FC: Roger Clarke and EFA: Australia must ditch 253-page "Privacy Act"

From: Declan McCullagh (declanat_private)
Date: Fri Aug 31 2001 - 18:51:06 PDT

    [Roger is a smart and thoughtful fellow who I respect greatly, but I 
    suspect that our views on privacy legislation differ substantially. 
    Reasonable people can disagree over whether the best way to protect privacy 
    is through market forces and technology (something I prefer) or nationwide 
    legislation aimed at restricting business practices. It looks like Roger 
    and EFA supported the second approach in the beginning, but then (almost 
    predictably) the legislation morphed into something they now oppose. --Declan]
    
    **********
    
    Date: Sat, 1 Sep 2001 11:31:31 +1000
    From: Roger Clarke <Roger.Clarkeat_private>
    Subject: Privacy Debacle in Australia
    Cc: Irene Graham <edat_private>
    
    To Roger's Personal List of Privacy Glitterati:
    
    Privacy legislation affecting the Australian private sector comes into 
    force on 21 Dec 2001.  As previously advised, it's the world's worst 
    privacy legislation - 253 pages of exceptions and exemptions; and I refer 
    to it as the Anti-Privacy Act.
    
    The Privacy Commissioner issued a draft set of guidelines, which contained 
    an explanation of how he intended to interpret the legislation.  They were 
    liberal interpretations, which (if they'd had the force of law) would have 
    adjusted some of the abuses in the Act back towards the standards of the 
    OECD Guidelines of 1980.
    
    The Privacy Commissioner has caved in to pressure from industry 
    associations, doubtless strongly supported by his masters in the 
    government, and the final version of the guidelines is no longer 
    privacy-supportive.
    
    Below is an open letter from Electronic Frontiers Australia, which explains 
    the latest debacle in the history of privacy in Australia.
    
    Some further source-material is after that.  Feel free to use this as a 
    basis for informing other people about the parlous state of privacy in 
    Australia.
    
    
    EFA Open Letter to the Federal Privacy Commissioner
    
    31 August 2001
    
    Mr M Crompton
    Federal Privacy Commissioner
    L8, 133 Castlereagh Street
    Sydney NSW 2000    <http://www.privacy.gov.au>
    
    Dear Mr Crompton
    
    EFA has appreciated the opportunity to participate in the NPP Guidelines
    Reference Group during the past six months. As you are aware, EFA has
    previously been generally supportive of the approach being taken by the
    OFPC in relation to the Guidelines and we have commented to that effect
    publicly, including in media interviews. However, during the past few weeks
    information emanating from the OFPC has caused us to review our position
    and we advise accordingly below.
    
    EFA hereby records our strong disapproval of the significant reversals in
    the OFPC's approach as evidenced in the revised draft Guidelines and
    Information Sheets recently distributed to members of the NPP Guidelines
    Reference Group and, apparently, unnamed others. We also disapprove of the
    minimalist and secretive "consultation" process being undertaken given the
    changes to the public consultation draft issued in May are major and there
    is no evidence that these changes are desired or supported by ordinary
    members of the public whose privacy is at risk.
    
    We have previously indicated our concern regarding the extremely short time
    (two working days) granted to prepare comments on the substantially altered
    guidelines and the difficulties of commenting while the supplementary
    information sheets were not available. Having since received the draft
    information sheets, we are appalled to learn that a number of previously
    intended sheets will not be produced. Moreover, the remainder fail to
    address matters that are at the very core of whether the "privacy"
    legislation will provide adequate, if any, protection against privacy
    abusive practices by organisations required to comply with the Act. While
    some such matters are briefly mentioned in the gutted Guidelines, the
    information is either so hazy and ambiguous that it is useless or the
    content and tone appear likely to legitimise privacy invasion to a greater
    extent than the legislation itself does.
    
    We understand that a criticism of the public consultation draft was that it
    was too lengthy and we agreed that a shorter document plus supplementary
    sheets may be more user friendly. We did not expect, however, that one means
    of reducing the size would be to simply delete guidance on some important
    matters, principally it appears where some (but not all) business lobby
    groups objected to the contents of the public consultation draft issued by
    your office.
    
    In view of the above, EFA declines to provide comments on the Information
    Sheets. In addition to the three day time frame for responses being totally
    inadequate, EFA considers that no benefit to EFA members is likely to arise
    from our continued participation in this "consultation" process. In our
    view it is clear that a decision has been taken to favour business
    interests over the privacy of ordinary citizens that the legislation is
    allegedly intended to protect. Moreover, after six months' participation in
    this process, we are sure the OFPC is already well aware of EFA's views.
    
    With regard to the short comment periods on the revised material, we
    recognise this results from the OFPC decision to issue final guidelines
    earlier than scheduled because some business interest groups said the
    scheduled date did not provide businesses with adequate time to prepare.
    While we commend efforts to provide final guidelines as soon as possible to
    organisations who genuinely desire guidance from the Commissioner, it is
    pertinent to note that some (perhaps all) of the groups critical of the
    scheduled release date are the very same ones who do not wish the
    Commissioner to provide guidance on compliance with the law at all, and/or
    who have indicated intent to comply with their organisation's
    interpretation of the legislation irrespective of any interpretation by the
    Commissioner in the guidelines. These groups are obviously well aware that
    the guidelines are just that, guidelines, not the law. Such groups have
    already had some nine months to prepare to comply with the legislation and
    the claim that they cannot do so until the final guidelines are issued is
    nonsense.
    
    We believe there are reasonable grounds for the view that the guidelines
    have been gutted at the request of some business lobby groups who seek to
    ensure that:
    - members of the public will have little guidance available to them about
    the obligations (if any) of businesses to respect their privacy and about
    the prospects of a complaint being upheld by the Commissioner, and
    - businesses will have the opportunity to claim insufficient guidance from
    the Commissioner and hence expect "kid glove" treatment in dealing with
    complaints.
    
    In acquiescing to the demands of various business lobby groups, the
    Commissioner's office is likely to fail, not only citizens, but also many
    businesses who seek clear guidance on compliance with the law so as to
    avoid the potential for complaints and/or genuinely wish to undertake best
    practice in protecting their customers' privacy.
    
    In summary, it presently appears that the Federal Privacy Commissioner's
    office has been hijacked by politically powerful big business lobby groups
    with minimal interest in their customers' right to privacy. If such a
    perception is not factual and is not to become a widely held view in the
    general community, the current draft guidelines require another major
    overhaul, this time to restore backbone and balance.
    
    Yours sincerely
    
    Irene Graham
    Executive Director
    on behalf of the EFA Board
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Irene Graham
    Executive Director - Electronic Frontiers Australia Inc. (EFA)
    EFA: <http://www.efa.org.au>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    Some background materials:
    http://www.efa.org.au/Issues/Privacy/#bill
    
    Roger's notes from January 2001:
    
    The Privacy Act 1988 (Cth) currently relates to the federal public sector 
    plus credit reporting practices.  The Privacy Amendment (Private Sector) 
    Act 2000, passed 6 December 2000, amends it to apply some new provisions to 
    the private sector.
    
    But its purpose, and its effect, are to legitimise privacy-invasive
    practices, not to protect privacy.  I outright opposed the Bill, arguing
    strongly that it would *worsen* relationships between consumers and
    business, and hence served *no-one's* interests.
    
    I've written a series of things on the Bill, of which this is the most
    recent and succinct:
    http://www.anu.edu.au/people/Roger.Clarke/DV/SenatePBSub2000.html
    and this is the most comprehensive:
    http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html
    
    The Bill was introduced by the Government (Liberal + National/Country
    parties = Tories).  It was considered by House and Senate Committees.  The
    Opposition (Labor) has never been a friend of privacy (the Australia Card
    initiative of 1985-87 was theirs).  Labor moved some weak-kneed amendments,
    some of which were eventually accepted by the Government.  The Opposition
    then supported the Bill;  consequently the cross-benches (Democrats and
    Independents) were unable to achieve any more significant amendment.
    
    If one were to assume that the statute was actually intended as an
    implementation of the OECD Guidelines, then it's the world's worst privacy
    legislation.  I believe it's far more appropriate to refer to it as the
    Anti-Privacy Act, and leave it at that.
    
    The Act as passed is at:
    http://www.austlii.edu.au/au/legis/cth/num_act/pasa2000n1552000373/index.html
    
    An unofficial consolidated version of the Privacy Act 1988, now 100 pp. 
    [error: 253 pp.!] of amazingly convoluted verbiage, is at:
    http://www2.austlii.edu.au/privacy/Privacy_Act_1988/
    
    The EU has made clear that the provisions fall far short of compliance with 
    the EU Directive:
    http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm
    
    The Attorney-General rudely rejected the EU's comments, just as he had 
    earlier rudely rejected the advice of his own so-called 'Core Consultative 
    Group'.
    
    -- 
    Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
    
    Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                     Tel: +61 2 6288 1472, and 6288 6916
    mailto:Roger.Clarkeat_private            http://www.xamax.com.au/
    
    Visiting Fellow                       Department of Computer Science
    The Australian National University     Canberra  ACT  0200 AUSTRALIA
    Information Sciences Building Room 211       Tel:  +61  2  6125 3666
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


