Privacy @ CFP

Privacy and Data Protection: Developments in Australia

With the Acxiom/Packer joint venture in data-warehousing serving as a powerful catalyst for raising public awareness about privacy, the Coalition Government was finally forced to act. On November 30, the Attorney General stated ‘Reports of a data warehouse of personal and financial information being developed by Acxiom highlight the importance of the private sector privacy legislation. The collection of information by Acxiom and its database will be covered by the legislation.’

He lied. The legislation will not apply to existing databases at all, least of all the Acxiom/Packer database that contains personal information about millions of Australians.

This is just one of many grave concerns being expressed by the federal opposition and other advocates for a genuinely co-regulatory framework for privacy in Australia. Other major concerns include lack of enforcement provisions and the introduction date, set at well over a year away.

After all the promises and tough talking it seems obvious that the vested interests have once again been well-served by the Coalition. The exemption for existing databases is a blatant example of the government protecting existing corporate interests, particularly in the lucrative data-warehousing sector. By exempting the proposed legislation from applying to existing databases, the Government has created a handy barrier to entry for new competitors.

There will be little tolerance for such a negligent approach to privacy in the Australian community. Public awareness is growing as internet users in particular wise up to some of the more manipulative techniques of online marketeers. Even seemingly harmless features on web sites are potentially tools for collecting data. For example, E-tractions GameServer software analyses the quiz-takers’ answers to learn more information about them in order to target them with ads.

Controversy and intrigue are growing about the prevalence with which many dot.coms derive revenue streams by on-selling personal data. Whereas a backward glance at sophisticated marketing technology and methodology reveals a long history of cross-referencing information, the power of the Internet and associated technologies has allowed for the consolidation of massive amounts of data, with cross-referencing techniques creating new services for new markets.

Personal information about spending habits is valuable to corporations and companies will pay a fortune to gain an edge. The purchase of potential customer profiles keeps marketing tightly focussed and efficient. The result is an unregulated global, multi-billion dollar industry in personal data-trafficking.

According to a survey conducted by US market researcher Odyssey, 82 percent of households with Internet access believe–somewhat or strongly–that the government needs to regulate online companies’ use of consumers’ personal data. Further, 92 percent of Internet-connected households say they do not trust Web sites to safeguard the confidentiality of their personal data, even if the sites promise to do so.

This depth of angst in the community about privacy is driving a political response in parliaments around the world. The European Union set the pace in 1998 with the Data Protection Directive. Under this Directive, EU Member States must ensure personal data transferred to non-EU countries is “adequately” protected. This requirement has placed pressure on many countries to act to protect privacy in both the public and private sectors.

Dialogue between the US and the European Commission has led to a recent announcement regarding their ‘safe harbor’ arrangement. Under the arrangement, the US Department of Commerce will establish a list of companies adhering to a set of data protection rules and related enforcement requirements that the European Commission has found to provide ‘adequate’ protection. Adherents to the ‘safe harbor’ will thus be secure against data blockages, the sanction that constitutes the teeth in the EU Directive.

Compliance will be checked in the first instance by private sector bodies, but non-compliance will also be subject to legal sanctions, notably under Section 5 of the US Federal Trade Commission Act, which forbids misrepresentation and deceptive trade practices (e.g. announcing adherence to a privacy arrangement and then ignoring it).

This ‘safe harbor’ proposal, which is yet to be endorsed by the European Parliament, represents a significant weakening of the provisions of the EU Directive on Data Protection. It is a win for the US which, despite legislation existing in many states, looks to remain unregulated at the federal level.

In many respects the Coalition bill is no better. The massive exemption for existing databases effectively mandates abuse and the delay in implementation invites a frenzied market response in preparation for the ‘stable door closing’ in July 2001, the date of commencement in the privacy bill.

One particular area of concern is the privacy of personal information collected and managed by the public service that is now being outsourced in massive multi-agency clusters to multinational IT corporations. This makes a mockery of the original Privacy Act 1988, as its application ceases in those departments and agencies where the information technology has been outsourced.

The only assurance that has been offered by government agencies is that the provisions of the Privacy Act 1988 are reflected in a clause in the contract. However, the Government has prevented scrutiny, through the parliamentary process, of the privacy provisions in these contracts by hiding the details behind claims of ‘commercial in confidence’.

The Coalition’s bill does not offer privacy or protection of these databases on highly sensitive personal information.

How personal information collected by Governments is handled is fast becoming the focal point for much of the privacy and data protection debate. For example, dot.com Medical Logic offers a subscription-based ‘online portfolio of your health assets’ to Americans. The company’s value proposition is ubiquitous access by the health consumer, their doctor, specialist etc, to a full set of personal medical records via the internet.

In addition to reasonable concerns about the security and confidentiality of such data, there is a raging debate about the practice of selling aggregate, non-identifying data to pharmaceutical companies for the purposes of research and market analysis.

With the Health Insurance Commission having recently outsourced their information management to IBM-GSA, and Centrelink next in line, it is likely that the fires of public debate about privacy and data protection will once again be stoked. Ironically, the fundamental inadequacy of the Coalition’s privacy bill has fanned the flames, provoking intense parliamentary scrutiny into the bill.

Industry and the community are looking for leadership and certainty with respect to privacy. The Coalition approach to privacy means they will have to keep looking. The strength of a genuinely co-regulatory approach to privacy lies in the clarity of the legislative framework, cooperative structures for the community and industry and credible, enforceable sanctions: none of which are features of the current bill.
