In 2000, Scott McNealy, CEO of Sun Microsystems, made a pronouncement that struck a chord with all who live and work in the internet-connected world. He told us, ‘Privacy is dead — get over it’.
Developments in the six years since — continued technological change and ‘the war on terror’ with all its associated hyperbole — have, for some, confirmed that McNealy was right.
Yet there is strong evidence that privacy is something we value, and not simply because it is protected from arbitrary interference in the Universal Declaration of Human Rights and other international treaties.
In a 2004 survey for the Federal Privacy Commissioner, Roy Morgan Research found that over 90% of those questioned expressed concern about organisations accessing personal information without their knowledge, information being used for purposes they didn’t know about, and being asked for information not relevant to a transaction.
Despite these concerns, most accept that there must be a balance between our right to privacy, the compromises we make in exchange for goods and services, and the legitimate interests of government.
Thanks to Bill Leak.
We expect the balance to be represented by fair information-handling practices and transparency about what organisations do with personal information. In some circumstances we expect to be able to have some say in the matter.
Australia has a patchwork of privacy laws but governments are struggling to keep up with intrusive practices in the market place, particularly when it comes to the internet. All of us can be ‘googled’, information on the internet may be around forever, and the experts tell us internet security is an oxymoron.
Governments themselves — in the name of security or efficiency — also stand accused of intruding unnecessarily on our privacy rights. The laws in this area are complex, with overlap and uncertainty in important respects, but still with large gaps in scope and coverage.
Following recommendations by the Federal Privacy Commissioner and a Senate Committee, the Federal Attorney General, Phillip Ruddock in February asked the Australian Law Reform Commission to undertake an examination of Australian privacy laws. However, no quick fix is likely — the Commission has until March 2008 to complete its work.
The Productivity Commission’s recent report ‘Rethinking Regulation’ says that businesses see existing privacy laws as costly and part of the ‘cumulative regulatory burden’. The report recommends a national review of privacy laws from the business perspective.
Health researchers believe that privacy laws are limiting important medical research. The Australian Health Ministers Advisory Council has for years been working to develop a national framework for health privacy, but so far there is no evidence of progress, or even a timetable.
Inadequacies in the current system
The following are just a few of the many inadequacies in the current system.
Our privacy laws do not require an organisation to inform individuals where there may have been a breach of privacy, even a major breach which may lead to identity theft and fraud. The US law on this has been tightened following high profile instances last year of hackers illegally accessing the credit card accounts of millions of Americans, with the US congress and 37 states introducing laws, or currently considering, laws that require notification to those who might be affected by such breaches of privacy. In Australia the privacy regime only provides for a complaint once a person comes to know about a possible breach.
Private sector organisations with a turnover of less than $3 million are not covered by Australian privacy laws, except if they provide a health service or trade in personal information. Many have criticised the private sector provisions of the Federal Privacy Act have as weak and declared that privacy commissioners who have oversight responsibilities have under-resourced.
Large chunks of personal information are excluded from privacy laws. For example, the Federal Privacy Act does not apply to employee records.
But the NSW Government is the worst offender, as evidenced by its success in the Australian Privacy Foundation’s 2005 Big Brother Award for ‘a privacy invader with a long record of profound disregard for privacy’.
The NSW Privacy Commissioner has brought to the Government’s attention that NSW public servants enjoy less privacy protection than others because legislation excludes information about suitability for appointment or employment as a public sector official.
Also last year the NSW Administrative Decisions Tribunal (ADT) held that privacy legislation does not cover personal information available to the NSW Police Service associated with law enforcement. In a case involving an imposter who gave an innocent person’s name who was then subjected to numerous visits by police including an attempt by the NSW Sheriff to seize household goods in payment of the imposter’s debt, the tribunal found that the innocent person whose identity had been used had no rights under NSW privacy legislation.
There are more privacy blackholes in NSW to report such as the recently established Public Transport Ticketing Corporation established to manage the introduction and operation of integrated ticketing services for public transport. Because this is to be a State Owned Corporation it will not be subject to NSW privacy laws (others in this category include NSW Lotteries and Sydney Water). The Government says it will ensure ‘administrative’ compliance with the law even though the rights to independent review of privacy complaints by the ADT and potentially damages of up to $40,000 for breach, will not apply to the Corporation.
These gaps and anomalies are just part of a broader picture which the Australian Law Reform Commission Report should address (in 2008).
There are other concerns about new or emerging privacy intrusions: closed circuit TV cashless tollways, tracking devices, and telephones. Then, of course, various ID cards are under consideration including a Medicare smartcard, a smartcard driver’s license in Queensland and a National ID card.
Governments have also been expanding the powers of the police and intelligence services in the name of protecting us from the threat of terrorism. Some changes have seen further erosion of rights to privacy. The latest ‘necessary’ change is legislation which will confer powers on Federal authorities to tap the telephone and emails of anyone who may have been contacted by someone who turns out to be a terrorism suspect. The Law Council says that inevitably this will involve collection of information about innocent people.
Even where laws do apply, enforcement mechanisms are weak. Privacy Commissioners have limited resources and there is little audit or review. Where such activities are undertaken the results are not reassuring. The Victorian Privacy Commissioner recently reported on privacy issues arising out of the use of surveillance cameras in taxis and found serious shortcomings. Who knows about the situation in other states?
Striking the right balance to protect privacy
Privacy rights need a uniform, clear, comprehensive and up to date protection framework which strikes the appropriate balance between these rights and other legitimate interests. In its absence, governments and technological change will continue to eat away at rights we expect, and largely take for granted.
The Human Rights Act Campaign’s proposal for a Human Rights Bill includes the right to privacy. The Bill won’t solve the privacy problem. It will however mean that privacy issues must be addressed appropriately. It is an important opportunity to attempt to draw some lines in the sand to require parliaments and the courts to take privacy seriously.
The message for governments should be that the fundamentals need to be sorted, and quickly. To leave this issue to one side until 2008, with who knows what unanticipated developments between now and then, itself constitutes a significant privacy risk. Privacy issues, as with other important considerations, need to be considered when new policies and projects are under consideration. Australian governments should follow Canada’s lead in making privacy impact assessments a mandatory requirement in government decision making.
Lets hope McNealy’s ‘privacy is dead’ statement comes to be seen as a clever one liner rather than an accurate or prophetic description of our future rights.