Commissioner Malcolm Crompton has been unimpressed with the "bundled consent" requirements of some of Australia's largest banks, insurers and telecommunications companies.
Crompton said if privacy behaviour didn't improve among these large corporate entities, the Commission would use next year's planned review of the Privacy Act to recommend a change from the current "light touch regime" to a heavy-handed, interventionist approach.
"It's clear that the only thing that these organisations understand is the black letter of the law," Crompton said.
While the Privacy Commission continued to press the issue with the banking, finance and telecommunications industries through ongoing discussions, if companies continued to force customers to sign away usage rights to their personal information through "bundled consent" agreements, Crompton would recommend legislative changes.
"The point I have been saying to these organisations is that (what they have been doing) might be legal, but it is not within the spirit of the law," he said.
"I'm using this bundled consent issue as a bellwether for the review of the legislation and whether this light touch regime works."
"Bundled consent" refers to behaviour where a company insists that its customers give them consent to use their personal information - as a precondition of offering a service - where the information is to be used in areas other than the specific service the customer has requested.
Earlier this year, iTnews reported that since the Privacy Act became law on December 21 last year, three of the four major banks would not allow customers to open a simple bank account without also giving the bank permission to use their personal information in the sales and marketing of other products, like loans, mortgages and insurance.
Similarly, some telecommunications companies have required that customers seeking a simple phone connection allow their personal information to be used in other areas of the business.
"A person should be able to say 'Look, I just want to open a bank account' (without having their personal details shared with other areas of the bank)," Crompton said.
"The same thing goes for telephone services. 'I just want a phone service, I don't want your SMS service'," he said.
When the legislation was enacted on December 21, 2000, companies were given a year to put compliance procedures in place before it became law last year. The legislation required that a review of the law take place in 2003 - a process that Crompton said would be undertaken in December next year.
It is through this review that Crompton has suggested that recommendations for a tougher regulatory regime may be made.
He said the Commission had already started evaluating what data would be required to properly conduct the review, and putting data collection infrastructure in place so that it would have collected 12 months' worth of data before the review starts.
Crompton said some large companies had suggested that the infrastructure changes that they would need to make in order to comply with the Privacy Act were too great, running to millions of dollars.
"Some companies have made that point (that it is too expensive). It has been raised (by companies) without providing proof," he said.
"But what I want to hear from them is what programs are they going to put in place to fix (privacy compliance)."
Crompton said the commission was in ongoing discussions over privacy compliance with various companies and industry organisations and that he was hopeful behaviour would change.
"I'm not happy with where it (behaviour) is, but it's too early to say whether or not I'm happy with where it's going."
Meanwhile, Crompton said complaints to the commission had "quadrupled" since the Privacy Act came into effect, although many of the complaints related to incidents that occurred prior to the Act becoming law.