Minister Applauds OBA Best Practice Guideline

01 April 2011

The Hon Brendan O'Connor MP, Minister for Privacy and Freedom of Information, was in Sydney today to address ADMA's Cloud Computing Breakfast Briefing.

Before a 100-strong crowd of senior marketers, the Minister cautioned that, from a privacy perspective, Cloud computing required a leap of faith from the customer, and called on businesses to give a genuine commitment that information would remain "secure and safe from misuse". Minister O'Connor noted that the launch last week of the Australian Best Practice Guideline for Online Behavioural Advertising by the Australian Digital Advertising Alliance, of which ADMA is a founding member, was a key step in this undertaking, and encouraged ongoing development of, and compliance with, the Guideline.

Also on the morning's agenda was a discussion on some of the business opportunities inherent in Cloud technology by a panel including Microsoft's Gianpaolo Carrara, IPscape's Simon Burke and SEMA CEO Mike Adams.


Speech by the Hon Brendan O'Connor MP, Minister for Privacy and Freedom of Information

"The increased use of cloud computing should come as no surprise to anyone.  From an economic perspective, there are clear benefits; cost being the most obvious. But cloud computing also presents an opportunity for innovation, and for new and exciting ways to do business.

For several years, individuals have taken advantage of these innovations through the likes of social networking, online storage and internet-based e-mail, image and gaming sites. And similar innovations are available to business. From the small retailer who no longer operates from a physical shopfront, through to larger businesses keeping and making customer data accessible in the cloud, the use of this technology is more widespread and, in some ways, more pervasive, than ever before.

It is that pervasiveness, especially in the context of personal privacy, that I wish to focus on today.

What Does Privacy Mean To You As An Individual?

First, we ought to consider what we mean when we talk about personal privacy or “my private life”.

We don’t have a legislated or constitutional right to privacy in this country in the sense of there being a cause of action giving rise to damages in the case of a breach. There is a Privacy Act, which includes Privacy Principles, a breach of which can be investigated by the Privacy Commissioner; but that is quite a different thing to an enforceable right to privacy. Moreover, I think it’s fair to say that many of us, through our own actions, have chipped away at a “private life” in the absolute sense. What used to be the domain of gossiping neighbours and colleagues is now potentially available to anyone with access to the internet.

Few people realise when they sign up to social media sites, that they are, in some ways, contracting out of a “private life” in the absolute sense. Date of birth, education, employment history, relationship status, sexual preference, religious persuasion, ideological or political leanings, place of birth, residence, mood and physical location at a point in time, invitations and plans, membership of groups, likes, dislikes, friends, and, a term with which I’m newly acquainted, ‘frenemies’; potentially all of this publicly available from a Facebook page, subject to the privacy settings in place. 

It might surprise some people to hear it put that way. It might prompt a person to review their privacy settings and hopefully lead to a greater awareness of the potential consequences of putting that information online. 

But other people have a different view. Some view the surrender of personal information as a consequence of participating in the online space. This is definitely a new and emerging view, especially amongst younger people, at least anecdotally, who have grown up with access to the internet for most (if not all) of their lives. And obviously our different views about privacy - our willingness to share that information, or not, as the case may be - will lead us each to different conclusions about what should constitute a breach of privacy or what amounts to the misuse of personal information.

In any event, I think we can all agree that privacy is essential to us all.  I think we can all agree that each of us should be entitled to some level of protection from invasions of privacy, however that might be defined. It is after all no accident that privacy is a fundamental human right under the International Covenant on Civil and Political Rights.

What Does Privacy Mean To A Marketer?

It hasn’t gone unnoticed to me that you are an audience of marketers, and personal information is a valuable asset to you.  It isn’t a recent development, but personal information is now a commodity, particularly in the context of targeted and behavioural advertising.

With that in mind, I hope it doesn’t offend you for me to ask: what does privacy mean to a marketer?

Hopefully your view of privacy aligns closely with those from whom you collect information, noting that the view of those people may not always be known to you. And, as I’m sure you are aware, direct marketing is covered in the National Privacy Principles for organisations in limited circumstances.

Frequently organisations collect personal information in the pursuit of general functions; delivering goods, billing, carrying out other tasks, for example. Under the National Privacy Principles as they are currently drafted, organisations may use that personal information for the secondary purpose of direct marketing if certain conditions are met. These include important safeguards, such as ensuring that individuals are aware that they may opt-out of receiving direct marketing communications if they wish. 

Privacy Reform

Notwithstanding the safeguards, direct marketing often gives rise to a kind of nervousness among the people it targets - which, it is fair to say, is most of us. Perhaps it has something to do with the Orwellian, ‘big brother’-type nature of the activity, especially when we talk about profile building, data mining and the like.

But, in my view, the nervousness isn’t without justification. There are legitimate questions about personal privacy in this space, and about access to and ownership of information. The nervousness serves to emphasise the priority that many people place on privacy.

Acknowledging that, the Government takes very seriously its role in reforming Australia’s privacy framework; and, to that end, is currently working to implement its first stage response to the Australian Law Reform Commission’s wide-ranging inquiry into privacy law and practice.   

For those unfamiliar with this process, the ALRC has made 295 recommendations for improving privacy protection in this country. The recommendations cover a range of areas, including missing persons, health records, credit reporting, telecommunications, and new and developing technologies, to give you a taste.

The Government has responded to 197 of the recommendations in a first stage response, and is currently working to implement that response in legislation. To date, we have referred draft Australian Privacy Principles and draft comprehensive credit reporting provisions to a Senate Committee for consideration and report. And soon we will finalise draft provisions relating to health records and to the powers and functions of the Privacy Commissioner, which will also be referred to a Senate Committee. 

The Government will respond to the ALRC’s remaining recommendations once the first stage response has been progressed.

Regulation of Direct Marketing

The issue of direct marketing was but one of the issues scrutinised by the ALRC.

In its report, the ALRC noted the very strong response from stakeholders and the community generally on the issue of direct marketing, and the strong views from consumer advocates that the rules in this area could be improved.

The ALRC noted that the environment for regulating direct marketing can be confusing, pointing for example to the ambiguity which can exist when it is unclear whether direct marketing was the primary or secondary purpose for the collection of certain personal information. 

The ALRC went on to recommend a new and separate privacy principle dealing specifically with direct marketing, which should apply irrespective of whether direct marketing was the primary or secondary purpose for the collection of information.

The new and specific principle should also set out the generally applicable requirements for organisations engaged in this practice, but would be displaced to the extent that more specific sectoral legislation applies, such as the Spam Act or Do Not Call Register Act.

The Government has accepted the major elements of the ALRC’s recommendations in this area, and they are now reflected in the proposed Australian Privacy Principle 7.

The new Privacy Principle proposed by the Government will place extra, but appropriate, limitations on organisations that use or disclose personal information to promote or sell goods or services directly to individuals.  Different rules will apply depending on whether the organisation undertaking direct marketing has collected the personal information directly from the individual or indirectly. Additionally, the new Privacy Principle will provide clear guidance for opt-out notifications and for identifying the source of the disclosure of an individual’s own personal information.

I am aware of your concerns that the proposed new principle may not exactly reflect the concepts that you are familiar with in pre-existing legislation [e.g. Spam Act, Do Not Call Register Act].  However, I believe we have implemented the thrust of the Government’s response to the ALRC Report, and I am confident the new system will be effective and workable. I am nevertheless open to receiving representations on these issues and would encourage you to get in touch with my office if there are ongoing concerns. 

What Are The Privacy Implications of Cloud Computing?

I could talk in some detail about the Government’s privacy reforms, but, this being a conference about cloud computing, it is appropriate that I return to that topic.

From a privacy perspective, cloud computing requires something of a leap of faith from the customer, who to some degree loses control over their information once it is placed in the cloud. It therefore makes sense from a commercial perspective for businesses to give customers a genuine commitment that their information, once placed in the cloud, will be secure and safe from misuse. 

The threat of cyber-attack and cyber-crime, for instance, is a legitimate concern. This is an area of my portfolio about which I could say a great deal more, including the significant in-roads we have made into online crime prevention and detection. But given the time constraints I will spare you on this occasion.

In any event, businesses taking advantage of cloud computing must ensure that their customers’ information is secure, and that they are compliant with the Australian privacy regime. It is easy to forget that data used for business purposes is also information that many people consider personal. Organisations that research and apply a best practice approach to protecting private information do a service to themselves and their customers.

Cross-jurisdictional Issues

Another issue relevant to cloud computing, which was covered at some length in the recent ALRC inquiry, is the treatment by Australian law of cross-jurisdictional issues; how do our laws deal with transfers of personal data across borders?

While some cloud providers are located here in Australia, many more are located overseas. That of course gives rise to difficult jurisdictional issues, particularly where the laws of two or more countries could potentially apply.  In this potentially-fraught legal environment, businesses will need to think carefully about who and where they are sending personal information, and about what privacy protections, if any, the recipients of the information have in place. 

The ALRC recommended that an entity that transfers personal information to an overseas recipient should remain accountable for that personal information. The Government has reflected this in new Australian Privacy Principle 8, which sets out the basic rule that, unless an entity can come within an exception, it remains subject to obligations to protect personal information disclosed to an overseas recipient. 

Under the new regime, before an entity can disclose personal information outside Australia, it will be required to take such steps, as are reasonable in the circumstances, to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

This is an important development that will prevent organisations from trying to avoid their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards. 

These rules will provide confidence to individuals that their personal information collected in Australia will continue to be subject to acceptable privacy standards no matter where it ends up being stored.   I am sure that can only benefit the industry in the longer term as more Australians begin to feel secure about the use of cloud computing services.

Australian Best Practice Guideline for Online Behavioural Advertising

Before I wrap up, it would be remiss of me not to acknowledge the release last week of a voluntary code of conduct for businesses engaged in targeted and behavioural advertising; an Australian Best Practice Guideline for Online Behavioural Advertising.

For those unfamiliar with the Guideline, it is targeted at organisations engaged in third party online behavioural advertising (or OBA), and articulates seven self-regulatory principles designed to promote consumer awareness and choice, as well as business accountability and best practice.

I understand some of the people behind the Guideline are here today, and I applaud your initiative.

However, as is always the case with initiatives of this kind, the success or failure of the Guideline will very much depend on the conduct of those it intends to regulate. I look forward to seeing how this transpires, and encourage, in particular, the ongoing development of the Guideline in consultation with consumers.

There are literally hours of conversation to be had about privacy – particularly as more and more people put their private lives online. How the use of this information improves the lives of consumers remains to be seen. While there may be a convergence of views about this in this room, I have no doubt the view is very different out there in the community.  

If I am right about that, the hurdle created by that perception is a matter for you to combat through good business. Simply put, it is a matter of trust.

I expect this is a matter about which we will speak much more in the future. I look forward to that, and thank you for having me here to speak today."
