FC: Roger Clarke and EFA: Australia must ditch 253-page "Privacy Act"

[Declan McCullagh <declan () well com>]

[Roger is a smart and thoughtful fellow who I respect greatly, but I 
suspect that our views on privacy legislation differ substantially. 
Reasonable people can disagree over whether the best way to protect privacy 
is through market forces and technology (something I prefer) or nationwide 
legislation aimed at restricting business practices. It looks like Roger 
and EFA supported the second approach in the beginning, but then (almost 
predictably) the legislation morphed into something they now oppose. --Declan]

**********

Date: Sat, 1 Sep 2001 11:31:31 +1000
From: Roger Clarke <Roger.Clarke () xamax com au>
Subject: Privacy Debacle in Australia
Cc: Irene Graham <ed () efa org au>

To Roger's Personal List of Privacy Glitterati:

Privacy legislation affecting the Australian private sector comes into 
force on 21 Dec 2001.  As previously advised, it's the world's worst 
privacy legislation - 253 pages of exceptions and exemptions; and I refer 
to it as the Anti-Privacy Act.

The Privacy Commissioner issued a draft set of guidelines, which contained 
an explanation of how he intended to interpret the legislation.  They were 
liberal interpretations, which (if they'd had the force of law) would have 
adjusted some of the abuses in the Act back towards the standards of the 
OECD Guidelines of 1980.

The Privacy Commissioner has caved into pressure from industry 
associations, doubtless strongly supported by his masters in the 
government, and the final version of the guidelines is no longer 
privacy-supportive.

Below is an open letter from Electronic Frontiers Australia, which explains 
the latest debacle in the history of privacy in Australia.

Some further source-material is after that.  Feel free to use this as a 
basis for informing other people about the parlous state of privacy in 
Australia.


EFA Open Letter to the Federal Privacy Commissioner

31 August 2001

Mr M Crompton
Federal Privacy Commissioner
L8, 133 Castlereagh Street
Sydney NSW 2000    <http://www.privacy.gov.au>

Dear Mr Crompton

EFA has appreciated the opportunity to participate in the NPP Guidelines
Reference Group during the past six months. As you are aware, EFA has
previously been generally supportive of the approach being taken by the
OFPC in relation to the Guidelines and we have commented to that effect
publicly, including in media interviews. However, during the past few weeks
information emanating from the OFPC has caused us to review our position
and we advise accordingly below.

EFA hereby records our strong disapproval of the significant reversals in
the OFPC's approach as evidenced in the revised draft Guidelines and
Information Sheets recently distributed to members of the NPP Guidelines
Reference Group and, apparently, unnamed others. We also disapprove of the
minimalist and secretive "consultation" process being undertaken given the
changes to the public consultation draft issued in May are major and there
is no evidence that these changes are desired or supported by ordinary
members of the public whose privacy is at risk.

We have previously indicated our concern regarding the extremely short time
(two working days) granted to prepare comments on the substantially altered
guidelines and the difficulties of commenting while the supplementary
information sheets were not available. Having since received the draft
information sheets, we are appalled to learn that a number of previously
intended sheets will not be produced. Moreover, the remainder fail to
address matters that are at the very core of whether the "privacy"
legislation will provide adequate, if any, protection against privacy
abusive practices by organisations required to comply with the Act. While
some such matters are briefly mentioned in the gutted Guidelines, the
information is either so hazy and ambiguous that it is useless or the
content and tone appears likely to legitimise privacy invasion to a greater
extent than the legislation itself does.

We understand that a criticism of the public consultation draft was that it
was too lengthy and we agreed that a shorter document plus supplementary
sheets may be more user friendly. We did not expect however, that one means
of reducing the size would be to simply delete guidance on some important
matters, principally it appears where some (but not all) business lobby
groups objected to the contents of the public consultation draft issued by
your office.

In view of the above, EFA declines to provide comments on the Information
Sheets. In addition to the three day time frame for responses being totally
inadequate, EFA considers that no benefit to EFA members is likely to arise
from our continued participation in this "consultation" process. In our
view it is clear that a decision has been taken to favour business
interests over the privacy of ordinary citizens that the legislation is
allegedly intended to protect. Moreover, after six months participation in
this process, we are sure the OFPC is already well aware of EFA's views.

With regard to the short comment periods on the revised material, we
recognise this results from the OFPC decision to issue final guidelines
earlier than scheduled because some business interest groups said the
scheduled date did not provide businesses with adequate time to prepare.
While we commend efforts to provide final guidelines as soon as possible to
organisations who genuinely desire guidance from the Commissioner, it is
pertinent to note that some (perhaps all) of the groups critical of the
scheduled release date are the very same ones who do not wish the
Commissioner to provide guidance on compliance with the law at all, and/or
who have indicated intent to comply with their organisation's
interpretation of the legislation irrespective of any interpretation by the
Commissioner in the guidelines. These groups are obviously well aware that
the guidelines are just that, guidelines, not the law. Such groups have
already had some nine months to prepare to comply with the legislation and
the claim that they cannot do so until the final guidelines are issued is
nonsense.

We believe there are reasonable grounds for the view that the guidelines
have been gutted at the request of some business lobby groups who seek to
ensure that:
- members of the public will have little guidance available to them about
the obligations (if any) of businesses  to respect their privacy and about
the prospects of a complaint being upheld by the Commissioner, and
- businesses will have the opportunity to claim insufficient guidance from
the Commissioner and hence expect "kid glove" treatment in dealing with
complaints.

In acquiescing to the demands of various business lobby groups, the
Commissioner's office is likely to fail, not only citizens, but also many
businesses who seek clear guidance on compliance with the law so as to
avoid the potential for complaints and/or genuinely wish to undertake best
practice in protecting their customers' privacy.

In summary, it presently appears that the Federal Privacy Commissioner's
office has been hijacked by politically powerful big business lobby groups
with minimal interest in their customers' right to privacy. If such a
perception is not factual and is not to become a widely held view in the
general community, the current draft guidelines require another major
overhaul, this time to restore backbone and balance.

Yours sincerely

Irene Graham
Executive Director
on behalf of the EFA Board

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Irene Graham
Executive Director - Electronic Frontiers Australia Inc. (EFA)
EFA: <http://www.efa.org.au>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Some background materials:
http://www.efa.org.au/Issues/Privacy/#bill

Roger's notes from January 2001:

The Privacy Act 1988 (Cth) currently relates to the federal public sector 
plus credit reporting practices.  The Privacy Amendment (Private Sector) 
Act 2000, passed 6 December 2000, amends it to apply some new provisions to 
the private sector.

But its purpose, and its effect, are to legitimise privacy-invasive
practices, not to protect privacy.  I outright opposed the Bill, arguing
strongly that it would *worsen* relationships between consumers and
business, and hence served *no-one's* interests.

I've written a series of things on the Bill, of which this is the most
recent and succinct:
http://www.anu.edu.au/people/Roger.Clarke/DV/SenatePBSub2000.html
and this is the most comprehensive:
http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

The Bill was introduced by the Government (Liberal + National/Country
parties = Tories).  It was considered by House and Senate Committees.  The
Opposition (Labor) has never been a friend of privacy (the Australia Card
initiative of 1985-87 was theirs).  Labor moved some weak-kneed amendments,
some of which were eventually accepted by the Government.  The Opposition
then supported the Bill;  consequently the cross-benches (Democrats and
Independents) were unable to achieve any more significant amendment.

If one were to assume that the statute was actually intended as an
implementation of the OECD Guidelines, then it's the world's worst privacy
legislation.  I believe it's far more appropriate to refer to it as the
Anti-Privacy Act, and leave it at that.

The Act as passed is at:
http://www.austlii.edu.au/au/legis/cth/num_act/pasa2000n1552000373/index.html

An unofficial consolidated version of the Privacy Act 1988, now 100 pp. 
[error: 253 pp.!] of amazingly convoluted verbiage, is at:
http://www2.austlii.edu.au/privacy/Privacy_Act_1988/

The EU has made clear that the provisions fall far short of compliance with 
the EU Directive:
http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm

The Attorney-General rudely rejected the EU's comments, just as he had 
earlier rudely rejected the advice of his own so-called 'Core Consultative 
Group'.

--
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke () xamax com au            http://www.xamax.com.au/

Visiting Fellow                       Department of Computer Science
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211       Tel:  +61  2  6125 3666




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------