Privacy catching up to the information age

When the Coalition was elected on March 2, 1996, few would have anticipated the intensity of the information revolution that lay ahead for the Howard government in its 11½ years at the helm.

Many considered themselves “computer literate” by then, but in reality this meant little more than the ability to tap out a letter on a word processor - at that stage it could even have been the archaic WordPerfect, long since consigned to the programming archives.

In March 1996, only the lucky few had access to the Internet at home. Google was in its infancy as a research project at Stanford University, the launch of Hotmail was months away and online banking would not be introduced by the Commonwealth Bank for another year. The likes of YouTube and Facebook were almost a decade away.

The primary instrument that protects the privacy of users in an on-line environment is the Privacy Act. It was enacted by the Hawke Labor government in 1988, the product of a seven-year research effort by the Australian Law Reform Commission (ALRC) which gave effect to Australia’s obligations to implement the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data.

Since our formation in 1977, the Australian Democrats have led the way on developing privacy law. It was through the use of our balance of power that we managed to defeat the Australia Card, paving the way for the formation of the Privacy Act. Our other major achievements include introducing a Private Senator’s Bill to extend the coverage of the Privacy Act to the private sector; long campaigning for the removal of several exemptions from privacy laws; and initiating the wide ranging Senate Legal and Constitutional Committee Inquiry into the effectiveness of privacy laws.

At the same time as working to enhance privacy laws, the Democrats have also embraced new technologies. Eleven years ago, when I entered the Senate, there were no parliamentary email addresses and no access to the Internet for MPs and their offices. I was one of the first politicians to have an email address and website (well before the advent of parliamentary email addresses) and I tabled the first online petition in 1997.

Despite the best efforts of the Democrats, the Privacy Act has failed dismally to keep pace with the rapid advances in the fields which the Act regulates. It has also had to cope with events like September 11 that spurred a whole new set of reasons to invade personal privacy. Following the tragic events on that day, the Howard government passed 40 pieces of security related legislation.

Many laws removed independent judicial scrutiny of applications to conduct surveillance and intelligence gathering operations, in favour of self-authorising mechanisms with little oversight. In Parliament’s last two sitting periods alone, laws were passed that allow AFP officers to secretly enter and search people’s homes and computers, without having to inform the person for months or even years after the search is completed. Other laws granted AFP and ASIO officers access to “prospective data” from mobile phones without any judicial oversight or the requirement of a warrant, with the potential to allow any mobile to be used as a de facto tracking device.

In September, the government introduced and passed legislation in one sitting day that gave retrospective sanction to the use of the Australian Crime Commission’s coercive powers - which allow the abrogation of the right to silence (by definition, an invasion of personal privacy) - when the Courts had called the admissibility of evidence obtained under those powers into question.

In combination, the information revolution, a heightened security environment, and the failure of the government to ensure that privacy laws keep pace mean that personal privacy is more under threat than ever before.

In December 2007, Justice Michael Kirby of the High Court and Federal Privacy Commissioner, Karen Curtis, called for an urgent overhaul of laws governing the Internet, warning that the present legislative and regulatory frameworks are inadequate to cope with issues such as identity fraud and safeguards for personal information.

Few would be better qualified to comment on the adequacy of our privacy laws: Justice Kirby helped to engineer the OECD guidelines which formed the basis of the Privacy Act in the 1980s. His appointment to the High Court preceded the Howard government’s election by just months (perhaps much to Mr Howard’s regret) and as such his term has coincided with the information revolution that left the government in its wake.

The change in government may have sparked optimism among privacy advocates of a new era of privacy law reform. Indeed, such optimism might not be misplaced: in a potential sign of Kevin Rudd’s interest in the laws that govern privacy, data protection and the use of government and personal information, the Government in its first week in office excised the Office of the Privacy Commissioner from the Attorney-General’s portfolio and placed it in the “safe hands” of Senator John Faulkner, Rudd’s man in charge of his own Department of Prime Minister and Cabinet.

The Rudd Government also plans to establish an Information Commissioner, with statutory powers to oversee both the Privacy Act and the Freedom of Information Act. The Information Commissioner will be independent from government, providing a welcome degree of impartiality for FOI matters in particular.

However, Labor’s track record on privacy suggests that we should approach its term in government with a good deal of vigilance and scepticism.

Each of the anti-terror laws mentioned above were passed with the support of the ALP based on a tactic of small target politics, and commonsense amendments put forward by the minor parties in the Senate were rejected. Calls for the Government to demonstrate the gap in existing laws were denounced as “soft on terror”.

Meanwhile, newly anointed Finance Minister, Lindsay Tanner, confirmed within a week of the election that the Access Card will be scrapped, based on projected costs savings of more than $1 billion. The project stood to create the largest mass centralisation of personal data in Australia’s history. While its dumping is warmly welcomed, the cost justification that belies the Labor Government’s decision reflects a reluctance to commit to its abolition on principled grounds. Indeed, it was the ALP that attempted to introduce the Australia Card in the 1980s and one wonders whether a cheaper alternative will not rear itself at some stage during the Government’s term.

The Privacy Act is presently the subject of an ALRC inquiry which is due to report in March 2008. The Act as it stands contains confusing differences between State and Commonwealth laws, making compliance a nightmare, while different rules apply to government and business. Moreover, exemptions for political parties, the media and small businesses mean that the Privacy Act is more like a block of Swiss cheese than a bulwark against undue incursions into personal privacy.

To cap it off, under-funding of the Privacy Commissioner and a lack of penalties or remedies for privacy breaches result in little incentive for people to take any notice of the existing law.

Any meaningful reform of privacy laws, therefore, will be contingent upon Labor mustering the political will to implement the ALRC’s recommendations. Already, the ALRC’s preliminary suggestions for privacy law reform have been met with a degree of hostility in many quarters - most notably the media, which of course has the most to lose from a tightening of laws that regulate access to sensitive personal information. It follows that Kevin Rudd will have a tough time maintaining a balance between the media’s self-interest in FOI reform and the necessary reforms to privacy law that must occur if the legislature is to catch up with the information age.

The Democrats have long campaigned for Privacy Act reform. As after July we have no Democrat Senators, I am concerned that there will be no independent voice to carry the privacy mantle.

I initiated a Senate inquiry into the Privacy Act in 2004 which lead to the ALRC’s present review. We also opposed the exemptions for small businesses and political parties when they were introduced to the Act. It is hard to see any of the major parties committing to the removal of this exemption, which allows them to maintain their valuable voter databases and run targeted election campaigns.

In August, I introduced a Private Senator’s Bill to deal with another gaping hole in the Privacy Act ­ data security breach notification. The Bill would amend the Act to place an onus on Government organisations and businesses to notify an individual when there has been a confirmed or reasonably suspected breach of data security involving that person's personal information. The Bill was not supported by Labor or the Coalition.

It may be early days for the Rudd Government, but it should learn from the mistakes of its predecessor and take an early and authoritative approach to privacy law reform. If it does not, Kevin 07 may just become more than an on-line annoyance and represent another missed opportunity for our policy makers to step into the on-line era.