Earlier this year, the Senate Standing Committee on Environment, Communications and the Arts (Senate Committee) released its report "The adequacy of protections for the privacy of Australians online" (the Report).1 In the Report, the Senate Committee makes a number of recommendations.
If the recommendations are adopted, there may be significant implications for all companies with an online presence. In particular, your company may need to change the way in which it collects, uses and stores any personal data which it obtains online. Furthermore, companies which do not currently have privacy obligations may be required to comply with the Privacy Act 1988.
The Senate Committee inquiry commenced in June 2010 as a result of privacy concerns arising from the rapid growth in the use of social networking platforms and from technological advancements which make it possible for companies to monitor the online behaviour of their customers for marketing purposes. The Senate Committee's terms of reference included:
(a) data collection and privacy protection on social networking sites; and
(b) the ways in which private companies and government agencies collect data.
Adequacy of Australia's Online Privacy Framework
The development of Web 2.0 technologies, which allow greater online interaction around user-generated content (for example, blogs, social networking sites and video/photo sharing websites), has made it possible to store, share and upload large quantities of personal data onto the web. In addition, it has become easier for website operators to send personal data overseas, which means that Australian regulators have less control over the manner in which personal data relating to Australians is captured, stored and handled.
Concerns about Consent
Restrictions under the Privacy Act on the way in which personal data is collected, used and disclosed do not apply if an individual consents to such use. However, when providing consent, people are often required to read lengthy and complex privacy policies and waive their rights in order to use a website. The Senate Committee recommended that:
- the complaint handling role of the Privacy Commissioner be "expanded to more effectively address complaints about the misuse of privacy consent forms in the online context"2; and
- the Privacy Commissioner's Office should examine consent in the online environment and create guidelines on how privacy consent forms for online services may be appropriately used.3
Concerns about Small Business
Most Australian businesses do not need to comply with the Privacy Act because, as small businesses, they are excluded from the definition of "organisation" under the Act. A small business is defined as one which has an annual turnover of $3,000,000 or less. The Senate Committee recommended that, while the small business exemption should be retained, it should be amended so that small businesses:
- holding substantial quantities of personal data; or
- which transfer personal data offshore,
will be required to comply with the Privacy Act.4
Concerns about Online Behavioural Advertising
The Senate Committee recommendations concerning online behavioural advertising have broad implications for online businesses. Presently, there are a variety of ways in which data may be collected about individuals when providing targeted or behavioural advertising to consumers. Activities through which individual data may be collected in this manner, and which are not currently prohibited under Australian law, include:
- a search engine's ability to track the web browsing history of its users;
- the use of a filter by web-based email service providers to search the content of users' emails to look for key words and then provide the user with advertisements based on the key words found within their email.
In addition, users of social media websites often provide a considerable amount of personal data when registering to use the websites, such as age, sex, address, interests and so forth, which may be used by social media websites or third parties to provide targeted advertising.
The Senate Committee acknowledged that the development of the above technologies led to greater concerns about the level of possible monitoring. The Senate Committee noted that the United States Federal Trade Commission recommended the development of a "do not track" tool in the United States which would allow users to opt out of web tracking by third parties, including behavioural advertising. Two separate bills addressing this issue are currently before the US Congress. The "Do Not Track Me Online Act" was introduced by Representative Jackie Speier on 2 February 2011. If this bill is adopted, the Federal Trade Commission (FTC) will promulgate regulations requiring "covered entities" to disclose to users:
- the ways in which the entity collects information about users' online activities and personal details,
- how that information is used, and
- the persons to whom that information is disclosed.
The regulations will also give users the opportunity to opt out of having their information collected or used in this manner.
The second bill, the "Do-Not-Track Online Act of 2011", was introduced by Senator Jay Rockefeller on 9 May 2011. This bill requires the FTC to establish standards for "do-not-track" mechanisms. Companies will need to provide mechanisms by which an individual user can opt out of having their personal information collected. Companies will be prohibited from collecting the personal information of individuals who have opted out via the "do-not-track" mechanisms. The second bill will apply to providers of mobile applications and services as well as providers of online services.
The Senate Committee noted that there is an industry-wide initiative to develop privacy standards in respect of advertising targeting online behaviour. In March 2011, the Australian Digital Advertising Alliance (ADAA) released the Australian Best Practice Guideline for Online Behavioural Advertising, which included a number of self-regulatory guidelines, including the following:
- explicit consent prior to using online behavioural advertising should be obtained from website users; and
- an easy to use mechanism should be provided to enable users to withdraw their consent.
Members of the ADAA include the Australian Direct Marketing Association, the Internet Industry Association, the Media Federation of Australia, the Communications Council and the Interactive Advertising Bureau.
The Senate Committee recommended that the Privacy Commissioner's office should consult with industry participants, including the advertising industry, web browser developers and internet service providers, to develop and impose a code which includes a "do not track" mechanism.5
Transnational Information Flow
The Senate Committee recommended that the Privacy Act be amended so that a company will be treated as having an Australian link (and thereby be caught by the Privacy Act) where it collects information from Australia. There will be no need for the company to be incorporated in Australia or otherwise have any other link to Australia (besides the fact that it collects information).6
In respect of cloud computing, the Senate Committee recommended that the Privacy Act be amended so that all Australian organisations transferring personal data offshore are required to be fully accountable in respect of the protection of the privacy of the personal data.7
Further, the Senate Committee recommended that the Government consider whether such provisions are enforceable and, if required, strengthen the Privacy Commissioner's powers to enforce provisions related to offshore data transfer.8
Cause of Action - Breach of Privacy
A number of organisations, including the Australian Law Reform Commission, the Law Institute of Victoria and the Victorian Privacy Commissioner, submitted that a statutory cause of action for serious invasions of privacy should be developed. The Senate Committee noted that statutory and common law causes of action for breach of privacy are found in many other jurisdictions, including the United Kingdom, the United States and New Zealand.
The Senate Committee agreed with the Australian Law Reform Commission's recommendation that a cause of action be provided by statute for serious breaches of privacy, and that this recommendation should be adopted by the Government.9
In light of the recent News of the World telephone hacking scandal in the United Kingdom, there will no doubt be increased support for this cause of action in Australia.
We will keep you informed of further developments.
The assistance of Alec Bombell, Clerk, of Addisons in the preparation of this article is noted and greatly appreciated.
1. The Senate: Environment & Communications Reference Committees, "The adequacy of protections for the privacy of Australians online", April 2011. http://www.aph.gov.au/senate/committee/ec_ctte/online_privacy/report/report.pdf. Visited on 6 June 2011.
2. Recommendation 3.30.
3. Recommendation 3.31.
4. Recommendation 3.50.
5. Recommendation 3.86.
6. Recommendation 3.96.
7. Recommendation 3.109.
8. Recommendation 3.110.
9. Recommendation 3.122.