Flaws in the Glass; Gashes in the Fabric

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 25 February 1997

© Xamax Consultancy Pty Ltd, 1997

Invited Address to Symposium on 'The New Privacy Laws', Queen Victoria Ballroom, George St, Sydney, 19 February 1997

This paper is at http://www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html


Abstract

A conference for lawyers is a sure sign that privacy protection is becoming routinised. Routinisation would be good news for privacy advocates, if the regulatory regime were an effective one.

This paper argues that the contrary is true. Privacy protection in Australia is pitifully inadequate in its coverage. The primary law is seriously flawed, and entirely inappropriate for use as a template for extension to new areas.

This paper identifies some of the inadequacies of privacy protection in Australia, as an antidote against smug self-satisfaction.


Contents

Introduction

Deficiencies in Australian Law and Practice

Meta-Legal Factors

Conclusions

Electronic Resources

References


Introduction

During 1996, my experiences in relation to privacy attitudes among the Australian public, corporations and government agencies were by and large quite positive, and my recent papers have reflected that, on matters as diverse as privacy strategy for corporations and government agencies, a survey of public attitudes to privacy, and the directions of development of Commonwealth legislation.

But I was invited to this Conference specifically to reassess the adequacy of existing privacy laws, and that has been a sobering experience. I anticipated that the Conference would have a complacent air about it, and indeed it did: a lot of the speakers focussed either on abstract motherhoods or on legal minutiae; and there was just too much respect and politeness in evidence.

The Australian privacy-protective regime came late, is very scant, and is unable to withstand the challenges of technological change and the ebullience of government agencies and corporations.

It comprises two primary pieces of legislation:

There have been some amendments to the Privacy Act, but the law retains serious flaws, identified in a paper published by this author in 1989. There are a few additional statutes, some incidental coverage in long-standing legislation, and some accidental by-products of tort law.

A 1996 Discussion Paper issued by the Commonwealth Attorney-General may or may not lead to the imposition of regulation on the private sector.

All States have muttered about passing legislation, some on an approximately annual basis. The most recent undertaking by a State Attorney-General was in Queensland at the beginning of 1997. A report containing specific recommendations for legislation is currently before the Victorian Minister for Multimedia, Alan Stockdale.

But none has ever acted yet. Moreover, the N.S.W. Attorney-General gave an opening address to this Conference that contained not a word that would not have been possible as long ago as 1980, and both the text and his answers to questions demonstrated an abysmal lack of command of the issues.

This inadequacy and inaction needs to be juxtaposed against a couple of key considerations:

Despite the appalling shortfalls in the privacy protective regime, there is a tendency towards complacency, at least among lawyers, but even among privacy advocates.

The purpose of this paper is to catalogue aspects of the existing privacy-protective regime that fall short of the public's needs. They are loosely organised into two groups: firstly those that are readily identifiable as inadequacies in existing law and practice, and secondly those that are implicit within the existing pattern, and require more fundamental surgery.

Like almost all public advocacy, this paper was flung together in haste, and inevitably omits some important topics. [To my embarrassment, I found that I had entirely omitted the serious matter of multiple use of identification schemes].


Deficiencies in Australian Law and Practice

This first cluster of concerns relates to matters that are capable of being addressed by changes to existing laws and practices, without a fundamental re-think of the regulatory regime.

It is stressed that these problems are additional to those identified in this author's 1989 paper assessing the Privacy Act against the OECD Guidelines, in particular in section 6, in section 7 and in the summary in Exhibit 5. A small proportion of these have been picked up in the Privacy Commissioner's submission to the Commonwealth Attorney-General regarding his 1996 Discussion Paper.

A very important point that is easily overlooked is that the current set of Information Privacy Principles is seriously problematical if applied to the private sector.


Justification Processes

In the words of the Australian Privacy Charter, "The maintenance of other social interests (public and private) justifies some interferences with privacy and exceptions to these Principles. The onus is on those who wish to interfere with privacy to justify doing so".

Unfortunately, the current regime contains almost no obligations on the perpetrators of privacy-invasive behaviour to demonstrate that their actions are reasonable in the circumstances. Here are three areas of inadequacy.

* Justification for the Existence of Personal Data Systems

Australian privacy laws do not establish any requirement that organisations explain and demonstrate the need for systems that process personal data. Moreover, they have the effect of legitimating all pre-existing personal data systems, and all future systems, provided that a set of fair information principles is complied with.

A regime that meets the populace's needs would:

* Justification of the Statement of Purpose of Personal Data

Australian privacy laws simply require that the purpose(s) of personal data be stated, and perhaps published. This can be satisfied by statements that lack the least vestige of credibility, along the lines of 'for administrative purposes', and 'to enable the organisation to perform its statutory functions'.

An effective privacy-protective regime would impose responsibility on the operator of each system to provide a meaningful statement of purpose, and justify it to some organisation with the power to reject it.

(Note that this does not necessarily imply the expensive measure of maintaining a register of systems and their purposes, because the appropriateness of many data collection, use and disclosure activities will rarely, if ever, be called into serious question).

* Justification of the Relevance of Data to a Decision

Australian privacy law merely requires that data be relevant to a decision, without requiring that the decision-maker justify the way in which the data is relevant.

An effective regime would:

It can be argued that these are not functions that a Privacy Commissioner should properly perform, but rather that they should be left to other social and political processes. If so, then the process requires much clearer articulation than letters to the editor, talk-back radio, and marches in the streets. As is argued elsewhere in this paper, public consultation on privacy protection matters generally has been singularly lacking.


Scope Limitations

Variously accidentally and intentionally, existing laws are restricted to only a proportion of the matters that concern real people. Here are some important examples of these limitations on the regime's scope.

* Records versus Information

Current laws refer to 'records containing personal information'. This deflects attention away from personal information and towards particular I.T. mechanisms, and creates opportunities for schooldays-debaters-turned-barristers to ply their trade against the public interest.

* Identification

The Privacy Act applies only where the person's identity is apparent or can reasonably be ascertained "from the information or opinion". This leaves unregulated circumstances in which the identity of the person is apparent from context, or where it can be ascertained only by the addition of further information.

* People

It is highly desirable that the privacy-protective regime apply to people generally, and not to some sub-set or sub-sets, such as citizens, permanent residents, or people in Australia.

The Privacy Act falls short of this standard, because it precludes investigation of a breach of the Alteration Principle unless the person concerned is either an Australian citizen or has rights of permanent residence.

* Limitation to Data Protection

There are many dimensions of privacy, including privacy of the person and of personal behaviour. The Commonwealth regime addresses only the limited dimension commonly referred to as information privacy.

The N.S.W. Privacy Committee's research and complaints-investigation powers have always been much broader. It is highly desirable that, as floated in the Commonwealth Attorney-General's 1996 Discussion Paper, the Privacy Commissioner's research scope be broadened to encompass all dimensions.

* 'Public Registers'

The Commonwealth regime exempts "generally available publications". This may be read as exempting what are popularly referred to as 'public registers', such as the electoral roll and land titles registers. These data collections should be subjected to the normal controls over access, based on the purposes for which they are assembled.


Exemptions and Exceptions

* Exemptions Instead of Balanced Implementation

The Privacy Act blindly adopted the exemption classes that had been established a decade earlier in relation to the Freedom of Information Act.

Any form of exemption, whether of classes of data, system, organisation or anything else, is a very blunt weapon, because it creates a void within which uncontrolled abuses can occur.

The appropriate approach is careful implementation of universal principles such that all interests are protected.

* Exceptions to Use and Disclosure Protections

The Privacy Act contains an exception to the use and disclosure conventions that is so broad as to cripple the entire statute. In common with the Telecommunications Act, there is an exception for "[use or disclosure for any purpose] reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue".

This is an invitation to all agencies subject to the Act to use and disclose personal data for virtually any purpose. Such an uncontrolled power has no place in the legal framework of a free nation. To comply with the public's needs, it must be simply deleted, forcing each such use and disclosure to be the subject of explicit legal authorisation.

* General Versus Universal Principles

This matter is vitally important, and a separate brief paper addresses the question of Exemptions from General Principles versus Balanced Implementation of Universal Principles.


Consultative Processes

During the first eight years of the present regime, the Privacy Commissioner has consistently consulted with government agencies, and has consistently failed to involve privacy interest groups in an equivalent manner. The outcomes of consultations with agencies are not made available, on the grounds of confidentiality; and nor even are the results of surveys of agency practices. This dismissiveness appears, at least at times, to have extended beyond advocacy groups, to include State Government bodies, and in particular the N.S.W. Privacy Committee.

Concern has to exist that the low regard for privacy advocates may also be shared with the Commonwealth Government itself. That the privacy lobby was unpopular with the Labor Government of 1983-96 is not particularly surprising, because privacy law was forced upon it. But the current Government also has yet to establish any form of relationship with privacy advocacy groups.


Bureaucratic Registration

Some privacy laws contain requirements about the creation and maintenance of a register of personal data systems. The Commonwealth Privacy Act contains such a provision, although admittedly one less sapping of the Commissioner's resources than some statutes.

Such provisions are unnecessary, wasteful and provide a negligible contribution to privacy protection. They are merely a device for making it appear that something is being done and money is being spent. The cynic interprets them as a means of ensuring that the statutory authority is primarily an administrator rather than a watchdog.

The purpose of the OECD Public Access Principle (in the Commonwealth Act this is currently approximated by IPP 5 (1)) is to impose on all organisations a clear responsibility to provide the kinds of data that a member of the public needs, in order to understand the nature of the organisation's personal data holdings. Whether the information is maintained on a permanent basis is a decision for each organisation; a consolidated register is a worthless exercise.


The Variability of Data Sensitivity

Data varies greatly in its sensitivity, depending on the data-item, the person concerned, and the circumstances. It is inadequate to assume that particular data-items (e.g. date-of-birth, marital status, number of dependants) have a particular, fixed degree of sensitivity. Australian privacy law does not adequately reflect the variability of data sensitivity.

There are already several ways in which data sensitivity may have to be considered in the Australian legal context, including:

An effective information privacy protective regime would:


Repugnance of Automated Decision-Making About People

An effective information privacy protection regime would impose responsibility on the operator of a personal data system to ensure that all decisions about human beings (or at least those that might reasonably be expected to have negative consequences for the people concerned) are subject to review by a human being before being communicated or implemented.

The EU Directive addresses this need. Australian privacy laws are silent on the matter.


Meta-Legal Factors

The matters discussed in the preceding sections are all capable of being addressed through amendments to existing legislation at the federal level, incorporation within conventional Bills at State level, or adaptation of the practices of regulatory agencies.

There are more fundamental problems with the existing privacy-protective regime, that cannot be addressed as simply and directly. These are outlined below.


Captive Watchdog

Statutory watchdog agencies are by definition created by Parliament; but they are in practice part of the broad pattern of government. The Act or Acts under which they operate are assigned to the portfolio of a Minister; the appointment of Commissioners and members of statutory committees (and delays in such appointments) are under the control of a Minister; and they are dependent on, and in some degree beholden to, the Minister's Portfolio Department.

Unsurprisingly, there is pressure on a Privacy Commissioner to appreciate the needs of Ministers, of Ministers' Press Secretaries, of the government monolith in general, and of particular government agencies. In some cases, of course, the Commissioners themselves are members, ex-members, or future members of the senior executive service, and hence owe debts, are owed debts, and/or would like to be owed debts.

The first Privacy Commissioner repeatedly stated that his function is not 'the public's privacy champion', but rather the administrator of a specific statute. He paid considerable respect to the views of agencies; he was willingly used by the then Minister for Social Security as a protective weapon against privacy advocates; and he seldom consulted with, and showed scant regard for, privacy interest groups.

Added to that, the Commissioner's staff are inevitably public servants, and in most cases are 'just passing through' - it's not a good career move to spend too long in such an organisation. Unlike the N.S.W. Privacy Committee, which has attracted and sought out people concerned about the issue, virtually no ex-employees of the Privacy Commissioner have ever been visible in privacy debates. Loyalty to the Commissioner, and particularly to the privacy interest, has to be in considerable doubt.

The cynical member of the public, and the student of political science, perceives these factors to be part of a pattern of 'capture' of the watchdog by the thieves.


The Power Gap in the Fight Against Major Agencies and Monolithic Government

Contemporary government administration is powerful, and protects its power with great assiduousness. Major agencies have enormous ability to withstand attacks by their own Ministers and by Cabinet, let alone by mere watchdog agencies and public interest groups. When it suits them to do so, agencies form alliances, and assert that all government agencies are as-one, greatly enhancing their ability to hold off initiatives they deem undesirable.

Privacy interests have great difficulty combatting the power of government agencies. It would be difficult enough if the energies of privacy interest groups and statutory watchdogs were combined; but, as outlined above, the Commonwealth body in particular regards itself as an administrator of an Act of Parliament, and keeps privacy interest groups at arms-length.

The Privacy Act was passed in the aftermath of the demise of the Australia Card, but not due to any high regard by the then Government for privacy. (The maxim was, and presumably remains: "Privacy is a bourgeois right", unquote Neal Blewett, Minister for the Australia Card).

The Commonwealth privacy-protective regime was merely the price of gaining passage for enhancements to the Tax File Number (TFN) scheme. During the following few years, the TFN's usage was dramatically extended, in direct contravention of the then Government's undertakings.

Subsequently, there was a (failed) attempt to implement a highly privacy-intrusive scheme called the 'Law Enforcement Access Network' (LEAN). The failure was in no sense a response to privacy concerns, however; but rather a result of Commonwealth-State jealousies and distrust.

Further evidence of the lack of penetration of privacy as a strategic variable in government executive thinking was provided by a 1994-95 Report on a federal government review of I.T. in the Commonwealth public service, called 'Clients First'. This demonstrated abysmal ignorance of privacy issues. It also embodied presumptions that the Privacy Commissioner was a servant of the public sector, and that the privacy regulatory regime was to be adapted to suit the self-perceived needs of government executives.

Symptomatic of the difficulties confronting the Privacy Commissioner is the history of one of the key challenges facing him when he was appointed, which was to get data matching under control. Soon after his appointment, he likened data-matching to 'drift-net fishing'. But the rhetoric could not be matched by action, and he largely failed in that mission:

Executives of government agencies are professionals, and around for the long term. After the first flush of energy of a new Government subsides, Cabinet Ministers are 'easy meat' for their nominal servants. Privacy protection is against the interest of government executives, and their resistance is effective because Privacy Commissioners and even Cabinet Ministers have quite limited real powers.


Non-Adaptiveness to Technological Change

* Developments of the 1970s and 1980s

The previous section noted that data matching continues out of control. The significance of this is that a relatively simple but highly privacy-invasive technology of the mid-1970s is still not subject to effective controls. What chance is there then, that complex technologies will be understood, let along mastered.

Since the model on which the existing privacy legislation is based was drafted in the 1970s, dramatic developments have occurred in I.T. Examples of developments with significant privacy implications include:

The Privacy Commissioner has undertaken some research in these areas, and has published a couple of useful reports. But no substantive steps whatsoever have been taken to address the issues.

* The Information Society of January 1990 and Beyond

One particular, and particularly important development in I.T. has been the emergence of the Information Infrastructure, primarily evidenced by the Internet, but to a limited extent also by the roll-out of Cable TV.

Successive Commonwealth Governments have entirely failed to understand the opportunities and threats the Information Infrastructure presents, other than as a means of maximising the sale-value of the national telecommunications carrier.

Moreover, attempts are being made to carry draconian and highly privacy-intrusive data collection powers that exist within the voice communications arena across into the new forms of electronic communications.

In addition to this serious concern, other challenges present themselves, including:

The existing privacy-protective regime is entirely incapable of coping with and responding to these challenges, and legal and administrative staff are not going to be able to help understand them, let alone achieve a reasonable balance between the privacy interest and other, more powerfully represented interests.


From Anonymity to Identification

I.T.'s capacity is tempting organisations to convert many hitherto anonymous transactions into identified ones. The web of old, new, and near-future data trails is intensifying around us.

In general, consumer transactions and government programs should permit anonymity, except where clear justification for some degree of identification is demonstrated. Schemes involving direct identification should require very careful justification, which should be published in order to enable public scrutiny.

Moreover, it is commonly assumed that the choice lies between identification and anonymity. This is simply not the case, because indirect identification, or pseudonymity, is available as means of achieving trade-off among the various interests. Maximum use should be made of I.T.'s capacity to support pseudonymous transactions and trails.

Nothing in the Australian privacy-protection regime provides any resistance against the tendencies toward increased data-intensity, and away from anonymous towards identified schemes; and there is little evidence of pressure by privacy watchdogs towards pseduonymous schemes.


Rights in Relation to Personal Data

In most jurisdictions, property and other rights in data are entirely unclear. This is not some new challenge: the difficulty has been evident for at least a quarter-century. But it is the subject of renewed interest as a result of the explosion in Internet services.

An effective privacy-protective regime needs to address the question in some constructive manner. There are several approaches that could be adopted.

* Ownership of Personal Data

Australian privacy laws are silent regarding the ownership of data. The data ownership is separate from (or, reflecting the recent judgement about medical records, perhaps one needs to say 'separable from') the question of ownership of the medium on which data is stored, e.g. it is undisputed that doctors own their medical records, but it is contentious as to whether anyone owns the data stored in them, and if so, who; and it is uncontestable that the data subject has a very substantial interest in the data, which must be formally recognised.

The German Supreme Court has read a right of 'informational self-determination' into the Constitution. Two leading New York sociologists of the information age (Alan Westin and Ken Laudon) have argued for property in personal data as a means of addressing privacy problems.

Establishing ownership rights in data, and vesting them in the person to whom it relates, would address the privacy concern. Some qualifying rights would be needed, however, to ensure practicality, e.g. an implied licence for record-keepers to retain personal data on records, and to use it in ways that are consistent with privacy laws.

Less ambitious measures are also available, including the creation of more restricted rights, such as those discussed below.

* Right to Use Personal Data

Whether or not personal data is owned by anyone, the use of personal data might be precluded in the absence of a right to do so. Such a right could arise under law, or under consent (express or implied). This approach is similar to the notion of an 'opt-in' arrangement.

Such a placement of the onus of proof on the user would require a workably long grace period within which all organisations could assess whether they have such a right, and, if not, seek it, or adapt their practices.

* Right to Rent Out or Charge for Use

Whether or not personal data is owned by anyone, the use of personal data might be subject to payment by the user to the data subject. This is the key element of the Westin-Laudon argument for ownership rights in personal data, because it enables the use of data to be determined in a marketplace, through contractual arrangements in respect of each relationship between a person and an organisation. Organisations would only be likely to enter into negotiations for such a contractual right where they foresaw financial or other advantages to themselves in doing so; and this would represent a considerable protection for information privacy.

There are precedents for such approaches in the form of U.S. supermarkets that offer a discount in return for access to personal data; and the 'Fly-Buys' scheme in Australia, which is widely recognised by consumers as involving a sacrifice of privacy in return for the possibility of a reward.

Such a right would be likely to be circumscribed by express legal authority for specific organisations to use specific personal data.

* Right to Preclude Use

Alternatively, all uses of personal data might be regarded as being legal simply because they are not illegal; but each person would have the opportunity to deny organisations the right to use their data. Such a right would be likely to be circumscribed by express legal authority for specific organisations to use specific personal data.

This is similar to the notion of an 'opt-out' arrangement. As a general solution to personal privacy invasions, it is likely to be inadequate; it may, on the other hand, be of value in specific circumstances.


Linkage to More General Human Rights

An effective information privacy protection regime would explicitly link privacy with the promotion of such key freedoms as thought, expression and association, and additional freedoms necessary in the information society, such as freedom from surveillance.

In Australia this link is tenuous, although some benefits may arise from the Privacy Commissioner's association with the Human Rights & Equal Opportunities Commission.


Conclusions

Those who demonstrate complacency about the privacy-protective regime operating in Australia are out of touch with reality. Complacency includes earnest discussions about microscopically unimportant details while massive flaws and gashes remain in the protective framework.

This paper has identified a range of serious concerns, some of which are addressable within the context of existing legislation and model framworks, and others of which are much more fundamental.


Bibliography of Major Electronic Resources

A comprehensive set of electronic sources is maintained by the author. As at 14 February 1997, this included the following:


References

Here is a comprehensive listing of relevant papers by this author.

The following papers are directly relevant to the argument pursued in this paper:

Dataveillance Theory

Dataveillance in Australia


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 13 February 1997

Last Amended: 25 February 1997


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916