Adequacy of Australia's online privacy framework
Rapid developments in online computing technology over recent decades
have created important opportunities for Australian individuals and businesses,
facilitating access to vast quantities of information and allowing businesses
to take advantage of international markets. As Mr Flynn, Head of Public Policy
and Government Affairs, Google Australia, noted:
The online world offers tremendous opportunities for
people—opportunities to get access to all the information in the world and
opportunities to communicate and collaborate with people everywhere.
Australians are enthusiastic users of the internet. We have research from
Nielsen which shows that some 86 per cent of Australians have internet access.
However, during this inquiry, it was emphasised to the committee that
continuous advances in online technology and computing power creates constant
challenges for privacy regulators around the world. The past decade has seen
the development and rapid adoption of web 2.0 technologies—that is technologies
'characterised by enabling greater online interaction and user-generated
such as social networking websites, blogs and video and photo sharing
websites—as well as rapid advances in computing power. These developments have
made it possible to store and share great quantities of personal data, and made
individuals increasingly likely to upload personal information onto the web.
A combination of these and other technological advancements has exacerbated
existing concerns about the adequacy of Australia's privacy framework to
protect the privacy of Australians online, as well as created new privacy
As the Privacy Commissioner, Mr Pilgrim explained:
Privacy remains a key issue in the information age...In the
internet age personal information is easy to access and publish. It is
searchable, downloadable, reusable and can remain in circulation sometimes indefinitely.
These changed conditions for information handling can have a
significant impact on the protection of individual privacy. Once released
online, it can be difficult to recoup, delete or control what happens to personal
Furthermore, the ease with which information can be sent overseas means
that Australian regulators have a diminishing ability to control the way in
which individuals and organisations capture, store and handle personal data. Ms
King-Siem, Vice President, Liberty Victoria, noted:
For almost any given interaction there is a good chance that
your information is shooting its way around the world and some along the way
may or may not be captured.
Mr Jacobs, Chair, Electronic Frontiers Australia (EFA), explained that a
key concern with personal data 'shooting its way around the world' and being
captured is the uncertainty about whether the information is being monitored or
stored, and if so, by whom and for what purpose:
If your traffic is flowing through another country, for
instance the United States, we have definitely heard reports about widespread
real-time monitoring of communications in there. There was a lawsuit filed
against AT&T for their complicity in installing massive hardware at the
behest of the National Security Agency to monitor all of the real-time
communications on AT&T’s network, and that court case did not go anywhere
because congress passed a law giving them retroactive immunity...when you send
somebody an email, you do not know where it is going to go. It could certainly
be in another jurisdiction where that [monitoring] is occurring...It is a
public fact that information sent to China goes through the so-called ‘great
firewall’, which does keyword monitoring, for instance.
There have been a number of recent high profile instances of personal
data being improperly captured or released. Possibly the most striking was the
collection of payload data from unencrypted Wi-Fi networks by Google's street
cars in over 30 countries, including Australia.
Representatives of Google who appeared before the committee described the
collection as a 'mistake', as did Google's Senior Vice President of Engineering
Mr Flynn, Head of Public Policy and Government Affairs, Google
Australia, stated that Google has apologised for this mistake, and taken steps
to ensure similar privacy breaches do not occur in Google's future projects.
While the Chair of EFA, Mr Jacobs, believes that 'Google should have
known better and should have done better', and that Google 'deserve[s] to cop a
bit of flack for what they did, because it was a serious invasion of privacy',
Mr Jacobs also acknowledged that the incident was most likely an error rather
than a deliberate 'part of a broader or more sinister trend to spy on people'.
The committee notes that the AFP has finalised its investigation into
whether Google's actions constituted a breach of the Telecommunications
(Interception and Access) Act 1979, finding that while there may have been
a breach, it was inadvertent. In addition, the AFP concluded that the
difficulty in gathering evidence means that pursuing the matter further 'would
not be an efficient and effective use of the AFP's resources'.
Another recent, high profile example involved applications on the social
networking site, Facebook, transmitting personal information to advertising
companies without user's knowledge or consent, and against Facebook's privacy
The implications of these privacy breaches for individuals can be
significant. Criminals can aggregate online personal data to facilitate
criminal activity, such as identity theft and fraud.
Concerns have also been raised that the aggregation of data may leave certain
groups of individuals vulnerable to discrimination. For example, the Australian
Federation of AIDS Organisations submitted that without careful data privacy
controls, the aggregation of health records may result in HIV-positive
individuals being discriminated against by health providers because of their
Individuals whose personal data is released can also, and probably more
commonly, suffer great embarrassment as a result of the information being
publicised, or further intrusions on their privacy such as unsolicited emails
or telephone calls from marketers.
The CEO of the Australian Communications Consumer Action Network
(ACCAN), the peak body for Australian consumers on telecommunications and
online issues, Ms Corbin, told the committee that:
Our membership, and consumers in Australia generally,
highlight that they are very concerned about privacy issues overall, especially
given the greater reliance upon communications technology and also by companies
who collect our personal data on technology that includes access to cloud
applications and databases that are perhaps increasingly collecting more and
more information with a potential for harm and for mistakes to happen
increasing in magnitude as a result.
During this inquiry the committee received evidence about a large number
and wide range of privacy concerns that have been created or exacerbated by
online technological advances. It is not practical for the committee to explore
all of the concerns raised in detail in this report. Instead, this chapter has
identified five key aspects of Australian privacy framework which underpin the
vast majority of concerns raised during this inquiry about the adequacy of
protections for the privacy of Australians online:
the exemption of small businesses from the Privacy Act 1988;
online behavioural advertising;
transnational data flows; and
whether Australia needs a statutory cause of action for breach of
The Australian Privacy Foundation (APF) submitted that:
The concept of consent is probably the single most serious
weakness in Australia's privacy regulation. No matter how dire, there is
virtually no type of privacy violation that cannot be justified by reference to
the victim having consented to the action in question.
Many of the restrictions on the collection, use and disclosure of
personal information that apply under the Privacy Act can be avoided if
an individual's consent is obtained. For example restrictions apply on the use
of information for a secondary purpose (i.e. not the purpose for which it was
collected), and the transfer of information offshore under a contract. However
the restrictions do not apply if consent is obtained.
The exposure draft of the new APPs retains the centrality of consent in
overcoming many of the restrictions placed on the collection, use and
disclosure of personal information.
The APF argued that the ease with which consent can be obtained is
disproportionate to the cure-all effect that it has on individual privacy, and
Privacy protection is virtually meaningless where its
protective application can be so easily circumvented, for example by [an]
Internet user being forced to "consent" to unspecific privacy
invasive practices, bundled with pages of other terms and conditions, when
signing up for a social networking account.
The APF suggested that stricter regulation of consent is required, and
suggested consumer protection measures of the Trade Practices Act 1974
as a model.
As briefly discussed in chapter 2, the privacy policies to which
individuals are often required to consent in order to obtain an online service
are often lengthy and complex. This issue was raised by a number of submitters
and witnesses to this inquiry.
Ms Corbin, CEO, ACCAN, informed the committee that:
Most consumers tell us that they do not read them [privacy
statements] and that they just tick a box because they want to get on and use
the service...In the end people really want to use the services, so they are
faced with the decision of whether to use the service or to waive a right, and
in most instances they do not understand the legalese that they are waiving
their right to. So it is ultimately a waste of time to have these agreements.
Similarly, Ms Miller, from the Law Institute of Victoria, stated:
I think with online access everyone wants it to be quick and
is used to it being quick. When confronted with a 20-page document that still
seems to be written in 1950s legalese and which has not been touched by the
trend towards plain English, I absolutely agree that people just click through.
Ms King-Siem, Vice President, Liberty Victoria, agreed with the APF's
submission about the idea of consent being 'a bit of a furphy',
because of the fact that people are required to tick a box waiving their legal
rights so that a transaction can occur.
Ms King-Siem argued that much of the time the personal information collected as
a result of this 'consent' or waiver is not even necessary, and gave the
example of Facebook requiring users to enter their real name.
However, Mrs Rohan, Director, Corporate and Regulatory Affairs, ADMA,
The majority of websites have pretty clear privacy
statements. In addition to that, they have very clear cookie statements. It is
difficult to see how they would be manipulating people in those instances.
Mrs Rohan used the example of a recent lecture at which she asked
advertising students whether they played games on Facebook, and received the
response that many did not because they had read the privacy policies and
decided against using those services. Mrs Rohan stated:
The issues that ACCAN raised of some people not understanding
the privacy policies and the readability and the understandability of them are
true, but I do not think that should denigrate the fact that a vast amount of
the population are alert to potential privacy issues, do read consent notices
or privacy notices and do make a choice not to deal in some instances where
they have concerns.
The committee agrees with the comments of most witnesses, including the
Privacy Commissioner, about the fact that people are often required to consent
to numerous pages of legalese, waiving their privacy rights, in order to use
web-based services. Anecdotal evidence indicates that most consumers simply
'tick and flick' these consent forms without actually reading them. In the
committee's view this is a serious problem that needs to be addressed within
Australia's privacy framework.
While the Privacy Act has long allowed consent to justify the waiver of
privacy rights in the offline sphere, it seems to the committee that the
over-use of complex consent forms has increased exponentially with the
expansion of online services. Furthermore, Liberty Victoria submitted that offline
and online transactions requiring consent have some fundamental differences,
online transactions often are not covered by Australian law;
the data may therefore be used for purposes, or disclosed to
other organisations, not envisaged by the consumer;
third parties may be collecting the transactional data; and
electronic data is rarely deleted, and is more accessible to more
people and organisations than offline data.
Liberty Victoria also argued that:
Social and financial pressure is increasing on
consumers/businesses to interact online. Goods are cheaper, bills lower when
paid online and social networking sites have reached ubiquitous levels; the
pressure to interact/transact online has increased, but the understanding of
that transaction/interaction has decreased. In practice, this lack of knowledge
reduces the 'genuineness' of consent in online transactions/interactions.
The United States Federal Trade Commission (FTC) recently reported on
'Protecting Consumer Privacy in an Era of Rapid Change' and recommended a
framework for businesses and policymakers in dealing with consumer privacy
The FTC's findings corroborated the Australian Privacy Commissioner's evidence
that privacy notices are often ineffective, misconstrued by consumers, lengthy
The FTC recommended that:
Privacy notices should be clearer, shorter, and more
standardized, to enable better comprehension and comparison of privacy
Based on the evidence received in this inquiry, the committee wholeheartedly
supports this recommendation of the FTC in the Australian context. The
committee also emphasises the importance of an enforcement mechanism to ensure
that industry complies with a requirement for shorter, clearer and more
standardised privacy notices. Accordingly, the committee urges that the Privacy
Commissioner's complaint-handling role under paragraph 21(1)(ab) of the Privacy
Act be expanded to more effectively address complaints about the misuse of
consent forms in the online context, particularly those which result in the
disclosure of personal information. The committee also recommends that the OPC consider
the issue of the genuineness of consent in the online context, and develop
guidelines on the appropriate use of privacy consent forms for online services.
The committee recommends that the Australian Privacy Commissioner's
complaint-handling role under paragraph 21(1)(ab) of the Privacy Act be
expanded to more effectively address complaints about the misuse of privacy
consent forms in the online context.
The committee further recommends that the Office of the Privacy
Commissioner examine the issue of consent in the online context and develop
guidelines on the appropriate use of privacy consent forms for online services.
Small Business exemption
Since amendments made in 2000, the vast majority of Australian
businesses have been exempt from complying with the requirements of the Privacy
The Act provides that small businesses are excluded from the definition of
'organisation' under the Act and are generally exempt from its operation.
A small business is defined as having an annual turnover of $3 million or less.
However, a small business may be captured by the Act if it:
provides health services and holds health information (other than
collects personal information or discloses personal information
for a benefit, service or advantage (unless it always has the consent of the
individuals concerned or always does so when authorised by legislation);
is providing services to the Australian Government or its
is related to a larger business;
is a reporting entity under the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006;
is a 'protected action ballot agent', or an association of
employees for the purposes of the Fair Work Act 2009;
is prescribed by regulation;
opts in to the Act.
While the committee was not provided with recent, official data on the
number of small businesses with annual turnovers of $3 million or less, as at
June 2007, 94 per cent of actively trading businesses in Australia had
annual turnovers of less than $2 million.
Accordingly, the Act's small business exemption applies to the vast majority of
Australian businesses, including most of those that collect personal
The Privacy Commissioner, Mr Pilgrim, explained to the committee:
If an organisation within Australia is a small business, as defined
by the Privacy Act—that generally means it falls underneath the $3 million
threshold—then the Privacy Act does not apply to any of its activities: how it
collects the information, what it needs to do with the information, and who it
passes it on to. Flowing from that scenario, if that small business that is
exempt from the act then passes that information to an organisation overseas,
and assuming that that organisation overseas has no links to Australia, then
with that scenario the Privacy Act would not come into play for either the
small business or the overseas entity, and therefore that personal information
would not be subject to the protections of the Privacy Act.
The purpose of amending the Act to exempt most small businesses was 'to
minimise compliance costs for small businesses'.
The (then) government also justified the exemption on the basis that many do
not pose a high risk to privacy.
In 2005, the Senate Legal and Constitutional Affairs References
Committee considered the exemption, and recommended that it be removed from the
Act, given that the exemption is 'too broad and too complex', that 'privacy
rights should not disappear just because a consumer happens to be dealing with
a small company', and the fact that 'other jurisdictions, such as New Zealand,
operate effectively without any small business exemption'.
In its review of the Act in 2008, the ALRC found that 'given the
increasing use of technology by small businesses, the risk posed to privacy may
not necessarily be low'.
Accordingly, the ALRC also recommended that the small businesses exemption be
removed from the Act.
The government has not yet responded to this particular recommendation.
Mr Pilgrim, the Privacy Commissioner, argued that there needs to be a
balance between ensuring that small businesses are not overly and unnecessarily
burdened by privacy regulation and ensuring that those businesses with large
holdings of personal information are required to protect that information.
Mr Pilgrim discussed Internet Service Providers (ISPs) as an example of a
business that might hold large quantities of personal information about
customers but which might have an annual turnover of under $3 million and thus
be exempt from the Privacy Act.
Mr Pilgrim informed the committee that:
There is already provision within the Privacy Act that, in
that situation, a group of organisations such as ISPs can be inscribed into the
coverage of the Privacy Act—so there is a mechanism to do that.
The provision to which Mr Pilgrim referred provides that regulations may
prescribe that the Act applies to a class of small business operators which
would otherwise be classified as small businesses.
Mr Pilgrim warned:
We would need to look carefully at any recommendation to
remove the small business exemption, because I too would acknowledge that there
is potentially an impost through the regulatory process on small businesses that
may not need to have that sort of impost. If I could use not a glib term but a
colloquial example: the local fish and chip shop or the corner milk bar may
have very little personal information. But if you remove a blanket exemption
like the Privacy Act from small business then there may be issues that they
would have to consider that may not necessarily warrant that level of
regulatory burden on them.
The committee notes that the exemption of small businesses from the Privacy
Act means that over 90 per cent of Australian businesses are currently not
required to comply with the provisions of the Act. This is entirely appropriate
for many traditional offline businesses, such as a local fish and chip shop, in
which limited details about customers are given during a transaction, and
accordingly the business's holdings of personal customer information are likely
to be limited and its risk to privacy low.
However, the exponential growth in the use of online technologies
through which consumers transact and interact with business means that a
growing number of small Australian businesses may now hold and use significant
quantities of personal information which is routinely given in the course of an
ordinary online transaction.
Furthermore, there are new categories of companies which operate in the
online environment and by their nature have access to vast quantities of
personal data, such as ISPs.
In other words, the online business environment in which many small
Australian businesses now operate appears to present substantially greater
risks to personal privacy than the old offline model.
The committee is particularly concerned about the fact that certain
small businesses which hold significant quantities of personal data are exempt
from the Privacy Act and accordingly are able to transfer the personal
information of their customers offshore without restriction or oversight. In
the committee's view, small businesses which hold significant quantities of
personal information, or which transfer personal information offshore, ought to
be subject to the provisions of the Privacy Act.
The committee accepts the Privacy Commissioner's comments about there
being existing mechanisms within the Privacy Act through which categories of
small business that pose a significant risk to privacy can be made subject to
the Act through prescription in regulation. However, the committee believes
that these existing mechanisms must be utilised more effectively by government.
It would be timely and appropriate for the Privacy Commissioner to conduct a
review of categories of small businesses with significant holdings of personal
information and to make recommendations to government regarding the
prescription of additional categories of small businesses which ought to be
subject to the requirements of the Privacy Act. The government must ensure that
the risks posed to individual privacy by small businesses which routinely hold
significant quantities of personal data or which transfer personal data
offshore are mitigated by Australia's privacy framework.
Proposed Australian Privacy Principle 8 has provisions relating to
transfer of information overseas; however the small business exemptions will
still apply. In the committee's view all organisations transferring personal
information overseas should be subject to the Privacy Act.
The committee recommends that the small business exemptions should be amended
to ensure that small businesses which hold substantial quantities of personal
information, or which transfer personal information offshore are subject to the
requirements of the Privacy Act 1988.
To achieve this end, the committee urges the Australian Privacy
Commissioner to undertake a review of those categories of small business with
significant personal data holdings, and to make recommendations to government
about expanding the categories of small business operators prescribed in
regulations as subject to the Privacy Act 1988.
The committee further recommends that the second tranche of reforms to
the Privacy Act 1988 amend the Act to provide that all Australian
organisations which transfer personal information overseas, including small
businesses, must ensure that the information will be protected in a manner at
least equivalent to the protections provided under Australia's privacy
Related discussion relevant to small business transferring personal
information overseas is at paragraph 3.106ff.
Online behavioural advertising
Developments in online technology have created new, lucrative
opportunities for advertisers. In its submission, the Internet Safety Institute
described online businesses which have 'made enormous profits by
"monetising" personal data' through online behavioural advertising.
There are a number of ways in which web service providers are now able
to collect data about individuals which is incredibly useful for the purposes
of targeted, or behavioural advertising. For example, the amount of personal
information that individuals upload on social networking sites—such as age,
location, hobbies and interests—means that the operators of those sites have a
huge range of personal data that is very useful to advertisers. Mr Jacobs,
Chair, EFA, explained:
If you are an advertiser and you go to Facebook, you can
place an ad that only goes to university students between the ages of 18 and 23
who are interested in horses but are not yet members of the Equestrian
Federation of Australia, for instance. From an advertiser’s point of view that
is a goldmine and you would be willing to pay a very high premium to target an
advertisement that way, as opposed to something that is just seen by everybody.
The more niche your market is, then the more you are willing to pay.
Another 'goldmine' for advertisers is the ability of search engines to
track a user's web browsing history. Google Australia, for example, informed
the committee that it routinely holds browser history linked to an IP (Internet
Protocol) address for nine months.
This information could be used to compile statistics and to analyse consumer
behaviour for the purposes of targeted marketing.
A further technique that is widely used is the placement of 'cookies'—a
text file stored by a web browser when a user visits a particular website,
which then sends messages back to the server each time the user requests that
Representatives from Google Australia explained how cookies are used for
The interest based advertising system effectively uses a
cookie and, when the machine on which that cookie is present visits one of
those websites, that is added to what we have as an anonymous database. Over
time that may effectively add interest categories. For example, if a particular
machine is visiting a lot of sports websites, then over time the interest based
advertising system will conclude that that particular user is interested in ads
for sports. Then, when that user goes to another website on that broad Google
Display Network, they may get an ad for sporting material.
Providers of web-based email services are also able to filter the
content of users' emails, searching for key words, and advertise based on the
content of an email. Ms Vij, Manager, Public Policy and Government Affairs,
Google Australia, explained:
It is the same kind of technology that also scans to identify
viruses or spam. In a similar way it looks for particular word—or patterns, I
guess, in the case of viruses or spam—to identify that, in the case of advertising,
this keyword appears, so this might be a relevant ad. If a person does not want
to see advertising on Gmail they can use the HTML version of Gmail.
The Attorney-General's Department advised the committee that there is
nothing to prevent web-based email service providers filtering emails in such a
manner under Australia's telecommunications interception legislation, because
of the fact that users agree to the filtering when they sign up to the email service.
A number of witnesses and submitters also discussed the advertising
opportunities that will be created with the advent of location based social
networking services. Mr McDonald, Board Member, Communications Council,
If you have subscribed to a service like Foursquare, it
allows you to broadcast to your social network where you are—Facebook does the
same now. The advertising model on Foursquare is to give local deals...Obviously
with location based services for the consumer it is incredibly important to be
relevant. If I am in a shopping centre—I think it is great to use shopping
centres as an example—and I am shopping for the best deal, advertisers are in a
situation where those types of services can enable their products to be found
and the consumers at that point are given more choice.
As a result of all of these ways that web service providers are now able
to collect personal information about users of their services, advertising has
become increasingly targeted to an individual's interests and location. Privacy
Commissioner, Mr Pilgrim, observed:
What we are dealing with here in terms of marketing is that,
when you or I go on the internet—whatever we are doing—we will get
advertisements coming up to us. As you say, those advertisements are getting
more and more targeted because of the ability of the systems to be able to
check our browsing history, look at our IP address and make assumptions that
the person at the other end is interested in something. 
As outlined below, representatives of the advertising industry argued
that these forms of targeted marketing are in both advertisers' and consumers'
However, a number of witnesses and submitters expressed concern about
the level of monitoring that these technologies now allow.
The Privacy Commissioner argued:
In my view individuals should be able to move about the web
without their movements being tracked or monitored by others, including the
providers of targeted advertising.
Currently, NPP 2 of the Privacy Act allows the use of personal
information in targeted advertising provided certain conditions are met: it is
impracticable to obtain consent; the individual has not made a request not to
receive direct marketing; the individual is informed in each communication of
their ability to request the marketing to stop and will not be charged for
this; and each communication sets out the organisation's address and telephone
NPP 2 distinguishes between information collected for the primary
purpose of advertising and information collected for another purpose. Draft
amendments to the Privacy Act, released by the government in June 2010, intend
to impose an alternative distinction between individuals who have provided
personal information to the advertiser and those who have not.
However the Privacy Act does not and will not apply to behavioural
advertising if the information gathered is not 'personal information'.
Users of these advertising technique argued that the information about
browsing history cannot identify an individual, and therefore cannot be defined
as personal information under the Privacy Act.
However, the OPC submitted that:
Over time, however, the aggregation of data may enable
identification of individuals. When America Online released three months'
search terms in 2006, for instance, it proved possible to identify individual
Ms King-Siem, Vice President, Liberty Victoria, agreed:
If you take what would be alleged to be an anonymous web
user’s browsing history but if you only have one person living at a particular
address then that effectively means that that is personal information because
it is identifiable or ascribable to a particular person. It is a very
convenient way to say that it is actually anonymous data when, by the nature of
where it has come from or other relevant factors, it is easy to determine who
it actually belongs to. That point, strictly speaking, is when it becomes
personal information. Before that point it is not, even though all the tools
are at hand to make it personal information.
Mr McDonald, Board Member, Communications Council, and founder of a
digital advertising agency, disagreed, arguing that behavioural advertising is
more akin to advertising at a sporting event:
To a large extent when we are firing behavioural advertising
it is just the same as going to a football match and knowing that there are
many people there who like sport. We do not target individuals. It is very,
very difficult. Even if we wanted to, the data is not there for us to do that.
Certainly Google et cetera do a pretty good job of disallowing that type of
activity. If I were talking about personal data specifically, I think Facebook
would be the biggest concern because we are able to advertise things that you
like based on what is in your profile. Then again, you have the freedom of
information to turn on what you like and what you do not like. But certainly
there is a lot of development in that area and we are very careful around how
we use that.
Mr McDonald further stated:
In terms of tracking and tracing, it is really not something
where the agencies themselves have that data. That data is held by the social
networks or maybe by the manufacturers themselves. To my knowledge, we have not
seen the opportunity to use specific data other than targeted to a location,
not a person.
Google supported this evidence, and informed the committee that it
places great importance on individual privacy concerns, and accordingly will
not provide web browser history directly to advertisers.
Advertisers argued that not only do these modern advertising data
collection techniques assist advertisers in targeting their audience, they also
benefit web users. For example, Mr Leesong, CEO, Communications Council, argued
Consumers do have a level of comfort in knowing that the
communication is targeted towards their specific interests. If I have an
interest in computers, I would much rather be reading about the latest software
rather than reading about the latest widget manufacturers.
Mr McDonald, agreed:
We know from all the studies that we have done that more
effective advertising leads to greater consumer love or trust for a site, and
certainly contextual advertising, from point to view of being relevant, deeply
affects the experience around the site...Whenever we run a campaign, we might
see that a banner ad is or is not being clicked on et cetera. There is a lot of
analysis that goes into looking at not just effectiveness but also how much a
consumer has actually enjoyed an experience. It is a very important part of the
Mr McDonald also pointed out that the targeted advertising enabled by
these techniques also has the benefit of allowing advertisers to ensure that
ads are not inappropriately targeted, for example to minors:
If we want to protect the younger audience, then we are able
to use the same systems to make sure that advertising reaches the right
audience—the right products that do not offend different people.
Mr McDonald continued:
...you could even look at it from the perspective that the
same technology could be used to target people who were in areas prone to
bushfires so that they receive the messaging, as opposed to people who were not
in those affected areas. So there is a lot of good that comes out of this
technology, and I think as an industry we try to find the best way to utilise
those technologies for good...
The AANA also emphasised that advertising plays an important role for
Australian businesses in informing consumers about their choices and driving
In response to concerns about the perceived intrusiveness of
individuals' online behaviour being monitored, the Privacy Commissioner
expressed the view that:
What we would like to see as much as possible in that context
is choice—choice for the individual to know what is happening and choice to be
able to at least opt out if not opt in to that sort of marketing, where it is effective
and will work.
Google submitted that its users do have such choice, through their Dashboard
feature. However, the committee notes the comment of Mr Jacobs, Chair, EEFA,
that 'only a very sophisticated user can manage all of this'.
Given the previously discussed difficulties with respect to the
complexity and length of many privacy policies, the committee explored the possibility
of an opt-in model for web users to agree to receive behavioural marketing
based on their web browser history and other personal data. Mr Flynn, Google
Australia's Head of Public Policy and Government Affairs, argued that:
Advertising is one of the key ways that pays for all the
services that people can access online. Internet users have become used to the
ability to freely access a lot of very useful information. Interest based
advertising is generally about trying to make advertising more useful and about
trying to allow, in particular, publishers, news organisations and others to
get a better revenue stream. One of the big challenges in the internet space
that we face is making good content pay for itself. So a system that requires
‘opt in’ could have a negative impact, but I do not want to speculate beyond
that because obviously there would be complex legal and operational questions.
Mr Jacobs, Chair, EFA, expressed a similar view:
Being able to show somebody who is reading an email about the
Bahamas an advertisement for a trip to the Bahamas has enormous value for the advertisers
and for Google. Therefore it is not in their interests to put up an opt-in model.
There is no technological reason why it could not be opt in, but there is a
very compelling—from Google’s case—business reason, and that is the pressure
that we are always going to be dealing with.
As a result of its recent inquiry into 'Protecting Consumer Privacy in
an Era of Rapid Change', the United States Federal Trade Commission recommended
that a 'Do Not Track' mechanism for online behavioural advertising be
The FTC in its investigation found that 'companies engaged in behavioural
advertising may be invisible to most consumers'.
The FTC has encouraged the development of tools to allow
consumers to control and manage the information collected about them online,
and noted in its report that some organisations have responded by developing
such tools. The FTC noted Google's ad preferences manager and Yahoo!'s ad
interest manager as examples. The FTC also noted the development of
self-regulatory guidelines by an industry group comprised of media and
However, the FTC found that despite these developments 'an effective
mechanism [to improve consumer control of behavioural marketing] has yet to be
implemented on an industry-wide basis'. The report noted that the use of existing
mechanisms is low as consumers are often unaware of them.
Accordingly, the FTC recommended that a 'Do Not Track' mechanism be established
to 'support a more uniform and comprehensive consumer choice mechanism for
In terms of enforcement, the FTC noted that the 'Do Not Track' mechanism could
be established either by legislation or 'potentially through robust,
In terms of implementation, the FTC suggested:
...placing a setting similar to a persistent cookie on a
consumer's browser and conveying that setting to sites that the browser visits,
to signal whether or not the consumer wants to be tracked or receive targeted
The committee notes that there is currently an industry-wide initiative
in Australia to develop standards for privacy regarding online behavioural
advertising. A cross industry group of marketing and advertising industry
bodies—including ADMA, AANA, the Communications Council, the Internet Industry
Association, the Media Federation of Australia and the Interactive Advertising
Bureau—was formed in November 2010 to develop the guidelines.
The committee notes the industry's stated commitment to developing online
behavioural advertising standards including its pledge to 'share these
guidelines with the Senate Committee and the industry as a whole as soon as
The group released its guidelines in March 2011. The guidelines provide, amongst
other things, that:
Service Providers should obtain Explicit Consent prior to
engaging in Third Party online behavioural advertising (OBA); and
Service Providers should provide an easy to use mechanism for Web
Users to withdraw their Explicit Consent to the collection and use of OBA Data
for Third Party OBA.
The committee strongly supports the recommendation of the FTC regarding
the need for a more effective mechanism through which consumers can choose and
manage their behavioural marketing preferences. Noting the ongoing industry
initiative to develop self-regulatory standards on online behavioural
marketing, the committee strongly commends the proposed US model to industry.
The Committee recommends that the OPC in consultation with web browser
developers, ISPs and the advertising industry, should, in accordance with
proposed amendments to the Privacy Act, develop and impose a code which
includes a 'Do Not Track' model following consultation with stakeholders.
Transnational information flows
One of the major obstacles to the Australian government effectively
regulating online privacy is the transnational nature of the internet. The
Australian Parliament is only able to enact privacy laws relating to companies
incorporated in Australia or with an Australian link, and it is increasingly
easy for organisations to relocate around the world to a jurisdiction with the
most favourable laws for its operation. This makes international cooperation a
key component of any effective privacy protection framework. As Ms King-Siem,
Vice President, Liberty Victoria explained:
Even if we have the strongest privacy laws in the world, if
we cannot enforce them it does not do us much good. That is where international
cooperation is key.
However, Ms King-Siem went on to argue that:
It is very hard for us to argue greater protection if we do
not offer it within our own jurisdiction.
Ms King-Siem suggested:
A starting point would be, and Australia is a signatory to,
the [International Covenant on Civil and Political Rights], yet we have not
actually brought in our own protections to an adequate level.
Google discussed the issue from its perspective of a major web-based
organisation operating in multiple jurisdictions around the world:
How does a provider that operates in many different
countries, and that in our case seeks to provide a consistent global product
with a consistent policy and a set of terms and conditions underpinning that product,
meet differing legal requirements? I guess ultimately it is a matter for legal
analysis as to which particular laws we have to comply with. We are bound by
the laws in countries that we operate...I think it is fair to say that in some
respects European privacy law is amongst the most prominent legal models in the
world and something that all providers need to take account of.
The Privacy Commissioner, Mr Pilgrim, explained the issues faced by his
office with respect to transborder data flows:
Regulating privacy online can be difficult due to the greater
ease with which personal information can flow between jurisdictions. Like other
regulatory schemes, domestic privacy laws may struggle to cope with the
ubiquitous nature of the internet. In Australia, organisations that send
personal information overseas for processing continue to have obligations under
the Privacy Act with regard to that information. The Privacy Act also contains
provisions to allow extraterritorial operation where an overseas organisation
carries on a business in Australia and collects or holds that information in
Australia, and the current reform process is working to enhance those
The Privacy Act does not apply to organisations not incorporated in
an act or practice of the organisation relates to the personal
information of an Australian citizen or permanent resident; and
the organisation carries on business in Australia and collects or
holds the information in Australia.
The OPC submitted that there is uncertainty as to how this provision
operates with respect to personal information submitted over the internet by an
individual in Australia to an organisation based overseas:
Given that the internet has allowed greater transfer of personal
information across national boundaries, clarifying the scope of
extra-territorial operation of the Privacy Act would enhance the Office's
ability to apply the Act in these circumstances.
The OPC has suggested that the requirement for information to have been
collected in Australia is ambiguous, because in a situation where an
Australian submits information to an organisation based overseas, it is unclear
whether the overseas organisation has collected information at the point of
upload (Australia), or wherever the recipient organisation is based. The OPC
has recommended amending the Act to specify that information collected from
or held in Australia is subject to the privacy principles.
The exposure draft of amendments to the Privacy Act intends to clarify
However the OPC has submitted to the Senate Finance and Public Administration
Committee that the proposed amendments do not resolve the existing uncertainty
of the provision. OPC submitted that 'the exposure draft's changes to [section]
5B...do not clarify the issue of where online collection occurs'.
The committee recommends that item 19(3)(g)(ii) of the exposure draft of
amendments to the Privacy Act 1988 be amended to provide that an
organisation has an Australian link if it collects information from
Australia, thereby ensuring that information collected from Australia in the
online context is protected by the Privacy Act 1988.
The committee notes that there may be some enforcement challenges
relating to this provision, but does not consider that this reduces the need
for this reform to proceed.
The OPC's submission indicates that the issues associated with the
transnational nature of online transactions are likely to increase the risk to
privacy as 'cloud computing' becomes more ubiquitous. Cloud computing involves
the outsourcing of data processing and storage to organisations based overseas.
The OPC submitted that:
While cloud computing may offer benefits to Australian
organisations and agencies, the Office considers that there may be some privacy
risks associated with use of cloud computing that should be addressed to ensure
compliance with Australian privacy laws.
In this regard the committee received information from Macquarie Telecom
which sounds a timely warning on the reduced protections accruing to personal
data hosted in the US by a US 'cloud provider':
It would be extremely difficult to enforce a statutory right
arising under Australian law in the U.S., as those laws would not necessarily
have extraterritorial effect. Even if a contract with a U.S. Cloud provider is
governed by Australian law (which is unlikely under standard terms), enforcement
of that contract in a U.S. Court will require expert evidence as to the
interpretation and effect of the Australian law, which is costly and difficult.
A U.S.-based Cloud provider would be required to comply with
U.S. laws and obey all orders issued by a U.S. Court, even if compliance caused
the provider to violate an order issued by an Australian Court.
Even where there is no conflict between U.S. and Australian
law, a U.S. court is not obligated to automatically give effect to the orders
of an Australian court... [F]or a U.S. court to give effect to an Australian
judgment...it would have to be shown that the U.S.-based Cloud provider was
subject to Australian law and had been given adequate notice and an opportunity
to be heard by the Australian court, and that the Australian order did not
offend the public policy of the U.S. forum state.
NPP 9 and proposed APP 8 require that Australian organisations which
send personal information overseas ensure that the data held overseas is
governed by privacy laws substantially similar to the Privacy Act, or that
contracts prevent overseas affiliates from releasing or using the information
other than in accordance with the Privacy Act. In addition, APP 8 will require
agencies and organisations to notify individuals if they are likely to disclose
personal information to overseas recipients. The OPC supports this change, and
recommends that organisations which use cloud computing conduct privacy impact
However, Professor Graham Greenleaf and Mr Nigel Waters submitted to the
Senate Finance and Public Administration Committee that proposed APP 8 does not
address many problems with cross-border data transfers. For example, they argue
individuals are not required to be given notice of any breaches
by an overseas recipient and so have no way of proving a breach;
there are no requirements that individuals be notified of the
fact that their personal information is to be sent overseas prior to, or at the
time that it is sent; and
there are numerous ways in which an exporter of data can be
exempt from being accountable for the security of personal information sent
The committee notes that the above discussion of the small business
exemption provides a mechanism by which an exporter of data can be exempt from
accountability for personal data sent overseas. The small business exemption
means that over 90 per cent of Australian companies may freely send personal
information to overseas companies without ensuring that the privacy of those to
whom the information relates will be protected.
Professor Greenleaf and Mr Waters recommend that APP 8 be amended to
provide that rather than an Australian organisation being able to transfer
personal information overseas if it reasonably believes that the
information will be protected in a similar manner to under the Privacy Act, the
information must in fact be protected in a manner similar to under
This suggestion would bring Australian law more into line with European privacy
regulation under which personal data may only be transferred to a non-EU
country if that country can provide adequate protection or if the data
controller can personally guarantee that the data will be protected.
Under Article 29 of the EU Data Protection Directive, a working party
was created to advise on the level of protection in non-EU countries. The working
party has negotiated data protection agreements with various non-EU countries,
including the 'Safe Harbor Principles' between the EU and the United States of
While the Safe Harbor Principles have attracted a degree of criticism,
including during this inquiry,
they doubtless provide a greater degree of certainty with respect to the
protection of personal information transferred offshore than does a requirement
that the organisation transferring the data have a 'reasonable belief' that the
data will be protected.
The committee supports the suggestion of Professor Greenleaf and Mr
Waters with respect to the strengthening of Australia's offshore data transfer
provisions under the Privacy Act. The committee urges that the exposure draft
of amendments to the Privacy Act be amended to take account of this suggestion,
and ensure that Australian organisations are fully accountable for protecting
the privacy of the personal information they send overseas.
Furthermore, the committee considers that, while the small business
exemption ought to remain in the Privacy Act 1988, the provisions
relating to the offshore transfer of personal information must apply to all
Accordingly, the committee recommends that the government strengthen
Australia's privacy legislation to require all Australian companies which
transfer personal information offshore are accountable for protecting the
privacy of that data. The committee further recommends that the government
consider ways to strengthen and ensure the enforceability of such provisions.
The committee recommends that the government amend the Privacy Act
1988 to require all Australian organisations that transfer personal
information offshore are fully accountable for protecting the privacy of that
The committee further recommends that the government consider the
enforceability of these provisions and, if necessary, strengthen the powers of
the Australian Privacy Commissioner to enforce offshore data transfer
The committee notes that the government will consider the powers and
functions of the Privacy Commissioner as part of its response to ARLC report
However, even if Professor Greenleaf's and Mr Waters' recommendation is
implemented, the capacity of Australian legislation to protect the privacy of
Australians online will remain limited and will depend on the cooperation of
overseas organisations and law enforcement agencies.
For this reason, the OPC and Victorian Privacy Commissioner have argued that
legislation alone is not sufficient to protect the privacy of Australians
In this regard, the Privacy Commissioner, Mr Pilgrim, informed the
To further enhance the ability of the privacy regulators to
protect personal information, there has been considerable work done to
strengthen international cooperation on privacy regulation. This has included development
by APEC of cross-border privacy enforcement arrangements to facilitate the
handling of privacy complaints between jurisdictions. As well, there is
continuing activity through the OECD’s working party on privacy and internet
However, the committee notes the concerns expressed by the Australian
Privacy Foundation (APF) about the weakness of the APEC Privacy Framework.
Dr Clarke, Chair, APF, argued that:
The US has actually tried to ratchet the standards down even
further than their current five eighths by coming up with an APEC Privacy
Framework. They endeavoured to use the very low regard that privacy is held in
in East Asian cultures as a means of coming up with an alternative privacy
framework and sets of principles which would be even weaker than their own FTC
Ms King-Siem, Vice President, Liberty Victoria, expressed similar
concerns, stating that:
There was certainly an impression that APEC was being used as
a bit of a cat’s paw for the same purpose [of weakening the safe harbor
The committee recommends that the Australian government continue to work
internationally, and particularly within our region, to develop strong privacy
protections for Australians in the online context.
Statutory cause of action for breach of privacy
In addition to working internationally, a number of witnesses pointed
out that there is more the government could do to protect Australian's online
privacy. Several submitters argued for a statutory cause of action for
invasions of online privacy.
For example, Ms King-Siem, Vice President, Liberty Victoria, argued that
a key way in which the Australian Government could strengthen privacy in
Australia would be to enact a statutory right to privacy:
...government has a real role to play and should be
supporting, rather than taking a prescriptive attitude to what information is
out there. A general right to privacy, for instance, would put the power back
into the hands of Australians. In a lot of cases they probably would not have
the wherewithal to take action directly, but at least it puts it back in their
hands and it means that they can enforce their rights against whoever is
infringing them, be that a corporation, another individual or any other sort of
person. At the moment our legislative regime does not really provide for that
Ms King-Siem continued:
I would have thought that the role of government is to
support where possible the users’ right to privacy. The fact that we do not
actually recognise the right to privacy is slightly problematic in that regard.
That would probably be the first argument I would put if we had an independent
right to privacy, which the Australian courts have said for a long time that we
should have but have been unwilling to step forward and recognise that in a
meaningful way because they have been sitting back waiting for the legislature
to do it, which so far has been rather unwilling. If that were the case then
you would probably see an awful lot of class actions jumping up here and there
and that would bring corporations into line a lot faster. That is where you are
really letting market forces determine where privacy would lie.
The ALRC has also recommended the development of a statutory cause of
action for serious invasions of privacy.
The ALRC considered both statutory and common law causes of action for breach
of privacy in other, comparable jurisdictions including the United States,
Canada, Ireland, the United Kingdom, the EU and New Zealand and concluded
that the development of a statutory cause of action would allow the Australian
government to take a more flexible approach to defences and remedies, and avoid
some of the issues experienced in other jurisdictions which only have common
law causes of action.
The Victorian Privacy Commissioner, APF and Law Institute of Victoria
all indicated support for this recommendation of the ALRC in their submissions
to this inquiry.
The government has not yet responded to this recommendation, but has stated
that it intends to do so in the second stage of its response to the ALRC's
The committee recommends that the government accept the ALRC's
recommendation to legislate a cause of action for serious invasion of privacy.
Navigation: Previous Page | Contents | Next Page