
Allens Arthur Robinson

Archive 2001

Privacy Commissioner releases Public Key Infrastructure Guidelines

24 December 2001 

The Privacy Commissioner recently released Public Key Infrastructure Guidelines to help government agencies to assess privacy issues concerning Public Key Infrastructures (PKI).

A PKI is a tool intended to provide secure communication channels and greater certainty about the identity of the parties to an online transaction. The example of the benefits of PKI given in the guidelines is an individual who, out of privacy concerns about dealing with an agency by telephone, communicates by email or through the web instead; a PKI is what allows that channel to be authenticated and protected. 

The guidelines recognise that there are privacy risks associated with PKIs, for example from the way agencies use PKI and the personal information collected and handled using PKI. The Privacy Commissioner considers that the guidelines will assist agencies in addressing these issues. 

NHMRC s95A Guidelines approved

21 December 2001 

The Privacy Commissioner has approved new Guidelines issued by the National Health and Medical Research Council (NHMRC) under Section 95A of the Privacy Act 1988. The Guidelines provide a framework to ensure privacy protection of health information. They cover information that is collected, used or disclosed:

  • for research relevant to public health or public safety; 
  • for the compilation or analysis of statistics relevant to public health or public safety; or 
  • in the conduct of health service management activities. 

The Guidelines will help members of ethics committees and researchers to better understand and fulfil their obligations under the new privacy laws.

Privacy Commissioner issues determinations

21 December 2001 

The Privacy Commissioner has issued two Temporary Public Interest Determinations, one of which allows family histories to be gathered by health providers in some situations. 

According to the Privacy Commissioner, the importance of taking a medical history justifies taking details about third parties without their consent in order to provide medical care. For more, see:

Temporary Public Interest Determination No. 2001-1
Determination under section 80B(3) giving general effect to Temporary Public Interest Determination No. 2001-1

The second determination concerns the Australian Government Service number, used for managing government employee superannuation funds. For more, see:

Temporary Public Interest Determination No. 2001-2
Determination under section 80B(3) giving general effect to Temporary Public Interest Determination No. 2001-2

The Privacy Commissioner can issue these determinations under the Privacy Act if satisfied that the public interest in allowing an agency or organisation to do an act outweighs the public interest in adhering to an NPP or Code. The agency or organisation is then deemed not to have breached the NPP or Code.

New laws to create culture that respects privacy

20 December 2001

The Federal Attorney-General, Daryl Williams QC, has released his views on the new privacy laws and how they will impact on organisations bound by the regime. "The new laws lay a solid foundation for comprehensive privacy protection in Australia," he said. "They are also a key part of the regulatory framework for the growth of electronic commerce".

The co-regulatory approach of the new laws, which allows organisations to create their own privacy codes based on the National Privacy Principles, is another feature he sees as important. "This approach is designed to ensure that Australians can have confidence that their personal information will be handled appropriately by private sector organisations while not forcing unnecessary costs on business".

Mr Williams predicts the role of the Privacy Commissioner, Mr Malcolm Crompton, will be to work with - not against - business and other organisations "to ensure realistic and mutually agreeable outcomes".

The laws - which come into effect tomorrow - will bring private sector organisations into line with the public sector, which has been bound by the Information Privacy Principles since 1989.

New online privacy resource

18 December 2001

The Center for Democracy & Technology has launched ConsumerPrivacyGuide.org with a number of consumer groups. The new online resource provides consumers with privacy information, tips and advice on controlling the collection and use of their personal information.

Law Reform Commission recommends regulation of surveillance

6 December 2001

The NSW Law Reform Commission has made wide-ranging recommendations affecting workplace surveillance in its report tabled before Parliament. The Interim Report on Surveillance recommends broad-based regulation of surveillance, citing personal privacy as the paramount concern. Surveillance should, it says, be subject to clear rules and only occur when justified for the greater public benefit.

The Report recommends the introduction of a Surveillance Act to replace the Listening Devices Act 1984 (NSW) and the Workplace Video Surveillance Act 1998 (NSW). The new Act would regulate covert surveillance, including the monitoring of emails, web usage and tracking via biometric devices. For any covert surveillance, the Act would require the approval of an independent body such as the Industrial Relations Commission.

Regulating employee surveillance would put obligations on employers, who may otherwise be exempt under the employee records exemption in the new federal privacy laws.

Indiana telemarketers face fines

6 December 2001

From 1 January 2002, telemarketers calling Indiana residents face fines of up to US$25,000 for calling numbers registered on the state's telephone privacy list.

Under a law passed earlier this year by the Indiana General Assembly, residents can register their home number with the state Attorney General's office. Once registered, the number is off limits to telemarketers.

Charitable organisations, newspapers, insurance agents and realtors are exempt from the law and may continue to contact residents.

For further information, see the Attorney General's site.

Website privacy policies too complicated

3 December 2001

According to a survey of consumers' views on internet privacy policies, few people thoroughly review the privacy policies of the sites they visit. Only 3% of more than 2000 adults said they did so; the rest cited a lack of time or interest and the difficulty of understanding the policies.

The survey, conducted by Harris Interactive, was sponsored by the Privacy Leadership Initiative (PLI), a trade group of high-powered companies including IBM, Dell Computers and DoubleClick. Other results pointed to a need for more succinct and straightforward policies, and for more consistency in the issues that policies address across all types of site.

For more information, see the PLI press release.

California sells citizens' birth details

29 November 2001 

Records of more than 24 million Californian citizens have been sold to an online genealogy website by the State of California.

While live, the database gave users access to people's names, dates of birth, country of origin and mothers' maiden names. Concerns were raised about its use for identity theft, heightened after September 11 by the fact that fake driving licences had been used to book flights. Date of birth and mother's maiden name are standard identity-verification questions, so the data could be used to gain access to bank accounts and financial records.

In response to wide-sweeping criticism of the sale, the genealogy site Rootsweb.com has removed the information. Their website states:

The databases containing California and Texas birth records previously hosted at Rootsweb.com have been removed. In addition to our goal to provide outstanding genealogical resources to our users, Rootsweb.com is also committed to protecting the privacy of our customers.

ADMA releases privacy guidelines

28 November 2001

The ADMA (Australian Direct Marketing Association) has released to industry its draft Guidelines for Use of Data in Direct Marketing. The Guidelines are designed to cover the full life cycle of customer data from the time it is first captured until it is eventually destroyed.

ADMA's CEO, Mr Rob Edwards, believes that the new privacy regime will force organisations to overhaul their databases, leading to fewer customer complaints. He also indicated that issues such as security, accuracy, quality and integrity will be paramount in any database review.

The ADMA is seeking comment on the guidelines from business, consumer representatives and government before finalising them in February 2002.

Privacy conference

28 November 2001

The Department of Human Services hosted the national Privacy - Make it your Business conference in Melbourne on 27 and 28 November. Papers included insights from the Privacy Commissioner and information about new Victorian legislation covering health information.

At the conference the Federal Privacy Commissioner, Malcolm Crompton, outlined the history of privacy regulation in Australia and his view of its future.

Although aimed primarily at the Healthcare industry, the speech was wide-ranging and covered topics including:

  • the effects of the events of September 11; 
  • the differences between state and federal privacy regimes and why the federal regime will take precedence over any act or practice also regulated by a state act; 
  • the integration of privacy into the proposed national electronic health records system, HealthConnect; and 
  • how those in the private health sector can expect the new Act to impact upon them. 

The Commissioner strongly encouraged use of the Commission's extensive Internet resources and membership of the collaborative Privacy Network Connections.

Meanwhile, Victorian Health Minister John Thwaites spoke about the Health Records Act set to commence on 1 July 2002 at the latest. Mr Thwaites described how the HR Act will dovetail with the incoming privacy regime to regulate people's health information. 

The HR Act gives Victorians a right of access to their health information - even if it's held by a private sector organisation which is exempt from the federal privacy regime. The Victorian Parliament has also proposed Regulations to control fees charged by organisations for access to information. For more, see the overview of the HR Act on the Department of Human Services website.

Search engine advances pose privacy concerns 

27 November 2001

Organisations including Internet Security Systems and SearchEngineWatch.com have raised privacy concerns about the ability of web search engines to index pages that were never intended for public access. Such pages may contain confidential details, including credit card details and passwords.

Google's new file-type search indexes document formats that it previously ignored, so files published in those formats are now as findable as ordinary web pages.

Google has added a Google Information for Webmasters page to its site. It explains how to have pages removed from Google's index (so they no longer appear in search results) and answers questions such as why Google may have downloaded content from a "secret site". The onus is on web administrators to secure sensitive pages: a page that can be fetched without authentication is public whether or not a search engine lists it, and removal from the index does not change that.
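The point in the last paragraph can be checked mechanically. The following is an added example, not code from the original page or from Google: it reads a site's robots.txt with Python's standard urllib.robotparser, evaluates each served path as a crawler honouring that file would, and separates document files a search engine can index, paths kept out of the index only by a Disallow line while remaining fetchable without a login, and the paths that robots.txt itself advertises to anyone who reads it. The robots.txt text, the served paths and the site inventory are constructed for the demonstration.

```python
"""Audit which served files a search engine may index.

Added example, not code from the original page or from Google.  The
robots.txt text and the served-path inventory below are constructed for
the demonstration.
"""
from urllib.robotparser import RobotFileParser

# Document formats that search engines began indexing around 2001 and that
# routinely hold data never meant for the public.
DOCUMENT_TYPES = (".pdf", ".doc", ".xls", ".ppt", ".csv")

# Constructed robots.txt for the hypothetical site being audited.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/   # "hidden" customer exports
Disallow: /admin
Allow: /public/
"""

# Constructed inventory: served path -> whether the server demands a login.
SERVED = {
    "/index.html": False,
    "/public/annual-report.pdf": False,
    "/reports/board-minutes.doc": False,   # no robots rule and no login
    "/private/customers.xls": False,       # kept out of the index by robots.txt only
    "/admin/users.csv": True,              # behind authentication
}


def disallowed_prefixes(robots_txt):
    """Prefixes named in Disallow lines: visible to anyone who fetches robots.txt."""
    prefixes = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, as a crawler does
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:                              # an empty Disallow means "allow all"
                prefixes.append(path)
    return prefixes


def audit(robots_txt, served, crawler="Googlebot"):
    """Classify unauthenticated paths by how a crawler honouring robots.txt treats them."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    report = {
        "indexable_documents": [],   # documents a crawler may fetch and index
        "robots_only": [],           # fetchable without login, excluded only by Disallow
        "advertised_by_robots": disallowed_prefixes(robots_txt),
    }
    for path, requires_auth in sorted(served.items()):
        if requires_auth:
            continue  # an anonymous crawler gets a 401/403; nothing reaches the index
        if not rp.can_fetch(crawler, path):
            report["robots_only"].append(path)
        elif path.lower().endswith(DOCUMENT_TYPES):
            report["indexable_documents"].append(path)
    return report


if __name__ == "__main__":
    for key, paths in audit(ROBOTS_TXT, SERVED).items():
        print(f"{key}: {paths}")
```

On the constructed input, audit(ROBOTS_TXT, SERVED) reports two indexable documents and one path that is protected only by robots.txt. The real control is the requires_auth column: a Disallow line is a request to well-behaved crawlers, and the removal tools mentioned above change only what a search engine lists, not what anyone can fetch directly.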

Victorian Paper questions online dissemination of criminal records 

21 November 2001 

The Victorian Government has released an Issues Paper as part of a federal working group created to address the control of criminal records. 

The Paper focuses on privacy concerns surrounding online publication of criminal records on the Crimenet website. The site allows paying subscribers to access the criminal history of convicted individuals. 

It considers the implications of the incoming privacy regime, and how publication of criminal records may well attract the attention of the Privacy Commissioner.

Criminal records are sensitive information under the amendments to the Privacy Act. The paper states that the "(Privacy) Act is likely to apply to some activities of organisations which disseminate criminal history information". Organisations seeking to use the small business exemption to avoid complying with the Privacy Act will be caught where disclosure of an individual's criminal history is made "for a benefit, service or advantage". According to the Paper, "(a)ny database operator who charges for access to criminal history information would not come within this exception".

The paper is available for public comment and submission until 7 December 2001.

Regulation of SMS spam - will it work?

20 November 2001

The Australian Communications Industry Forum has released a draft code regulating the use of SMS for advertising, marketing and commercial use. The ACIF - Australia's self-regulatory body for telecommunication carriers and service providers - hopes that regulating carriers and service providers with whom message originators have a commercial arrangement will minimise spam. Direct marketing is addressed in the new privacy legislation.

The code was developed by a working committee made up of representatives from the telecommunications and marketing industries, as well as government regulatory agencies and consumer groups. It covers three main areas:

  • marketing messages sent by carriers and carriage service providers; 
  • the relationship between carriers or providers and commercial message originators; and 
  • acceptable practices such as health, safety or law enforcement SMS messages. 

The Consumers' Telecommunications Network has criticised the code, claiming that it will only solve half the problem as it does not apply to message originators who are not aligned with a telco. The other perceived weakness of the Code is its use of a customer opt-out, rather than opt-in, regime.

US health privacy rule doesn't apply to most health websites

19 November 2001

Key findings from a US internet project by charitable group Pew have revealed the disparity between online and offline regulation of sensitive/health information.

The US federal health privacy regulation (the HIPAA Privacy Rule) only covers entities regulated by the US Department of Health and Human Services: health care providers, health plans and health care clearinghouses. Many websites that collect sensitive information while offering health advice are not covered entities. Consumers should therefore examine the privacy policy of every health site they use, as they will have no remedy under the regulation if their information is misused.

The project comments:

"(c)onsumers may engage in online health activities with an expectation that the personal information they provide to specific health Web sites is protected when, in fact, there are no privacy protections afforded by the federal regulation. The burden will be on consumers and Web site operators to determine which Web sites must comply with the regulation".

High Court rules on corporate privacy

15 November 2001

The Australian High Court has refused to recognise the concept of corporate privacy in a recent decision on the ABC's proposed screening of footage showing the commercial slaughter of possums.

The court adopted the USA position as the model upon which Australian debate should continue. Under this model, actions may generally only be brought by individuals: "with the exception of appropriation of one's name or likeness, an action for invasion of privacy can be maintained only by a living individual whose privacy is invaded". 

The court was not prepared to extend the concept of invasion of privacy to a corporation, which it saw as an artificial, as opposed to natural, person, incapable of suffering emotional or personal distress.

Genetic information Issues Paper released

14 November 2001 

The Australian Law Reform Commission and Australian Health Ethics Committee have released an Issues Paper on the protection of genetic information. The privacy of genetic information is just one of the issues being considered by a joint ALRC and AHEC inquiry.

The inquiry will be consulting the public on the issues surrounding protection of genetic information and is calling for submissions on the Issues Paper by 14 January 2002.

EU approves amendments to electronic privacy bill

13 November 2001 

The European Parliament voted on 13 November 2001 to adopt amendments to a draft EU directive on privacy in the electronic communications sector.

One of the main amendments will require websites to obtain users' consent if they use 'cookies' to track their movements whilst online. The legislation is designed to safeguard privacy rights by cutting down the use of 'cookies'.

The amendment has received criticism from industry operators - for more, see our earlier news story.

The Parliament also passed resolutions allowing anti-terrorist investigators to eavesdrop on private data on the Internet and endorsed an increase in cooperation in hunting down terrorists.

The amendments will be considered in the EU's Council of Ministers before being sent back to Parliament for another reading. If the directive is passed, it must be ratified and adopted in each EU country before it comes into effect.

Internet Explorer privacy risk

13 November 2001

A Microsoft security bulletin confirms a flaw in Internet Explorer 5.5 and 6.0 that allows a malicious website to read cookies stored by the browser and potentially alter them. Because sites keep session identifiers, preferences and other personal details in cookies, both users' privacy and the integrity of that data are at risk. A patch for the flaw is available from the Microsoft site.

Microsoft Passport & Windows XP - the privacy hazards of convenience

2 November 2001

Privacy concerns over the capacity of Microsoft Passport and Windows XP to store, profile and monitor users' personal information have been raised by Australian and US privacy groups. Both Electronic Frontiers Australia and the Electronic Privacy Information Center (EPIC) reject Microsoft's claim that the benefits of these products outweigh the privacy risks.

EPIC has asked the US House of Representatives Subcommittee on Commerce, Trade and Consumer Protection to question the FTC about its efforts to protect consumers. 

Privacy high on agenda in New Zealand

2 November 2001

A recent poll conducted throughout New Zealand ranks individual privacy as an issue of concern. The poll indicated that:

  • 91% of respondents would be concerned if their personal information was used by a business for a purpose different to that for which it was supplied; and 
  • 89% expressed concern about their personal information falling into the hands of a third party without their knowledge. 

High percentages also had concerns about businesses obtaining excess personal information and the recording of personal information, without consent, via the Internet.

A world without cookies?

2 November 2001

Cookies are small pieces of data that a web server asks the browser to store and send back with later requests to the same site. They are used to keep users logged in, remember preferences and customise advertising. The catch is that cookies usually operate without the user's knowledge: a site, or an advertiser whose content it embeds, can use them to track and store a user's surfing habits without the user's consent.

The proposed amendments will require users to opt-in and consent to use of their information every time they visit a website. This could mean that users will pay to access Internet sites. It will also have a significant effect on the online advertising industry as cookies are seen by online advertisers as an integral part of the Internet's everyday use. Danny Meadows-Klue of the UK Interactive Advertising Bureau has launched the Save Our Cookies campaign on the basis that cookies are an essential aid to help the consumer get the best out of the internet with the minimum time and effort.

Gateway joins the Safe Harbor agreement

29 October 2001

Gateway has joined the EU-US Safe Harbor agreement, which has now been signed by a total of 124 US organisations. Other major computer manufacturers who have joined the agreement include Intel and Hewlett-Packard.

Until now Gateway had kept and managed all of its personal information on EU citizens within Europe, in compliance with the EU Data Protection Directive. It is now transferring all of this data to the US and ceasing its international operations. It has joined the Safe Harbor to avoid breaching the directive, suggesting that there is no other practical way to do so.

The US Department of Commerce has established an export portal for the Safe Harbor agreement, including a list of companies that adhere to it.

For more on the compliance requirements of the Australian privacy regime, and what your business can do to meet them, see our compliance page.

US FTC seeks to amend kids' online privacy rule

26 October 2001

The US Federal Trade Commission is seeking public comment on its proposal to postpone scheduled changes to parental consent requirements over the collection of personal information from children.

The Children's Online Privacy Protection Rule came into effect on 21 April 2000. Among other things, it requires websites and online services directed at children under 13 to obtain verifiable parental consent prior to collecting, using or disclosing personal information from children.

The Rule includes a sliding scale approach to obtaining verifiable parental consent. If a website operator is collecting personal information purely for its own internal use, verifiable consent may be obtained through an email message from the parent. The sliding scale is due to expire on 21 April 2002, after which time website operators are supposed to obtain verifiable parental consent using more reliable methods, such as:

  • faxing or mailing a print-and-send form; 
  • requiring a parent to use a credit card in connection with consent; 
  • having a parent call a toll-free telephone number; and 
  • using e-mail accompanied by a PIN or password. 

At the time the Rule was made the FTC assumed that such methods would be widely available and affordable by April 2002. It now believes that this is not the case, and wants to extend the sliding scale approach until 21 April 2004. The FTC is seeking comment until 30 November on the cost and availability of secure electronic mechanisms and infomediary services for verification, as well as the impact of extending the sliding scale.

UK privacy law comes into effect

24 October 2001 

The second stage of the UK Data Protection Act 1998 has come into force, applying privacy regulation to private organisations that process personal data. Key changes include:

  • expanded rights of access for data subjects to information about them, including to hard copy data; 
  • new rights for data subjects to prevent processing: 
      • likely to cause damage or distress; and 
      • for the purpose of direct marketing; 
  • the removal of all exemptions for small to medium enterprises; 
  • all organisations must appoint a Data Protection Officer; 
  • all subcontracted personal data processing must be regulated by a written contract imposing specific security obligations; and 
  • transferring personal data outside the EU is prohibited unless there is adequate protection for that data. 

The UK Information Commissioner has issued guidance to help data controllers stay within the law. This information will be developed over time.

For more on sending personal data overseas under the new Australian privacy regime, see our international data flows page or our recent publication Focus: Privacy.

EU tries to reach compromise on spam ban

22 October 2001

New amendments have been tabled in the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, in an attempt to find an acceptable compromise on spam.

In September 2001, the European Parliament approved an amendment (prohibiting spam sent without the prior permission of subscribers) to a proposed EU directive on privacy of electronic communications. However, the Parliament sent the proposed directive back to the committee stage because of concern over the total number of amendments. The Committee has now suggested two further amendments on spam:

  • introducing an opt-in approach; and 
  • allowing member states to choose between legislating opt-in and opt-out models. 

Among other suggested amendments are:

  • classing SMS as a form of unsolicited marketing; and 
  • requiring people sending unsolicited email to include a working email address. Electronic communications services providers would have to enable their subscribers to view the sender and subject line of emails and delete them without having to download the email's content or attachments. 

If adopted by the Committee, the new amendments will be considered by the European Parliament.

Privacy Commissioner outlines status of state privacy laws

19 October 2001

The Federal Privacy Commissioner has released a new publication, Privacy in Australia. This document outlines the role of his Office and current developments on other key privacy issues in Australia, including:

  • information technology, e-commerce and electronic service delivery; and 
  • the current state of development of privacy regulations in each of the Australian states. 

Japan regulates ISPs to protect privacy

19 October 2001

The Japanese government has proposed a bill that would make ISPs responsible for protecting privacy online. ISPs would have to investigate any complaint received about an online privacy violation and notify the person or group that posted the allegedly offensive information, giving them a week to justify it. If no satisfactory justification is provided, or if the ISP is otherwise convinced that the complaint is genuine, it would have to correct or remove the information.

Private organisations would be designated by the Ministry of Public Management, Home Affairs, Posts and Telecommunications to act as ISP watchdogs.

The Cabinet is expected to approve the bill on October 30 before introducing it to parliament.

Focus: Privacy

12 October 2001

Changes to Australian privacy laws will affect the way Australians do business. These laws will have a significant impact on Australian businesses which send personal information offshore. Partner Katherine Sainty and Senior Associate Brigid Keary look at how these changes may impact on your business and some of the practical steps you can take to minimise that impact.

Privacy Regulations prescribe standards for codes covering complaints handling

12 October 2001 

The Privacy Commissioner has the power to approve privacy codes under the Privacy Act. A complaints handling procedure in a code can only be approved if the Commissioner is satisfied that the procedures meet prescribed standards in the new Privacy (Private Sector) Regulations 2001.

The regulations are designed to uphold a number of principles for complaint handling procedures, including:

  • access for all individuals about whom a participating organisation holds personal information; 
  • independence - participating organisations in a particular code should have no influence over the determination of complaints under that code; 
  • fairness and the appearance of fairness, including procedural fairness; 
  • accountability to the public, including reports of determinations and information about complaints; 
  • efficiency and timeliness; and 
  • effectiveness, including regular review by an independent person. 

US House Committee outlines plans for privacy legislation

12 October 2001

Leaders of the US House of Representatives Energy and Commerce Committee have broadly outlined plans for federal privacy legislation. The Bill, which is based on the principles of industry self-regulation, aims to pre-empt state privacy laws and consumer lawsuits. 

Companies would be required to disclose the scope of personal information they collect from individuals and the purposes for which it is used. Consumers would also be able to limit or prevent the sale or disclosure of their personal information to "non-affiliated third parties". 

Areas already covered by federal privacy laws, such as the Gramm-Leach-Bliley financial services legislation, would not be regulated by the Bill. The Bill would supersede conflicting or inconsistent state law requirements.

The Bill should be introduced to the House of Representatives by late 2001 or early 2002.

Canadian Privacy Commissioner rules on prescription patterns of doctors 

5 October 2001 

Widespread public interest prompted the Privacy Commissioner of Canada to publish his finding in a complaint case lodged by a doctor alleging a violation of the privacy of his prescription patterns. The doctor complained that IMS Health Canada was selling information about his prescription habits without his consent. 

In the finding, the Privacy Commissioner considers the question of whether prescription information is not only personal information about the patient but also personal information about the prescribing physician under the Canadian Personal Information Protection and Electronic Documents Act. 

The Commissioner held that if prescription patterns of a physician were deemed to be information "about" the physician, then the same determination would have to be made about identifiable patterns within the work products of a wide variety of other occupations. Therefore, information about an individual is to be distinguished from information about the tangible result of his or her work activity. Prescription information, whether in the form of an individual prescription or patterns discerned from a number of prescriptions, was held not to be personal information about the physician. For more information about the privacy of health information under the new Australian privacy regime, see our health page. 

AOL plans to use cookies to track advertising

5 October 2001 

In a recent revision to the privacy policy posted on its website, America Online has warned its subscribers that it will now place cookies on their computers. Cookies are small text files stored on a user's computer that can hold information such as passwords, preferences or web surfing habits. The company says it will use cookies and web bugs (invisible tracking images embedded in pages) only to keep track of which advertisements its members have seen and who has responded to them, and that cookies will not be used to track individual users. For more on privacy policies under the new Australian privacy regime, see our compliance page.
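To make concrete the mechanism behind both this item and the "A world without cookies?" item above, the following is an added example, not code from the original page or from AOL. It models a browser's cookie jar and an ad server that serves a web bug; the hostnames, cookie values and page views are constructed for the demonstration. It shows how the browser's domain scoping keeps each site's own session cookie private to that site, while the single cookie set by the ad server accompanies every web bug request, whichever site embedded the image, so the ad server can correlate one user's ad views across sites by that identifier.

```python
"""Browser cookie scoping and cross-site tracking via a web bug.

Added example, not from the original page or from AOL.  Hostnames,
cookie values and page views below are constructed for the demonstration.
"""
from collections import defaultdict
from http.cookies import SimpleCookie


class CookieJar:
    """Minimal browser-side cookie store with host-only and Domain scoping."""

    def __init__(self):
        self._store = {}  # (domain, name) -> (value, host_only)

    def store(self, set_cookie_header, response_host):
        """Record a Set-Cookie header received from response_host."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            host_only = domain == ""
            if host_only:
                domain = response_host           # no Domain attribute: this host only
            elif response_host != domain and not response_host.endswith("." + domain):
                continue                         # a server may not set cookies for others
            self._store[(domain, name)] = (morsel.value, host_only)

    def cookie_header(self, request_host):
        """Return the Cookie header the browser would attach for request_host."""
        pairs = []
        for (domain, name), (value, host_only) in self._store.items():
            if host_only:
                matches = request_host == domain
            else:
                matches = request_host == domain or request_host.endswith("." + domain)
            if matches:
                pairs.append(f"{name}={value}")
        return "; ".join(pairs)


class AdServer:
    """The tracker: assigns an id on first contact and logs impressions per id."""

    def __init__(self, host):
        self.host = host
        self._next_id = 1
        self.impressions = defaultdict(list)  # uid -> [(embedding_site, ad)]

    def serve_pixel(self, cookie_header, embedding_site, ad):
        """Handle a request for the 1x1 image; return a Set-Cookie header or None."""
        cookies = SimpleCookie()
        if cookie_header:
            cookies.load(cookie_header)
        set_cookie = None
        if "uid" in cookies:
            uid = cookies["uid"].value
        else:
            uid = f"u{self._next_id}"
            self._next_id += 1
            # Domain attribute: the cookie returns to every host under the parent domain.
            parent = self.host.split(".", 1)[1]
            set_cookie = f"uid={uid}; Domain={parent}; Path=/; Max-Age=31536000"
        self.impressions[uid].append((embedding_site, ad))
        return set_cookie


def run_demo():
    """Constructed browsing session: three page views on two unrelated sites."""
    tracker = AdServer("ads.tracker.example")
    jar = CookieJar()
    visits = [("news.example", "car-ad"), ("shop.example", "car-ad"), ("news.example", "loan-ad")]
    sessions = {"news.example": "n-abc", "shop.example": "s-xyz"}
    for site, ad in visits:
        # The first-party site sets its own host-only session cookie.
        jar.store(f"session={sessions[site]}; Path=/", site)
        # The page embeds the tracker's pixel; the browser attaches only tracker-scoped cookies.
        set_cookie = tracker.serve_pixel(jar.cookie_header(tracker.host), site, ad)
        if set_cookie:
            jar.store(set_cookie, tracker.host)
    return dict(tracker.impressions), jar


if __name__ == "__main__":
    impressions, jar = run_demo()
    print("tracker log:", impressions)
    print("sent to tracker:", jar.cookie_header("ads.tracker.example"))
    print("sent to news.example:", jar.cookie_header("news.example"))
```

The tracker never receives either site's session cookie, which is exactly the isolation cookies were designed for; but because the same tracker host is embedded in both sites, its one uid cookie ties together every page the user viewed on either of them. A claim that cookies are used "only" to count ad impressions therefore rests on what the tracker does with that log, not on any technical limit.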

US FTC abandons plans for privacy legislation

4 October 2001 

In a speech at the Privacy 2001 conference in Cleveland, Timothy Muris, Chairman of the Federal Trade Commission, is expected to announce that the FTC will not seek any new laws to enhance online consumer privacy. Instead, the FTC will concentrate its efforts on enforcing existing laws, including the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, the Gramm-Leach-Bliley Act and the Telemarketing Sales Rule. This is a reversal of the policy pursued in the US under the Clinton presidency, when new consumer privacy laws were seen as vital to protect personal data on the Internet. Since his appointment to the FTC chairmanship in June, Mr Muris's views on privacy have been a topic of intense speculation.

Mr Muris is expected to announce that the FTC will increase the staff working on privacy issues by 50%. Spam, identity theft and pretexting will all be extensively targeted.

Health privacy guidelines released

3 October 2001

The Privacy Commissioner has released the final version of the Guidelines on Privacy in the Private Health Sector. The Guidelines are intended to assist health service providers to meet their obligations under the Privacy Act.

EU Distance Selling Directive to ban spam for financial services

27 September 2001

The EU has agreed to pass laws to ban e-mail spam and inertia marketing which promotes financial services.

International business asks EU to approve its standard clauses for dataflow contracts

24 September 2001 

Seven business associations, including the International Chamber of Commerce, have asked the European Commission to approve model contract clauses they have developed for transborder dataflows out of the EU. The associations suggest that their model clauses remedy defects in the Commission's own standard clauses, approved on 1 July 2001 (for more, see our earlier news piece). They claim that their clauses are more flexible and reflect business reality better than the Commission's clauses.

The Commission has said that approval of its own standard clauses does not affect its ability to authorise other standard contract clauses for transborder dataflow. Christopher Kuner, a representative of the International Chamber of Commerce, said: "We appreciate all the work the Commission has done, but their clauses impose responsibilities on data importers and exporters which exceed the 'adequate level of data protection' required in the EU Data Protection Directive for international data transfers."

Privacy Commissioner rewrites information sheets

20 September 2001

In light of the release of the final NPP guidelines on 17 September, the Office of the Privacy Commissioner has rewritten and reissued its information sheets on Australia's new privacy law. Topics include 

WIPO meets to consider privacy, e-commerce impact on intellectual property

19 September 2001 

The World Intellectual Property Organisation (WIPO) is meeting in Geneva from 19-21 September to consider the impact of e-commerce, including privacy, on intellectual property. This is the second such conference WIPO has held - the first was in September 1999. The conference includes sessions on identity and identifiers, as well as privacy. Ms Helen Daniels, Assistant Secretary of the Information Law Branch of the Commonwealth Attorney-General's Department, will address the privacy session.

Privacy Commissioner releases NPP guidelines

17 September 2001 

The Privacy Commissioner has released the NPP Guidelines. The guidelines give organisations guidance on how the NPPs will be interpreted. For more about the NPPs and privacy codes, see our NPPs page.

EU amends draft contract clauses following public comment

10 September 2001 

The European Commission has released public comments on its draft contract clauses for protecting personal data sent outside the EU. The clauses cover contracts between data controllers and data processors, including outsourcing agreements.

The Commission said that the comments were helpful and that the business community had generally welcomed the clauses. It noted industry's concern that there was a risk the clauses would not be used if they were:

  • too detailed or difficult to implement in practice; 
  • insufficiently flexible for the purposes of e-business; or 
  • imposed unnecessary burdens on the parties. 

In light of the comments, the Commission has released a revised draft of the clauses. The most important amendments concern the scope of a data importer's liability and the requirements for security measures. 

The Commission hopes to be in a position to approve the draft clauses before the end of 2001.

British industry tries to simplify European data protection contracts

7 September 2001

The Confederation of British Industry is working to produce a simplified version of the EU's standard contract clauses for transborder dataflow. 

The Confederation hopes that its version of the clauses will be simpler to use and to understand than those released by the European Commission on 1 July 2001 (for more, see our earlier news piece). Its members found those clauses vague and difficult to follow, and feared that non-EU companies would have even more trouble using them. The Confederation's final draft clauses will be submitted to the Commission by the end of September. 

Plan to ban spam back on track in EU

7 September 2001

Companies are likely to be banned from sending unsolicited emails to consumers after the European Parliament voted against a proposal to allow spam - so long as customers could opt out. 

The Parliament instead approved an amendment to the proposed European Parliament and Council directive on the processing of personal data and the protection of privacy in the electronic communications sector. This prohibits spam without the prior permission of subscribers, creating an opt-in system. 

However, European MEPs have sent the proposed directive back to the committee stage, concerned about the total number of amendments. A final decision is not expected until towards the end of 2001.

Privacy munched by monster.com

6 September 2001 

Monster.com's privacy practices and business methods should be investigated by the US Federal Trade Commission, according to a new report from the Privacy Foundation. Monster.com is the largest job-search site on the Internet. The report suggests that, although Monster's practices are not illegal, it has:

  • discussed selling resume data to marketers; 
  • saved resumes sent by job seekers to its site, even when the job seeker has deleted them; 
  • received resumes sent by job seekers to corporate web sites without disclosing this to the job seekers themselves; 
  • supplied its marketing partners with information from job-search activities, including unique identifiers; and 
  • asked university students to provide age and gender information when applying for jobs without the benefit of a specific privacy policy. 

The Privacy Foundation says some of these practices should be investigated by the FTC as part of its ongoing antitrust investigation into Monster's place in the online job-search industry.

Privacy Commissioner releases revised guidelines

6 September 2001 

The Privacy Commissioner has released a revised version of the Code Development Guidelines. For more about developing privacy codes, and having them approved, see our privacy codes page.

Technology offers better privacy protection than law - study

5 September 2001

The debate about the best way to protect privacy continues in the US. A recent study by the Pacific Research Institute claims that technology will protect privacy better than laws because it is proactive, not reactive. The study advocates a self-help approach to privacy, suggesting that anonymising technologies and industry standards schemes are better at protecting privacy than laws. Government regulation is presented as "useless at best, harmful at worst".

The Federal Trade Commission is expected to release its views on the privacy regulation debate in the next month.

Privacy Commissioner reveals business objections to draft NPP guidelines

31 August 2001

In a speech to the Connections 2001 Conference in Melbourne, the Privacy Commissioner discussed submissions received on the draft NPP Guidelines. The Commissioner indicated that the most controversial elements of the Guidelines are:

  • the length of the guidelines - to be reduced in the final version; 
  • a perception that the guidelines take an approach which makes business the enemy (for more on this and the Attorney-General's reaction, see the Lexis Legal story); 
  • the narrow description of primary purpose of information collection; 
  • ambiguities about consent and how to get it; and 
  • the limits imposed on the unrelated use of personal information for direct marketing without consent. 

The final version of the NPP guidelines will be circulated by the Privacy Commissioner in late October 2001. For more information on the NPPs and how to comply, see our NPPs and Privacy Codes page.

US banks fail to provide online privacy choices: study

29 August 2001 

The Centre for Democracy and Technology has analysed online banking practices of 100 US banks and found that only 22% provide customers with a convenient online means of preventing information sharing with other companies.

The study revealed that several mortgage companies offering online services did not give their customers any notice of their privacy practices. The Centre has asked the FTC to take action against these companies, which are violating the Gramm-Leach-Bliley financial services law that came into effect on 1 July 2001.

For more information on how Australia's financial institutions will be affected by our new privacy law, see our credit providers page.

Privacy Commissioner issues new determination on credit providers

24 August 2001

The Privacy Commissioner has issued a determination on classes of credit providers under the Privacy Act. The following classes of corporations are deemed to be credit providers for the purposes of the Act:

  • corporations providing loans in respect of the provision of goods or services on terms allowing the deferral of payment, in full or in part, for at least seven days; and 
  • corporations engaged in hiring, leasing or renting goods where a deposit worth less than the value of the goods is paid for the return of the goods, and the relevant arrangement lasts at least seven days. 

The determination affects businesses which are not already credit providers under other provisions of the Act. It is effectively a continuation of a previous determination issued in 1996, and expires on 26 February 2002. The Privacy Commissioner is currently reviewing the determination in consultation with relevant credit providers and consumer groups.

For more information about how credit providers will be affected by the new privacy regime, see our credit providers page.

UK Institute of Management warns members on employee monitoring

24 August 2001

The UK Institute of Management has warned its members that monitoring staff e-mail and phone calls may be an invasion of privacy under the UK Human Rights Act 1998, which came into force late last year. In new guidelines, the Institute suggests that unauthorised monitoring of employee telephone calls and e-mails on company premises is covered by the Act, "even when the employer suspects that a member of staff is using its resources in a personal capacity".

The Institute says that a manager may be able to argue that interception is reasonable if it can be shown that employees had been told that:

  • such behaviour was a disciplinary offence; and 
  • checks would be made where appropriate to detect breaches of company regulations. 

It has encouraged UK managers to consider company policies on these practices and clearly communicate them to staff.

For more information on the treatment of workplace email monitoring under the new Australian privacy law, see our employment page.

Government websites still not up to scratch on privacy

20 August 2001 

A recent audit of Commonwealth government web sites shows that nearly a third of them still fail to meet the basic requirement of displaying a privacy statement.

Under the Information Privacy Principle guidelines, government websites must have a privacy statement and warnings about the risks associated with using the Internet. But fewer than a quarter of government websites which collect personal information had an adequate privacy statement, while under half warn users of the risks of sending information over the Internet. 

The Federal Privacy Commissioner has written to all agency heads urging them to ensure that their web sites comply with the Information Privacy Principle guidelines. He cautioned that "for government agencies, anything less than 100% compliance is not acceptable".

For more information about current privacy regulation of federal government agencies, and contracting with such agencies under the new privacy regime, see our government work page.

Privacy Commissioner reveals concerns about consent, public databases

16 August 2001

Malcolm Crompton, the Privacy Commissioner, has highlighted the need to continuously rethink privacy solutions in the light of new technology. In a speech to the Attorney-General's Department's conference Privacy and Security in the Information Age in Melbourne last week he raised concerns about two issues:

  • the meaning of consent; and
  • privacy protection for public registers. 

Consent: He revealed that the business community had reacted strongly to the requirement in the draft NPP guidelines that for consent to be valid it must be informed, specific and voluntary. Business submitted that the test was too strict and placed an onerous compliance burden on organisations. The Commissioner suggested that it may be preferable to abandon the notion of consent in some circumstances instead of stretching it so far that it is almost unrecognisable. However, he indicated that - in return - there should be additional safeguards protecting the information from unrelated uses or disclosures.

Public registers: The Commissioner explained that personal information on registers such as the electoral roll is inadequately protected and frequently used for other purposes. His Office has recommended that a public inquiry be held to review and update the privacy protection of information held in public registers.

New complaints to FTC about Windows XP privacy violations

16 August 2001

Fourteen US consumer organisations have strengthened their complaint to the Federal Trade Commission against Microsoft. The complaint, first made in July, is about Microsoft's forthcoming Windows XP operating system and Passport authentication service. The consumer groups hope the FTC will decide that Microsoft is collecting personal information in an unfair and deceptive manner.

After the initial complaint was filed, Microsoft reduced the amount of information collected by Passport. The groups allege that this is insufficient and claim Passport has no mechanism for deleting personal information once it has been provided. They have asked the FTC to take numerous steps against Microsoft, including:

  • investigating Passport's information collection practices; and
  • ordering changes to Windows XP registration procedures so they require less personal information. 

In reply, Microsoft has suggested that the complainants misunderstand the products and technologies challenged, and that many of the points made are overly vague. The US Senate Judiciary committee has scheduled a hearing on Microsoft XP in September.

IIA launches online privacy code

16 August 2001 

The Internet Industry Association has launched a draft privacy code for the Internet industry. The new voluntary code aims to bridge the discrepancies between Australian and EU privacy requirements and give children better protection. It goes beyond the legal requirements of Australia's new privacy regime in three areas:

  • children - extra protection for personal information from or about children;
  • direct marketing - the code favours permission-based models; and 
  • EU - it places additional limits on the use, collection and disclosure of information from known residents of the EU. 

Only IIA members may subscribe to the code; those who do so will be able to display a seal on their sites. The draft code is open for comment until 5 October 2001. It will then be submitted to the Privacy Commissioner for review and - if it meets the new regime's standards - approval. For more on codes and how they're approved, see our privacy codes page.

Web bug explosion 

14 August 2001 

Use of 'web bugs' has exploded on personal web pages, according to a new US study conducted by Cyveillance. Web bugs gather information about visitors to a website, and are often invisible because they're clear or too small to see. They're often added as part of the frames, advertising tools and utilities offered by online companies to help individuals create free home pages. They can't be detected without studying the source code of a web page or employing specially designed software.

A web page is nearly five times more likely to contain a web bug today than in 1998. Although they are often used to gather innocuous statistics, web bugs can also collect information such as the user's IP address and preferences recorded by cookies. When used by a network of sites linked to a third party - such as an advertising agency - web bugs become a powerful tool for in-depth personal and transactional profiling.

The study also found that some corporate privacy policies do not disclose the use of web bugs, or disclose their use without explaining that the information they collect may be shared with third parties.

For more on the rules for collecting personal information under the new Australian privacy regime, see our NPPs page.
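The study above notes that web bugs can only be found by reading a page's source or using purpose-built software. As an added illustration (not part of the original news item, and not the Cyveillance study's tool), the following Python script applies two of the heuristics the article implies: an image that is one pixel or smaller, or hidden by its style, and an image served from a host other than the page's own. The sample page and the host names in it are constructed for the example.

```python
"""Flag likely web bugs (invisible tracking images) in an HTML page.

Added example: the heuristics here are an assumption about what a
web bug looks like, not a description of any particular product.
  * an <img> whose width and height are both <= 1 pixel, or styled hidden
  * an <img> served from a host other than the page's own host
Invisible third-party images are reported as likely web bugs; invisible
first-party images are reported at lower confidence.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

_SIZE_RE = re.compile(r"(\d+)")
_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '200' into an int, or None."""
    if value is None:
        return None
    m = _SIZE_RE.search(value)
    return int(m.group(1)) if m else None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, page_host):
    """Return a list of (src, reason) for images that look like web bugs."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        # A relative URL has no host, so it is served by the page's own host.
        host = urlparse(src).hostname or page_host
        third_party = host.lower() != page_host.lower()
        w, h = _px(img.get("width")), _px(img.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = bool(_HIDDEN_RE.search(img.get("style", "")))
        if (tiny or hidden) and third_party:
            findings.append((src, "invisible third-party image"))
        elif tiny or hidden:
            findings.append((src, "invisible first-party image (low confidence)"))
    return findings


# Constructed sample of a personal home page; hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>My home page</h1>
<img src="/photos/me.jpg" width="200" height="150" alt="me">
<img src="http://ads.example-tracker.test/pixel.gif?uid=12345" width="1" height="1">
<img src="http://stats.example-tracker.test/b.gif" style="display:none">
<img src="/spacer.gif" width="1" height="1">
<img src="http://cdn.example-host.test/logo.png" width="100" height="40">
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_web_bugs(SAMPLE_HTML, "www.example-host.test"):
        print(f"{reason}: {src}")
```

Run against the sample page, the script reports the two invisible images served from the tracker host and, at lower confidence, the first-party spacer image; the visible photo and logo are not flagged. A real audit would also need to follow scripts and stylesheets that insert images at run time, which this source-only check does not see.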

US firms claim protection against lawsuits justifies employee monitoring

13 August 2001

A recent American Management Association survey shows that many companies monitor their employees' e-mail, Internet use and computer files primarily to avoid legal liability. This was rated as more important than either security concerns or productivity measurement. Of the companies surveyed, 73.6% actively monitor employees' communications. Most companies with active monitoring practices have formal, written policies covering e-mail, Internet and software use, but few inform staff about these policies or require their consent.

Nearly one in four companies reported performing key word or key phrase searches of e-mail and computer files. Over half reported taking disciplinary actions against staff for violating e-policies.

To find out how workplace monitoring will be regulated by the new Australian privacy regime, see our employee information page.

European Parliament considers new privacy regulation for EU institutions

9 August 2001

The European Parliament has adopted the first reading of a proposal designed to ensure that individuals have legally enforceable rights against EU institutions and bodies that process their personal data. This includes protection for employees of the EU whose data is processed for employment reasons.

The proposed Regulation on the protection of individuals with regard to the processing of personal data by the institutions and bodies of the Community and on the free movement of such data will also specify the data-processing obligations of data controllers within EU institutions. It will set out rules for collection, processing and transfer of personal information by all EU bodies and give individuals access, correction and blocking rights. A new independent authority, the European Data Protection Supervisor, will be responsible for monitoring all official processing of personal data.

The European Parliament made numerous amendments to the text initially proposed by the European Commission. The Regulation remains before the Parliament.

Exclusive - Privacy Commissioner on international data flows

9 August 2001 

The Office of the Federal Privacy Commissioner has provided Allens with some details about the approach it plans to take to international data flows from Australia under NPP 9. Under NPP 9 an organisation may transfer personal information overseas if it reasonably believes the recipient will provide privacy protection substantially similar to the NPPs, for example under laws in the recipient jurisdiction.

Until now, the Commissioner has not confirmed whether he would follow the EU model of 'adequacy findings'. This involves assessing privacy regimes to determine whether they provide appropriate protection. 

Maxine Lloynd, Assistant Director, Education and Promotion in the Commissioner's Office, told Allens that "so called 'adequacy findings' are clearly something the Commissioner may be able to do". However, she cautioned that it "should also be remembered that determining adequacy requires care".

The Commissioner's Office has recommended that until any adequacy findings are in place, "organisations that intend to export data are strongly encouraged to undertake appropriate privacy assurance procedures". The draft guidelines on the NPPs, issued in May, offer some guidance on these procedures.

For more information on how international data flows will be affected by the new privacy regime in Australia, see our International Data Flows page.

NHMRC publishes draft s 95A health privacy guidelines 

6 August 2001 

The National Health and Medical Research Council has released its draft Guidelines under s95A of the Privacy Act 1988. They cover the use and disclosure of health information for the purposes of research or statistics on public health, public safety and the management of health services.

The draft guidelines provide a framework for deciding whether the public interest in proposed research, statistical or management activities outweighs the public interest in protecting privacy. Once approved by the Privacy Commissioner, they allow an organisation to collect, use or disclose health information for research or statistics work (approved by a properly constituted Human Research Ethics Committee) without infringing the Privacy Act. 

The draft guidelines only apply when identifiable health information is to be collected, used or disclosed without obtaining the individual's informed consent. They do not replace the NPPs and should be read in conjunction with relevant industry-specific privacy codes.

The National Health and Medical Research Council is seeking submissions on the draft guidelines by 6 September 2001.

For more about how privacy regulation under the new Australian law affects health care and research, see our health section.

Privacy Commissioner releases survey results

31 July 2001 

The Federal Privacy Commissioner has released the results of three key privacy surveys. The surveys cover Australian attitudes towards privacy in the context of:

The results show that consumers trust organisations more if they are given control over how their information is used - 55% said that organisations with privacy policies would be more likely to gain their trust. More than 40% of respondents said they had refused to deal with organisations because of concerns over the use and protection of their personal information. The research also shows that Australians rank respect for personal information equal first with quality of product or service.

Knowledge of the new privacy laws in the business community appears to be patchy:

  • less than 40% of respondents were aware of who will be caught by the new laws; and 
  • only 19% of respondents had started preparing. 

The Privacy Commissioner will use the findings to develop a marketing and communication strategy for the new law.

US FTC aims privacy rules at banks

30 July 2001

The US Federal Trade Commission has issued draft privacy and security standards for customer financial information held by a broad range of financial institutions. The standards are required by the Gramm-Leach-Bliley legislation, which came into effect on 1 July 2001. Its security provisions require the FTC to establish standards for financial institutions on administrative, technical and physical safeguards for customer information.

To ensure flexibility, the draft standards provide that each information security program should be appropriate to the size and complexity of each financial institution and the scope of its activities. Each financial institution would be required - at least - to:

  • designate employees to coordinate its privacy safeguards program; 
  • assess risks in each area of its operations; 
  • design and implement an information security program to control those risks; 
  • require contractors to safeguard customer information; and
  • adapt its program if material changes to its business affect its safeguards. 

The FTC is seeking comments on the proposed rules until the end of September. 

For information on how Australia's financial institutions will be affected by our new privacy regime, see our credit providers page.

US House Committee calls for reality check on privacy proposals

26 July 2001

Billy Tauzin, the Republican chairman of the House Energy and Commerce Committee, has insisted on a pragmatic approach to designing privacy legislation. In a hearing of the Subcommittee on Commerce, Trade and Consumer Protection, Tauzin said "we cannot and will not design some elaborate new privacy regime that will take into account every possible daydream of how this information could be used".

Executives from IBM, General Motors, Procter and Gamble and Amazon pressed the Subcommittee not to create specific privacy legislation to target online commerce. They generally supported industry self-regulation, and stated that the three pillars of privacy policy discussion should be understanding consumer needs; delivering consumer benefits; and generating consumer trust.

Privacy concerns dominate submissions on national e-health record system

24 July 2001 

Doctors' and consumers' groups are urging the Australian Federal Health Minister to abandon plans to introduce the Better Medication Management System Bill into parliament next month because of privacy concerns. The Bill represents the first stage of plans to develop national e-health records.

The Better Medication Management system will make it possible to create an electronic patient medication record for each person in Australia. Records will be put together using information provided by doctors, pharmacists and patients on a voluntary basis. The system is intended to improve access to information about consumer medicines and reduce adverse outcomes and hospitalisation.

Submissions from the AMA and the Pharmacy Guild on the draft Bill have condemned it for:

  • failing to protect personal privacy; and 
  • containing complex opt-in and consent provisions. 

See our health section for more about how privacy regulation under the new Australian law affects health care providers.

Victorian Law Reform Commission identifies employee privacy as a priority

19 July 2001

The Victorian Law Reform Commission (VLRC) has held a consultation session on privacy law reform, following its release of an Information Paper designed to:

  • examine how privacy is protected under current law; and
  • recommend priority areas for reform. 

The Information Paper sought views on areas to be included in a reference from the Attorney General to the VLRC for further investigation. It identified priority areas including a perceived lack of adequate privacy protection for employees. Reforms in this area could cover issues ranging from surveillance of employee activities and communications to compulsory psychological testing. 

Other suggested areas include the protection of employee records and the privacy of an employee's physical space and personal belongings. The VLRC believes that these issues present serious privacy problems and should be dealt with at State level.

Location Privacy Bill introduced in US Senate

11 July 2001

Democrat senator John Edwards has introduced the Location Privacy Protection Bill into the US Senate. The Bill aims to protect the privacy of users of Internet-ready wireless devices that report their exact location to carriers and, potentially, to third parties. It requires companies providing wireless location-based services to notify users when collecting information about their location. The Bill also prohibits the use or sale of this information without the user's consent.

Senator Edwards said that this sort of legislation would not hamper collection of location information for public safety. The Bill has been referred to the Senate Commerce Committee for consideration.

US Senate Committee begins new push for privacy regulation

11 July 2001

The first of a series of Internet privacy hearings by the US Senate Commerce Committee has set an aggressive tone in favour of privacy legislation. In his opening statement Fritz Hollings, the Committee's new Democrat chairman, advocated legislation requiring consumers to opt-in to the use and disclosure of their personal information. He argued that recent privacy notices issued by some financial institutions are deceptive and provide "concrete evidence why opt-out doesn't work".

Testimony to the Committee illustrated sharp disagreement between industry and consumer advocacy groups over what notice, consent and access requirements should be compulsory. Representatives from Microsoft and Amazon discussed their companies' efforts to protect consumer privacy through technology and self-regulation, and concluded that there is no need for privacy legislation in the US. The Committee chairman, however, challenged his colleagues to "finish the job" of crafting federal privacy legislation this year.

European committee blocks plan to ban spam

11 July 2001

A European parliament committee has blocked plans to force e-marketers to seek consumer permission before they send out unsolicited commercial e-mails, or spam. In an amendment to a proposed EU Directive, the Citizens' Rights and Freedoms, Justice and Home Affairs Committee has deleted provisions which would outlaw spam.

The amendment to the proposed Directive (the European Parliament and Council Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector) asserts that spamming is already covered by special protection measures. These include existing directives on data protection, misleading advertising and unfair terms in consumer contracts. The Committee said the original provisions were "rigid and cost-increasing" and unlikely to be effective. The amendment is expected to pass unchallenged in September by a full meeting of the European parliament.

This approach, which leans towards an "opt-out" system for regulating spam, contrasts with that of the EU Telecommunications Council, made up of telecommunications ministers of the 15 EU member states. A majority of the Telecommunications Council supports an "opt-in" system. During a meeting on 27 June 2001, the Council agreed that more work is needed on this issue. Debate on how to deal with spam continues at the highest levels of the EU.

Financial privacy notices in US "poorly written and unreadable"

7 July 2001

An analysis of 60 privacy notices issued by banks in the US has found that consumers will have difficulty understanding them. The study, published on www.privacyrights.org, found the notices used too many complicated sentences and uncommon words.

The Gramm-Leach-Bliley legislation, which came into effect on July 1, requires banks to provide customers with "clear and conspicuous" notices. This means that the language used should be "reasonably understandable". The US regulations offer six strategies for ensuring that a privacy notice is "clear and conspicuous":

  • present information in a clear and concise way; 
  • use short explanatory sentences or bullet lists; 
  • use concrete everyday words; 
  • use the active voice; 
  • avoid multiple negatives; and 
  • avoid imprecise explanations that may be open to interpretation. 

The study, conducted by the Privacy Rights Clearinghouse, shows that banks haven't followed most of these strategies. Notices have not been designed to highlight the nature and importance of the information they contain.

It suggests banks:

  • use plain-language headings to call attention to the notice;
  • use a readable font at a reasonable size; 
  • have wide margins and generous line spacing; and 
  • use bold or italics for key words. 

Guidance on new US medical privacy protection 

6 July 2001

The US Department of Health and Human Services has issued the first in a series of guidance materials on medical privacy. It covers new federal laws protecting medical records and other personal health information, which took effect in April. It explains and clarifies key provisions of the regulations to help health care providers and health plans comply.

It summarises what an average health care provider must do under the new rules:

  • give patients information about their privacy rights and how information about them can be used; 
  • adopt clear privacy procedures; 
  • train employees to understand these procedures; 
  • choose a privacy official, responsible for seeing that the procedures are adopted and followed; and
  • secure patient records containing personally identifiable health information. 

Future changes to the rules are also foreshadowed in the guidance materials. They include giving explicit permission for pharmacists to fill phoned-in prescriptions from a patient's doctor without the patient's written consent, and enlarging the scope of parental access to information about their children's health.

See our health section for more on how the new Australian regime affects health care providers.

Intel joins the Safe Harbor agreement

2 July 2001

Intel has signed the EU-US Safe Harbor agreement, breathing new life into an agreement many US firms have been slow to embrace. It joins other technology giants Hewlett-Packard and Microsoft as signatories to the agreement.

Intel's Privacy Compliance Manager has suggested that the Safe Harbor provides an easy mechanism to ensure compliance with the EU Data Protection Directive. It also allows the company to use the agreement as a "one-stop shop" on privacy instead of dealing with the requirements of 15 individual EU member states.

The EU's moratorium on enforcement against US companies under the Safe Harbor arrangement ended on 1 July 2001. The agreement has been signed by 77 US companies so far - many signatories are small or medium-sized companies whose major business is selling privacy protection. The US Department of Commerce has established an export portal for the Safe Harbor agreement, including a list of companies that adhere to it.

For more on the compliance requirements of the Australian privacy regime, and what your business can do to meet them, see our compliance page.

European Commission adopts standard contract clauses for transborder privacy protection

1 July 2001

The European Commission has approved a set of standard contractual clauses to protect its citizens' personal data outside EU borders. These clauses will make it easier to transfer data from within the EU to non-EU countries within the requirements of the EU Data Protection Directive. 

Council of Europe approval of Cybercrime Treaty attracts privacy concerns

29 June 2001

The Council of Europe's final draft Convention on Cybercrime has been criticised for sacrificing privacy protection. The Convention sets minimum standards for national laws dealing with high-tech crime. It also tackles problems facing law enforcement agencies trying to pursue criminals across national borders. The final draft Convention must still be approved by the Council of Europe's Committee of Ministers in September.

Critics of the Convention believe it introduces new international powers at the expense of individual privacy. In response, the European Committee on Crime Problems recently included some provisions limiting surveillance to criminal investigations and added some civil liberty safeguards.

Children's privacy

21 June 2001

The Federal Attorney General has announced that a specialist consultative group will review privacy laws to assess the need for special protection of children's personal information. The group will review privacy laws, international obligations, State and Territory legislation concerning children and consider advances in technology such as the Internet.

Second set of credit advice summaries

18 June 2001

The Office of the Federal Privacy Commissioner (FPC) has prepared and released another set of credit advice summaries for comment. The first summaries were released in January 2001 and finalised in June 2001. The new summaries deal with additional issues relating to the credit provisions of the Privacy Act, including:

  • evidence for s.18E(8)(c) notices;
  • 'credit' under the Privacy Act and 'credit' under the UCCC; 
  • defaults and clearouts on assigned debts; 
  • Explanatory Note 55 to the Credit Reporting Code of Conduct; 
  • related corporations; and 
  • utilities as credit providers. 

Comments are required by 10 August 2001.

A summary and some key issues are available for comment

15 June 2001 

The Office of the Federal Privacy Commissioner (FPC) has released a summary of the draft Guidelines to the National Privacy Principles (NPPs) to help facilitate feedback on the Guidelines.

The summary is designed to assist stakeholders to focus on or identify issues which are relevant to them under the NPPs without having to review the whole Guidelines. It provides an overview of each Guideline, poses some key questions for individuals and organisations and asks for feedback on the Guidelines.

Commissioner releases consultation paper 

12 June 2001 

The federal Privacy Commissioner has released a consultation paper on privacy issues and public key infrastructure (PKI). 

Gatekeeper, the Australian federal government's PKI framework, has been developed to enhance consumer confidence in online government services. PKI uses public key cryptography to confirm the identity of users and to verify that online messages have not been altered in transit. However, it may also expose individual users to privacy risks, for example through the personal information collected when certificates are issued and the potential to link transactions made with the same certificate. 

The Privacy Commissioner will consult with key stakeholders, including Commonwealth agencies, privacy and consumer representatives and industry. Stakeholders are invited to consider the consultation paper and to make submissions by 27 July. 

The paper also suggests some guidelines for handling privacy issues in the use of PKI by Commonwealth agencies.

IIA privacy code to offer EU compliance

5 June 2001 

The Internet Industry Association (IIA) will release its industry privacy code for consultation shortly. A key feature of the draft privacy code is an EU Privacy Directive compliance module. IIA says that the EU-US impasse on trans-border data protection issues is a commercial opportunity for Australian online/e-commerce businesses to present themselves as safer to deal with than their US counterparts.

While complying with the EU compliance module will be an option in the privacy code, the IIA says that its code will impose higher privacy standards than are found in the new privacy legislation, especially on children's privacy and spam.

IIA plans to submit the privacy code to the Privacy Commissioner for approval later this year after consultation with consumers and industry.

For more on how industry privacy codes will work under the Australian privacy regime, see our approval of privacy codes page.

Amazon's Alexa gets slap on the wrist from the FTC

31 May 2001

According to the Federal Trade Commission, Amazon's Internet subsidiary, Alexa, probably made deceptive statements about its privacy practices, but will not be punished because the problem has been addressed.

Allegations were made last year that Alexa surreptitiously collected personal data on consumers through its online help system. FTC staff found that Alexa gathered personal information such as names and email addresses from web surfers without their knowledge, while claiming it did not. This practice violated US laws prohibiting unfair or deceptive trade practices. However, as Alexa has shut down part of its service and extensively modified its privacy policy, no enforcement action will be taken. Amazon's decision in April to settle civil class actions for invasion of privacy for a sum totalling US$1.9m was also relevant.

Alexa has now changed its privacy policy to make it more explicit, drafting a lengthy version which it describes as "many pages describing that what we do with this information is nothing".

Account aggregators on notice about privacy rights

31 May 2001 

A discussion paper released by ASIC examines the issues arising from account aggregation services. These services are new to Australia and involve service providers aggregating information from a range of consumer accounts, including deposit, transaction, credit, managed funds and brokerage accounts for later use or sale.

The discussion paper includes ASIC's concerns about the privacy practices of aggregators, including:

  • prominence and coverage of an aggregator's web site privacy statement; 
  • disparity in privacy standards offered by aggregators; 
  • use of opt-out web forms for unsolicited marketing when opt-in methods are preferred by the Privacy Commissioner; 
  • third party disclosures; and 
  • privacy standards to apply to aggregation services which are based overseas but handle Australians' personal information. 

Privacy statements should address what happens to personal information if the consumer chooses to discontinue the service or if the aggregator goes into liquidation. These issues are not usually addressed in current statements.

ASIC invites comment on the discussion paper by 13 July 2001.

Most US banks unprepared for privacy compliance deadline

25 May 2001

According to a US study, a majority of banks and financial services institutions are a long way from meeting the consumer privacy protection requirements which come into effect on July 1. Under the Gramm-Leach-Bliley legislation passed in 1999, banks, insurance companies and securities firms must tell their customers what sort of personal data they plan to share and with whom. Customers must be given a chance to opt-out of data sharing.

The study of over 100 banks, conducted by the Total Compliance Group, says that most banks are well advanced in sending such notices and assume they are sufficient for compliance with the law. However, other steps are also required, such as conducting stringent background checks on employees and service providers, improving computer security and carrying out network penetration risk assessments. Many banks have not yet put these in place.

Complying with the Gramm-Leach-Bliley legislation does not mean that financial services providers will meet EU standards under the Safe Harbor agreement with the US. Commentators such as the US Privacy Rights Clearinghouse in its updated financial privacy fact sheet suggest that US banks have a lot more work to do to implement proper privacy procedures.

For information on how Australian financial services businesses will be affected by our new privacy regime, see our credit providers page.

FTC finds Amazon didn't breach consumer privacy

24 May 2001

The Federal Trade Commission has rejected a petition from the Electronic Privacy Information Center and Junkbusters alleging that Amazon.com deceived its customers when it changed its privacy policy in September 2000. In its revised policy, Amazon no longer allowed customers to send an email to "never@amazon.com" to opt out of Amazon sharing their information with third parties.

Despite possible ambiguity in the revised policy, the FTC accepted Amazon's assurances that it will not disclose customer information of those who had previously selected "never". More importantly, it found that the policy change made in September was not material. Actual collection and disclosure practices did not change.

The FTC added that in the event of a material policy change, it would expect Amazon to provide adequate notice to customers as well as a mechanism to obtain customer consent to the change with respect to information already collected. This statement offers some guidance on what will be expected when other US businesses change their privacy policies.

UK Government encourages use of information padlock for privacy

22 May 2001

The UK Government is encouraging organisations collecting personal data to use an information padlock. The padlock, a graphic signpost, is aimed at improving public awareness of data protection issues.

Where it is adopted, the padlock should be used at any point where information is collected, including application forms, advertising coupons and websites, and be accompanied by an explanation of why the data is required and for what purpose it will be used. If an option box is used, the signpost should be placed next to it.

The Government hopes that the padlock will become the established symbol of organisations with an open and fair approach to data handling under the UK privacy legislation. A pamphlet explaining the use of the new symbol is available from the UK Data Protection Commissioner.

Privacy compliance could cost US companies up to $36 billion

18 May 2001

A US study has found that companies doing business online could pay up to $36 billion to update websites and practices to comply with currently proposed privacy legislation.

The study, conducted by the director of the AEI-Brookings Joint Centre for Regulatory Studies, focuses on four proposed online privacy laws: the Consumer Internet Privacy Enhancement Bill, the Consumer Online Privacy and Disclosure Bill, the Consumer Privacy Bill, and the Spyware Control and Privacy Bill. The report suggests that the market's current self-regulation schemes are sufficient and that the actual benefits of this additional online privacy legislation are unknown.

FTC Nominee refuses to commit to privacy legislation

17 May 2001

The nominated candidate to head the powerful US Federal Trade Commission has refused to declare a position on the need for privacy legislation. In his Senate confirmation hearing, Timothy Muris, a law professor who worked at the FTC during the Reagan administration, said that the idea of privacy legislation was a new one for him. He stated that he was not yet ready to say whether any type of legislation in the area would be acceptable.

Microsoft to join Safe Harbor agreement

15 May 2001 

Microsoft has announced that it will sign the EU-US Safe Harbor agreement. This move enhances prospects that more US firms will sign up to the agreement which has so far been slow to attract US companies. Despite a June 30 deadline for US companies to avoid enforcement actions in Europe under the EU Data Protection Directive, only 40 companies have signed the agreement.

Microsoft's Director of Corporate Privacy said they had spent about US $500,000 to comply with the Safe Harbor standards. Compliance processes used by Microsoft included annual surveys of consumer data handling, employee training, reviews of major systems, education on best practice and the active participation of internal audit groups and outside consultants.

For more on how to ensure your business complies with the Australian privacy regime, see our compliance page.

EU launches new guide to data protection rights

15 May 2001

The European Commission has published a new guide to inform citizens and businesses about their data privacy rights and what to do when those rights are violated. It includes useful tips on who is entitled to handle personal data and how it can be processed. The guide also explains data controllers and the rules they must follow.

See our International Data Flow page for more detail about how the EU Data Protection Directive affects Australian business.

Draft Health Privacy Guidelines released

14 May 2001

Consumer control over health information and the doctor/patient relationship will be strengthened by the draft health privacy guidelines, according to Malcolm Crompton, the Federal Privacy Commissioner. The health guidelines which were released on 14 May explain what the National Privacy Principles mean for health service providers and consumers.

The guidelines are intended to operate alongside existing professional, legal and ethical obligations of health professionals. All private sector health providers, including those who don't belong to a professional body or association, will be covered.

The Australian Medical Association (AMA) says it has some "serious concerns" about the guidelines, which it claims are not strong enough to protect privacy in the e-health age. The AMA suggests the guidelines do not deal adequately with the serious issue of electronic health records and de-identified data.

The Privacy Commissioner is calling for public submissions on the guidelines by 20 July 2001 with the actual guidelines due to be published in October.