There is a general tendency to focus exclusively on the Privacy Act in considering online privacy issues. With few exceptions, in jurisdictions elsewhere the seamless application of the fair information principles lessens the appeal of other legal remedies. However, major gaps exist in the coverage of the Privacy Act, and those that have been identified by the EU are mentioned below. This inadequate statutory framework may prove insufficient to combat the emergence of a kind of `privacy survivalism' in which it is solely up to the individual to adopt elaborate defensive measures to protect privacy in routine online transactions. As such the Privacy Act may fail to promote e-commerce unless it generates codes of practice of more extensive application.
The patchy application of the Privacy Act gives these other remedies a continuing relevance. For example, the equitable duty of confidence limits use for a secondary purpose. The Privacy Act specifically provides that principle 2, regulating use and disclosure, `does not override any existing legal obligations not to disclose personal information' (principle 2, note 1). Of greater general utility, however, is the law of contract, briefly considered below. In addition, the statutory remedy provided by section 52 of the Trade Practices Act (Cth) regarding misleading statements is relevant, online privacy also being a consumer protection issue. Section 52 provides:
A corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive, or is likely to mislead or deceive.

This provision has traditionally been used in conjunction with the common law action of passing off, but its scope is broader and is not to be confined by reference to the prior learning on that tort: Equity Access Pty Ltd v Westpac Banking Corporation. Further, whilst the provision is usually invoked regarding misrepresentations of fact, it has been held that its generality does not support any implied limitations excluding from its scope conduct inducing errors of law, or mixed questions of fact and law such as an incorrect statement about copyright.
The European Union Directive on data protection took full effect in October 1998. The EU Directive, as its title conveys, is not a legal instrument as such but rather a directive to its member states regarding the minimum standards of their respective domestic laws regulating privacy. As with its other directives, the EU aims to harmonise legal standards in Europe, thereby facilitating the free movement of personal information between its members. Its preamble notes that its provisions `give substance to and amplify' those of the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In particular, the Directive extends beyond computerised data to manual personal records. The result is that countries such as the UK have revised their laws to accommodate its more rigorous standards, and others have been prompted to enact their first privacy laws.
Article 25(1) of the EU Directive provides that member states shall provide that transfers of personal information outside the EU may take place `only if' the recipient country ensures an `adequate level' of privacy protection. The EU Directive does not therefore purport to incorporate its legal requirements into the laws of non-member states (a legal impossibility). Rather, it indicates that if other countries are to trade with EU citizens, and hence collect their personal information, they must respect European standards. As such Europe is (in Lessig's terms) acting as a market regulator rather than a legal regulator.
We see below that the US uses a stripped-down set of privacy principles that inadequately reflects the requirements of the OECD and EU formulations. More fundamentally, it still lacks comprehensive privacy legislation giving those principles legal force. For two years the US negotiated with the EU, endeavouring to avoid having to enact a comprehensive data protection law while continuing to trade with Europe and hence in personal information. A compromise was finally reached which took effect on 1 November 2000. The accord exempts American companies from European sanctions if they sign up to a `safe harbor' self-regulatory program that promises European consumers that their personal data is processed in broad accordance with the EU privacy principles.
To gain a safe harbor exemption from the Directive, US companies must join a self-regulatory program such as a privacy seal (see below) and follow the EU's comprehensive set of fair information principles when processing personal data about European citizens. The agreement calls for policing to be done by private groups and backed up by US agencies such as the FTC. Alternatively, companies can comply with the Directive by including privacy safeguards in transborder contracts transferring the personal data.
Initial fears that the safe harbor accord could founder for lack of companies prepared to sign up have eased following Microsoft's decision to join the programme in May 2001, followed by Intel in June, the latter citing the desirability of a one-stop shop instead of having to deal with 15 individual EU member states. (It is perhaps no coincidence that the leadership role assumed by Intel and Microsoft follows their previous encounters with consumer rage generated by their (subsequently abandoned) tracking technologies described above.) By 1 December 2001, 129 companies had signed up. A Staff Working Paper of the Commission of the European Communities published earlier this year notes that although this is fewer than expected, the number should grow steadily. The report notes some problems regarding transparency and enforcement, however.
Such confidence was misplaced. The European Union has since warned that the Privacy Act does not provide adequate protection for European citizens. Criticisms include:
On the basis of the above, the working party considers that data transfers to Australia could be regarded as adequate only if appropriate safeguards were introduced to meet the above-mentioned concerns. This could be done for example through voluntary codes of conduct.

These criticisms are quite specific and do not represent an attempt to impose holus bolus on Australia the comparatively complex and onerous requirements of the entire directive. This accords with the EU's approach in negotiating the safe harbor agreement, the outcome of which has been applauded by some as more flexible and congenial to U.S. business practices than the Directive itself.
The concerns expressed by the EU relate to both the scope and the standards of the Privacy Act. In reality, the two are related, and the Act's ostensible standards are undermined by its limited scope. This is most apparent in the application of those national privacy principles premised on the exchange of personal data between organisations. The problem is most acute with principle 2, restricting the use of personal data. This essentially provides that an organisation must not disclose personal data to another data user for an unrelated secondary purpose unless the data subject consents or would reasonably expect the disclosure for the new purpose. The transferor's purpose is coloured by the proposed purpose of the transferee. This was confirmed in Robertson v City of Wakefield Metropolitan Council. This English High Court decision is significant on a number of counts, providing the first judicial consideration of the EU Directive's direct marketing restrictions. It concerned Electoral Registration Officers' (EROs) sale of copies of the Register to commercial interests. The court accepted that it had been `obvious' to the EROs that the Registers were being used for direct marketing purposes. The court held that an ERO who sells the Register to commercial concerns which he anticipates will use it for direct marketing is processing personal data `for the purposes of direct marketing'.
This accords with the general legal principle that `purpose' differs from motive; in criminal law the courts have rejected the proposition that a party only acts for a specified purpose (eg assisting a principal) if that party desires that outcome or is indifferent as to whether it results. To similar effect is the recent decision of the English Court of Appeal holding that in the context of the UK Copyright Act `for the purpose of [criticism or review]' imports an objective test which `should not ... give any encouragement to the notion that all that is required is for the user to have the sincere belief, however misguided, that he or she is [acting in accordance with the requisite purpose]'. Rather, the likely impact on those affected (the audience in that case, but data subjects under the present scenario) is relevant. To similar effect are the US safe harbor principles, which require that a transferor shall be liable if the `organisation knew or should have known the third party would process [the personal data] in [a non-compliant way] and the organisation has not taken reasonable steps to prevent or stop such processing'.
It follows that an organisation can only comply with principle 2 if reasonably satisfied that the transferee's anticipated use accords with the data subject's reasonable expectations. Otherwise her consent is required. But if the transferee is not subject to the Privacy Act it need not, among other things, disclose the purposes for which it uses personal data. In these ambiguous circumstances the disclosing organisation must do the best it can. The Act does not condone disclosures which effectively launder away the data subject's privacy rights. Corresponding problems arise where an organisation collects personal data from a company which is not subject to the Act and hence did not disclose its data purposes when originally collecting the data from the data subject. Arguably the limited scope of the Act makes compliance more onerous for those companies that are subject to its requirements. More seriously, these difficulties may well produce a systemic degradation of the privacy standards vouched for by the national privacy principles.
The underlying fallacy of the Privacy Act's limited scope is that larger companies can sensibly be ring-fenced and the national privacy principles applied to them in isolation from their smaller trading partners. An ecological analogy would be sprinkling little `nature reserves' throughout an industrial area and expecting the denizens to escape pollution and hunting.
The safe harbor agreement represents one mechanism to accommodate the EU's strict data privacy standards, standards which the world's largest economy ultimately had to recognise, longstanding cultural differences notwithstanding. Whether other mechanisms may yet avail Australia remains to be seen. What is clear is that some form of accommodation is inevitable if Australian companies are to continue to do business with Europe. Such is the emerging Realpolitik of international privacy protection.
This has been recognised by organisations such as the Internet Industry Association in developing codes of practice, which will include an EU compliance module for companies wishing to trade internationally on the Internet.
A general overview of this legislation is provided by my earlier article in PLPR.
Caspi v Microsoft Network 323 N.J. Super. 118 (1999).
The converse situation was addressed by New York Federal Judge Alvin Hellerstein in Specht v Netscape 150 F Supp 2d 585 (2001). The Court there held that people who downloaded Netscape Communications' SmartDownload software were not bound by an online contract because when downloading they were not given the opportunity to indicate their assent to the licence terms. Instead, only a small box of text asking them to `please review the licensing agreement' was displayed. They were not required to click on any link indicating their active agreement to a licence in order to obtain the software. Accordingly the plaintiffs, who alleged that the software had surveillance capabilities, were not precluded by an arbitration clause from litigating.
(1990) 16 IPR 431.
FTC File No. 9823015, 13 August 1998.
Bergerson, supra.
 http://europa.eu.int/comm/internatl-market/en/dataprot/news/02-196_en.pdf. See also Analysphere 4 March 2002 at www.caslon.com.au
See my Complying with Australia's New Privacy Legislation on the uncertain scope of these exclusions.
Data Protection Working Party, Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000, adopted on 26 January 2001.
[2001] EWHC Admin 915.