TELECOMMUNICATIONS PRIVACY - THE INTERACTION OF THE PRIVACY AND TELECOMMUNICATIONS REGULATORY SYSTEMS

by

HOLLY RAICHE

Presented at
The New Australian Privacy Landscape
UNSW Continuing Legal Education Seminar
Wednesday 14 March 2001


 
  • 1. PERSONAL INFORMATION WHICH IS PROTECTED UNDER TELECOMMUNICATIONS LEGISLATION
  • 1.1 Privacy Regulation of Content: Interception Legislation

  • The three Issues which I will address in this paper are:

    1. PERSONAL INFORMATION WHICH IS PROTECTED UNDER TELECOMMUNICATIONS LEGISLATION

    * Content -

    Telecommunications content issues which raise privacy concerns are generally considered to concern the protection of conversations between individuals. Increasingly, however, content issues also include data communication such as emails and whether the inter-personal exchange of data is covered by telecommunications legislation

     * Carriage -

     Telecommunications carriage is also a privacy issue because carriers and carriage service providers necessarily collect personal information about individuals. That information includes:

    Both sorts of personal information must be passed between service providers in a competitive telecommunications environment. Indeed, under Part 13 of the Telecommunications Act 1997, there is a specific exemption from the prohibitions for exchange of information between carriers and carriage service providers for a purpose connected with the carrier/CSP carrying on business as a carrier or CSP.[1]

    1.1 Privacy Regulation of Content: Interception Legislation

    The protection of content is covered by two different pieces of telecommunications legislation: The Telecommunications (Interception) Act 1979 and related state legislation on listening devices provides the prohibition on listening to or recording of a communication passing over a telecommunications system without the knowledge of the person making the communication.[2] There are, however, some significant gaps in that protection.

     Those gaps include

    There is open question as to whether the National Privacy Principles[5] can also be used to protect the privacy of inter-personal communications passing over a telecommunications system. For example, would the listening to or recording of personal communications be protected by the Collection Principle.[6]

     For the purposes of this paper, however, I will concentrate on the protections provided under the Telecommunications Act 1997 for both content and carriage issues.

    1.2 Part 13, Telecommunications Act 1997

    The primary prohibition on the disclosure of both content and carriage information is contained in Part 13 of the Telecommunications Act 1997.

     Specifically, section 276 prohibits:

    Exemptions to the prohibition include use or disclosure of information for law enforcement purposes, the protection of public revenue, assistance to the regulators, emergency services purposes, provision of information to the IPND or the business needs of that or other carriers of carriage service providers,[7]

     Disclosures under Part 13 are, however, monitored by the Privacy Commissioner, who may report to the Minister on such disclosures.[8] and a breach of Part 13 would be a criminal offence and would attract criminal sanctions.

    1.3 Telecommunications Privacy Codes and Supporting Regulatory Structures

    Apart from provisions of the Telecommunications Act itself, there are additional privacy protections under industry codes developed under the Act and the surrounding telecommunications regulatory structure.

     Part 6 of the Telecommunications Act 1997 provides for industry to develop codes of practice. The industry codes to date have been developed by the telecommunications industry body, the Australian Communications Industry Forum (ACIF).

    * ACIF

    ACIF is a telecommunications industry forum established and funded by the industry that develops Codes and Standards on a variety of telecommunications issues including customer equipment, cabling, radiocommunications, network, and inter industry operational issues.

     ACIF Codes Dealing with privacy issues include:

    The main provisions of the CPI Code are based on the National Privacy Principles, as included in the recent amendments to the Privacy Act, and the CPI Code applies to all telecommunications carriers and carriage service providers.[9]

     Enforcement of ACIF Codes is, at an individual complaints level, through the Telecommunications Industry Ombudsman (TIO), with the regulator, the Australian Communications Authority (ACA), also having powers in relation to the enforcement of industry codes.

     * Telecommunications Industry Ombudsman (TIO)

    The TIO is established under Part 6 of the Telecommunications (Consumer Protection and Service Standards) Act 1999. All `eligible carriage service providers' (which supply a standard telephone service, a mobile service or a service that enables end users to access the internet) must join and comply with the TIO scheme.[10] The TIO has general jurisdiction to handle complaints, including complaints about privacy under provisions of the Constitution of the TIO[11].

    If industry Codes are registered by the ACA, the TIO treats the Code provisions as industry standards against which the behaviour of the industry member is measured, and reports on all Code breaches to both ACIF and the ACA

     Under the TIO corporate documentation, the TIO can, after investigating a complaint, make binding decisions on all TIO members for payment of up to $10,000, and/or orders for the carrier or carriage service provider to do or refrain from doing an act.[12]

     * The Australian Communications Authority (ACA)

    The ACA has the power to register codes covering sections of the industry engaged in telecommunications activities.[13] Once a Code is registered, the ACA can enforce Code provisions against all those subject to the Code, whether or not they have signed the Code.

     ACA enforcement can be either through Formal Warnings or Directions for compliance with Codes, and ACA Directions can be enforced through court proceedings.[14]

     If the ACA is satisfied that a registered Code is deficient (ie, does not provide appropriate community safeguards or is not otherwise operating to regulate adequately participants in the relevant section (s) of the industry) it can determine an industry standard on the matter.[15] Once the ACA has determined an industry standard, compliance with that standard is required under the Act and a breach can be brought before the Federal Court.[16]

    The ACA is also required to report to the Minister and publish annual reports on carrier and carriage service provider compliance with codes and standards.[17]
     
     

    2. PRIVACY AMENDMENT (PRIVATE SECTOR) AMENDMENT ACT 2000: RELEVANT PROVISIONS

    2.1 Privacy Prohibition - With/Without Approved Code

    The amended Privacy Act will apply to private sector organisations (with some exceptions) and will ensure the National Privacy Principles - contained in Schedule 3 of the Act- apply to telecommunications through the new prohibitions under Section 16A of the Act.

     The new amendments require that organisations do not do an act or engage in a practice that breaches an approved privacy Code that binds the organisation.[18] To the extent that an organisation is not bound by an approved code, an organisation will be required not to do an act or engage in a practice that breaches the National Privacy Principles.[19]

     Given the requirement that an approved code either incorporates all the National Privacy Principles or sets out obligations which are at least the equivalent of the National Privacy Principles, the effect is that the private sector will be bound by the National Privacy Principles, or their equivalent.

    2.2 What is a privacy code: -

    The first requirement for a Code to be an `approved code' is that it be a privacy code. Under the Act, a privacy code is defined as a written code regulating acts and practices that affect privacy.[20] In the telecommunications arena, that definition would cover a range of ACIF codes, including the Calling Number Display and Integrated Public Number Database Codes, codes on the Handling of Life Threatening or Unwelcome Calls as well as other operations and network codes

    2.3 What is An Approved Code

    Under the Act, the Privacy Commissioner must be satisfied about a range of matters before approving a Code. (see Appendix A)

     The most important requirement is clearly that the Code either incorporates all of the National Privacy Principles or at least their equivalent.

     If the Code contains a complaints handling mechanism, there are additional criteria which must be satisfied including:

    2.4 Consequences of approval of a Code by the Privacy Commissioner:

    If there is a complaints mechanism in the Code, then the complaint about an interference with privacy[22] is initially handled under the complaints mechanism provided by the Code rather than by the Privacy Commissioner and the Commissioner cannot initially handle that complaint; a person who has used the complaints mechanism in an approved code, however, can appeal to the Privacy Commissioner against a determination made by the complaints' mechanism's adjudicator.[23]) In all other cases, the Privacy Commissioner may handle the complaint, whether or not the organisation the subject of the complaint is bound by a code which is not an approved code.

     There is also provision for the Privacy Commissioner to handle complaints if they are referred to the Commissioner by the independent adjudicator.[24]
     
     

    3. INTERACTION OF TELECOMMUNICATIONS LEGISLATION AND THE PRIVACY LEGISLATION

    3.1 Part 13 of the Telecommunications Act 1997 and the Privacy Act 1988

    Coverage of the National Privacy Principles in the Privacy legislation is broader than Part 13 of the Telecommunications Act. The privacy legislation goes beyond the use and disclosure provisions of Part 13, to other privacy issues covered by the NPPs such as data quality and security, access, anonymity, etc. The Privacy legislation will also provide an accessible complaints mechanism (the Privacy Commissioner's office) for the public which is not now available under Part 13, as a breach of the Telecommunications Act is a criminal offence.

    3.2. Interaction of Telecommunications Codes and the Privacy Legislation

    Under the privacy legislation, to be an approved code, the Code must either incorporate the NPPs or provide equivalent obligations to the Principles. Therefore, only the CPI Code could be considered for approval.

    In one sense, that is not an issue. The CPI Code will be enforceable against all carriers and carriage service providers and therefore any interference with an individual's privacy will be determined in accordance with the NPPs. If therefore the CPI Code becomes an approved Code, while an individual will not be able to have their complaint handled by the Privacy Commissioner, their complaint will be dealt with in accordance with the NPPs and by an adjudicator with similar powers to those of the Commissioner.

     However, some of what would be considered telecommunications privacy codes (eg, the CND Code or the IPND Code) have far more detailed provisions for privacy protection in the context of the issues the Codes are dealing with. Yet because those codes cannot be privacy codes, an individual will still be able to take their complaint about breaches of those codes either to the industry regulatory structures or to the privacy commissioner.

    3.3 Options for the Telecommunications Industry

    * Seek Approval of the CPI Code and Surrounding regulatory structure

    Consequence of Approval of CPI Code: All complaints on a breach of the CPI code would be handled only through the current regulatory structure unless the adjudicator, under the approved complaints scheme, has referred the complaint to the Privacy Commissioner and the Commissioner has consented to handle the complaint. For all other alleged interferences with privacy a complainant could use the current telecommunications regulatory structure or complain directly to the Privacy Commissioner. The issue is the handling of interferences with privacy that fall outside of the NPPs.

     * Approval of the CPI Code without surrounding structure (ie, not submitted as containing a complaints mechanism

    Consequence: Complaints for interferences with privacy (ie, a can be handled under the current regulatory structure or the complainant can go to the Privacy Commissioner's office, as would be the case for all Codes which raise privacy issues but are not approved codes.

     * CPI Code not submitted for approval

    Consequence: Complaints can be handled under the current telecommunications regulatory structure or the complainant can go to the Privacy Commissioner's office

    3.4 Submission for Approval - Or Not

    [1] Section 291, Telecommunications Act 1997.

    [2] Sections 6 and 7 Telecommunications (Interception) Act 1979.

    [3] See, for example, Duncan v The Queen (1991) 5 WAR 249, T. v Medical Board of South Australia (1992) 58 SASR 382, Carbone and anor v National Crime Authority (1994) 52 FCR 516 and Green v R (1995) 135 ALR 181 for differing views on this issue.

    [4] See Miller v Miller (1978) 141 CLR 269.

    [5] Contained in Schedule 3, Privacy Act 1988.

    [6] Clause 1, Schedule 3, Privacy Act 1988.

    [7] Sections 277-297 Telecommunications Act 1997.

    [8] Section 309. Telecommunications Act 1997.

    [9] All published ACIF codes are available on the ACIF website www.acif.org.au. The CPI Code is ACIF C523:1999, the CND Code is ACIF C522:2000, and the IPND Code is ACIF C555:2000.

    [10] Sections 128 and 132 Telecommunications (Consumer Protection and Service Standards) Act 1999.

    [11] Clause 4.1, Constitution, Telecommunications Industry Ombudsman.

    [12] Clause 6, Constitution, Telecommunications Industry Ombudsman.

    [13] Section 117 Telecommunications Act 1997.

    [14] Sections 121-122 and 570 Telecommunications Act 1997.

    [15] Section 125 Telecommunications Act 1997.

    [16] Section 128 Telecommunications Act 1997.

    [17] Section 105 Telecommunications Act 1997.

    [18] Section 16A(1) Privacy Act 1988.

    [19] Section 16A(2) Privacy Act 1988.

    [20] Section 6(1) Privacy Act 1988.

    [21] For a complete list of the matters about which the Privacy Commissioner must be satisfied under section 18BB, Privacy Act 1988, see Appendix A.

    [22] Interference with privacy is defined in Section 13A of the Privacy Act 1988 to mean, generally, an act or practices in relation to personal information that relates to the individual which either breaches the NPPs or an approved code which binds the organisation.

    [23] Sections 36(1a) and 18BHI(1) Privacy Act 1988.

    [24] Section 36(1B) Privacy Act 1988.

    [25] A new section 122A Telecommunications Act 1997.