Privacy Act revisions: Little bark, no bite

Australia’s revised privacy laws offer precious little protection given that they are essentially designed to fight yesterday’s battles.

The new privacy laws are here but they don’t exactly exude a sense of security, and despite the best intentions of the Privacy Commissioner, the new guidelines are essentially designed to fight yesterday’s battles.

When enacted in 1988, the original Privacy Act was a progressive law in an era when consumers were becoming concerned about the information held in corporate databases.

A quarter of a century later that concern almost seems quaint. Big data, the internet and social media have changed privacy issues in ways unimagined by 1980s marketers or the parliaments of the time.

With its 13 Australian Privacy Principles (APPs), the new rules are impressive -- consumers now have the right to address inaccuracies in their records and businesses are obliged to inform customers on how they collect, use and store data.

In reality, however, the 2014 amendments add more red tape for business while doing little to address genuine concerns in a world where data can be cross-matched from multiple sources and processed anywhere on the planet.

The problem for the Privacy Commissioner and those who drafted the Act is that it is based upon old terms of reference, says Peter Timmins, a lawyer who runs the Open and Shut blog that discusses privacy and freedom of information issues.

“The Australian Law Reform report the legislation is based upon was published in 2008,” Timmins points out. “The terms of reference were drafted by the Howard government in 2006.”

In Timmins’ view, the length of time it has taken the Federal Government to address the issues has left Australia’s privacy law struggling to catch up -- a problem compounded by uncoordinated state laws, with Western Australia having no privacy legislation at all.

The leaky boat of corporate data

The fact that the corporate world has a problem with protecting customers’ data is beyond debate. Yesterday, Telstra was found to have breached the previous National Privacy Principles in its handling of more than 15,000 customer records.

Globally, the corporate privacy track record is far worse, with companies around the world failing dismally to protect customer data.

In 2011, Sony disgraced itself with a series of data breaches that exposed payment details of over 100 million customers -- a debacle that cost the company an estimated $200 million to clean up.

Last year, US department store chain Target had its payments network hijacked by a criminal gang that skimmed up to 110 million credit card details, a scandal that’s only just starting to work its way through the courts.

Perhaps the most concerning of all is the Experian data breach where identity thieves were able to access millions of US credit reporting records, uncovering a gold mine of intimate data.

Twenty-four-year-old Vietnam resident Hieu Minh Ngo, who pled guilty to fraud charges in a US court last week, posed as a Singaporean private detective to set up an account with an American data broker which later became a subsidiary of Experian.

Through his account, Ngo had access to the personal details of 200 million Americans, including their Social Security numbers and key financial information. Online security writer Brian Krebs reports that at least 3.1 million queries were made through Ngo’s service.

Global weaknesses

UK-based Experian’s problems illustrate the key weakness in the modern Privacy Act. As one of the world’s biggest information brokers, it runs operations out of server farms and call centres across the globe and is one of dozens of companies that Australian corporations engage for services like credit checking, direct marketing and loyalty schemes. Most companies’ data are scattered around the world in dozens of locations.

The Privacy Act now requires companies to tell customers where their data is saved, which is how Coles found itself in the news last weekend when its revised privacy statement detailed the countries where data may be stored.

“The third parties to whom we disclose personal information may be located in Australia and other countries including Argentina, China, Canada, Hungary, India, Israel, Ireland, Italy, Japan, Hong Kong, Mexico, Netherlands, New Zealand, Pakistan, Philippines, Poland, Singapore, Spain, South Africa, South Korea, UAE, United Kingdom and United States of America.” Coles’ statement read.

Business Spectator asked Coles if Experian was one of its service providers but the company did not respond in time.

Fuzzy data

In complying with the provision of the Privacy Act, Coles’ policy is impeccable and it illustrates the problem with the new regulations appearing to deliver a lot but achieving little.

“We handle your personal information in connection with providing, administering, improving and personalising our products and services. This can include processing payments, delivering orders, managing promotions, providing refunds and discounts, verifying your identity, communicating with you (including direct marketing), conducting product and market research, maintaining and updating our records, dealing with enquiries from you, and working with our service providers and other Wesfarmers group companies.”

Coles’ statement tells you everything and yet leaves you no better informed than when you began; it’s a classic case of a company ticking the regulatory boxes.

This is not to criticise Coles -- the company has gone to lengths to assure the media and its customers that it complies with the APPs and keeps data well protected, and Business Spectator does not suggest the supermarket chain is doing anything but protecting client information to the highest standards.

However, vague definitions plague the new APPs; the amendments are dotted with terms like "reasonable" and "may", which leave the Act open to interpretation and in turn create uncertainty for businesses and consumers alike.

A good example of the uncertainty lies in the definition of the small businesses that are exempt from the APPs. The general rule is that a business turning over less than $3m is not subject to the rules unless it falls into certain categories. One of these is being "related to a larger business".

The Office of the Australian Information Commissioner was asked what exactly being related to a larger business means, but again was unable to answer prior to this story being published. The agency's explanatory notes indicate that the definition may lie in the Corporations Act, but again this is not clear.

Lack of disclosure

Possibly the greatest failing in the revised privacy guidelines is the absence of any mechanism that warns individuals if their information has been compromised. The lack of mandatory disclosure means that should a breach like Sony's or Experian's happen, customers may never be told that their personal details have been handed to identity thieves.

Again, the Act prescribes everything but ultimately leaves the consumer in the dark.

That deficiency is further compounded by the weakness of the prescribed penalties. Only civil remedies are available, and the fines, which can total up to $1.7m, are impressive on paper but in practice do little to punish companies that don't comply.

In Telstra's case, the company was fined $10,000 by the Australian Communications and Media Authority for its breach. For a company that booked $4bn in profit last year, this will no doubt mean the group general manager's chocolate biscuit budget will take a hit this quarter.

Facing the future

In many respects the Privacy Act and its explanatory notes are curiously naive documents that fail to recognise the massive technological change that’s happening in the way data is collected, and the sheer volume of information pouring into businesses.

A good example of this is where the OAIC attempts to define personal data in respect to vehicle licence plates:

“Most entities and individuals would encounter difficulty in using a licence plate number to identify the registrant of a car, as they would not have access to the car registration database. By contrast, an agency or individual with access to that database may be able to identify the registrant. Accordingly, the licence plate number may be ‘personal information’ held by that agency or individual, but may not be personal information if held by another entity.”

This overlooks the fact that most organisations are more interested in the driver and passengers of a car than in who owns the vehicle. The 2011 leak of number plate information at Westfield Bondi is a good example of how retailers are using number plate recognition and of the risks involved.

With the Internet of Machines now being touted as the next frontier for marketers and business intelligence, number plates are joined by iBeacons, smartphones, wearable technology and home automation equipment as data sources that can be cross-matched.

In this respect, the Federal Parliament has failed miserably in its objective to modernise the Privacy Act. Instead, consumers have only half the protections they require, while businesses are lumbered with complex rules that only add cost and uncertainty.

At a time when governments chant the mantra of cutting red tape and regulations, it’s a shame more thought isn’t being given to the effectiveness of new laws in fields where technology is rapidly changing.