Banking Practice
(which already deals with a variety of privacy
issues in clause 12), and the Electronic Funds Transfer Code of Conduct (which
already has some specific safeguards such as those relating to the use of
cameras at Automated Teller Machines).
- Individual industry bodies such as the Banking Industry Ombudsman and the
Telecommunications Industry Ombudsman receive and investigate complaints relating
to privacy breaches within their industries. In the case of the TIO, membership
of the body is compulsory
for carriers, carriage service providers and internet
service providers. The Australian Direct Marketing Association requires all
of its members to comply with privacy obligations in its code, and plans to
register this code with the Privacy Commissioner.
- Some individual companies may establish internal guidelines on privacy.
For example, Telstra has developed a corporate privacy
policy which is subject
to an annual external audit, overseen by an independent panel.
The evolution of the current privacy legislation
The Commonwealth Government's extension of privacy legislation in Australia
is the result of a process of policy development over several years:
- The Coalition's 1996 election manifesto included a commitment to "world
best" privacy legislation covering the private sector,
and was critical of
the slow response of the previous Government to public concerns over the loss
of privacy protections.
- In September 1996 the Attorney-General, Daryl Williams, released a discussion
paper on the proposed extension of the Privacy Act 1988 to the private
sector. It involved extending the existing Information Privacy Principles
to the private sector, with minimal
changes to the overall regulatory regime.
This resulted in criticism from the business community that the legislation would
lead to unnecessary compliance costs.
- In March 1997 the Prime Minister, Mr Howard, announced that the Government
would not be extending privacy legislation to the
private sector, citing the
problem of the regulatory imposition for small businesses to comply with the
law. Instead, the
Prime Minister indicated that privacy should be dealt with
under self-regulatory processes.
- Over the course of 1997, the then Privacy Commissioner, Moira Scollay, initiated
a consultation process in which industry groups,
privacy experts, advocates
and consumer organisations worked on the development of a set of privacy principles
which would apply to businesses either through industry codes or national legislation.
- In February 1998, the Privacy Commissioner launched the National Principles
for the Fair Handling of Personal Information, which
soon became known as
the National Privacy Principles. Industry groups such as the Insurance Council
of Australia, the Australian
Direct Marketing Association, the Australian
Communications Industry Forum and the Internet Industry Association sought
to insert these principles into their industry codes. A revised set of Principles
was released in January 1999 after further
consultations over the exemptions
for law enforcement agencies.
- Between 1997 and 1998 the development of the internet and a growing number
of well publicised privacy invasions gave increasing
public profile to the
privacy issue. A public campaign to extend privacy legislation to the private sector
gained increasing support.
By the second half of 1998, several industry groups
were actively advocating the extension of the legislation to the private sector.
The support of business groups was prompted by increasing concerns that in
the absence of a consistent national
scheme, a patchwork of different industry
standards and legislation would emerge. This concern was heightened by the prospect
of a Victorian Bill for privacy protection which aimed to cover
the public and private sector.
- In December 1998 the Attorney-General and the Minister for Communications,
Information Technology and the Arts jointly announced
that the government
would implement a "light touch" extension of the Act to the private sector,
which would provide for
a default set of privacy standards in the absence
of industry codes to be approved by the Privacy Commissioner. This legislative
proposal was developed throughout 1999 through the Core Consultative Group,
a similar group to that which was involved
in the development of the National Privacy Principles.
- In April 2000 the Government tabled the Bill in Parliament. The legislation
was reviewed by the House of Representatives Legal
and Constitutional Affairs
Committee which released its report in June. The report was critical of the
exemptions in the
Bill and proposed several amendments. Two Senate Committees
also reviewed the legislation. The Senate Select Committee on Information
Technologies released its Cookie Monsters report around the same time
as a Senate Legal and Constitutional Legislation Committee reported on the
Bill, in October 2000.
- After amendments in the Senate, which widened the Act's application to pre-existing
data and strengthened the role of the Privacy
Commissioner, the legislation
was passed in December 2000 and comes into effect on December 21 2001.
Three main factors prompted the change in the Howard Government's position
away from self-regulation:
- The Victorian Government had indicated that it would go ahead with private
sector privacy legislation if the Commonwealth Government
failed to legislate.
This in turn threatened to contribute to an untidy patchwork of different
laws in separate states
and industry sectors, and prompted industry groups
to press for Commonwealth privacy legislation.
- The European Union's Privacy Directive prohibits trade in personal information
with countries which do not have adequate privacy
protection (effective from
October 1998). Because there were no enforceable privacy safeguards in the
private sector, Australia
would not meet the test of adequacy, with potentially
significant negative implications for the information industries in Australia.
- Consumer research has indicated that privacy protection is a pre-requisite
for establishing consumer confidence in new technologies, and
industry groups were pushing strongly in favour of privacy legislation as
a means to establish trust and confidence.
The extension of the Privacy Act 1988
to the private sector means
that from December 2001 all organisations which are not covered by an exemption
will need to comply
with the National Privacy Principles in how they handle
personal information. This will impose upon organisations requirements as
to how they communicate with customers when they first collect information,
what they do with that information, to
whom they disclose that information,
how they keep information secure, and how they provide access to personal information
to individuals. Organisations which breach these principles may be subject to
investigation in the event of a complaint, and if
the complaint is upheld by
the Privacy Commissioner it may lead to a determination by the Privacy Commissioner,
including an award of compensation or a requirement to change a business practice.
While the history of privacy legislation suggests that
it is unlikely to lead
to a stream of large payouts, given the high level of attention being paid to
privacy issues and the
potentially widespread nature of any breach of privacy
principles, privacy issues are now a significant regulatory issue for organisations
which handle personal information.
The coverage of "personal information"
Private sector organisations must work with the same definition of "personal
information" in the Act that applies to Commonwealth
agencies. The definition
of "personal information" is found in section 6(1):
"'personal information' means information or an opinion (including information
or an opinion forming part of a database), whether
true or not, and whether
recorded in a material form or not, about an individual whose identity is apparent,
or can reasonably
be ascertained, from the information or opinion."
In short, personal information is information or an opinion that can identify an individual.
The Explanatory Memorandum to the Privacy Bill 1988
noted that, "the
range of information/opinion coming within the definition is infinite and would
include, for example, information
relating to the person's physical description,
residence, place of work, business and business activities, employment, occupation,
investments and property holding, relationships to other persons, recreational
interests and political, philosophical or religious
beliefs. The definition
applies to such information or opinion whether recorded in a material form or
not, including information
held on databases." [Explanatory Memorandum to the
Privacy Bill 1988,
Paragraph 35] The definition of "personal information"
is therefore broad.
Even if a record does not identify a person by name, it may constitute personal
information. For example, a person might easily
be re-identified through an
account number, employee number, transaction number or some reference to an
external record that
uniquely identifies that individual. This means that simply
removing a person's name from a record will not make it anonymous
and stop it
from being personal information.
Another important part of the scope of the Act's application to "personal information"
is the definition of a record and a generally
available publication. Section
16B specifies when the Act applies to personal information collected and held
by an organisation,
by providing that:
"(1) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to
the collection of personal information by an organisation only
if the information is collected
for inclusion in a record or a generally available publication.
(2) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to
personal information that has been collected by
an organisation only if the
information is held by the organisation in a record."
Section 16B(1) applies the Act when personal information is being collected
and section 16B(2) applies the Act to personal information
once it has been
collected. Specific provisions apply in Division 4 of Part III concerning tax
file number information, Division
5 of Part III relating to credit information
and Part IIIA relating to credit reporting.
The definitions of "record" and "generally available publication" are found
in section 6(1) of the Act.
The definition of "record" sets out what a record includes, and what
it excludes:
(a) a document; or
(b) a database (however kept); or
(c) a photograph or other pictorial representation of a person;
but does not include:
(d) a generally available publication; or
(e) anything kept in a library, art gallery or museum for the purposes of
reference, study or exhibition; or
(f) Commonwealth records as defined by subsection 3(1)
of the Archives Act 1983
that are in the open access period for the purposes of that Act; or
(fa) records (as defined in the Archives Act 1983
) in the custody of
the Archives (as defined in that Act) in relation to which the Archives has
entered into arrangements with
a person other than a Commonwealth institution
(as defined in that Act) providing for the extent to which the Archives or other
persons are to have access to the records; or
(g) documents placed by or on behalf of a person (other than an agency) in
the memorial collection within the meaning of the Australian War Memorial Act 1980; or
(h) letters or other articles in the course of transmission by post.
The definition of "record" is sufficiently broad to encompass records in electronic
form and includes films, videotapes, paintings,
drawings, etc. of a person (under paragraph (c)).
The exclusion for generally available publications is an important limitation
on the scope of the Privacy Act
. The definition of "generally available publication"
is found in section 6(1):
""generally available publication" means a magazine, book, newspaper or other
publication that is or will be generally available
to members of the public."
Thus the Act covers personal information but only applies to information that
is recorded in some form, which can include personal
information in an electronic
record. However, it probably would not include tissue information or bodily
fluids such as blood
or urine samples. Although such samples might involve intensely
personal information (such as unique genetic information) they
would be unlikely
to come within (a), (b) or (c).
Understanding the National Privacy Principles: The life cycle of personal information
In a general sense, privacy legislation seeks to protect individuals from
the unfair or unauthorised use of their personal information.
These rights can
be understood through the life-cycle of information : from collection, through
to use and disclosure to
third parties, and ultimately to the destruction of
the information. Privacy laws seek to protect the individual's right to control
the use, storage and disclosure of this personal information, subject to other
public interests such as law enforcement and
the efficiency of public administration.
As Professor Alan Westin first defined it, privacy legislation protects the
individual's right to determine for one's self when, how, and to what extent
information about one's self is communicated to others.
This right can protect autonomy, dignity, or health and welfare.
Consumers' sensitivity about their personal information varies between individuals
and according to the type of information which
a business collects. For some
people, even address, telephone number and email can be sensitive. Consumer
sensitivity is generally highest in relation to:
- the aggregation of personal information from different sources which can
lead to detailed personal profiles (such as through
bill management services);
- information on spending patterns and use of financial services;
- calling records and internet usage information collected by telecommunications
and internet service providers;
- health information collected by health care providers and providers of information about health;
- resume, reference and other employment-related information collected by
recruitment agencies, and
- information on customers' use of leisure and entertainment services such
as online gambling.
The amendments to the Privacy Act 1988
extend a set of National Privacy
Principles (NPPs) to the private sector. The NPPs were originally developed
by the Privacy
Commissioner in 1997 through a process of consultation with industry
and consumer groups. The NPPs differ from the Information Privacy Principles
(IPPs) which apply to Commonwealth Government agencies.
The National Privacy Principles set out minimum standards for the handling
of personal information. To a large extent these principles
reflect the OECD's
Guidelines Governing the Protection of Privacy and Transborder Flow of Personal
Data from 1980. In the shortest form, they may be summarised in this way:
- Collection of personal information: Collection must be necessary
for an organisation's activities, information must be collected lawfully and
as a general principle must be collected with the individual's knowledge.
- Use and disclosure of personal information: As a general principle,
information can only be used or disclosed for its original purpose unless
the person has consented
to its use or disclosure for another purpose. Exemptions
apply to initial contact for direct marketing (if consent wasn't practicable
originally) and other situations such as when there are issues of law enforcement,
public safety or protecting the company's interests.
- Accuracy of personal information: Organisations must take reasonable
steps to ensure that they keep personal information accurate, complete and
up to date.
- Security of personal information: Organisations must take reasonable
steps to protect the personal information which they hold from misuse, loss
and unauthorised access, modification or disclosure.
- Openness in relation to the organisations practices: Organisations
which collect personal information must be able to document their practices
and must make this information
available on request.
- Access and correction rights: As a general principle, organisations
must give individuals access to their personal information and must allow them to
correct it or explain something with which they disagree, unless disclosing
this would have an unreasonable impact on someone
else's privacy. This principle
is subject to exemptions such as if this disclosure would compromise a fraud investigation.
- Use of government identifiers: Organisations cannot use a government
agency's identifier as its own identifier. This would cover items such as Medicare numbers,
a Tax File Number (which in any case is covered by other legislation)
or any future identity numbers assigned by a government agency.
- Anonymity: Organisations must give people the option of entering
into transactions anonymously where it is lawful and practicable. For example,
this would apply to travel on a bus, but not to opening a bank account.
- Restrictions on transborder data flows: As a general principle, organisations
can only transfer the personal information about an individual to a foreign country
if they believe that the information will be protected by a law or
a contract which upholds privacy principles similar to the NPPs.
- Special provision for sensitive personal information: A higher level
of privacy protection applies to sensitive personal information, which includes
information about a person's
health, political or religious beliefs or affiliation,
and sexual preference. This information must only be collected with the individual's consent.
The Privacy Commissioner released a draft set of guidelines on the National
Privacy Principles in May 2001, spelling out some of
the factors taken into
account in the interpretation of the principles. The guidelines are open
to comment until July 6, 2001.
The NPPs apply generally to all organisations (other than public sector
agencies, which are already covered at a Commonwealth level by the Information Privacy Principles).
The Act defines "organisation" broadly in section 6C to
include an individual, body corporate, partnership, trust or any unincorporated
association. The Act specifically excludes small business operators, registered
political parties, agencies, state or territory
authorities and prescribed state
or territory instrumentalities from the definition of an "organisation" under
section 6C (1).
The effect of this is that these entities are exempt from the
operation of the Act. The exemptions are spelt out as follows:
- media organisations: s7B(4)
- registered political parties: s7C
- state or territory authorities or an instrumentality of a State
or Territory prescribed by regulations: s6F
- organisations that are individuals acting in a non-business capacity: s7B(1)
- organisations acting under a Commonwealth or State contract: s7B(2)
- employer organisations: acting in respect of employee records: s7B(3)
(a) Small Businesses: A small business is
defined as a business with an annual turnover of $3 million or less, which does
not provide a health service
or hold health information, which does not provide
contractual services to the Commonwealth and does not transfer personal information
about an individual to anyone else for any kind of benefit. In other words,
small businesses are covered if they are involved
in the sale of personal information.
This outcome reflects some unique political sensitivities in the Australian
climate relating to small business.
(b) The Media: Acts or practices done by
an organisation in the course of journalism will be exempt from the legislation.
The exemption explicitly aims to strike a balance between the public interest
in providing adequate privacy safeguards and the public interest in
a free flow of information to the public through the media. The scope of this
exemption is especially broad. An
organisation can be classified as a media
organisation if it is engaged in the provision of information to the public,
its "activities consist of ..... dissemination of ..... material having
the character of news, current affairs, information or
a documentary". This
attracted criticism because of the possibility of it being used as a loophole.
(c) Political parties: Registered political
parties will be exempt from the legislation for their activities in connection
with an election, a referendum,
or other participation in the political process.
This was a surprise inclusion in the legislation, as it had never previously
been raised during the extensive consultations over the legislation. The Government
has argued that it is necessary to give
this exemption in order to give effect
to the implied constitutional freedom of political speech.
(d) Domestic use: This exemption applies
to the use of personal information in connection with personal, family or household affairs.
The Act covers all types of personal information which are not publicly available
but will also exclude:
(e) Employee records: Employee records are
defined as a record relating to the employment of an employee including engagement,
resignation, termination, terms and conditions, contact
details, performance or conduct, remuneration, the union membership, health
information and financial affairs. It extends to current and former employees.
(f) Personal information already in existence
when the amendments come into operation will have a limited exemption.
(g) State government contractors: The acts
and practices of contractors to state and territory governments and agencies
in relation to handling personal information
under contracts need only to comply
with the applicable standards of the state or territory and will otherwise be exempt.
(h) Transfers of personal information between
"related bodies corporate", as defined under section 50 of the Corporations
Law. Related bodies corporate are essentially businesses which have a shared
controlling interest. This might allow a large organisation
with diverse businesses
to pool its personal data collections without the knowledge of its customers.
Restrictions still apply
to the use and disclosure of this information, but
as an example, an organisation which was able to conduct direct marketing to
customers seemingly can conduct direct marketing in respect of all of the operations
of its related bodies corporate.
By default, the NPPs apply to organisations - that is, unless the organisation
is a signatory to a voluntary code which has been
approved by the Privacy Commissioner.
However, the legislation leaves open the option of industry groups or individual
organisations developing their own codes of conduct in place of the NPPs. Codes can
be developed by any organisation or group, but cannot impose
a lower standard
of privacy protection than the NPPs. Codes must be approved by the Privacy Commissioner
after a process of
consultation. The codes are intended to give the legislation
maximum flexibility while retaining a consistent standard of privacy protection.
The Privacy Commissioner recently released a set of guidelines covering the
requirements which must be met for
a code to meet the Commissioner's approval.
The scope of the small business exemption
(a) Is the business a 'small business'?
A business is a small business during a financial year if its annual turnover
for the previous financial year was $3 million or
less under section 6D(1)
of the Act. If no business was conducted in the previous financial year, it
will be considered a small
business only if its annual turnover for the current
year is $3 million or less. The Act does not exempt small businesses, of themselves,
from the coverage of the Act. The exemption attaches itself to the small
business operator, ie the entity that 'carries on' the business, not the
business itself.
(b) How is the $3m threshold for a "small business" calculated?
The method for determining the annual turnover of a business is prescribed
by section 6DA of the Act. It defines 'annual turnover'
as the sum of:
- the proceeds of sales of goods and/or services;
- commission income;
- repair and service income;
- rent, leasing and hiring income;
- government bounties and subsidies;
- interest, royalties and dividends;
- other operating income.
In general this figure will equate to the total of the instalment income
a business notifies to the Commissioner of Taxation on
its Business Activity
Statement over the course of the financial year. This is significant as it means
that a business should
be able to use its Business Activity Statements for a
financial year to demonstrate that it falls within the definition of a 'small
business' under the Act.
Where business has been carried out for only part of the year, section 6DA (2) provides a formula for determining annual turnover. The formula calculates the annual turnover for such a business as being the amount of turnover generated by the business in the part of the year it operated, multiplied by the number of days in the whole financial year over the number of days in the part of the financial year when it was operating. On this basis, if a business only operated for 3 months of a financial year but had a turnover of $1m, it would not come within the definition of a small business because its annual turnover would
The 'small business operator' test
(a) Does the entity carrying on the small business carry on any business that is not a small business?
Section 6D (3) excludes from the definition of a 'small business operator' any entity that operates a small business as part of a group including larger enterprises, thereby preventing large enterprises from sheltering under the small business exemption. However, it may not prevent the (unlikely) scenario of a small business operation maintaining several small businesses which each turn over less than the annual $3m threshold.
(b) Has the business ever had an annual turnover of over $3m since the business was started or since the section commenced, whichever
Further exceptions apply to the rule that an individual, body corporate, partnership, unincorporated association or trust who carries on a small business will be a small business operator. Any such organisation will not be a small business operator, under section 6 (4) where they carry on a business that has previously had an annual turnover of $3 million or more in a financial year has either ended after the business was started, or after the section commenced in December 2002 (whichever came later).
(c) Does the business maintain health information records other than in employment record(s)?
If the business provides a health service to another individual and holds any health information (other than health information in an employee record), then under 6D(4)(b) it is not exempt from the Act. This provision ensures that
and other providers of health services are included within the coverage of the legislation.
(d) Does the business collect or disclose personal information for a gain, benefit or advantage?
The exemption does not apply where a small business either:
- discloses personal information about another individual to anyone else for a benefit, service or advantage - although this does not prevent an entity from being within the exempt definition of a small business operator where the disclosure of this information is consented to by the individual concerned, or where it is required by legislation, under section 6D (7).
- provides a benefit, service or advantage to collect information about another individual from anyone else - although again, this does not prevent an entity from being a small business operator where the information is collected with the consent of the subject or is required to be collected under legislation, under section 6D (8).
(e) Is the information collected or disclosed in the business's role as a contracted service provider?
If the business is a contracted service provider under a Commonwealth contract, it comes within the exemption. This provision applies whether the business is a party to the contract or not (such as where it may be a sub-contractor).
(f) Is the information collected or disclosed in connection with the personal, family or household affairs of a small business operator or for a purpose outside the normal course of a business which the organisation carries on?
An individual who does something described in section 6D (4) (b), (c) or (d) can still come within the exemption for a small business
such actions are carried out otherwise than in the course of business he or she carries on and only for the purposes of, or in connection with, his or her personal, family or household affairs (section 6D (5)). Similarly, a body corporate, partnership or unincorporated association that does something in section 6D (4) (b), (c) or (d), stays within the definition of a small business operator where such actions are done "otherwise than in the course of a business it carries
(g) Has the business opted in to be covered by the
Small business operators may opt-in to the coverage of the Act by choosing to be treated as an organisation for the purposes of the legislation. It is assumed that small businesses will do this if they believe it would improve consumer confidence in providing them with personal information. In order to allow this, Section 6EA (1) of the legislation allows small business operators to elect to come within the complete operation of the Act (with the exception of section 16D, which is excluded in order to ensure electing small business operators are covered by the legislation immediately after election: 6EA (2)).
(h) Have there been any regulations which would bring the small business operator within the coverage of the Act?
A small business operator may be treated as an organisation and therefore be covered by the Act where the Attorney-General makes regulations to that effect.
Section 6E allows the making of regulations relating to:
- all the acts and practices of a specific small business operator; or
- one or more specific acts and/or practices of a specified small business
- all the acts and practices of a class of small business operators;
- one or more specific acts and/or practices of a class of business operators.
Prior to any regulations being made, the Attorney-General must be satisfied that such a regulation is in the public interest and must have consulted with the Privacy Commissioner about the desirability of the regulations (section 6E(4)). In considering whether to make the determination, the Attorney-General has indicated that the opinions of the Minister for Small Business and the
Advisory Committee are likely to be taken into account.
(i) When do small businesses which are not exempt become subject to the legislation?
For those small businesses which are not exempt from the Act, an extra period of time is given to make it easier to prepare for the obligations of complying with the Act. The time delay authorised by section 16D gives most non-exempt
an extra year to prepare for the legislation, with the NPPs applying from December 2002. For any organisation that carries on one or more small businesses, other than a business dealing in the provision of health services, the delayed application period begins with the commencement of the legislation or the formation of the organisation (whichever is later) and ends on December 21 2002 or sooner if the organisation begins to carry on a business that is not a small business or is a health service (section 16D (6)). In effect, this means that there is no delay in the application of the Act to small businesses operated by organisations which also operate a non-small business.
Once in place, an individual who believes that the code has been breached may make a complaint to the organisation concerned. If it is not resolved satisfactorily, they may make a complaint to the Privacy Commissioner, or if an independent
has been appointed to administer the code, they must make the complaint to that body.
If there is an approved code of conduct in place, the complaint will normally be handled by a code authority, which is established and funded by an industry. In practical terms, this might be the Telecommunications Industry Ombudsman, the Banking Industry Ombudsman or the code authority for the Australian Direct Marketing Association code of conduct. If there is no approved code in place, the complaint is handled by the Privacy Commissioner.
Breach of the NPPs can result in an order from either a code authority or the Privacy Commissioner to restrain an action, undertake an action, or to give
A decision by a code authority can be reviewed by the Privacy Commissioner, and the Privacy Commissioner's decision can be reviewed through the process of administrative review.
A decision to give an individual a remedy can be appealed in the Federal Magistrate's Court, and can be enforced through the Court if an organisation has not complied with the remedy.
Developing a privacy strategy
The best response to the public concerns and changing regulatory environment for privacy issues is to adopt a strategic approach which identifies the importance of privacy issues to an organisation and the specific methods which the organisation
to use. There are several elements to a privacy strategy, the detail of which will be determined by the nature of the information which is collected and used, the size of the organisation and the extent of the risk to customers' privacy and the reputation of the business.
A starting point for privacy compliance is the company's website privacy policy. The information practices of businesses should be clearly explained on the web site, and this policy should address the full range of information practices of that agency.
Under National Privacy Principle 5 (Openness), organisations must make available information about their privacy practices. The Guidelines for Federal and ACT Government World Wide Websites sets out a range of issues which should be considered in developing a policy, including:
- openness about its information practices;
- an explanation of the site's collection and use of clickstream data and
- what personal information is collected on the site;
- information about the security of any information; and
- the publication of personal information on websites.
In brief, privacy policies should address the requirements of the National Privacy Principles and give specific information about exactly how the organisation and its alliance partners will use personal information.
Consent is a crucial principle in the implementation of privacy protection. The National Privacy Principles state that consent must be obtained if personal information is going to be used for secondary purposes, except under specific
Consent is especially important for direct marketing and the sharing of personal information with third parties. However, the
of consent is not altogether clear. Consent may be obtained in active or passive ways, which tend to be broadly divided as "express" and "implicit" consent.
"Express consent" or "explicit consent" involves explaining clearly to consumers the organisation's information practices and obtaining active consent, such as through a written consent form or via a secure means of communication. Consent is likely to be regarded as express if consumers are given an active choice between different privacy options, so that they are not forced into consenting into specific uses of their personal information.
Companies which rely on "implicit consent" face a higher risk of future complaints and claims, because they are assuming the consent of an individual without necessarily bringing to their attention specific details of information use and disclosure.
which assumes implicit consent might argue that certain uses of information are obvious from the nature of the person's dealings
organisation and do not require explicit consent.
The Privacy Commissioner's definitions of terms used in the National Privacy Principles define consent in the following way:
"Free and informed agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction
The Explanatory Memorandum emphasises also that for certain categories of personal information defined as being sensitive, a more explicit form of consent (again, not specified) is required.
"NPP 2.1(b) allows information to be used or disclosed for a secondary purpose where the individual has consented to use/disclosure for that purpose. Consent to the use or disclosure may be express or implied. Implied consent would be acceptable in some circumstances. Implied consent could legitimately be inferred from the individual's failure to object to a proposed use or disclosure (that is, a failure to opt out), provided that the option to opt out was clearly and prominently presented and easy to take up. If the consequences for the individual of the use or disclosure were serious, however, the organisation would have
able to demonstrate clearly that the individual could have been expected to understand what was going to happen to his or her information. In such circumstances it would generally be more appropriate to seek express consent.
325. NPP 2.1(c) allows personal information (provided it is not sensitive information) to be used for the secondary purpose of direct marketing
it is impracticable to get the individual's consent before using the information; the organisation gives the individual an opportunity to opt out of further direct marketing communications (at no charge); and the individual has not already
the organisation not to send direct marketing material to the individual.
326. This sub-principle allows personal information, other than sensitive information, to be used in order to establish initial contact with an individual, provided that the individual is given the chance to opt out of any further approaches.
of sensitive information from this sub-principle recognises that the opt out mechanism is not a sufficient protection in relation to this type of information. It would allow sensitive information to be used to establish contact with an individual, in the absence of consent, for purposes that may be entirely unrelated to the primary purpose of collection of the sensitive
The exclusion of sensitive information will not prevent direct marketing organisations from using sensitive information about
in reliance on, for example, NPP 2.1(b) (that is, with the individual's consent) or NPP 2.1(a). The application of this sub-principle in the health context will be detailed in guidelines issued by the Privacy Commissioner."
Policies need to be supported by back office implementation of procedures which ensure that an organisation's internal practices are consistent with its policies and legal obligations. Many organisations have put a focus on the front-end website policies, but if this is not followed through and implemented throughout the organisation, businesses are at risk of misrepresenting actual information practices. Organisations need to address how privacy safeguards will be incorporated into their internal processes, and should identify an individual who can take responsibility for the development and implementation of the program. For example, many US technology companies have appointed a Chief Privacy Officer to take this role and the Australian Direct Marketing Association has required its 500 members to appoint CPOs by April 2001.
Conduct an independent audit
Another method of building confidence in a company's information practices is to commission an independent audit of the information policies and practices of an agency. An information audit can help to highlight compliance problems and can give customers added confidence that a policy is being implemented. External audits are also a useful tool in making staff aware of their accountability for their handling of personal information and identifying any problem areas within the organisation.
Privacy impact assessments
The privacy impact assessment process represents an innovative approach to managing the strategic risk associated with privacy practices at an early stage of product development. Privacy impact assessments are now being conducted by
such as in Canada, New Zealand, and in the United States and are likely to become increasingly common in the private sector.
process allows businesses to identify potential risks, and outlines options for how those risks might best be
The impact assessment can help avoid nasty surprises and provide outside input into the development of new products and services. With the rapid development of e-commerce, there are thousands of new ideas, concepts and products under development. The use of personal information is often a major part of these new services. New e-commerce products can have significant impacts on privacy, and privacy concerns can have a significant impact on how consumers respond to new technologies. Businesses which ignore these issues can suffer substantial financial harm and in some cases even find the launch of the product cancelled or the product substantially modified because of a consumer backlash.
In short, the aim of the privacy impact assessment process is to ensure that new products and services build trust, rather than
Privacy seal programs
A popular way of proving an online business's credentials is to join a privacy seal program. Privacy seals offer an external stamp of approval for the practices of a website. They have become particularly popular in the United States in the absence of legal measures to protect privacy. The best known privacy seal programs
- TRUSTe, which was launched in June 1997 - a licensing program which stipulates conditions to which the licensee must adhere, including privacy principles and dispute resolution processes. By 2000, 1000 sites were licensed, including
of the 100 most visited sites. Nielsen/NetRatings rates the TRUSTe logo as the most recognised symbol on the internet (www.truste.org).
- The Council of Better Business Bureaus has a BBBOnLine Privacy program, which claims a comprehensive process of assessing a company
and practices and has a third party dispute resolution process through the Better Business Bureaus. The BBBOnLine Privacy program in May 2001 had 820 companies approved (www.bbbonline.org).
- The Online Privacy Alliance is another major US-based initiative which covers a large proportion of major US companies. The OPA is focused on transparency and allowing consumers to make choices between which web sites they visit and where they make transactions. The OPA was launched in 1998 and includes 85 major US companies and industry organisations. (www.privacyalliance.org)
- CPA WebTrust aims to deliver confidence in the business and information practices of online companies. It requires its members to go through a full audit program conducted by an independent certified public accountant. It uses a specific encryption technology to ensure payment security, and is available in the US, Canada, the UK, France, Ireland, Australia and New Zealand.
- Another industry group known as the Personalisation Consortium was launched in 2000. It generally supports an opt-in consent to online marketing, and covers 26 major companies. The Consortium's initial standards for ethical
include fair access to personal information, responsible linkage of online and offline information, criteria for opt-in and consent, and rights of redress for consumers.
Organisations considering adopting a seal should familiarise themselves with a recent evaluation of seal programs published by the Australian Federal Privacy Commissioner in conjunction with the Ontario Privacy Commissioner. This report,
September 2000, concluded that while they had helped to improve online information practices, most of the seal programs fell short
privacy standards. The report Web Seals: A Review of Online Privacy Programs
"The future role that Web seals might play in e-commerce is unclear. Seals are only in their early stages of development and will likely evolve and improve over time. They could come into their own as a powerful facilitator of globalization
transactions if they are able to provide acceptable and enforceable privacy protection across multiple jurisdictions. Objective assessments of the extent to which seals provide true privacy protection, dispute resolution and enforcement, may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could assist consumers and business in differentiating between the competing claims put forward by various seal providers."
Complaints handling is an important part of managing privacy issues within an organisation. Effective complaints handling allows a company to identify any internal compliance problems, and is an important part of managing an organisation's
Poor handling of complaints, such as when staff are slow in dealing with a complaint, appear to lack knowledge, do not return phone calls and appear uncooperative, can deepen the aggravation of a customer who feels their privacy has been invaded. Speedy, informal complaints resolution processes can turn a disgruntled customer into a satisfied one if they feel that the organisation takes their concerns seriously. This is particularly the case in privacy complaints which often do not require or do not involve monetary compensation (but on the other hand, can sometimes be extremely serious and cannot be in any way remedied
compensation either). The Australian Standard on Complaints Handling provides a framework for organisations to develop internal
A business which is intending to introduce a new online service which might have significant privacy implications for its customers may wish to initiate a formal process of consultation. This may be done through an industry organisation or directly by an individual company. For example, a business may make informal or formal contact with consumer and privacy groups, and any other
who can help to identify and address potential problems or issues in the early design of the program. This approach is most relevant in industries in which a small number of companies play a dominant role, such as in banking or telecommunications. A business can also explain its plans on its website and can seek responses from its users and customers. This process can complement the privacy impact
It is important that contracts with third party service providers adequately address privacy issues. Specific measures can be taken to give maximum protection from the risks associated with third party processing of personal data.
The contract should address:
(a) confidentiality undertakings - prohibiting any use or disclosure of information other than what is necessary to meet the requirements of the contract (subject to the normal exemptions, such as for legal proceedings);
(b) accepting all privacy obligations under relevant legislation (eg Telecommunications Act, Privacy Act, Code of Conduct);
(c) an indemnity for any liability arising out of the agency's breach of their privacy obligations;
(d) acceptance that the contracting party may audit, either directly or through its auditors, the information practices of the contractors relating to the processing of information as set out in the contract, and that the contractor must provide all reasonable assistance to the party conducting
(e) obligations that the contractor informs the contracting party if any breaches or alleged breaches of security or of the
Termination provisions should also impose an obligation to return all personal information and destroy any remaining records of personal information if the contract expires or is terminated.
Using technologies to enhance privacy
It is important to put the contractual and legal context of privacy protection into the broader context of technologies which can play a role in protecting individual privacy. Legal measures are not the only way of providing consumers with protection for their personal information. A small segment of the online community is willing to pay to take privacy protection into its own
the use of encryption and other software products which block cookies and preserve online anonymity. These privacy technologies are useful for email, browsing web sites and making transactions.
One of the best regarded examples of privacy enhancing technologies is the Freedom Software program from Zero-knowledge Systems
software gives a web user anonymity by allowing them to use a pseudonym. Personal information is encrypted and routed through the company's network of servers so that it cannot be traced to a user's computer. A pseudonym costs just $US10 per year. Similar anonymising and anti-cookie software programs are available from other providers including Cookie Crusher, Cookie Cruncher, AddsOff, Cookie Cutter, AdSubtract Se, Cookie Pal, Cookie Web Kit, HistoryKill 2000, Netwatcher 2000 and Surfsecret
Other companies offer to take on an information intermediary role, collecting information from a user and providing it to sites with users' approval. These "infomediaries" may rate sites according to their privacy policies (such as
Adviser software) which obtains a person's name, date of birth, billing and postal address, e-mail, phone number, credit card and preferred method of contact. Eponymous has rated the policies of 30,000
The World Wide Web Consortium has taken this concept further by developing P3P, the Platform for Privacy Preferences, which is intended to be built into software and allow an automatic comparison between a web surfer's privacy preferences and a web site's
the P3P standard in its software. P3P has met with a mixed response from privacy advocates and users, and it remains to be seen whether it will become an important element in online
Why privacy has become a major issue
The growing attention to privacy concerns reflects one of the impacts of the information revolution on individuals. The information explosion has made it possible to collect detailed information on customer purchasing patterns, to profile customers and to use data mining to build greater intelligence into business strategies. While this has offered great convenience to customers, it is also prompting a backlash. Survey research in recent years has tracked rising concerns that consumers are losing control of their personal information. While privacy concerns a decade ago were mainly focused on government collection and use of information, in recent years public concerns have shifted towards the use of personal information in the private sector.
Privacy concerns are now recognised as being more than just a concern for a small proportion of technophobic customers. Unease with the collection and use of personal information is now a significant factor holding back the uptake of e-commerce, with consumers reluctant to risk losing control of their personal information despite the convenience offered by the online environment.
now estimate that billions of dollars worth of e-commerce transactions are being lost because of consumer distrust in current privacy arrangements - as much as $US2.8bn in the United States in 1999, and rising to $US18bn by 2002, according to Forrester Research. This research has given impetus to regulatory initiatives in the US and elsewhere.
These concerns have serious effects on businesses which are making e-commerce a major strategic focus. For example, internet portals need customer information to maximise advertising revenue. The push for customised marketing from web advertisers is strong: if an advertiser doubles the ad banner clickthrough rate on a website from the standard 0.5% to 1%, through targeted marketing,
can double the site's advertising revenue. But developing targeted marketing requires the collection and use of personal information, and this creates risks.
Australians place a high value on the protection of their personal privacy. Throughout the 1990s a series of public opinion surveys
that privacy is a significant concern for people. For example, asked to rank a number of social issues in a Roy Morgan survey conducted by the Australian Privacy Commissioner in the mid-1990s, some 93% of Australians rated the confidentiality of their personal information as important, with 74% saying it was very important, and a further 19% as important. Privacy was ranked second only to education as a matter of concern when compared to other social issues - even ranking ahead
the economy and the environment.
Research by Ernst & Young has shown a higher level of concern about online privacy and security issues than in the US or
New research to be released by the Federal Privacy Commissioner in 2001 should provide a deeper insight into how Australians think about privacy issues.
Australian research reflects similar trends to surveys published in other countries. These are being compiled in the Baker & McKenzie Global Privacy Attitudes Survey Review, which will soon be available on the Baker & McKenzie
The surveys reflect the conclusions of Alan Westin, a veteran US privacy expert who has conducted 26 national privacy surveys since 1978, notes that privacy concerns have been on a trend
increase from a base level of around 72% in the early 1970s.
of these surveys include the following points:
- There is a very high level of concern about privacy issues.
- A 1999 Roy Morgan survey in Australia reported 56% of people agreeing with the statement, "I'm worried about invasion of my privacy through new technology", with 18% agreeing strongly, 24% disagreeing (only 3% strongly) and 20% unable to say. These concerns ranged across all party affiliations, from 50% agreement at the low end to 62% agreement at the high end.
- The 1998 Beyond Concern: Understanding Net Users' Attitudes to Online Privacy, conducted by AT & T Labs Research, reported 87% of respondents as being concerned about privacy, with 39% "very concerned" and only 13% "not very" or "not" concerned.
- A Harris Interactive poll of 2,810 American adults in August 2000 found that American consumers are more concerned about privacy issues than health care, crime or taxes. Some 56% stated that they are very concerned about the loss of personal privacy, compared with 54% with health care, 53% with crime and 52% with taxes.
- A 1999 survey by the Japanese Ministry of Posts & Telecommunications Privacy Survey reported that 94% of respondents said that they were interested in privacy safeguards.
- Privacy concerns are greatest in the online environment
- The IBM Multinational Consumer Privacy Survey in 1999 covering the United States, the United Kingdom and Germany, showed that concern about threats to personal privacy on the Internet ranged from 73% in the UK to 92% in the US, where 72% of people were very concerned.
- The IBM survey also found that consumers have the lowest confidence in the privacy practices of companies which sell over the Internet (ranging from 10% to 21%), contrasting with trust in the confidentiality of personal information handled by banks ranging from 70-77% and for health care providers ranging from 71-74%.
- A US survey by Yankelovich Partners in August 2000 reported 90% of respondents saying that protection of the privacy of their personal information is the most important issue to them when shopping online.
- Consumers especially dislike the use of their personal information for direct marketing without their consent, particularly when
is sold to third parties for direct marketing purposes
- A Business Week/Harris poll in March, 2000 showed record levels of privacy concerns, including that
  - of the 45% of respondents who had purchased online, 78% were concerned about the company they buy from sending them spam, with 41% very concerned
  - of the 55% of people who have not purchased online, some 94% said they were concerned about the company they buy from sending them spam, and 63% were
  - 10% overall were happy with browsing habits and shopping patterns being merged, and 89% were against (including 68% "not at all
  - 86% of Internet users were concerned about the use of online purchase information to directly market back to them, with 65% very
- The Trust in the Wired Americas survey by Cheskin Research in 2000 covering the US, Latin America and Brazil, indicated a 6.3/10 positive response
the statement that personal information given to a website may be sold
- Privacy concerns affect the way in which consumers behave and transact
- The IBM research showed that 50% of consumers in Germany, the UK and the USA had refused to give information on websites because of privacy concerns, and between 32% and 54% had decided not to purchase online because of privacy concerns. 39% of people in the US, 44% in Germany and 47% in the UK stated that privacy issues had stopped them from making online purchases. Around one third of Internet users demonstrate "privacy assertive behaviour", such as giving false information when asked to register
- 65% of respondents in the Harris Interactive Survey said that if a website
their personal information.
- 70% of respondents in the Business Week/Harris poll said that they would use the Internet, register personal information, or purchase more often, if there were explicit guarantees about the use of their personal information.
- 61% of people who did not use the Internet stated in the Business Week/Harris poll that they would be more likely to start using the Internet if their privacy was protected, and 78% of users said they would be more likely to use the Internet more often if this was the case. For both non-users and users, privacy was the highest ranking issue affecting whether or not they would use the Internet more often.
- Consumers want to have control over their personal information and how it is collected and used
- The Beyond Concern survey indicated that the issue of whether or not personal information was shared with third parties was the most important criterion to individuals when visiting websites, with 96% of people registering agreement with this concern. Being informed of the purpose of collecting personal information and the nature of the information which was being collected were also extremely high level concerns.
- In the Business Week/Harris survey, 86% of respondents said that websites should ask for permission to collect name, address and phone number details all the time, and 88% said that they should obtain permission before sharing with any other organisations all the time.
- The same survey indicated that 56% of people would always opt out of the collection of their personal information if given the choice, and 34% would sometimes opt out.
- The 1997 GVU survey of Internet users showed 72% of Americans agreeing with the statement that there should be new laws to protect privacy on the Internet, while the Business Week/Harris survey indicated 57% saying that laws should be passed now.
- Around 80% of people consistently wanted an opt-in arrangement for information collection, and 88% wanted to give consent before any sharing of their personal information. 55% of web users had noticed privacy policies, of whom 77% had read them and 35% said they always read them.
These concerns are behind the widespread adoption of comprehensive privacy and data protection legislation in developed countries over the past decade, which is discussed later in this paper. The global regulatory patchwork of privacy laws creates challenges for e-commerce, which by its nature involves cross-border alliances and transactions. Some businesses are adopting the approach of jumping to the highest bar, the European Union Directive, hoping that this will be adequate for other jurisdictions. Others adapt their policies to local requirements and do not aim for a consistent global strategy. Many have an ad hoc approach which only deals with privacy issues when confronted by customer complaints, negative publicity or immediate legal requirements.
The challenge for business organisations is to recognise that privacy is a strategic issue which goes beyond the scope of mere legal compliance. For example:
- Protecting personal information is an important element of the trust relationship which businesses want to develop with customers.
- Privacy is recognised as a threshold issue for consumer take-up of e-commerce, and is especially important for new products which involve the collection and use of large amounts of personal information, or particularly sensitive information such as health or financial records.
- Providing consumers with the widest range of choice in relation to their personal information is an element of quality of service.
- Privacy and security features are an important part of risk management strategies, because a negative privacy experience can have a substantial impact on public perceptions of an organisation's trustworthiness.
- Several industry associations have adopted codes of practice which include privacy standards, and which are binding on their members.
Personal information in an e-commerce environment
Changing business practices have greatly increased the scope for collecting personal information. This reflects the explosion of processing and storage in recent years. For example, telecommunications providers know the date, time, length, call number and destination of telephone calls. Pay TV services can know the viewing interests of subscribers. Internet sites can know the interests of users from how users navigate their website. With the development of interactive TV and pay-per-view services, it may also include a detailed history of a household's viewing patterns. Online financial services and bill management services can also collect a vast amount of highly sensitive information which gives a wide-ranging view of a person's finances.
While businesses were already able to collect a substantial amount of personal information on their customers before the arrival of online transactions, e-commerce creates a much larger and richer store of personal information because very few online transactions are anonymous. There are also far more points of collection:
- online registration systems allow businesses to collect contact details and general demographic information;
- clickstream data, collected through cookies, can identify the specific interests of individuals as well as giving companies information about how customers respond to the content of their website;
- email allows customers to communicate with businesses with minimal time or effort; and
- businesses can track a complete history of customer purchases.
The online environment allows businesses to build individual customer profiles in a way that for most businesses was simply not practicable across a wide customer base in the past. The information gathered from these profiles can be an enormously valuable resource for strategic development as well as for marketing and building
The online environment has also fostered the growth of joint ventures and alliance relationships, where businesses are able to leverage off each other's strengths. A significant online customer base is a highly valuable commercial asset for companies which are entering into joint ventures. In some cases, joint ventures allow companies to access the personal information held by their partners and to expand their records as a result. But joint ventures can also contain risks if there is a leakage of customer information to other parties without the consent of those customers.
The privacy minefield
The risk of adverse media publicity has now become a major reason for businesses to review and change their privacy practices, after an unprecedented year of privacy debacles in 2000. Several high-profile businesses have had their reputations damaged by lax, inadequate and in some cases illegal information practices. Despite the fact that for several years surveys have highlighted the importance of privacy to consumers, it is only more recently, with far greater media coverage of privacy issues, that privacy has been recognised as an issue which can significantly harm the public reputation of businesses.
In some respects, it is not surprising that increasing public attention on privacy issues is likely to expose some organisations for bad information practices. Survey research has indicated that many organisations do not have clearly developed and implemented privacy policies; and while online privacy practices are improving, they fall well short of any well-accepted privacy standard. In sectors where a substantial amount of personal information is collected, such as online recruitment services, many websites still do not have privacy policies. Among those that have a policy, many do not have adequate privacy standards.
As the spotlight on internet practices has intensified in recent years, a growing list of companies have come under attack for careless, unethical or even deceptive information practices. The public reputations of businesses can be damaged by:
- bad information collection practices, such as collecting unnecessary information;
- failing to explain how personal information will be used (and broadly, failing
- passing on personal information to other companies without the consent of the individuals concerned;
- security breaches, including unauthorised access to personal information, unintended disclosure, and problems with credit card
- making mistakes, such as sending the wrong personal information to individuals or recording mistaken information; and
- denying people anonymity, such as in their usage of a website.
These risks are illustrated by some of the privacy stories which hit the news during 2000.
Real Networks: Failing to disclose information practices
The year began with online software distributor Real Networks still smarting from a blitz of negative publicity after the New York Times revealed that it was collecting information about the musical tastes of 13.5m Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users' hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks was a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website, and since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.
DoubleClick: Customer profiling without consent
In perhaps the best-known incident of the year, online advertising agency DoubleClick came under siege from public outrage for unlawfully obtaining and selling customers' personal information. DoubleClick is the leading advertiser, with revenues which had grown from $9m in 1995 to $258m in 1999. By the end of 1999 DoubleClick was serving 30 billion targeted ads per month, and serving ads to around 12,000 web sites. In late 1999, DoubleClick began cross-referencing personal information from the web browsing habits of users with the database of a direct marketing firm, Abacus, which it had recently acquired. DoubleClick planned to match home address, name and purchasing habits to individuals' web usage patterns. Following extensive publicity, a consumer backlash, legal action by the Michigan State Attorney-General, an FTC investigation and a drop of one third in its share price, DoubleClick suspended its matching practices in March 2000. Estimates of the cost to DoubleClick of the incident, which occurred at the time of its second capital raising, range as high as $2.2 billion.
PSINet: Pink contracts for spammers
Controversy erupted for internet service provider PSINet when CNet News.com claimed that PSINet was covertly profiting from spamming while publicly opposing it. CNet News.com obtained a 'pink contract' which indicated that a marketing firm in Louisiana was paying PSINet an extra $27,000 in a one-off payment for "increased risks associated with this agreement". Cajunnet, the marketing firm, sent out 5-20 million spam messages at one time, helping to explain the additional payment given the likelihood of a large number of complaints and the risk of damage to PSINet's reputation if the arrangement came to light. At the same time, PSINet's stated policy on spam had indicated that customers would be cut off if caught using spam. PSINet subsequently terminated the relationship and embarked on new compliance and training efforts internally to avoid the repetition of any such incidents.
Toysmart: Selling a bankrupt business's database
American toy e-tailer Toysmart drew criticism when it announced that it intended to sell off its customer database after the company filed for bankruptcy on May 19. The decision to sell off the 250,000 customer records contradicted an express promise on Toysmart's web site never to sell customer information. This reversal in policy prompted the intervention of the Federal Trade Commission, which sued Toysmart for engaging in deceptive conduct. 42 states also sought a court injunction from the Federal Court to prevent the sale taking place for violations of their individual consumer protection schemes. The FTC eventually came to an agreement with the company that precluded the sale of the database as a separate asset, such that Toysmart could only sell the customer database as part of the sale of the whole web site. No company came forward to buy Toysmart, and in early January 2001 Toysmart's majority owner, Disney, paid $50,000 to destroy the database.
Amazon.com created a storm of protest when it informed customers that it
about the capacity of businesses to sell their databases after the Toysmart.com debacle. The revisions to Amazon's policy stated that the 23 million strong customer database is an asset of the business which may be sold to a third party in the future, without obtaining any further consent from customers. Amazon's changes provoked widespread criticism, and several complaints were filed against Amazon's subsidiaries in Europe for breaching local European privacy standards.
Toysrus.com: Failing to inform consumers of third party use
The toy store e-tail industry was rocked by a further privacy debacle in August 2000 when it was revealed that Toysrus.com, the e-commerce web site of the Toys R Us chain, was outsourcing data analysis of its consumer database to a third party company, Coremetrics, which was then retaining and using the data for its own data analysis purposes. The company's privacy policy made no mention of the outsourcing relationship, which involved the provision of customers' personal details, including names, postal and email addresses and phone numbers, to Coremetrics. Toys R Us had reserved the right to gather and analyse customer information in its privacy policy, but the fact that this analysis would be done by another company (which retained the data after analysis) prompted numerous complaints. Two separate class actions were launched against Toys R Us and Coremetrics, forcing the companies to terminate their business relationship in the wake of overwhelming negative publicity.
Stories of website security breaches which placed customer information at risk became familiar during 2000.
- The year began with online music seller CD Universe losing more than 300,000 credit cards to a Russian hacker. Credit card clearing house Creditcards.com lost another 55,000 records, and in December it was reported that hackers had broken into the Egghead website, potentially gaining access to 3.7 million customer profiles. The company later reported that investigations showed that the hackers had not gained access to the customer records.
- At the year's end, a hacker broke into the customer database of GlobalCentral.com, a Wyoming internet service provider, and sent out information on customers including their credit card numbers, bank account numbers, addresses, telephone numbers and the terms of their contracts with GlobalCentral. The hacker was reportedly motivated by opposition to GlobalCentral's support of a conservative family
- Furniture retailer Ikea attracted attention when it was revealed that its customer database, containing names, phone numbers and postal and email addresses, was publicly accessible on the web for over two days in early September 2000. The company claimed that the security breach was caused by a hacker, a claim disputed by experts who cited the lack of adequate authentication or firewall software as a contributing factor. The incident was Ikea's second privacy slip-up that year, with the company drawing criticism in March for adopting a spam-based advertising strategy. The company had offered a $75 discount coupon to any customer who emailed a promotional e-card to ten of their friends. The scheme generated 37,000 emails within one week before Ikea ended the promotion in response to severe public criticism.
- On 7 July 2000, a customer of British power utility Powergen, while attempting to pay a bill on-line, managed to accidentally uncover the unencrypted, publicly accessible credit card numbers and payment and personal details of 7,000 Powergen customers. In an attempt to deflect criticism, Powergen at first denied the leak, then later accused the would-be customer of 'hacking' their site. The story was picked up by on-line magazine Silicon.com, which obtained from the customer proof of the leak. Despite originally threatening legal action against both the customer and the magazine, Powergen later admitted that the blunder had not been caused by the customer but by the company, and assured customers that its system was now safe.
- In April, web search engines revealed pages containing the personal registration details of some 35,000 members of the adiamondisforever.com website, a site which gives information about diamonds and which is sponsored by De Beers.
- Similarly, a computing error on the Amazon.com website resulted in the email addresses of Amazon members being disclosed on an affiliate partner's website in September.
Australian Taxation Office: Failing to identify a major privacy issue
Privacy issues emerged as a significant problem during the implementation of major tax reforms in Australia in mid-2000. Central to the business tax reforms was the need to obtain an Australian Business Number (ABN) for business to business transactions. 3 million applications for ABNs were received during its first months of operation, although Australian Bureau of Statistics figures indicate that there are only 1.1m businesses in Australia, suggesting most ABNs were for individuals. But the ATO had not taken into account the extent to which individuals would obtain ABNs, and the fact that ABN records would contain a significant amount of personal information.
Legislation relating to the ABN established a publicly available Australian Business Register, including information on the holders of ABNs drawn from the ABN registration forms, and in addition the Tax Office was making available (at a charge of $20) records of registration-related information. Although the ABN registration booklet mentioned that some ABN information would be publicly available, the details of this availability were not clear and applicants were not informed of this on the pages where they entered information. After a substantial public reaction, and intervention by the Privacy Commissioner, the Treasurer agreed to legislative amendments and the Tax Office agreed to limit the amount of information available publicly, and to give individuals the option of limiting disclosure of their information if this disclosure could present a danger to them.
Privacy concerns were raised in Australia when a hacker accessed the business and bank account details of up to 27,000 businesses in Australia who were accredited suppliers of GST information and assistance packages to businesses through the GST Start-up Assistance Office. The 'hacker' reportedly obtained the information without actually hacking the site, as the information was provided on an ordinary page accessible through a URL on the site (the web address of which had not been disclosed). He then emailed 17,000 of the businesses to inform them of the security breach.
Other legal action
In other incidents, auction site ReverseAuction agreed to a settlement with the FTC in January 2000, agreeing to cease from engaging in unlawful practices involving the personal information of eBay users and deceptive spamming. Other legal action on privacy grounds was also launched against Amazon.com (through its subsidiary Alexa Internet, accused of sending personal information to Amazon.com without consent), and a class action suit was filed in Texas against Yahoo! on the basis of a Texan anti-stalking law, arguing that cookies are the equivalent of stalking.
The global context of privacy laws
The extension of Australian privacy legislation is occurring in the context of a rapidly changing global regulatory environment, where privacy has emerged as a major issue around the world as new technologies impact upon privacy rights. The global nature of information flows raises complex privacy issues because of the potential for personal information to flow from jurisdictions where information is subject to privacy regulation to other jurisdictions where there is little or no legal protection of personal information. This has been an especially controversial issue in recent years, with the European Union's privacy Directive restricting the flows of personal information to countries which do not have an "adequate" level of protection. This restriction has resulted in lengthy negotiations with the United States, which saw this requirement as a restriction on the development of e-commerce, while the EU argued that the US was neglecting a fundamental human right. After several years of meetings, the EU and the US concluded the "Safe Harbour" agreement, which gives some protection to the data of Europeans in the United States, and which came into effect from November.
Depending on the regional context of e-commerce transactions and alliances, it may be necessary to take account of the international context of legal protection for personal information. In simple terms, the two main approaches being adopted around the world to privacy protection are comprehensive privacy legislation, or a mix of self-regulation and specific sectoral legislation, the approach adopted by the US.
The push towards legal measures to protect privacy began in industrialised nations in the mid-1970s. In the late 1970s, the Organisation for Economic Cooperation and Development (OECD) assembled a group of experts who developed a set of basic privacy and data protection guidelines. The OECD Guidelines developed in 1980 were the first significant international agreement on privacy principles. These Guidelines formed the basis of privacy legislation in most industrialised nations in the following decade, incorporating eight principles relating to the collection, use and disclosure of personal information. However, the OECD Guidelines did not set out an explicit statement on how these principles may be enforced, even in relation to data held by the public sector. As a result, countries chose a range of measures to implement the privacy principles.
Globally, the most significant privacy legislation in the past decade was the European Union Directive on data protection, which came into force in October 1998 and is implemented through national legislation individually in EU member states. It establishes comprehensive protection of personal information held by the public and private sectors, whether held electronically or in any other form. The EU Directive has become the international benchmark for privacy protection, not least because countries without what the Directive describes as an adequate level of data protection will be excluded from information flows. The EU Directive has been a significant factor in countries outside of Europe implementing privacy legislation, including Hong Kong, Taiwan and Canada. Closest to home, the New Zealand Privacy Act 1993 established an Office of the Privacy Commissioner, who has powers to enforce the Information Privacy Principles contained in the Act in both the public and private sectors. The Commissioner is also able to issue Codes, which vary the application of the IPPs for a practice, company, technology or industry. The extension of Australia's Privacy Act brings Australia closer to the NZ position, although the Australian legislation is on several points of comparison
New Zealand's (such as with its broad exemptions).
The alternative to the legislated approach is to rely more heavily on self-regulation, which has been favoured in the United States. The regulatory environment of the United States is clearly the most influential for internet practices, given the US dominance whether measured by usage, sites, brand names or revenue. In this area, there have been significant developments in the past three years, which appear to be leading to internet privacy legislation.
Moves towards privacy legislation in the United States
After two years of monitoring the effectiveness of self-regulation, the Federal Trade Commission (FTC) concluded in May 2000 that self-regulation had failed to provide adequate privacy protection. While it indicated that significant progress has been made towards the development of industry self-regulation, it also noted that coverage of privacy safeguards is still inadequate and legislation has become necessary. The FTC recommended to Congress that legislation be developed to protect personal information online in its report Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress.
The FTC's conclusions came after its third web site survey reviewed a random sample of 335 websites and a group of 91 of the busiest 100 websites. The survey confirmed that most sites collect personal information (97% and 99% respectively) and that 88% and 100% respectively made some kind of statement about their information practices.
The report concluded that:
"Based on the past years of work addressing internet privacy issues, including examination of prior surveys and workshops with consumers and industry, it is evident that online privacy continues to present an enormous public policy challenge.
applauds the significant efforts of the private sector and commends industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient. Because self-regulatory initiatives to date fall far short of broad-based implementation of effective self-regulatory programs, the Commission has concluded that
efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, the Commission recommends
enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy
The FTC's recommendation for legislation would cover consumer-oriented commercial websites. In other words, it would be a specific internet privacy measure, rather than the comprehensive data protection legislation adopted by most other advanced nations. It would therefore continue the blend of sectoral legislation and self-regulation which has been adopted by the US in recent years.
The FTC's legislation would require that these websites comply with the four widely-accepted fair information practices:
- Notice, in which websites would need to give clear, conspicuous notice of their information practices, including information about what is collected, how it is collected, how it is used, how consumers are given choice, security, any access, whether information is disclosed to third parties and whether third parties collect information off the website.
- Choice, in which websites would be required to give consumers choices about how their information is used for purposes beyond the purpose of its collection, including internal and external secondary uses.
- Access, in which websites would give consumers reasonable access to the information which has been collected about them, and the opportunity to review information and correct any inaccuracies.
- Security, in which websites would be required to take reasonable steps to protect the security of the information obtained from customers.
These principles are a shortened version of the 1980 OECD principles, and are less extensive than those in the National Privacy Principles.
The internet industry in the United States is increasingly recognising the likelihood of privacy legislation. As in Australia, one of the strongest drivers of a national privacy regime in the United States is the concern of business groups to avoid a patchwork of inconsistent state-based privacy laws. New York, California, Maryland, South Carolina, Florida, Wisconsin and other states have been debating broad privacy laws. The American Electronics Association began a push for a uniform national privacy law in 2000, to avoid a "privacy maze". Meanwhile, in some states, individuals, sometimes backed by state governments, have begun taking the law into their own hands.
Yahoo! faces a creative claim under Texan anti-stalking laws for its use of cookie technology, which according to Dallas lawyer Lawrence J. Friedman allows the organisation "to watch, to spy, to conduct surveillance, to analyse the habits, inclinations, and states" of people who visit its sites "without consent, agreement or permission of the class members". Friedman is claiming $50bn in economic damages and, despite its inventiveness, if it gets a plaintiff-friendly Texan jury in an
of frustration over internet privacy the outcome cannot be certain.
During 2000 the United States saw several privacy initiatives, including medical privacy regulations, children's privacy laws, a ban on the use of genetic information in hiring and promotion in Federal agencies, the implementation of privacy policies on all Federal government websites and the growing use of Privacy Impact Assessments as a normal part of the process of developing new government computer systems.
President Bush has indicated publicly that he intends to adopt a pro-privacy stance on policy issues, and in a decision in April which angered the health industry the Administration approved health privacy rules which had been drawn up under the Clinton Administration. President Bush's apparent privacy commitment builds on public positions taken in 2000 by President Clinton and Vice President Gore, who both gave addresses on privacy issues. A swag of congressional privacy proposals in 2000 foreshadow the likelihood of an eventual agreement on legislation. The proposals range from a general study of privacy issues (the Privacy Protection Study Commission Act), to requirements that consumers give explicit, opt-in consent for sharing of data, as well as annual reports on data usage and a right to sue for misuse of data (Personal Data Privacy Protection Act). In between, proposals such as the Online Privacy Protection Act (with bipartisan sponsorship) and the Electronic Privacy Bill of Rights Act would require privacy policies on web sites, rights to opt-out of disclosure of information to third parties and rights to access.
A working group of Congress members from both houses and both parties was formed in late 2000 with the aim of reaching a consensus on new privacy laws, likely to impose a set of baseline requirements to which all Web sites might have to adhere under the working group's compromise legislation. In line with FTC recommendations, the legislation would require that the websites give notice about the collection and use of personal information, and visitors to websites would be able to choose either to opt out of the collection of their personal information or to limit the use of the information. The Federal Trade Commission would have oversight of implementation of the law.
By February 2001, 13 privacy Bills had already been introduced into the new Congress, and several from 2000 are expected to be reintroduced. The bipartisan Congressional Privacy Caucus is working towards a privacy Bill that embodies basic privacy principles and may even ban some internet tracking technologies such as web bugs. In March, the House Commerce Committee's Trade and Consumer Protection Subcommittee held informational hearings on privacy legislation. Opinion is split over the likely outcome of the growing Congressional debate on the issue, as direct marketing and other industry lobby groups are now mounting a campaign of opposition to legislative proposals.
Privacy has moved from being a relatively obscure civil liberties issue to becoming a critical building block for Australia's information economy. It is also a part of Australia's competitive positioning in the global information economy. The legal protection of personal information reflects public expectations, and for this reason businesses must think not only about how to meet their forthcoming legal obligations, but also about whether they handle sensitive personal information and what their customers expect from them. In that sense, privacy should be seen as a strategic challenge and opportunity, and not just a technical matter of legal compliance. In order to build consumer trust, manage information effectively and avoid any privacy landmines, businesses need to ensure that they align their privacy strategy to their broader strategic direction.
With only months remaining until the amendments to the Privacy Act come into effect, it is worth noting that organisations which do not have all of their information practices in order by 21 December are unlikely to face grave consequences. However, there will be a significantly increased risk after 21 December, and it is important that organisations work strategically to minimise their risks and to focus on how they can meet customers' expectation that their personal information will be respected and that they will remain in control of it. This is the fundamental issue at the heart of the new era in privacy safeguards which will commence in the coming months.
Tim Dixon, Baker & McKenzie Global Privacy Group, Sydney
Privacy Committee Act 1975 (NSW).
Westin, A., Privacy and Freedom, New York, 1967, p 39, quoted in Goldman, J., "Privacy and individual empowerment in the interactive age", paper presented at the Visions for Privacy in the 21st Century conference, Victoria, British Columbia, May 9-11 1996, p 26.
Trubow, G., "Protocols for the secondary use of personal information", unpublished paper, John Marshall Law School Centre for Informatics Law, February 22 1993.
Privacy Commissioner, Guidance notes to the National Principles for the Fair Handling of Personal Information, January 1999.
Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000.
Tim Dixon, "Surveys confirm high public concern about privacy", 2 Privacy Law and Policy Reporter 1995 vol. 9.
Ernst & Young, "Virtual Shopping in Australia: An Ernst & Young Special Report", January 2000.
OECD Guidelines covering the protection of privacy and transborder flows of personal data, Paris, 1980.