Lost in the privacy landscape

Finding your bearings in the Australian privacy landscape has become increasingly difficult, says Gilbert + Tobin’s Peter G Leonard.

Australia’s privacy and data protection laws are hard to explain and often poorly understood. The first challenge is to explain that the Australian Privacy Commissioner sits in the Office of the Australian Information Commissioner (OAIC) and applies laws that the Australian parliament has misleadingly called ‘principles’.

The second challenge is describing how to read principles as laws and fit them together with other provisions in the Privacy Act that clearly are drafted as laws.

And then there’s the difficulty of trying to interpret these provisions when dealing with novel issues such as cross-border cloud deployment and access to personal information held in another jurisdiction (or jurisdictions unknown), geo-tracking of devices, data warehouses, virtualised servers, big data and customer data analytics.

Third is the challenge of explaining how privacy and security by design become law from 12 March 2014 (through principles drafted in very general terms that never refer to these concepts).

Privacy and security by design must then become part of information flows and the engineering of how organisations structure their processes and design their products. The law will then require organisations to devise technical, operational and contractual safeguards to implement privacy and security by design.

But industry practice has not yet developed to the stage where we can reliably say what safeguards are appropriate, implemented how and when.

Scepticism often sets in when management are told by some hapless lawyer or privacy professional that this isn’t just a case of bolting on some additional technical security to existing information and work flows.

Incomprehension usually arrives when the information engineers and the privacy and compliance professionals gather together and the engineers hear that their best practice security risk management frameworks and methodologies don’t really work for personal and sensitive information.

They also hear that all that information about customers that looks innocuous and everyone ‘must know’ is really personal information about individuals that is regulated.

Next is the challenge of explaining the legal status of guidance from the OAIC, particularly in an environment where the Australian parliament dodges hard issues by placing increasing reliance upon OAIC guidance. The parliament does this without giving OAIC guidance any formal legal status.

Then follows the challenge of explaining that although the Privacy Commissioner, Timothy Pilgrim, has a central guidance and enforcement role, he has been allocated very limited staff and other resources.

In fact, the resources available to the commissioner have declined despite a major expansion in his responsibilities and the range and complexity of privacy issues throughout the Australian economy.

Given that it is important that the commissioner provide guidance on the application of the new privacy laws, one can’t really expect that his meagre resources budget will leave much to say about the gazillion privacy policy issues exercising privacy regulators and professionals around the globe.

And the commissioner also has to address major government privacy issues, such as facilitating data sharing between government agencies and cloud computing. And deal with PRISM. Just wait until the industry codes (APP Codes) start arriving on his desk!

Everyone’s in on the act

Privacy also pops up in lots of different places in Australia nowadays. The Australian Communications and Media Authority (ACMA) has become a very active privacy policy maker.

First by applying its Privacy Guidelines for Broadcasters in investigations about privacy related infractions of broadcasting codes, the ACMA has been the chief developer of the law as to serious invasions of personal privacy as applicable to the electronic media.

So although we do not yet have an accepted private right of action for invasion of privacy in Australia, the ACMA has developed and applied rules as to what is a serious invasion of personal privacy.

Second, through the ACMA’s application of the Telecommunications Consumer Protections Code C628:2012 (the TCP Code), the ACMA has become a principal regulator of handling and use of telecommunications-related personal information.

The TCP Code has strong privacy provisions which require telecommunications service providers to, among other things, have robust procedures to keep customers’ personal information secure.

These provisions have been applied against providers for failing to adequately secure stored customer information from third party hack-in intrusions.

The ACMA has alas been a vigorous enforcer of spam and do not call legislation, two key planks in regulation of electronic marketing.

And the ACMA has been using its research and policy budget to good effect, recently releasing detailed discussion papers on diverse privacy related topics, such as why ‘coherent regulation is best for digital communications policy’, cloud services, near field communications and apps.

These papers include proposals for an active role for the ACMA in further development of privacy regulation of all information passing through telecommunications links or over radio communications or derived from communications services. In an interconnected digital and cloud-based world, that’s most information.

But that’s not all. We have the Australian Competition and Consumer Commission (ACCC) applying Australian Consumer Law. In the United States, the Federal Trade Commission has used comparable laws to become a de facto regulator as to the fairness and intelligibility – in the new trendy new term, ‘transparency’ – of privacy statements and consumer contracts.

These laws are also powerful tools for the regulator to argue that if a corporation does not comply with its own privacy statement, that corporation is guilty of misleading or deceptive conduct.

We also have the Australian Attorney-General’s Department applying poorly understood Telecommunications (Interception and Access) Act 1979 and Criminal Code provisions relating to unauthorised access to stored communications – such as email servers – and other unauthorised access to information technology systems. Arguably, many cookie deployments today infringe these provisions.

And we also have state and territory governments and regulatory authorities applying state and territory privacy laws relating to personal information derived from their agencies, use of workplace or video surveillance technologies, use of tracking devices and technologies and access to computer data. There is plenty of overlap of state and federal law, and plenty of variation in the content of these laws.

And then, of course, there are industry codes of practice, many of which include provisions dealing with privacy and provide remedies for non-compliance.

Privacy and data protection in Australia has become a confusing landscape, with forests of regulation to get lost in, unexplored corners and many poorly understood rules.

At a time when privacy and information security is becoming a major area of concern for governments, businesses and consumers, it is unfortunate that Australia has created such a confusing thicket of regulation and quasi regulation.

So the next time that the CIO chairs a security and privacy compliance meeting with the CMO, the HR director, IT security experts and privacy professionals, and that meeting disappears into a cloud of mutual incomprehension, you’ll understand why.

Peter G Leonard is a partner at Gilbert + Tobin Lawyers and a director of the International Association of Privacy Professionals ANZ.