Monday, April 11, 2011

Shift in thinking necessary to protect online privacy

The Senate Environment and Communications Reference Committee report on the adequacy of protections for the privacy of Australians online, released last week, examines the adequacy of the existing privacy framework for protecting the privacy of Australians online, and the challenges for law enforcement arising from technological advances. The Committee made a string of important recommendations (the response to the Government's plans for data retention by ISPs attracted the most media interest) and also warned of dangers arising from rapid advances in technology and ingrained thinking about policy prescriptions from another era [2.85]:
"...in relation to a number of emerging issues, it seems Australia's current approach to privacy regulation is applying offline thinking to online situations. The committee cautions that, as online technology continues to develop and new privacy issues emerge, it will be necessary to continually evaluate Australia's privacy framework to ensure that regulators are not simply applying old policy values and frameworks, which may be well suited to the offline contexts, to a very different online situation."

The recommendations were:

Recommendation 1
2.31   The committee recommends that the government consider and respond to the recommendations in the Cyberspace Law and Policy Centre’s report: Communications privacy complaints: In search of the right path, and recommendations from the Australian Communications Consumer Action Network arising from that report.

Recommendation 2
3.30   The committee recommends that the Australian Privacy Commissioner's complaint-handling role under paragraph 21(1)(ab) of the Privacy Act be expanded to more effectively address complaints about the misuse of privacy consent forms in the online context.
3.31   The committee further recommends that the Office of the Privacy Commissioner examine the issue of consent in the online context and develop guidelines on the appropriate use of privacy consent forms for online services.

Recommendation 3
3.50   The committee recommends that the small business exemptions should be amended to ensure that small businesses which hold substantial quantities of personal information, or which transfer personal information offshore are subject to the requirements of the Privacy Act 1988.
3.51   To achieve this end, the committee urges the Australian Privacy Commissioner to undertake a review of those categories of small business with significant personal data holdings, and to make recommendations to government about expanding the categories of small business operators prescribed in regulations as subject to the Privacy Act 1988.
3.52   The committee further recommends that the second tranche of reforms to the Privacy Act 1988 amend the Act to provide that all Australian organisations which transfer personal information overseas, including small businesses, must ensure that the information will be protected in a manner at least equivalent to the protections provided under Australia's privacy framework.

Recommendation 4
3.86   The Committee recommends that the OPC in consultation with web browser developers, ISPs and the advertising industry, should, in accordance with proposed amendments to the Privacy Act, develop and impose a code which includes a 'Do Not Track' model following consultation with stakeholders.

Recommendation 5
3.96   The committee recommends that item 19(3)(g)(ii) of the exposure draft of amendments to the Privacy Act 1988 be amended to provide that an organisation has an Australian link if it collects information from Australia, thereby ensuring that information collected from Australia in the online context is protected by the Privacy Act 1988.

Recommendation 6
3.109   The committee recommends that the government amend the Privacy Act 1988 to require all Australian organisations that transfer personal information offshore are fully accountable for protecting the privacy of that information.
3.110   The committee further recommends that the government consider the enforceability of these provisions and, if necessary, strengthen the powers of the Australian Privacy Commissioner to enforce offshore data transfer provisions.

Recommendation 7
3.116   The committee recommends that the Australian government continue to work internationally, and particularly within our region, to develop strong privacy protections for Australians in the online context.

Recommendation 8
3.122   The committee recommends that the government accept the ALRC's recommendation to legislate a cause of action for serious invasion of privacy.

Recommendation 9
4.74   The committee recommends that before pursuing any mandatory data retention proposal, the government must:
  • undertake an extensive analysis of the costs, benefits and risks of such a scheme;
  • justify the collection and retention of personal data by demonstrating the necessity of that data to law enforcement activities;
  • quantify and justify the expense to Internet Service Providers of data collection and storage by demonstrating the utility of the data retained to law enforcement;
  • assure Australians that data retained under any such scheme will be subject to appropriate accountability and monitoring mechanisms, and will be stored securely; and
  • consult with a range of stakeholders.
