5 PM 20 November 1998
Added on 20 November:
Mr J P O'NeillGraham Greenleaf Tel: +61 2 93852233 (UNSW)
Senior Assistant Commissioner
Australian Competition and Consumer Commission
Dear Mr O'Neill,
Application for Authorisation No. A40077 lodged by Australian Direct
Marketing Association Ltd
I wish to request that the Commission hold a conference in relation to its
Draft Determination in this matter.
I submit that the Commission's draft is not justified in concluding that
once its seven proposed amendments are included in the Code of Practice,
its implementation will give rise to public benefits outweighing any
anti-competitive detriment. I submit that more fundamental changes to the
Code are needed before this conclusion could be reached.
I make my submissions on the basis of over twenty years involvement as a
researcher and advocate on privacy issues, and as the General Editor of the
monthly Privacy Law & Policy Reporter.
I have seen the detailed submissions by the Australian Privacy Charter
Council and the Financial Services Consumer Policy Centre, and give those
submissions my general support. I won't traverse all the matters raised in
those submissions, but only wish to add comments on the following matters:
* The ADMA Code Part E includes a version of the Commonwealth Privacy
Commissioner's National Principles for the Fair Handling of Personal
Information. I attach the 'Privacy and Consumer Organisations' Position
Statement' and an introductory comment 'Privacy and consumer organisations
withhold endorsement of "National Principles"' which sets out how these
principles have not received endorsement from any consumer or privacy
groups, and are still under re-consideration by the Privacy Commissioner.
See in particular para 2.1(c) where the direct marketing provisions in the
current 'National Principles' are explicitly rejected. The draft
Determination does not examine the substance of Part E. I submit that the
Commission should not accept that their implementation in Part E is in the
public interest, without detailed further examination of the content of
* Related to the previous point is that the Commonwealth Privacy
Commission has not released any recommendations about the necessary
compliance and remedial measures for any industry Codes which are to
implement the 'National Principles'. Given the deficiencies in the
compliance and remedial measures identified in part in the draft
Determination, and further identified in this and other submissions, I
submit that the Commission should obtain the views of the Privacy
Commissioner on adequate enforcement mechanisms in privacy Codes before
deciding on the public interest aspects of this Code.
* The Commission's recommended amendment 5 requiring that 'the
remedial orders and sanctions that the Authority is empowered to recommend
are specified' is completely inadequate to protect consumer interests. It
will be no use ADMA specifying the powers unless those powers are in
substance sufficient to protect consumer interests. If the remedies and
sanctions are in substance inadequate, the principal function of this Code
becomes one of providing justification to industry for otherwise highly
controversial and dubious practices, on the basis that the ACCC has
endorsed these practices as being in the public interest. As the Commission
recognises in para. 6.5 of its draft, the 'level of compliance' is 'most
important' in the determination of public benefit. Therefore, I submit,
unless ADMA can demonstrate that the remedies and sanctions it proposes
will actually succeed in providing the consumer protection that the Code
purports to deliver, then it has not satisfied this vital element of the
public interest test.
* The content of the remedies and sanctions in any acceptable code
should at least meet international standards for privacy protection. One of
ADMA's claimed public benefits is to 'increase access to and demand from
off-shore markets'. However, Australian direct marketing organisations will
face prohibition on the import of any personal information for use in
direct marketing from Europe, Hong Kong and other jurisdictions with
personal data export prohibitions unless they meet international privacy
standards, particularly those in the European Union's privacy Directive. As
the Code stands, it does not meet the EU's requirements for appropriate
enforcement mechanisms, particularly in that it does not provide for
compensation to be paid, does not specify other sanctions, and (possibly)
does not have a sufficiently independent system of arbitration.
Quite apart from international standards, it is hard to see how a
self-regulatory code in a consumer area such as this could provide adequate
public interest protection without provision for monetary compensation in
appropriate cases, as is provided for in such schemes as the
Telecommunications Industry Ombudsman scheme, and as is provided for in the
Commonwealth Privacy Act 1988 and similar privacy legislation.
* Part D of the proposed Code relates to the innocuously titled 'Fair
conduct relevant to electronic commerce'. Given that this is a Code
concerning direct marketing, in the internet context this includes what is
generally know as spam, unsolicited direct marketing by email. The ACCC is
being asked to authorise, inter alia, consumer and privacy protection in
relation to spam. Spam is one of the most world's most contentious
marketing practices, and the factors which must be taken into account in
deciding public interest matters in relation to it are very different from
those relating to telemarketing or unsolicited snail mail. Many individuals
and organisations consider that it should simply be prohibited, on the
basis that only 'opt-in' unsolicited commercial email is acceptable. In
para 2.1(c) of the 'Privacy and Consumer Organisations' Position
Statement', one of the main reasons for non-acceptance of the current
National Principles for the Fair Handling of Personal Information. is its
implications for spam.
Since Part D clause 1 of this Code only proposes 'the same level of
protection' in relation to spam as it does for other forms of direct
marketing, I submit that the Commission should not accept that this is in
the public interest, and should subject this aspect to a great deal more
* The Commission's recommended amendment 7 relating to reporting of
complaints in ADMA's Annual Report is inadequate. Most consumers and their
representatives do not have access to such reports. ADMA has a web site,
and should be required to report its complaint-handling via that web site
as well as in its Annual Report.
The lack of public benefit in this Code as it stands, and the detrimental
effect of the very fact of approval of such a Code by the Commission, is
such that it should not be approved, despite the fact that its potential
anti-competitive detriment is not very substantial. Industry Codes of
conduct can make a useful contribution to privacy protection (although my
view is that this should occur within a legislative framework), but the
Authorisation processes of the Trade Practices Act should not be able to be
used to help legitimise practices which are clearly deficient in protecting
the public interest.
I also wish to draw to the attention of the Commission the existence of a
similar industry code of conduct, the General Insurance Information Privacy
Principles, issued in August 1998 by the Insurance Council of Australia. In
light of its consideration of the ADMA Code, the Commission may wish to
examine the Insurance Council's privacy code.
Professor of Law
Xamax Consultancy Pty Ltd ACN: 002 360 456
78 Sidaway St Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916
21 October 1998
Mr J.P. O'Neill
Senior Assistant Commissioner
Australian Competition and Consumer Commission
P.O. Box 1199
Dickson ACT 2602
Dear Mr O'Neill
Re: Application for Authorisation No. A40077 – A.D.M.A.
I have only become aware of the above draft determination during the last few days.
I write to express the most serious concern at the possibility that the A.C.C.C. could possibly grant dispensation on the basis of A.D.M.A.'s flimsy submission and inadequate undertakings.
During the last decade, my specialisations have been in electronic commerce, information infrastructure, and dataveillance and privacy matters. I spent over a decade as a senior academic at the Australian National University, where I continue as a Visiting Fellow. I have been active as a public interest advocate since the early 1970s, with particular reference to privacy and specific consumer issues.
I have undertaken research into direct marketing over an extended period, and summarised 'Direct Marketing and Privacy' issues in a paper of that name in early 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/DirectMkting.html. I enclose a printed copy.
Very substantial changes are currently taking place in the public acceptability of direct marketing practices. Unsolicited mail has long been regarded as a significant nuisance by much of the population; but it has not been sufficiently annoying to stimulate any major reaction by consumers. Unsolicited telephone calls, on the other hand, or 'outbound telemarketing', as it is dubbed by the industry, is causing a great deal of distress to many people. This, alone, is likely to see a significant revolt by consumer organisations in the near future.
It is in the context of Internet marketing, however, that the turnaround is most apparent. Public confidence has emphatically not been achieved by net-based marketers, and electronic commerce has not enjoyed anything like the growth rates of community-oriented Internet services. The reasons for this, and remedies, are discussed in various papers indexed at http://www.anu.edu.au/people/Roger.Clarke/EC/AnnBibl.html#Trust
In brief (and the very early closing date for comments on your draft determination forces this submission to be brief), consumers have good reason to be very nervous about a number of aspects of electronic commerce, including:
- the security of value (including payments, the delivery of goods and the performance of services, and return-for-credit of inadequate goods);
- the privacy of personal data; and
- the likelihood of marketers making presumptions about a relationship existing as a result of a single transaction.
In recognition of the seriousness of these problems, steps are being taken by authorities in various countries, most notably the U.S. Federal Trade Commission. In addition, industry associations have stampeded into various initiatives that offer nominal, but in most cases not real, protections (e.g. TRUSTe, and the Privacy Alliance). Commercial services are emerging that provide genuine scope for consumer self-protection (e.g. Junkbusters, which, although American-based, is Australian-driven). One genuinely constructive business initiative is the W3C's P3P standard, in whose development I have been a participant. See http://www.anu.edu.au/people/Roger.Clarke/DV/P3POview.html and http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html
Despite the fact that the P3P standard is a product of an industry consortium, it is essentially 'opt-in' rather than 'opt-out' in nature. I believe this to be strong evidence that the balance-point is about to shift: direct marketers have not been subject to effective countervailing power; but they are about to experience backlash against their unreasonable practices. They will be forced to adapt their activities, in order to satisfy the demands of consumers who will be increasingly able to use the Internet to make life as uncomfortable for marketers as it has been for consumers.
Given this imminent threat to marketers' way of life, it is unsurprising that, after decades of inaction, A.D.M.A. chooses this juncture in the history of marketer-consumer relationships to stampede towards a Code.
A.D.M.A. seeks benefits for itself and its members by acquiring the imprimatur of a government agency for a self-regulatory scheme. It contends that the submitted draft code offers public benefits in the form of "significant promotion and enhancement of consumer protection", "promotion of consumer confidence" and "consumer views being taken into account by the presence of an independent chairman and consumer representatives on the Code Authority".
Contrary to the impression that A.D.M.A.'s submission was designed to create, the draft code before the Commission is emphatically not the result of a consultative process involving the participation of advocates for and representatives of privacy and consumer interests. It was prepared by A.D.M.A., and has not been subjected to consideration by the public until the last few days. Even if consumer representatives were prepared to participate on the proposed 'Code Authority', they would be constrained by terms and conditions that were designed by a self-interested organisation with little or no input from the consumer perspective.
A.D.M.A. was a participant in the consultation process conducted by the Privacy Commissioner in relation to the possibility of a set of 'national principles' for the fair handling of personal information. Through that forum, if through no other channels, it has had ample opportunity to seek the participation of consumer and privacy advocates and representatives in the process of code development. It has, signally, failed to do so. The (to A.D.M.A., no doubt desirable) effect is that those advocates and representatives have been provided with just a few days in which to consider a potentially far-reaching document, which already carries your Commission's tentative imprimatur in the form of a draft determination.
It would be a travesty for your Commission to proceed to full determination on the basis of an application that asserts benefits to consumers, but has failed to include meaningful consumer participation in its development. The impression would be that the Competition aspects of the Commission's remit were completely dominant over its Consumer responsibilities.
I submit that A.D.M.A. must be directed to conduct open, public consultation processes, negotiate modification (or, far more likely, wholesale re-writing) of the document. This would lead to the re-submission to the Commission of a consensual document, which consumers' representatives are satisfied reflects their needs as well as those of marketing organisations, and which reflects the contemporary, and necessarily rapid adjustment towards much more consumer-sensitive behaviour on the part of marketers.
I would be pleased to speak to this brief submission at your conference on 29 October.
Roger Clarke MComm UNSW PhD ANU FACS
THE AUSTRALIAN PRIVACY CHARTER COUNCIL
Hosted by the School of Law, University of New South Wales
Convenor : Nigel Waters
Secretary : Tim Dixon
School of Law
University of NSW
Sydney NSW 2052
Mr JP O'Neill
Senior Assistant Commissioner
Australian Competition and Consumer Commission
PO Box 1199
DICKSON ACT 2602
20 October 1998
Dear Mr O'Neill
APPLICATION FOR AUTHORISATION NO A40077 - AUSTRALIAN DIRECT MARKETING ASSOCIATION CODE OF CONDUCT
Thank you for inviting the Council to make a submission on this application.
The Australian Privacy Charter Council exists to promote the Charter Principles, which are a statement of best practice for the protection of privacy, including the fair handling of personal information.
The Charter Council requests a conference under section 90A of the Trade Practices Act. We wish to argue that the the Code of Practice as included in the application should not be authorised by the Commission, because it fails to deliver public benefits which outweigh any lessening of competition that may be involved in adoption of the Code.
This failure arises not from the intention of the Code, which is to provide consumers with a range of protections, rights and remedies, but from the detailed content, which falls well short of recognised standards for self-regulatory initiatives, including the DIST Benchmarks and the Australian Standard for complaints handling. Part E of the Code, which deals with data protection (a synonym for information privacy) also falls short of recognised international standards.
We welcome the identification by the Commission of several weaknesses in the Code, and your provisional determination to require certain changes before authorising the Code. But we do not limit our criticism to these weaknesses - there are other problems with the Code which we also feel strongly about and which we would want to see addressed before the Code could be said to adequately serve the public interest.
We set out our main criticisms in the attachment, but reserve the option of raising further points at the conference, which we understand has been provisionally scheduled for 29 October in Sydney.
Please note also our deep concern about the way in which ADMA has approached the development of the Code. To our knowledge, the Association has not sought to consult with any of the recognised consumer or privacy groups during the drafting of the Code. ADMA is well aware, both from the earlier ACCC led consultations on the MCCA Direct Selling Code, and from the Privacy Commissioner's consultations on National Information Privacy Principles, of a number of key points of difference. Instead of seeking to negotiate about these differences, ADMA has developed the Code behind closed doors and then sought to 'spring it' on the public without any notice or discussion. Had it not been for the need to seek authorisation from the ACCC, the Code may well have been launched without any opportunity for public input.
We look forward to the opportunity to expand on our concerns, and discuss desirable improvements to the Code, at the conference.
We have no objections to our entire submission being made public.
Please note a change of convenor, and amend your recorded contact details. The postal address remains the same, but telephone and E-mail contact should be with Nigel Waters at 02 9810 8013, fax 02 9555 4361 or firstname.lastname@example.org
Application For Authorisation Under The Trade Practices Act - No A40077
The Australian Privacy Charter Council
The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian Community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.
In 1994, the Charter Council launched the Australian Privacy Charter, which is attached to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured.
The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.
Lessening of Competition
We note that ADMA itself has made a case for why it believes that the Code has the potential to be anti-competitive. The Charter Council does not necessarily agree with this case. It is highly undesirable, in our view, for any code or arrangement which participants in an industry agree to with the objective of consumer protection to be automatically assumed to be anti-competitive. If this were to be the case, then every legal, ethical and moral obligation that a group of businesses were collectively bound to observe, with sanctions applying, could be seen as anti-competitive. To take this position would be elevating the value of competition far above its legitimate role as only one desirable public interest.
In-principle support for a Code of Practice
In arguing below that the ADMA Code of Practice does not meet the public benefit test, we do not wish to be seen as opposing, in principle, the adoption of Codes of Practice by industry groups which advance the cause of consumer protection, particuarly privacy protection.
Limited Scope of the Code and misleading title
The Code purports to be about direct marketing. But the definition of direct marketing in Appendix 1 is limited to what might best be described as direct selling. It excludes the sending of advertising material where the intention is to induce the recipient to visit a shop or other premises to buy goods or services, or even to make telephone or written contact unless the contract is negotiated at a distance.
While this distinction may have some meaning to the industry, and may also be significant in terms of other consumer remedies (such as quality and cooling off periods), it is irrelevant in relation to the information privacy (data protection) issues addressed in Part E of the Code. So to is the condition in the definition that 'a record of the transaction is captured and maintained on a list ….' While it may be commercially sensible for most businesses employing direct marketing techniques to do this, their failure to do so does not affect the privacy issues arising from their use of individuals personal details to make the initial approach.
Another unacceptable limitation in scope is that 'direct marketer' is apparently defined to exclude 'fundraisers', and Parts B and E of the Code seem to apply only to direct marketers (it is not clear if Parts C & D are so limited). The direct marketing activity of charities and other fundraisers are therefore only covered partially, if at all.
As far as consumers are concerned, personalised unsolicited advertising is an issue whatever it is intended to achieve. Questions such as "where did they get my name?" and "how can I stop them sending me this material?" are equally applicable to promotions for ordinary shops as they are to catalogue or internet sales, and to charities as much as to commercial businesses. It is all 'direct marketing' to most consumers.
We have two concerns about this - the first is that calling the Code a 'Direct Marketing' Code is misleading, as long as the limited definitions are included. The second is that the protection offered by Part E of the Code needs to apply to all forms of personalised unsolicited advertising or solicitation.
Part E - Data Protection
The Charter Council contends that Part E of the Code is deficient in a number of respects. Part E is understood to incorporate, unchanged, the National Principles for the Fair Handling of Personal Information (the National Principles) issued by the Privacy Commissioner in February 1998. (We have noticed a number of minor diffferences which we comment on below - it would be helpful for ADMA to explain clearly where they hav departed from the National Principles and why).
The Charter Council and ADMA have both been involved in the consultation process run by the Privacy Commissioner both prior to the launch of the National Principles and subsequently. The Commissioner made it clear in the foreword to the Principles that they were subject to review in six to twelve months, and in guidance notes that some of the provisions were particularly contentious. The Commissioner has subsequently received feedback on the National Principles from the European Commission (see below) and has been holding further meetings to try to resolve some outstanding difficulties.
One of these difficulties is particularly relevant to the Direct Marketing Code. There is a difference of interpretation over the provisions in National Principle 2 (E.9 in the Code) relating to use and disclosure for direct marketing purposes, which was not anticipated when the Principles were drafted.
This difference relates to whether the 'use' exception at 9.3 amounts to an additional grounds for use, or whether it is a supplementary condition on use when direct marketing is intended. We note that the ADMA Code has omitted the 'or' from the end of exception 9.2 that appears in the Privacy Commissioner's National Principles (2.1(b)). We do not know if this is accidental or is intended to influence the interpretation. We have already suggested to the Privacy Commissioner that she needs to clarify the intention behind 2.1(c) (9.3 in this Code). Organisations cannot be permitted to adopt a self-serving interpretation which does not accord with the Privacy Commissioner's intention. We reserve our opinion on whether the Privacy Commissioner's interpretation is acceptable until it is clarified.
As well as the disputed interpretation of the direct marketing 'exception' in E.9; there is also an issue regarding the explanation to ADMA members of the exception, and its relationship to the collection principle (E.3). The Charter Council is dissappointed that the Code does not attempt to provide the next level of guidance which we would have expected in a sectoral code. In particular, the Code fails to spell out clearly the expectation that direct marketers should as a matter of course (to comply with E.3 and E.9.1-9.3) provide an opt-out opportunity so that recipients of personalised unsolicited advertising can easily register a preference not to receive further communications.
We maintain that it is in the interests of direct marketing organisations to ascertain and respect the views of actual and prospective customers concerning receipt of personalised unsolicited advertising. We have difficulty understanding the grudging approach of the industry to complying fully the informed consent principle. This reluctance to embrace the spirit as well as the letter of privacy principles, when added to the lack of consultation, not surprisingly makes us suspicious of the motives of ADMA in putting forward this Code.
We would also have expected the Code to clearly outline the role of preference schemes, such as the mailing preference service and telemarketing preference service operated by ADMA. The belated proposed addendum to Part E sent to us by ACCC on 19 October (clause 33) goes only some way towards remedying this deficiency. The exception for 'current customers' is unacceptable and undermines the whole purpose of a preference scheme. If a consumer has registered a clear preference not to receive unsolicited approaches, this preference should not be overridden simply because they have chosen to purchase goods or services. The question of for how long recorded 'do not approach' preferences should have effect was contentious during the earlier discussions on the Direct Selling Code. The starting point from a privacy perspective is that an individual's preference should be respected indefinitely while they have the same address or telephone number. The onus should be on ADMA to show cause for unilaterally ceasing to respect preferences after any particular period of time.
It is also important that direct marketers do not see centrally organised preference services as the only, or even the primary, way in which consumers will register choices. Preference services are a useful device which cater for those consumers who do not want to receive any personalised unsolicited advertising. Survey results suggest this is a minority of consumers for postal advertising, but perhaps a majority for telemarketing and e-mail advertising. Many consumers will however wish to receive some unsolicited approaches, but not others, and they should be able to manage their own privacy by making requests directly to specific organisations. It is essential that Code participants are reminded that this is the way in which the provisions of Part E are supposed to work - more detailed guidance, with examples, would be helpful in a customised sectoral code.
Other weaknesses in Part E
The Charter Council has reached a common position with other privacy and consumer groups on the full range of deficiencies in the current National Principles. These concerns are set out in full in Attachment B, and apply equally to the version of the Principles appearing in Part E of the ADMA Code of Practice.
We note that the Code version of the Principles moves an important condition for disclosure to law enforcement agencies - that a record should be kept (National Principle 2.2) to point E.13, under an inappropriate heading of 'Reasonable Expectations. It could usefully be made a separate and more prominent point. We welcome the application of the record-keeping requirement to all disclosures.
Objective of adopting national data protection principles
The National Principles are intended, by the Privacy Commissioner and by the Online Council (of State and Federal Information Ministers), to form the basis of a consistent privacy protection framework across all sectors and jurisdictions. The Victorian government has already declared its intention to legislate the Principles, and other industry bodies have already indicated, like ADMA, that they will incorporate the Principles into Codes of Practice. The Insurance sector has already done so, with its General Insurance Information Privacy Principles launched in August 1998, which all general insurers are expected to adopt.
One of the reasons for developing a set of National Principles is to eliminate the risk of interruptions to transfers of personal data into Australia as result of the implementation of the European Union's Data Protection Directive. Under Article 25 of the Directive, EU member states are required to provide in their domestic law for restrictions on the transfer of data to 'third countries' (ie non-EU states) where there is not 'adequate protection' for personal data. The European Commission has given strong indications that the assessment of adequacy will involve consideration both of privacy standards and of mechanisms for compliance monitoring, enforcement and remedies.
Insufficient overall public benefit
Given the importance of establishing a privacy protection framework which satisfies both domestic and international pressures, the Charter Council contends that there can be no overall public benefit in the authorisation of ADMA's Direct Marketing Code unless it deals with the outstanding issues under discussion by the Privacy Commissioner, and provides acceptable compliance and enforcement mechanisms.
Part D - Electronic Commerce
This part does not deal adequately with the complexities of direct marketing activity over electronic media. There is now a vast amount of material available, both in Australia and overseas, about the issue of unsolicited e-mails or SPAM, and some innovative technological tools are becoming available. While we agree with the general objective of applying the same level of protection on-line as apply in other media, a more sophisticated analysis and advice, drawing on expertise in the Internet community, would be helpful.
Other privacy issues
The Australian Privacy Charter extends beyond information privacy (data protection) concerns. Charter Principle 8, for example, provides that "people have a right to private space in which to conduct their personal affairs", and Principle 1 that " … commercial services … with potential to interfere with privacy should not be used unless the public interest in so doing outweighs any consequent dangers to privacy.
Both of these principles are relevant to the provisions of the ADMA Code relating to telemarketing (Part C), which is acknowledged to raise issues of intrusion. We submit that the permitted 'cold' calling times (C.9) are too generous, and require further discussion with consumer organisations, based on empirical survey evidence of public opinion.
Also, the calling frequency provision (C.12) needs to be clearly subject to the proviso that if an individual expressly requests no further calls that request should be honoured indefinitely - this should be in line with the clarification of the use and disclsosure provisions of Part E, which is required in any case (see above).
Part F - Enforcement
We generally agree with the ACCC in its provisional assessment of weaknesses in Part F, and with the proposed changes. We agree in particular with the need for an independent chair and balanced composition of the code authority; for the right to seek independent review of the decisions of the Code Compliance Officer, and the importance of their being no fees for lodging a complaint. The proposed specification of remedies and sanctions is also very desirable - a scheme which relies only on the blunt and extreme sanction of expulsion from membership is not likely to be effective and may even be counter-productive. There should be a hierarchy of sanctions available which are proportional to the seriousness of breaches of the Code, yet significant enough to act as a deterrent and send the right message to other organisations.End of submission
(Fancier formating later - Robin.)
The Australian Privacy Charter
The Meaning of Privacy
Australians value privacy. They expect that their rights to privacy be recognised and protected.
People have a right to privacy of their own body, private space, privacy of communications, information privacy (rights concerning information about a person), and freedom from surveillance.
'Privacy' is widely used to refer to a group of related rights which are accepted nationally and internationally. This Charter calls these rights 'privacy principles'.
Privacy principles compromise both the rights that each person is entitled to expect and protect, and the obligations of organisations and others to respect those rights.
Personal information is information about an identified person, no matter how it is stored (eg sound, image, data, fingerprints).
Privacy is important
A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organisations to intrude on that autonomy.
Privacy is a key value which underpins human dignity and other key vales such as freedom of association and freedom of speech.
Even those privacy protections and limitations on surveillance that do exist are being progressively undermined by technological and administrative changes. New forms of protection are therefore required.
Interferences with privacy must be justified
Privacy is a basic human right and the reasonable expectation of every person. It should not be assumed that a desire for privacy means that a person has 'something to hide'. People who wish to protect their privacy should not be required to justify their desire to do so.
The maintenance of other social interests (public and private) justifies some interferences with privacy and exceptions to these Principles. The onus is on those who wish to interfere with privacy to justify doing so. The Charter does not attempt to specify where this may occur.
Aim of the principles
The following Privacy Principles are a general statement of the privacy protection that Australians should expect to see observed by both the public and private sectors. They are intended to act as a benchmark against which the practices of business and government, and the adequacy of legislation and codes, may be measured. They inform Australians of the privacy rights that they are entitled to expect, and should observe.
The Privacy Charter does not attempt to specify the appropriate means of ensuring implementation and observance of the Privacy Principles. It does require that their observance be supported by appropriate means, and that appropriate redress be provided for breaches.
1. Justification and exceptions
Technologies, administrative systems, commercial services or individual activities with potential to interfere with privacy should not be used unless the public interest in so doing outweighs any consequent dangers to privacy.
Exceptions to the Principles should be clearly stated, made in accordance with law, proportional to the necessities giving rise to the exception, and compatible with the requirements of a democratic society.
Individual consent justifies exceptions to some Privacy Principles. However, 'consent' is meaningless if people are not given full information or have no option but to consent in order to obtain a benefit or a service. People have the right to withdraw their consent.
In exceptional situations the use or establishment of a technology or personal data system may be against the public interest even if it is with the consent of the individuals concerned.
An organisation is accountable for its compliance with these Principles. An identifiable person should be responsible for ensuring that the organisation complies with each Principle.
Each Principle should be supported by necessary and sufficient measures (legal, administrative or commercial) to ensure its full observance, and to provide adequate redress for any interferences with privacy resulting from its breach.
There should be a policy of openness about the existence and operation of technologies, administrative systems, services or activities with potential to interfere with privacy.
Openness is needed to facilitate participation in accessing justifications for technologies, systems or services; to identify purposes of collection; to facilitate access and correction by the individual concerned; and to assist in ensuring the Principles are observed.
6. Freedom from Surveillance
People have a right to conduct their affairs free from surveillance or fear of surveillance. 'Surveillance' means the systematic observation or recording of one or more people's behaviour, communications, or personal information.
7. Privacy of Communications
People who wish to communicate privately, by whatever means, are entitled to respect for privacy, even when communicating in otherwise public places.
8. Private Space
People have a right to private space in which to conduct their personal affairs. This right applies not only in a person's home, but also, to varying degrees, in the workplace, the use of recreational facilities and public places.
9. Physical Privacy
Interferences with a person's privacy such as searches of a person, monitoring of a person's characteristics or behaviour through bodily samples, physical or psychological measurement, repugnant and require a high degree of justification.
10. Anonymous Transactions
People should have the option of not identifying themselves when entering transactions.
11. Collection Limitation
The minimum amount of personal information should be collected, by lawful and fair means, and for a lawful and precise purpose specified at the time of collection. Collection should not be surreptitious. Collection should be from the person concerned, if practicable.
At the time of collection, personal information should be relevant to the purpose of collection, accurate, complete and up-to-date.
12. Information Quality
Personal information should be relevant to each purpose for which it is used or disclosed, and should be accurate, complete and up-to-date at that time.
13. Access and Correction
People should have a right to access personal information about themselves, and to obtain corrections to ensure its information quality.
Organisations should take reasonable measures to make people aware of the existence of personal information held about them, the purposes for which it is held, any legal authority under which it is held, and how it can be accessed and corrected.
Personal information should be protected by security safeguards commensurate with its sensitivity, and adequate to ensure compliance with these Principles.
15. Use and Disclosure Limitations
Personal information should only be used, or disclosed, for the purposes specified at the time of collection, except if used or disclosed for other purposes authorised by law or with the meaningful consent of the person concerned.
16. Retention Limitation
Personal information should be kept no longer than is necessary for its lawful uses, and should then be destroyed or made anonymous.
17. Public Registers
Where personal information is collected under legislation and public access is allowed, these Principles still apply except to the extent require for the purpose for which public access is allowed.
18. No Disadvantage
People should not have to pay in order to exercise their rights of privacy described in this Charter (subject to any exceptions), nor be denied goods or services or offered them on a less preferential basis. The provision of reasonable facilities for the exercise of privacy rights should be a normal operating cost.
Privacy and Consumer Advocates' Position Statement in relation to the Privacy Commissioner's National Principles for the Fair Handling of Personal Information
28 August 1998
This Position Statement was discussed at a meeting between the Privacy Commissioner, business representatives, and privacy and consumer advocates on 31 August 1998. The numbering in the Position Statement follows that in the Commissioner’s National Principles for the Fair Handling of Personal Information.
This paper documents the revisions which the privacy and consumer advocates believe need to be made to the Privacy Commissioner's 'National Principles' of February 1998, in order to ensure that the Principles provide a minimum level of information privacy protection, sufficient to at least provide Australians with an acceptable set of rules, and to satisfy any reasonable test of international adequacy.
Most of the changes are minor adjustments to wording, in order to ensure that the Principles reflect the intention of the drafters, and to avoid ambiguities. A couple of them are more substantive.
This paper consolidates points made in papers by Graham Greenleaf & Nigel Waters in (1998) 4 PLPR 161 and by Roger Clarke in (1998) 4 PLPR 176, in Ulf Brühann’s letter of June 1998, and during the Privacy Commissioner's meeting of privacy advocates and industry representatives on 18 August.
Notes: These contain a very brief explanation of our position. They are not necessarily intended to be incorporated into the guidance notes Where we specifically suggest changes or additions to guidance notes this is made clear.
Global Matter - Workplace Privacy
In the Introduction, delete the words "whether the principles are applied to personal information about employees".
Note: It must be made clear the standards are relevant to information about employees. The process by which the National Principles are applied then becomes a matter for the implementation phase.
Principles and Guidance Notes
2.1(a) Secondary Purpose
Replace 'reasonably expect' with 'reasonably expect and accept'.
Note: The protection afforded by the existing phrasing is insufficient. The key words "reasonably expect" are capable of being interpreted too broadly.
2.1(c) Direct Marketing
It seems impossible to negotiate an acceptable position on this issue in the time available. We therefore suggest that 2.1(c) is simply deleted, and that the Principles say nothing specific about direct marketing. This will leave a need for guidance as to how 2.1(a) applies to direct marketing, but this can be dealt with during development of the proposed ADMA Code of Practice and in any legislative implementation of the Principles.
Note: Since the consultations leading to the February Principles, the wider privacy and consumer advocacy movement has made it clear that they regard unsolicited direct marketing in general, and especially outbound telemarketing and unsolicited e-mail (spam), as an area of major public concern.
The way in which the drafters intended exception 2.1(c) to operate, in relation to 2.1(a), is not clear enough and has caused misunderstanding. Many privacy advocates interpret it as an unacceptable concession.
2.1(g)-(h) Law Enforcement and National Security
A set of Privacy Principles is not the appropriate place to codify the information collection powers of law enforcement and national security agencies. This should be only be done after a major public debate and by Parliaments.
But it is not acceptable to entrench in the Principles an indefinite continuation of the current loose arrangements which conflict fundamentally with individuals reasonable expectation of confidentiality in their dealings with most private sector organisations.
Many of the examples of disclosures given by law enforcement agencies would be permissible under one of the other exceptions: 2.1(f) "required or specifically authorised by law", 2.1(e) the "organisation has reason to suspect unlawful activity"; 2.1(d) - emergencies, (which may need to be reworded following further discussions in the sub-group).
Exceptions 2.1(g) and (h) are inappropriate and should be unnecessary. However, in order to ensure that other public interests which may currently rely from time to time on exceptional disclosures of personal information, a revised exception (g) should provide for additional exceptions (however they are finally worded) to be detailed in separate Guidelines to be issued by the Privacy Commissioner.
We suggest the following wording:
2.1(g) TEMPORARY PROVISION - If before 1 January [July] 2000 , the use or disclosure complies with the Temporary Guidelines for Disclosure to Public Authorities issued by the Privacy Commissioner.' [The first such Temporary Guidelines to be included with the 'Guidance Notes' to these principles.]
Logging should be standard practice for 'secondary purpose' use and disclosure, and should be required for all instances which fall under 2.1(d) onwards.
Note: The purposes of logging exceptional use and disclosure are to ensure that: - individuals gaining access to their records are aware of such uses and disclosures (subject to exceptions provided in Principle 6 where that knowledge would prejudice the purpose) - suspected instances of abuse can be investigated; and - high standards of accountability are promoted and potential abusers are dissuaded from mis-using the provisions, because they are aware that the accesses are logged, that suspected instances of abuse are investigated, and that miscreants are pursued. Organisations will normally want to make a record of exceptional use or disclosures to safeguard themselves against allegations of improper conduct.
4.2 Data Destruction
Insert "for any purpose provided for under these principles" .
6.1(c) Insert "administratively" before "onerous".
Note: The current wording permits access to a person's record to be denied where this would be "unduly onerous" to the organisation. As discussed on 18 August, this wording accidentally includes onerousness in the sense of the consequences of disclosure to the person, whereas it was intended to refer only to onerousness in terms of the provision of access.
After 6.1 It should be made clear in a guidance note that where an exception applies to some of the information on a record, the rest of it (ie the maximum amount possible) should still be released.
6.4 Intermediary Access
Replace the words commencing with "consider whether ..." with "enable access through an appropriate intermediary".
Note: The present wording merely requires the organisation, where direct access is impracticable or inappropriate, to "consider" the use of intermediaries. The onus must be on the organisation to make use of intermediary access in such cases. On the other hand "mutually agreed" is unnecessarily tough - there only needs to be an independent intermediary - such as an ombudsman or compliance committee, although we would clearly hope that if an individual suggested another suitable intermediary this would be accepted.
Amend the guidance note to make it clear that it is not intended that organisations would be able to achieve full cost recovery - only a nominal contribution to marginal costs, if anything (and we would hope that many businesses would see the customer relations value of not charging). The cost of setting up a machinery for access (large organisations only) should be seen as a business overhead.
7.1 Private Sector Identifiers
In 7.1, replace the words commencing with "government agency" with "another organisation".
Note: there is a great deal of concern arising in relation to the multiple use of identifiers, because it is an enabler of widespread data surveillance and the emergence of a 'dossier society'. The present wording, however, applies only to identifiers assigned by government agencies. The proposed wording would not stop businesses from recording other business numbers eg CRAA or DUNS reference numbers, only from using them as their own primary identifiers.
Append to the Guidance Note the following: "In addition to full anonymity, organisations should consider implementing schemes whereby pseudonymity can be achieved, and the link between the data and a specific person protected by technical, organisational and/or legal means".
9. Data Transfer
(1) In the main text, delete the words "outside Australia"; (2) In the short-form, change the words "outside Australia" to "to another organisation"; and (3) Change the heading to 'Data Transfers".
Note: As discussed on 18 August, data transfers within Australia should be subject to the same limitations as those outside Australia.
10.2(a) Necessary for Medicine
Replace "required" with either "essential" or "necessary".
Note: The word 'required' is ambiguous, because it could be read as allowing any person who requires (i.e. considers that they need) information to take advantage of the exception.
10.2(b)(ii) Competent Bodies
Before "obligations of professional confidentiality", insert "health and medical" to avoid unintended breadth.
Define as any person (see New Zealand Act) and then exempt "personal, family, recreational" uses (see UK Act)
Avoid using short form National Privacy Principles (NPPs) which implies that the Principles are comprehensive (eg relative to Privacy Charter), when they are not. Suggested alternative is FIHPs (Fair Information Handling Principles) - the full title of the February document was carefully crafted, and is highly descriptive.
Add to the end of the Introduction a further section, as follows:
"These principles expressly address only information privacy protections that have become generally accepted. They do not encompass such additional matters as justification for the handling of personal information, freedom from data surveillance, and the prevention of disadvantage for people who exercise privacy rights. They also expressly do not address dimensions of privacy other than information privacy, such as privacy of the person, privacy of behaviour, and privacy of communications".
End of position paper.
16 October 1998
Mr JP O’Neill
Senior Assistant Commissioner
Australian Competition and Consumer Commission
PO Box 1199
Dickson ACT 2602
Dear Mr O’Neill,
Re: Application for Authorisation No. A40077 - Australian Direct Marketing
Association Code of Conduct
Thank you for inviting comments on the above application and the draft
determination. We received a copy of the Code from the Consumers’ Federation
of Australia on 14 October 1998.
The Financial Services Consumer Policy Centre is a non-profit consumer
research organisation, specialising in the study of financial services from
the perspective of low income and disadvantaged consumers. We have a strong
interest in the development of consumer protection measures in relation to
I am writing to formally request a conference under Section 90A of the Trade
Practices Act to discuss this application in greater detail.
We will set out our detailed concerns about the Code at that meeting, but in
short they are:
* The Code does not appear to comply with the ACCC benchmarks in relation to
independence, sanctions and remedies and enforcement.
* The Code does not appear to provide for adequate consumer representation
in the complaints handling process and the code review process.
* The telemarketing aspects of the Code appear to endorse behaviour that is
completely unacceptable from a consumer perspective.
* The Code remains quiet on the provision of national opt out services,
despite the fact that these are available. Compliance with these services
should be mandated under the Code.
* The Code attaches a set of privacy principles which are based on the
Privacy Commissioner’s national principles (version 1). This is despite ADMA
being aware that this set of principles is under review and likely to be
substantially altered in the near future.
* The Code provisions in relation to email, web marketing and general online
services are too vague to be of any practical use to consumers, and may
differ from other Codes in this area – e.g. the Internet Industry
Association draft code.
I would also like to take this opportunity to raise some concerns about the
authorisation process as it appears to have been applied in this particular
* The timeframe for making comments on the Code is too compressed. The Code
is actually a very complicated document from a consumer perspective. It is
also a very important document as it will become the default ‘standard’ for
direct marketing conduct. Fourteen days for comment is the minimum allowed
under Section 90A(2) and this may have been a case where a longer period for
comment would have been of great benefit.
* The Code and the draft determination could have been provided online, so
that copies could be distributed quickly to a wider group of known
interested persons by others, like myself, who were fortunate enough to be
told about the application.
* Provision could have been made for the receipt of comments by email, to
assist those organisations who will struggle to meet the tight deadline.
* The Code does not appear to have been adequately distributed to groups and
fora who have an interest in electronic commerce and online regulatory
issues. Direct marketing is a major issue in the online community. I have
forwarded copies to the Australian Computer Society and Electronic Frontiers
Australia for their comments.
* There does not appear to have been any need to predetermine the date of
the Conference. There is provision in the Act for a period of up to 30 days
notice of the conference date. The date of the conference could have been
set after the receipt of comments and a more appropriate time may have been
determined through such a process.
This Code is of great interest to the community – yet it has been wrapped in
secrecy for some time. This is our first and only opportunity to comment on
the finished product, and we are disappointed that such a short period of
time has been allowed for this process. There is a genuine concern that the
receipt by ADMA of the ACCC’s “authorisation” will create an impression of
government “approval” for the activities of direct marketing companies who
comply with the code. For these reasons, we believe the code should be the
subject of serious public debate.
We look forward to the conference.
Mr J P O'Neill
Senior Assistant Commissioner
Australian Competition and Consumer Commission
19 November 1998
Dear Mr O'Neill
Application for Authorisation No 40077 - Supplementary Submission
Thank you for your letter of 12 November enclosing a copy of the revised
I will not be able to attend the pre-determination hearing next week - I
will be overseas. But Tim Dixon, the Secretary of the Privacy Charter
Council, will represent the Council and speak to our earlier submission. We
will also have a legal adviser present (although I note that the process
does not allow for formal legal representation).
I note that ADMA claims to have addressed the points raised by ACCC in your
draft determination. While there are some significant improvements, their
response to your requirement to specify the range of remedies is in our
view completely inadequate. Also, the relationship of the Code Authority
to the ADMA Board, and the Authority's limited powers, continues to fall
far short of the degree of independence which is an essential part of any
effective self-regulatory scheme.
I would also like to re-iterate our overall submission that in addressing
only the issue of compliance and sanctions in its draft determination, the
ACCC has neglected to consider a range of other issues which must properly
be taken into account in forming any view about 'public benefit'. These
include the adequacy of the standards contained in the Privacy
Commissioner's National Principles, which ADMA has adopted. The Privacy
Commissioner's process for developing those Principles, which are by her
own admission her best effort at achieving a consensus acceptable to
business, is no substitute for a proper balancing of public interests,
particularly in the context of authorising anti-competitive practices. The
ADMA Code, if approved, will legitimise the relatively low standard of use
and disclosure limitations arguably contained in the National Principles
and now in the ADMA Code. This could well have the perverse effect of
preventing more enlightened organisations from using better privacy
protection - such as opt-in for marketing - as a competitive tool. In our
view, the ACCC must consider the adequacy of the rules and standards in the
ADMA Code as well as the surrounding compliance mechanisms.
I acknowledge your 4 November reply to my letter about the launch of the
Code. We remain concerned that the ACCC may have compromised its role in
the authorisation process by the wording of the draft determination and
Professor Fels' comments at the launch, and we reserve the option of
raising this at the conference. It would be helpful if the Commissioner
chairing the conference could clarify at the outset the Commission's
position in relation to the authorisation process, and re-assure all
parties that it has not pre-empted consideration of the full range of
issues raised in submissions.
Australian Privacy Charter Council.
5 Pashley Street, Balmain, SYDNEY, NSW 2041, Australia
Telephone: (02) 9810 8013 E-mail: email@example.com
Mr J.P. O'Neill
Senior Assistant Commissioner
Australian Competition and Consumer Commission
P.O. Box 1199
Dickson ACT 2602
Dear Mr O'Neill
Re: Application for Authorisation No. A40077 - A.D.M.A.
This document is submitted to the Commission in relation to the above
Application for Authorisation.
The Australian Computer Society (ACS), Economic, Legal and Social
Implications Committee (ELSIC), the workings of which I oversight in my ACS
Director, Community Affairs Board (CAB) role, will be represented at the
s.90 ('pre-decision') conference on 26 November, by Dr Roger Clarke FACS, a
member of the ACS Economic, Legal and Social Implications Committee (ELSIC).
Andrew Freeman FACS
Directory, Community Affairs Board
Australian Computer Society Inc.
Australian Computer Society Inc. - ELSIC
Submission to the Australian Competition and Consumer Commission
in relation to Application for Authorisation No. A40077 - A.D.M.A.
19 November 1998
The Australian Computer Society is the professional association of the
country's information technology professionals. It was formed in 1966, has
around 15,000 members, and has long been active in relation to the
economic, legal and social impacts of technology.
Direct marketing is of considerable concern to the Society. Both direct
mail and tele-marketing are heavily reliant on computer technology.
Irresponsible marketing practices are significantly retarding consumer
adoption of the Internet. Each of these industries employ information
technology professionals. Information technology professionals who are
Members of the Society are bound by its Code, which requires members to
"consider and respect people's privacy which might be affected by [their]
Accordingly, the representatives of the Australian Computer Society claim
to be an "interested person" in relation to this Application for
Authorisation, within the meaning of s.90A(12) of the Trade Practices Act
1974,. The ACS, as well as each of its representatives personally, have a
real and substantial interest in ensuring that IT professionals' conduct in
Australia is aligned to consumer-protection and privacy-protection
principles. The ADMA Code purports to reflect such principles.
Direct Mail and Tele-Marketing
There are very considerable public concerns about the practices of direct
marketers, especially in relation to tele-marketing. Marketers and their
associations have nominally operated off-lists for many years; but their
performance has not been such as to create public belief in
self-regulation. The recent, substantial increase in the incidence of
unsolicited telephone calls for sales purposes is causing a great deal of
public disquiet about the interruption of people's home-environment.
In this context, it is critical that the direct marketing industry meet
with representatives of consumer and privacy interests, in order to
negotiate an appropriate means whereby the various interests can be
satisfied. But no such public consultation process has taken place. ADMA
seeks to rely on prior consultation processes with the Commission and the
Privacy Commissioner, which do not represent open, public processes.
The draft code contains provisions that fail to balance the interests of
marketers against those of consumers. Hence, the Society submits, the
draft Code fails the 'public benefit' test. Moreover, for the Commission
to provide its imprimatur to the code in its present form would send the
wrong message about the extent to which Australian regulatory authorities
will intervene to protect the public interest, and would therefore
encourage non-members of ADMA to ignore even the limited protections that
Direct Electronic Marketing
Paragraph D1 of ADMA's proposed Code states that "The same level of
protection provided by the practices that apply to other methods of
commerce should be afforded to customers who participate in electronic
This evidences failure by the code's architects to appreciate the
completely different environment that applies in the electronic context.
The Society expresses especially serious concern about marketers applying
their conventional presumption of 'consumer opt-out opportunities' to
The following are critical factors about charging in the networked world:
- whereas the post and telephone are, in general, financed through a
'sender-pays' model, the Internet tends to be 'receiver-pays';
- hence direct marketing may impose direct dollar-costs on the receiver,
above and beyond the interruption, clutter and receiver-time factors;
- the present tariffs used by ISPs are a mixture of connection-time,
transmission-volume and subscription, but this may well change shortly,
because carriers and carriage service providers may drive retail
tariffs towards volume-based charging as the dominant means of
collecting money from consumers; and
- hence should the Commission give approval to ADMA's code, it would have
the effect of locking consumers into not only receiving, but also
paying for, unsolicited materials.
The matter was already serious while the dominant communications medium was
text-based email. There are currently many projects in train whose purpose
is to provide much more intrusive and bandwidth-intensive
'push-technologies'. Images can be hundreds, or even thousands, of times
larger than the text of a typical message. While one
picture may not be worth a thousand words, it may cost the unwilling
consumer that much more to receive it. During the last few weeks, an
unsolicited email has been offering the means to transmit a video-and-voice
message to large numbers of people via the Internet. Such messages can be
many orders of magnitude larger than text and still images, and will cost
all recipients money and attention-span.
In short, irrespective of the various balances between economic and social
objectives that may be appropriate in respect of direct mail, and of
tele-marketing, it is essential that electronic marketing be
'consumer opt-in', with prior communications of the conditions and costs
The Society submits that ADMA has failed to undertake the public
consultation process that is a necessary pre-cursor to the submission of a
draft code for authorisation by your Commission.
The Society is concerned that the Commission could possibly grant a
determination, without ensuring that such a comprehensive and public
negotiation process has been conducted, resulting in an instrument that
reflects the interests of the public, and of involved professionals.
The Society expressly rejects the suggestion that the formal process of
submissions to the Commission, followed by a structured pre-decision
conference, represents an appropriate form of public consultation. The
pre-decision conference is appropriate means only for the Commission to
satisfy itself that the appropriate public process has been conducted, and
has resulted in a code that is sufficiently consensual that it can be
reasonably argued to satisfy the public interest.
The Australian Computer Society submits that:
* that there is insufficient public interest to support the adoption of the
proposed code, because of the inadequacy of the provisions dealing with
Andrew R. Freeman, FACS Location: Belconnen Canberra ACT Australia
Key e-mail: firstname.lastname@example.org WWWeb: http://www.pcug.org.au/~afreeman
Director, Community Affairs Board, Australian Computer Society (1996/99)
ACS CAB World Wide Web URL: http://www.acs.org.au/boards/cab/cabtr.html