HomeRegulatoryRegulatory NewsOnline Privacy Inquiry

Online Privacy Inquiry

Regulatory

Online Privacy Senate Committee Report Released

12 April 2011

The Senate Committee report into the adequacies of privacy protections for Australians online was released recently.

The report deals with a number of different elements of online privacy with recommendations that will flow through into the review of the privacy act. From an online behavioural advertising perspective the committee has recommended that the Office of the Privacy Commissioner in consultation with web browser developers, ISPs and the advertising industry, should, in accordance with proposed amendments to the Privacy Act, develop and impose a code which includes a ‘Do Not Track’ model following consultation with stakeholders.

Given ADMA’s expertise in marketing privacy related issues, we will be engaging with the Privacy Commissioner to reduce to the maximum extent possible the regulatory burden that will be applied to the online advertising industry whilst not eroding basic consumer protections.

View the report

Minister Applauds OBA Best Practice Guideline

01 April 2011

The Hon Brendan O'Connor MP, Minister for Privacy and Freedom of Information was today in Sydney to address ADMA's Cloud Computing Breakfast Briefing.

Before a 100-strong crowd of senior marketers, the Minister cautioned that, from a privacy perspective, Cloud computing required a leap of faith from the customer and called on businesses to give a genuine commitment that information would remain "secure and safe from misuse". Minister O'Connor noted that the launch last week of the Australian Best Practice Guideline for Online Behavioural Advertising by the Australian Digital Advertising Alliance, of which ADMA is a founding member, was a key step in this undertaking, encouraging ongoing development and compliance with the Guideline.

Also on the morning's agenda was a discussion on some of the business opportunities inherent in Cloud technology by a panel including Microsoft's Gianpaolo Carrara, IPscape's Simon Burke and SEMA CEO Mike Adams.

Learn more about the Best Practice Guideline for Online Behavioural Advertising

Learn more about ADMA's Direct Marketing Compliance course

 

Speech by the Hon Brendan O'Connor MP, Minister for Privacy and Freedom of Information

"The increased use of cloud computing should come as no surprise to anyone.  From an economic perspective, there are clear benefits; cost being the most obvious. But cloud computing also presents an opportunity for innovation, and for new and exciting ways to do business.

For several years, individuals have taken advantage of these innovations through the likes of social networking, online storage and internet-based e-mail, image and gaming sites. And similar innovations are available to business. From the small retailer who no longer operates from a physical shopfront, through to larger businesses keeping and making customer data accessible in the cloud, the use of this technology is more widespread and, in some ways, more pervasive, than ever before.

It is that pervasiveness, especially in the context of personal privacy, that I wish to focus on today.

What Does Privacy Mean To You As An Individual?

First, we ought to consider what we mean when we talk about personal privacy or “my private life”.

We don’t have a legislated or constitutional right to privacy in this country in the sense of there being a cause of action giving rise to damages in the case of a breach. There is a Privacy Act, which includes Privacy Principles, a breach of which can be investigated by the Privacy Commissioner; but that is quite a different thing to an enforceable right to privacy. Moreover, I think it’s fair to say that many of us, through our own actions, have chipped away at a “private life” in the absolute sense. What used to be the domain of gossiping neighbours and colleagues is now potentially available to anyone with access to the internet.

Few people realise when they sign up to social media sites, that they are, in some ways, contracting out of a “private life” in the absolute sense. Date of birth, education, employment history, relationship status, sexual preference, religious persuasion, ideological or political leanings, place of birth, residence, mood and physical location at a point in time, invitations and plans, membership of groups, likes, dislikes, friends, and, a term with which I’m newly acquainted, ‘frenemies’; potentially all of this publicly available from a Facebook page, subject to the privacy settings in place. 

It might surprise some people to hear it put that way. It might prompt a person to review their privacy settings and hopefully lead to a greater awareness of the potential consequences of putting that information online. 

But other people have a different view. Some view the surrender of personal information as a consequence of participating in the online space. This is definitely a new and emerging view, especially amongst younger people, at least anecdotally, who have grown up with access to the internet for most (if not all) of their lives. And obviously our different views about privacy - our willingness to share that information, or not, as the case may be - will lead us each to different conclusions about what should constitute a breach of privacy or what amounts to the misuse of personal information.

In any event, I think we can all agree that privacy is essential to us all.  I think we can all agree that each of us should be entitled to some level of protection from invasions of privacy, however that might be defined. It is after all no accident that privacy is a fundamental human right under the International Covenant on Civil and Political Rights.

What Does Privacy Mean To A Marketer?

It hasn’t gone unnoticed to me that you are an audience of marketers, and personal information is a valuable asset to you.  It isn’t a recent development, but personal information is now a commodity, particularly in the context of targeted and behavioural advertising.

With that in mind, I hope it doesn’t offend you for me to ask: what does privacy mean to a marketer?

Hopefully your view of privacy aligns closely with those from whom you collect information, noting that the view of those people may not always be known to you. And, as I’m sure you are aware, direct marketing is covered in the National Privacy Principles for organisations in limited circumstances.

Frequently organisations collect personal information in the pursuit of general functions; delivering goods, billing, carrying out other tasks, for example. Under the National Privacy Principles as they are currently drafted, organisations may use that personal information for the secondary purpose of direct marketing if certain conditions are met. These include important safeguards, such as ensuring that individuals are aware that they may opt-out of receiving direct marketing communications if they wish. 

Privacy Reform

Notwithstanding the safeguards, direct marketing often gives rise to a kind of nervousness among the people it targets - which, it is fair to say, is most of us. Perhaps it has something to do with the Orwellian, ‘big brother’-type nature of the activity, especially when we talk about profile building, data mining and the like.

But, in my view, the nervousness isn’t without justification. There are legitimate questions about personal privacy in this space, and about access to and ownership of information. The nervousness serves to emphasise the priority that many people place on privacy.

Acknowledging that, the Government takes very seriously its role in reforming Australia’s privacy framework; and, to that end, is currently working to implement its first stage response to the Australian Law Reform Commission’s wide-ranging inquiry into privacy law and practice.   

For those unfamiliar with this process, the ALRC has made 295 recommendations for improving privacy protection in this country. The recommendations cover a range of areas, including missing persons, health records, credit reporting, telecommunications, and new and developing technologies, to give you a taste.

The Government has responded to 197 of the recommendations in a first stage response, and is currently working to implement that response in legislation. To date, we have referred draft Australian Privacy Principles and draft comprehensive credit reporting provisions to a Senate Committee for consideration and report. And soon we will finalise draft provisions relating to health records and to the powers and functions of the Privacy Commissioner, which will also be referred to a Senate Committee. 

The Government will respond to the ALRC’s remaining recommendations once the first stage response has been progressed.

Regulation of Direct Marketing

The issue of direct marketing was but one of the issues scrutinised by the ALRC.

In its report, the ALRC noted the very strong response from stakeholders and the community generally on the issue of direct marketing, and the strong views from consumer advocates that the rules in this area could be improved.

The ALRC noted that the environment for regulating direct marketing can be confusing, pointing for example to the ambiguity which can exist when it is unclear whether direct marketing was the primary or secondary purpose for the collection of certain personal information. 

The ALRC went on to recommend a new and separate privacy principle dealing specifically with direct marketing, which should apply irrespective of whether direct marketing was the primary or secondary purpose for the collection of information.

The new and specific principle should also set out the generally applicable requirements for organisations engaged in this practice, but would be displaced to the extent that more specific sectoral legislation applies, such as the Spam Act or Do Not Call Register Act.

The Government has accepted the major elements of the ALRC’s recommendations in this area, and they are now reflected in the proposed Australian Privacy Principle 7.

The new Privacy Principle proposed by the Government will place extra, but appropriate, limitations on organisations that use or disclose personal information to promote or sell goods or services directly to individuals.  Different rules will apply depending on whether the organisation undertaking direct marketing has collected the personal information directly from the individual or indirectly. Additionally, the new Privacy Principle will provide clear guidance for opt-out notifications and for identifying the source of the disclosure of an individual’s own personal information.

I am aware of your concerns that the proposed new principle may not exactly reflect the concepts that you are familiar with in pre-existing legislation [e.g. Spam Act, Do Not Call Register Act].  However, I believe we have implemented the thrust of the Government’s response to the ALRC Report, and I am confident the new system will be effective and workable. I am nevertheless open to receiving representations on these issues and would encourage you to get in touch with my office if there are ongoing concerns. 

What Are The Privacy Implications of Cloud Computing?

I could talk in some detail about the Government’s privacy reforms, but, this being a conference about cloud computing, it is appropriate that I return to that topic.

From a privacy perspective, cloud computing requires something of a leap of faith from the customer, who to some degree loses control over their information once it is placed in the cloud. It therefore makes sense from a commercial perspective for businesses to give customers a genuine commitment that their information, once placed in the cloud, will be secure and safe from misuse. 

The threat of cyber-attack and cyber-crime, for instance, is a legitimate concern. This is an area of my portfolio about which I could say a great deal more, including the significant in-roads we have made into online crime prevention and detection. But given the time constraints I will spare you on this occasion.

In any event, businesses taking advantage of cloud computing must ensure that their customers’ information is secure, and that they are compliant with the Australian privacy regime. It is easy to forget that data used for business purposes is also information that many people consider personal. Organisations that research and apply a best practice approach to protecting private information do a service to themselves and their customers.

Cross-jurisdictional Issues

Another issue relevant to cloud computing, which was covered at some length in the recent ALRC inquiry, is the treatment by Australian law of cross-jurisdictional issues; how do our laws deal with transfers of personal data across borders?

While some cloud providers are located here in Australia, many more are located overseas. That of course gives rise to difficult jurisdictional issues, particularly where the laws of two or more countries could potentially apply.  In this potentially-fraught legal environment, businesses will need to think carefully about who and where they are sending personal information, and about what privacy protections, if any, the recipients of the information have in place. 

The ALRC recommended that an entity that transfers personal information to an overseas recipient should remain accountable for that personal information. The Government has reflected this in new Australian Privacy Principle 8, which sets out the basic rule that, unless an entity can come within an exception, it remains subject to obligations to protect personal information disclosed to an overseas recipient. 

Under the new regime, before an entity can disclose personal information outside Australia, it will be required take such steps, as are reasonable in the circumstances, to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

This is an important development that will prevent organisations from trying to avoid their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards. 

These rules will provide confidence to individuals that their personal information collected in Australia will continue to be subject to acceptable privacy standards no matter where it ends up being stored.   I am sure that can only benefit the industry in the longer term as more Australians begin to feel secure about the use of cloud computing services.

Australian Best Practice Guideline for Online Behavioural Advertising

Before I wrap up, it would be remiss of me not to acknowledge the release last week of a voluntary code of conduct for businesses engaged in targeted and behavioural advertising; an Australian Best Practice Guideline for Online Behavioural Advertising.

For those unfamiliar with the Guideline, it is targeted at organisations engaged in third party online behavioural advertising (or OBA), and articulates seven self-regulatory principles designed to promote consumer awareness and choice, as well business accountability and best practice.   

I understand some of the people behind the Guideline are here today, and I applaud your initiative.

However, as is always the case with initiatives of this kind, the success or failure of the Guideline will very much depend on the conduct of those it intends to regulate. I look forward to seeing how this transpires, and encourage, in particular, the ongoing development of the Guideline in consultation with consumers.

There are literally hours of conversation to be had about privacy – particularly as more and more people put their private lives online. How the use of this information improves the lives of consumers remains to be seen. While there may be a convergence of views about this in this room, I have no doubt the view is very different out there in the community.  

If I am right about that, the hurdle created by that perception is a matter for you to combat through good business. Simply put, it is a matter of trust.

I expect this is a matter about which we will speak much more in the future. I look forward to that, and thank you for having me here to speak today."

Australian Best Practice Guideline for Online Behavioural Advertising Introduced

21 March 2011

In what is one of the most significant and broad collaborations within the marketing industry to date, the Australian Digital Advertising Alliance of which ADMA is a part, has today released the Australian Best Practice Guideline for Online Behavioural Advertising.

The Guideline has been developed by leading industry associations and industry participants to set a best practice framework for organisations engaged in Third Party Online Behavioural Advertising in recognition of the fact that Third Party Online Behavioural Advertising is a relatively new type of advertising and that some consumers are not aware that online behavioural advertising occurs.

The Guideline has been created to build community confidence and understanding in online behavioural advertising. The Guideline, in conjunction with the already existing and strong Australian privacy law, is designed to ensure that individual privacy is not compromised.

The Guidelines release is accompanied by a consumer education website, www.youronlinechoices.com.au, that includes a range of resources to help consumers explore and understand what online behavioural advertising is and what it isn’t. In addition to the tools the www.youronlinechoices.com.au website allows consumers a choice mechanism if they do not want to receive ads generated by Third Party Online Behavioural Advertising. Exercising this choice doesn’t mean that consumers won’t receive ads online it means that the ads wont be served based on previous browsing history of the device that the consumer is using.

Learn more

In what is one of the most significant and broad collaborations within the marketing industry to date, the Australian Digital Advertising Alliance has released the Australian Best Practice Guideline for Online Behavioural Advertising.

The Guideline has been developed by leading industry associations and industry participants to set a best practice framework for organisations engaged in Third Party Online Behavioural Advertising in recognition of the fact that Third Party Online Behavioural Advertising is a relatively new type of advertising and that some consumers are not aware that online behavioural advertising occurs.

The Guideline has been created to build community confidence and understanding in online behavioural advertising. The Guideline, in conjunction with the already existing and strong Australian privacy law, is designed to ensure that individual privacy is not compromised.

The Guideline's release is accompanied by a consumer education website, www.youronlinechoices.com.au, that includes a range of resources to help consumers explore and understand what online behavioural advertising is and what it isn’t. In addition to the tools the website allows consumers a choice mechanism if they do not want to receive ads generated by Third Party Online Behavioural Advertising. Exercising this choice doesn’t mean that consumers won’t receive ads online it means that the ads wont be served based on previous browsing history of the device that the consumer is using.

About the Australian Digital Advertising Alliance

The Australian Digital Advertising Alliance is made up of leading industry associations and key industry participants. Members of the Australian Digital Advertising Alliance are the Australian Direct Marketing Association (ADMA), the Australian Association of National Advertisers (AANA), the Interactive Advertising Bureau (IAB), the Internet Industry Association (IIA), the Australian Interactive Media Association (AIMIA), the Communications Council and the Media Federation (MFA), Adconian, Fairfax Digital, Google, Microsoft, News Digital Media, NineMSN, Sensis Digital Media and Yahoo!7.

A significant proportion of the online advertising industry are already signatories. Some companies already comply and exceed the requirements of the Guideline however there is a six month implementation phase for the industry to put in place arrangements.

What changes today?

There are going to be a number of changes that are going to be immediately noticeable to consumers. First there the www.youronlinechoices.com.au website is available now and provides lots of useful information about online behavioural advertising. Also many members of the Australian Digital Advertising Alliance will be doing their bit to promote the site and the launch of the Australian Best Practice Guidelines for Online Behavioural Advertising.

In addition there will be additional notice provided to consumers on websites where Third Party Online Behavioural Advertising occurs.

Consumers will have the ability to exercise their ad preferences through the www.youronlinechoices.com.au website.

There will also be additional consumer protections in place in relation to keeping OBA Data secure, the creation of sensitive market segments and a prohibition on creating OBA data segments for children under the age of 13.

Last but not least consumers will have a place where they can ask for more information, give feedback and raise concerns through the www.youronlinechoices.com.au website.

What do the Guidelines entail?

The Australian Best Practice Guidelines for Online Behavioural Advertising contain seven principles which introduce important consumer mechanisms and have been designed to build consumer confidence and trust in online behavioural adverting.

A summary of the seven principles follows:

I. Personal Information and Third Party OBA

Third Parties who want to combine OBA Data with Personal Information must treat the OBA Data as it if is Personal Information and in accordance with the Privacy Act.

II. Providing Clear Information to Users

Requirement to provide a clear notice for consumers about which data is collected, how it is collected and what it is used for.

III. User choice over OBA

Consumers to be able to make a choice as to whether or not they consent to the collection of data for OBA and given clear user-friendly options to manage their ad choices.

IV. Keeping Data Secure

Companies must ensure data is stored securely and is only kept as long as it fulfils a legitimate business need or as required by law.

V. Careful Handling of Sensitive Segmentation

OBA categories uniquely designed to target children under 13 will not be created.

Companies seeking to use OBA in relation to Sensitive Market Segments must obtain explicit consent.

VI. Educating Users

Companies to provide easily accessible, user-friendly information about OBA.

A consumer education website providing consumer friendly non-technical information on OBA has been developed by industry.

VII. Being Accountable

All businesses are accountable to uphold the principles in the Guideline, develop easily accessible mechanisms to consumers to lodge complaints directly to companies and commit to an ongoing review of the Guideline and its implementation.

To find out more information on the principles download the Australian Best Practice Guidelines.

How do I get more information?

If you want to know more about the Australian Best Practice Guideline for Online Behavioural Advertising or how to become a signatory email us.

What’s Next?

The introduction of the Australian Best Practice Guidelines for Online Behavioural Advertising and the www.youronlinechoices.com.au website is an important first step on a journey.

Now the Guideline is launched, the Australian Digital Advertising Alliance will be:

  • Engaging in broader industry, consumer and Government consultation
  • Developing an open, transparent and independently overseen industry wide complaint handling mechanism
  • Reviewing the guideline and reviewing where necessary
  • Developing an easily recognisable universal ICON which will be presented in or around Third Party Online Behavioural Ads

If you want to be involved, let us know

Download the Guideline.

Privacy protections for Australians online

09 September 2010

ADMA has made a submission to the Senate Inquiry into the adequacies of privacy protections for Australians online.

In the submission ADMA took the view that the current Australian privacy regime is reasonably well suited to handling the current technological environment. ADMA also noted that the changes expected to be delivered in 2011 to the Australian Privacy Act will deliver additional privacy protections that will be well suited to the current technological environment.

Click here for ADMA's submission.

Share |

ADMA Membership

ADMA ensures members' opinions are heard and their interests safeguarded by advocating to government on their behalf and keeping them informed of the legislative developments affecting their business.

We're commited to promoting industry best practice amongst our members, providing guidance and regulatory advice whenever it's needed.

Thinking of becoming an ADMA member?

Learn more

More Information

portrait_Melina_R

Melina Rohan
Director Corporate & Regulatory Affairs

  • Sponsors

About ADMA

Consumer Help

Member Resources

Careers