Search This Blog

Monday, July 12, 2010

Google thrashed with a feather over "very serious" privacy breach

The Australian in "Privacy laws get internet update" reports Special Minister of State Senator Joe Ludwig yesterday committing the Federal Government to amending the Privacy Act to introduce civil penalties - to be imposed by the Federal Court or the Federal Magistrates Court - for "serious breaches when other enforcement measures are not sufficient".
"They will be serious sanctions," he said. "It is essential we have a robust system in place to protect the privacy of individuals."

Well yes, but the Minister announced this in October last year in the Government's phase one response to the Australian Law Reform Commission's 2007 review of the Privacy Act.  This included acceptance of recommendations about enforcement of compliance following an own motion investigation by the Commissioner, and another concerning broader enforcement powers. 

The Minister's remarks had some topicality this week of course, in light of the Federal Privacy Commissioner's finding on Friday that Google had breached the Privacy Act by collecting unsecured WiFi payload data in Australia using Street View vehicles. Commissioner Curtis was satisfied that any collection of personal information by Google would have breached the Privacy Act, that this was "a very serious matter" and that "Australians should reasonably expect that private communications remain private."

But Google was thrashed with a feather.
The Commissioner extracted written undertakings (probably not enforceable) that Google will publish an apology on its official Australian blog (, undertake to conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information, provide a copy of these PIAs to her office and regularly consult with the Commissioner about personal data collection activities arising from significant product launches in Australia. Then full stop. As the  Commissioner said:
"Under the current Privacy Act, I am unable to impose a sanction on an organisation when I have initiated the investigation. My role is to work with the organisation to ensure ongoing compliance and best privacy practice."
Minister Ludwig had earlier released an Exposure Draft of Unified Privacy Principles, now before a Senate committee, but legislation to expand the powers of the Privacy Commissioner- including to obtain enforceable undertakings and seek civil penalties- is one of three tranches of draft legislation to give effect to the phase one response to the ALRC report yet to appear

Expanded powers would only apply to a serious breach of privacy principles by an organisation, public or private, subject to the Privacy Act. They would not be relevant to a breach by an organisation exempt from the act, for example (subject to conditions), acts done and practices engaged in by media organisations in the course of journalism. Nor would they be relevant to a serious breach of privacy that involved conduct by any organisation other than in the course of handling personal information. That's why another recommendation of the ALRC to which the Government is yet to respond- creating a statutory cause of action for a serious breach of privacy-remains relevant to what Minister Ludwig says we need: "a robust system in place to protect the privacy of individuals." A recommendation some in media circles see as the end of the world as we know it.

1 comment:

  1. Anonymous7:17 pm

    What a riduclous situation where our Privacy Commissioner can take no action.