Lessons Learned From Australia Privacy
The United States is not the only country worried about the effects of the EU directive. Hong Kong and New Zealand already have adopted "European-style" privacy laws that apply to the public and private sectors alike.
The Canadian government is trying to develop a law that will cover the private sector, integrate federal and provincial privacy activities and meet the standards of the EU directive. That won't be easy.
However, new laws may not be the only way to meet international data protection standards. The Australian government offers a different model. Australia established a privacy commissioner and enacted a federal-sector privacy law many years ago. For a short time, the Australian government supported private-sector legislation as well, but the government changed its mind last year in favor of a voluntary code of practice for the private sector.
The Federal Privacy Commissioner got the assignment to develop the voluntary standards. In February, commissioner Moira Scollay issued the report "National Principles for the Fair Handling of Personal Information." To read it, point your browser to www.austlii.edu.au.
The goal was to develop a viable self-regulatory approach. The commissioner quickly decided that the major issue is the need for national consistency in privacy standards. A patchwork of different standards applying across industries, technologies and state boundaries was deemed to be confusing and expensive.
Instead, the commissioner proposed a set of general principles that can be supplemented by additional standards to address the needs of specific industries and record keepers. The report acknowledges what just about every other privacy study has concluded: one size doesn't fit all. Broad policies need to be supplemented by more specific codes of practice.
There are lessons for the United States. Self-regulatory efforts have blossomed here in the last several months. Several industries and associations are working to develop privacy policies. So far, every self-regulatory code offers different policies and principles, and the likelihood of a patchwork quilt of different standards here is very real. Maybe the Australians are onto something in trying to avoid too much diversity.
The Australian privacy office was clearly instrumental in the attempt to develop common principles. The office took the lead, talked to all interested parties and struck a balance between privacy and other important values. In the United States, each industry tends to develop its own policies, usually in consultation only with itself. We tend to jump right to the second step, which is local standards. No one in the United States is establishing a common policy framework, and that may ultimately threaten the viability of separate codes.
The substance of the Australian self-regulatory privacy principles is fair information practices. These practices form the basis for the EU data protection directive and other privacy laws around the world, including some U.S. laws. So far, all U.S. self-regulatory codes fall short of meeting international fair information practice standards.
The Australian principles include all the basic elements of fair information practices with a few additional twists. One interesting principle would allow individuals to engage in anonymous transactions whenever lawful and practical. Another would impose restrictions on the transborder transfer of personal data under terms that are similar to, but perhaps a bit more flexible than, those in the EU directive.
The basic policy for controlling use and disclosure is that records should be used or disclosed in accordance with the expectations of data subjects or when required in the public interest. Defining limitations in terms of expectations is novel. Most similar formulations rely on the purpose for which the information was collected.
Because the data collector can define the purpose as broadly as desired, I question the purpose standard as an effective control over use and disclosure. An expectations standard offers the prospect of a somewhat more objective and independent test, albeit still a vague one. It is an interesting idea worth more consideration.
Direct marketing is mentioned specifically in the principles relating to use and disclosure. Disclosure for direct marketing purposes would be allowed without consent under two conditions. First, it must be impractical to seek consent in advance. Second, the data subject must be given an express opportunity to opt out at the time of first contact or thereafter. Exercising an opt-out also must be at no cost.
It remains to be seen how widely these principles will be adopted and implemented in Australia. If the Australian form of privacy self-regulation is successful, it will put even more pressure on the United States to conform to fair information practices.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. He can be contacted at firstname.lastname@example.org.