Should the Privacy Act be technology neutral?

10.3 The explanatory memorandum to the Privacy Amendment (Private Sector) Bill 2000 noted that the National Privacy Principles (NPPs) were intended to be technology neutral. Technology-neutral privacy principles were intended to ensure that the Privacy Act remained flexible and relevant in the case of technological change.[1] In Chapter 9, the ALRC considers the impact on privacy of several new and developing technologies. These technologies facilitate easier, cheaper and faster methods by which information may be collected, accessed, aggregated and communicated. Further, there is an increasing ability to store large quantities of information. In its submission, the OPC cited a University of California, Berkeley, study that found that only 0.01% of all new information produced in 2002 was paper-based.[2] The OPC submitted that the privacy regulatory framework should be informed by the assumption that ‘information will be handled in electronic form’.[3]

10.4 In light of these technological developments, the ALRC asked in the Issues Paper, Review of Privacy (IP 31) whether the Privacy Act should remain technology neutral.[4] In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted some opposition to the proposition. For example, Professor Roger Clarke queried whether the concept of technology neutrality operates effectively in practice.[5] Clarke has noted previously that the impact of some technologies on privacy may be inconceivable until the technologies have actually been invented and deployed.[6]

10.5 The ALRC, however, proposed in DP 72 that the Privacy Act should remain technology neutral.[7] In making this proposal, the ALRC expressed the view that current technologies do not alter fundamentally the nature of the information-handling cycle. For example, technology such as surveillance devices and radio frequency identification (RFID) systems may facilitate the collection of personal information without the knowledge or consent of an individual, but the collection of the information will still be regulated by the ‘Collection’ principle in the model UPPs. The ALRC expressed the view that the handling of personal information by developing technologies can be regulated by high level and technology-neutral UPPs, although it may be necessary to make some amendments to the Privacy Act to ensure that the Act remains technology aware.

Submissions and consultations

10.6 There was strong support for this proposal.[8] Medicare supported a technology-neutral Privacy Act as ‘it would be impossible for legislation to keep up with the rapid pace at which technology keeps evolving’.[9] Optus submitted that ‘[t]he current principles based, technology neutral regime provides a powerful framework on which to base privacy requirements when assessing new and emerging technology’.[10]

10.7 A number of stakeholders supported the proposal but noted that the effectiveness of a technology-neutral Privacy Act will be dependent upon the technology-aware framework underpinning the legislation. For example, the Department of Finance and Deregulation supported the proposal ‘in principle’, but noted that legislation that does not apply to any specific technology can still significantly affect how technology operates or is employed. It may be arguable as to whether such legislation is really technologically neutral if it deliberately or unintentionally limits or affects the use or operation of technology.[11]

10.8 The Public Interest Advocacy Centre (PIAC) highlighted the important role of the regulator in a technology-aware privacy regime. PIAC submitted that the OPC should play a more proactive role in the exercise of its research and monitoring function with regard to the impact on privacy of new and emerging technologies.[12] The Australian Privacy Foundation submitted that the ALRC’s final recommendation should acknowledge that the overall privacy regulatory framework ‘should be designed so as to ensure ongoing awareness of the impacts of technology, and to avoid blindness to them’.[13]

ALRC’s view

10.9 In the ALRC’s view, technology-neutral privacy principles provide the most effective way to ensure individual privacy protection in light of developing technology.[14] It would be undesirable to recommend significant changes to the UPPs to accommodate technologies that are yet to be invented or deployed. Further, where possible, provisions of the Privacy Act should be technology neutral.[15] This approach does not foreclose the possibility of technology-specific regulation or legislative instruments in certain circumstances. The Biometrics Institute Privacy Code is an example of a Part IIIAA code that was initiated by the biometrics industry and, following approval by the OPC, became a legislative instrument.[16] If the OPC found it necessary to initiate a code to address the handling of personal information using a certain technology, such as RFID, the OPC could lobby the minister responsible for administering the Privacy Act to have such a code included in regulations.[17]

10.10 Technology-specific regulations or other legislative instruments of this nature are consistent with the ALRC’s three-tiered approach to privacy regulation, and do not represent a failure of technology-neutral UPPs. Instead, such regulations indicate that information handled by particular technologies may require stronger protection in certain, limited circumstances. Further, to ensure the effectiveness of technology-neutral privacy principles, the OPC should provide technology-specific guidance on meeting the requirements in the model UPPs when certain technologies are used to handle personal information.

10.11 One of the OPC’s functions is to research and monitor developments in technology and to report to the minister responsible for administering the Privacy Act.[18] In the ALRC’s view, the OPC could exercise this function to provide a continuing review mechanism of the adequacy and effectiveness of the Privacy Act in light of further developments in technology.

10.12 A number of concerns raised by stakeholders in this Inquiry about the impact of technology on privacy are dealt with in other sections of this Report. In Part A, the ALRC recommends amendments to the definitions of ‘personal information’, ‘sensitive information’ and ‘record’. In Part D, the ALRC makes a number of recommendations concerning the content of the model UPPs. In Part F, the ALRC recommends additional OPC powers and functions that are relevant to technological developments. These recommendations are discussed below, and in Chapter 11.

[1] Further Supplementary Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 9.

[2] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[3] Ibid.

[4] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 11–4.

[5] R Clarke, Consultation PC 14, Canberra, 30 March 2006.

[6] R Clarke, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 25 February 2005, 2.

[7] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 7–1. This proposal was consistent with the views of the majority of stakeholders that responded to IP 31. See, eg, Australian Communications and Media Authority, Submission PR 268, 26 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Government of South Australia, Submission PR 187, 12 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Telstra, Submission PR 185, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Australian Retailers Association, Submission PR 131, 18 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; M Fenotti, Submission PR 86, 15 January 2007; Australia Post, Submission PR 78, 10 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[8] See Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; ANZ, Submission PR 467, 13 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; Communications Alliance Ltd, Submission PR 439, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Australian Bureau of Statistics, Submission PR 383, 6 December 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[9] Medicare Australia, Submission PR 534, 21 December 2007.

[10] Optus, Submission PR 532, 21 December 2007.

[11] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.

[12] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[13] Australian Privacy Foundation, Submission PR 553, 2 January 2008. See also Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[14] This recommendation is made in Ch 18: Rec 18–1. In a submission to IP 31, Professor William Caelli queried whether any legislation could truly be ‘technology neutral’, submitting that ‘artefact neutral’, meaning no reference to any specific manifestation of technology, would be the more correct term: W Caelli, Submission PR 99, 15 January 2007. The ALRC accepted Professor Caelli’s point but decided to use the term ‘technologically neutral’ as it is the more commonly understood term. The ALRC notes, however, that technologically neutral UPPs do not preclude the use of words such as ‘technology’.

[15] See, eg, Rec 47–1.

[16] The ALRC discusses Part IIIAA codes in Ch 48.

[17] In Ch 5, the ALRC recommends that the regulation-making power in the Privacy Act should be amended to provide that the Governor-General may make regulations, consistent with the Act, modifying the operation of the UPPs to impose different or more specific requirements on agencies and organisations: Rec 5–1.

[18] Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].