Privacy law: Making it stick

From March 2014, Australian businesses were obliged to comply with an amended set of federal privacy laws that aimed to bring privacy and security practices in line with consumer expectations in an increasingly digital world. 

Australia's Privacy Commissioner Timothy Pilgrim. Source: AISA

Crucially, the amended laws demanded that organisations seek more appropriate forms of consent from users as to how their data would be used and whether it would be transferred offshore.

It also gave the Office of the Privacy Commissioner newfound powers when a breach is uncovered – powers to demand an organisation undertake remediation or some other form of enforceable undertaking, not to mention the power to levy fines.

Thus far, however, the Commissioner’s powers have been held in check by a conservative federal government that is stripping resources away from the Office just as it gained the authority to make a real difference.

Australia’s largest organisations, yet to be bound by mandatory data breach notification laws, have by and large responded by paying lip service to privacy laws.

The question for Privacy Commissioner Timothy Pilgrim, who sat down in recent days with iTnews editor Brett Winterford, was how would he make the laws stick?

Brett Winterford, iTnews:

Privacy is understood by most organisations as a compliance issue. Recently we’ve seen companies like Apple position it as a brand value, or as something you can market yourself and differentiate on.

Do you think a sound approach to the privacy of your customer’s data could be a marketable characteristic? 

Timothy Pilgrim, Privacy Commissioner:

This time last year we looked at community attitudes towards privacy. One of the key, if not sobering statistics that came out of that was 63 percent of respondents said they decided not to deal with an organisation because they were concerned about what was going to happen to their personal information and how it would be handled.

[They'd] made a conscious decision when they were about to deal with an organisation to say ‘no, I’ve looked at what they’re going to do with my personal information and I’m not prepared to do that’.

People often say that young people are careless about their privacy. In a survey last year in the United States, we saw figures of around half of young people decided to stop using a mobile app they’d already downloaded because they found out what was happening to their personal information and how little control they had over it. Close to another 30 percent decided not to download an app once they saw what was going to happen with their personal information.

So I think across the board we can move away from the idea that there will be differences between generations about how they view privacy. On the whole, I think we’re seeing a consistent view that people still do care what is happening to their personal information and they’re taking steps to not deal with organisations as a result, and businesses need to be really aware of that. 

A few years ago you would hear the expression “privacy’s dead, and we need to get over it” ---- [whereas] I think every time technologies change, people become more aware of what’s happening to their personal information. They’re actually becoming more conscious about it and are still actively looking for ways to protect it and to keep control of it.

So businesses need to make careful choices, because people will take their business elsewhere.

Brett Winterford, iTnews:

We are still talking about avoiding a potential negative when we say ‘I won’t do business with someone, because of…..’ But is it possible in your opinion that someone might choose to do business with you because you make an outward expression of confidence in the privacy associated with your services?

Timothy Pilgrim, Privacy Commissioner:

I’m surprised that I haven’t seen many businesses pushing a good privacy message, because again, as I say, people are very conscious and concerned about what happens to their personal information.

I think there is an opportunity there for businesses, particularly those who are required to collect lots of customer information, to push how they’re going to protect it and limit its uses. 

I think that’s part of building trust. Being upfront and clear about what’s going to happen to a customer’s personal information will engender that trust. 

Brett Winterford, iTnews:

At a lot of organisations, their version of being ‘clear and upfront’ about how customer data will be used is a 120 page document of click-wrap terms that say, ‘click here to agree’.

So even someone who’s very conscious about privacy probably won’t choose to read it. What in the eyes of Australian law constitutes providing users clear communication about how you will use their data? 

Timothy Pilgrim, Privacy Commissioner:

It’s a requirement of the Privacy Act for organisations to be transparent and open about how they’re going to use peoples’ personal information. This can be achieved through notices and through policies.

This doesn’t mean that it requires a 120 page document. In fact, the longer the document, the greater risk organisations face in it being found that people were not able to get a clear understanding of what’s going to happen to their personal information. If it’s not clear and not easily understood, then it may not be compliant with the Act.

We recommend organisations consider approaches such as layered notices. That means summarising the key facts upfront about what happens to personal information, but also providing the ability for people to click down to further levels of more detailed amounts of information on more specific issues.

This is particularly relevant in terms of providing this sort of information on mobile devices where you don’t have a lot of screen space. Organisations are going to have to find innovative ways to gain consent as increasingly they’re using mobile devices to ask people to sign up to a service.

Last year we participated in some survey work with a forum called The Global Privacy Enforcement Network, which is set up under the auspices of the OACD. Our office and a number of other regulators around the world decided to look at the policies of a number of the top 50 most used online companies.

We found that on the whole, most policies were far too long and far too complex and really difficult for people to work through and understand. Organisations need to take a clever approach to pulling out what the key information a person needs to know about that interaction.

Brett Winterford, iTnews:

Has the validity of click-wrap terms been tested in any of those jurisdictions in court? Has it ever been found that because the consent or privacy policy couldn’t be easily understood, that it wasn’t compliant?

Timothy Pilgrim, Privacy Commissioner:

I can’t recall off the top of my head.

Brett Winterford, iTnews:

We published a piece after the amendments were enacted, where we looked at what text had changed in the privacy policies of the top 20 or 30 companies in Australia. Most added vague lines like: ‘Your data might be used in a third world country for processing purposes – and we would do that with a trusted party. By clicking this, you are consenting’. 

I and others felt that such a statement wasn’t in the spirit of the legislation. Do we need court action or something to happen before organisations will pay more than lip service to compliance?

Timothy Pilgrim, Privacy Commissioner:

My starting point is that I hope that we don’t need court action. I think organisations are becoming more and more aware, particularly in Australia, about the concerns that the community has about personal information.

Following the changes that we saw this year in the Act, I think there was quite a considered approach by a number of large organisations to get their privacy policies and notices right.

There is still work that could be done, but in terms of things like the length of documents and how some of them are structured, there has been a concerted effort. I know there was some issues the French government had with Google around their privacy policies, and we also participated in some work here with Google Australia about their notices and talked about how they might improve.

I would say that Google in Australia was fairly receptive at looking at how they could improve what were some quite complex matters. 

Brett Winterford, iTnews:

Was that only about the complexity of Google’s privacy notices?

Timothy Pilgrim, Privacy Commissioner:

It was around how you can communicate quite a number of uses, so the person is clear about what’s going to happen to their information. Some of the terms are clearly too broad in a number of organisations’ policies, and there may need to be some requirement for those to give people a bit of a better idea.

One of the things that changed in our laws this year was the need to be more explicit about information being sent overseas and trying to identify those countries or jurisdictions where that information is going to go.

Next: Pilgrim discusses how businesses can adapt their systems to adhere to the Act