Asia Pacific Privacy Authorities commit to collaboration

We are seeing the growth of formal and informal structures being put in place by privacy commissioners and their counterparts worldwide to foster interjurisdictional collaboration. We've recently seen the establishment of the Global Privacy Enforcement Network and now the Asia Pacific Privacy Authorities form has concluded in Auckland with a further commitment to cross-border collaboration:

Privacy Commissioners Commit To Continue International Collaboration | Voxy.co.nz

The importance of privacy to the public on both sides of the Pacific Ocean has been demonstrated in a meeting of privacy and data protection commissioners from three continents in the Asia Pacific region.

Hosted by the Office of the New Zealand Privacy Commissioner, the Asia Pacific Privacy Authorities (APPA) forum concluded in Auckland yesterday, with members affirming their commitment to continue to collaborate on international data protection issues.

The New Zealand Privacy Commissioner, Marie Shroff was delighted with the success of the meeting.

"This APPA meeting was one of the largest that we have held and it was pleasing to welcome three new members: Mexico, United States and Queensland. The last two days have reinforced our commitment to continue international collaboration amongst members. This will strengthen our ability to get the best possible outcome for the public's privacy rights."

The APPA members discussed a variety of contemporary privacy issues that face members right across the Asia Pacific region including ways to tackle privacy concerns about social networking, direct marketing and credit reporting.

"I think it is no surprise that issues such as online privacy are a common concern for all jurisdictions but there are practical steps that we can all take to educate the public and the business community on their privacy rights and responsibilities," Australian Privacy Commissioner Timothy Pilgrim said.

For instance, APPA members affirmed their commitment to jointly promote Privacy Awareness Week, which will be held from 1-7 May 2011. APPA has also established a working group on technology issues.

The next APPA meeting will be in South Korea in June 2011.

Queensland Privacy Commissioner calls Facebook suspect because of its profit motive

A day after the Canadian Privacy Commissioner stated that Facebook had gotten its house in order, the Privacy Commissioner of Queensland, Australia, has piled on the social networking site.

I have to take issue with some of her comments. She claims that Facebook is deceptive because it bills itself as a site for users to share and connect with friends, while its motives are to make money.

Give me a break. I've had issues with Facebook and their policies, but the suggestion that somehow they are suspect simply because it's a for-profit venture does nothing to move the privacy discussion forward. This is a notion I've been hearing more and more from speakers at conferences. Feel free to criticize them for for what they do or how they do it. Even be suspicious of their motives, but never lose sight of the fact that the service is what it is only because they make money.

Facebook is free to all of its users, paid for by advertisers. The company operates multi-million dollar data centres loaded with expensive servers. Bandwidth isn't cheap, either. Would they have 500,000,000 users if they required each of them to pony up cash? Nope. Most of the internet is advertising supported and users are used to online services being free.

Part of the implicit contract that users have with almost all free services (broadcast TV included) is that it is paid for by ads. If the ads don't generate enough revenue, the users either have to pay or the service goes away. Often, if the users have to pay, they go away and the service goes away. This, in and of itself, is really a non-issue and Facebook is not at all unique in this.

Feel free to criticize Facebook for its privacy policies, its privacy practices and how it manages user information, but don't confuse the issue by pointing to the simple fact that they make their money from advertising.

Here is the full article from iTnews.com.au:

Facebook slammed for ‘deceptive’ approach - Security - Technology - News - iTnews.com.au

Queensland Privacy Commissioner Linda Matthews has criticised Facebook for deceiving potential users about its purpose.

Speaking on a panel at the World Computer Congress in Brisbane, Matthews highlighted the "enormous power" wielded by the social network with more than 500 million users.

Facebook promoted itself as a community; a place to share and connect with other human beings. But like most companies, its goal was to make money, she said.

"There's nothing wrong with making money; what's wrong is that it deceives potential users about that," Matthews said.

"There's a big difference [to users] between choosing to share your personal information to make friends, and sharing your personal information to make someone lots of money."

Corporate advisory lawyer Anna Sharpe, who was also on the panel, described her work on brand networks, which companies used to build rapport with their customers.

Rather than the vague, oft-used statement, "we will use your information for marketing", Sharpe said companies should disclose the information stored, its use and the parties that may access it.

"Given the complexity, I think the onus is on organisations to be a lot clearer on their privacy wordings," she said.

Although companies like Facebook, Google and Sun Microsystems have previously claimed that privacy was a thing of the past, panellists said the case for privacy still could be won.

"The auction is in full swing," said Goethe University professor Kai Rannenberg, addressing the session's theme: "Privacy ... going, going, gone?"

Rannenberg highlighted "privacy gateway infrastructure components" used by mobile telcos T-mobile Germany and Deutche Telekom that allowed users to determine how their information was used and with whom it was shared.

Personal information, he said, was an asset, and privacy required: the minimisation and decentralisation of data; empowering users; user-controlled identity management; privacy by design; and privacy standards.

Fellow panellist and Australian Privacy Foundation chair Roger Clarke observed that privacy would become more of a concern for those born after 1995, the i-Generation.

He observed that as Generation Y - those born between 1980 and 1995 - faced the impact of having their information stored and published online, 'iGen' would become more careful.

"Youth have always been risk-talkers," Clarke said. "The big thing that's changed is not the behaviour; it's the impact of the behaviour, how long that data exists and how many people have access to it."

"iGens are already absorbing those messages ... What will actually happen is that the young generation of right now will be more privacy conscious and more privacy demanding than their predecessors were."

Former Australian Privacy Commissioner Malcolm Crompton noted, "privacy is a cloudy term", highlighting linked elements of control, trust, risk and accountability.

He said users could exercise "people power" by deciding whether or not to use Facebook, and any other consumer services that came with privacy risks.

International data protection authorities form Global Privacy Enforcement Network

Privacy regulators from around the world have joined forces to establish the "Global Privacy Enforcement Network" to facilitate interjurisdictional cooperation on privacy matters. The network includes:

• U.S. Federal Trade Commission
• Office of the Privacy Commissioner of Canada
• Commission Nationale de l’Informatique et des Libertés (France)
• Office of the Privacy Commissioner, New Zealand
• Israeli Law, Information and Technology Authority
• Office of the Privacy Commissioner, Australia
• Office of the Data Protection Commissioner, Ireland
• Agencia Española de Protección de Datos (Spain)
• Information Commissioner’s Office (United Kingdom)
• Garante Per La Protezione Dei Dati Personali (Italy)
• Dutch Data Protection Authority (the Netherlands)
• Federal Commissioner for Data Protection and Freedom of Information (Germany)
• Office of the Victorian Privacy Commissioner, (Victoria, Australia)

Here is the announcement from the Canadian Commissioner's office: Announcement: Canada joins privacy enforcement agencies in establishing Global Privacy Enforcement Network - September 21, 2010.

Here is the joint press release:

Global Privacy Enforcement Network Launches Website

Page created on 21 September 2010 - 11:35.

September 21, 2010

Thirteen privacy enforcement agencies around the world have joined forces to launch the “Global Privacy Enforcement Network” (GPEN), a network designed to facilitate cross-border cooperation in the enforcement of privacy laws. In developing this network, the participating agencies recognized the need for greater international cooperation in this area. In the Action Plan launching the network, the founding privacy enforcement authorities stressed that “it is important that government authorities charged with enforcing domestic privacy laws strengthen their understanding of different privacy enforcement regimes as well as their capacities for cross-border cooperation.”

“Cooperation is critical in the enforcement of privacy laws. GPEN will provide us with the necessary tools to facilitate cooperation with our international counterparts,” stated Jon Leibowitz, Chairman of the US Federal Trade Commission, one of the network’s launching members.

Discussions that led to the creation of GPEN began in the fall of 2009, and on March 10, 2010, representatives from many of the founding GPEN agencies met in Paris to discuss the network’s direction and to officially launch GPEN.

“We live in a globalized world with new technologies providing infinite possibilities for sharing and re-using information globally. Privacy has thereby also become a global issue. If we want to continue to protect the privacy rights of our national citizens, it is essential that we work together internationally,” stated Jacob Kohnstamm, Chair of the Dutch Data Protection Authority, another founding GPEN member.

The need for greater cooperation in the enforcement of privacy laws has been recognized not only by privacy regulators, but also by multilateral organizations, including the Organisation for Economic Cooperation and Development (OECD) and the Asia Pacific Economic Cooperation (APEC) forum.

The agencies participating in GPEN are pleased to unveil the public GPEN website today, www.privacyenforcement.net, and thank the OECD for supporting the website. Government agencies interested in participating in GPEN are encouraged to review the guidelines and instructions available on the GPEN website.

“The challenges in obtaining redress for consumers whose privacy has been compromised in today’s digital environment can be daunting. GPEN is part of a collective effort to provide more effective cross-border enforcement and complaints resolution. This is as relevant for a small economy in the South Pacific as it is for Europe and North America and New Zealand is pleased to play its part,” said New Zealand Privacy Commissioner, Marie Shroff, another GPEN founding member.

“As host of the 32nd International Conference of Data Protection and Privacy Commissioners, which will take place next month in Jerusalem, I have decided to devote part of the regulators’ closed session to discussion of collaboration not only among data protection regulators, but also between data protection regulators and additional regulatory authorities, such as consumer protection, competition, and securities authorities. I hope the Jerusalem conference will mark the first step in establishing innovative modules for such collaboration,” said Yoram Hacohen, Head of ILITA, the Israeli Law, Information and Technology Authority, another GPEN founding member.

New Pacific rim privacy commissioners

In the last week or so, new Privacy Commissioners have been named for both Australia and Hong Kong:

Allan Chiang named Privacy Commissioner (Hong Kong)

The Chief Executive has appointed former Postmaster General Allan Chiang as the new Privacy Commissioner for Personal Data for five years from August 4.

Secretary for Constitutional & Mainland Affairs Stephen Lam said today Mr Chiang has rich experience in public administration, served in senior public positions and possesses proven leadership, management and communication skills.

"With his commitment, experience and knowledge he is well placed to perform the roles of the Privacy Commissioner. We are confident under his leadership the office will strive to promote the protection of personal data privacy in the community," Mr Lam said.

Mr Chiang, 59, has served in the Government for 33 years and was Postmaster General from 2003 to 2006. He has since been Chief Executive Officer of the Hong Kong Design Centre.

Mr Chiang said he will work with the incumbent Roderick Woo, whose term of office will expire July 31, to ensure a smooth transition.

Mr Lam said Mr Woo has taken steps to strengthen the enforcement of the Personal Data (Privacy) Ordinance and initiated inspections and investigations of major personal data systems of public concern to facilitate their compliance with the ordinance.

Mr Woo also conducted a comprehensive review of the ordinance having regard to developments in the last decade.

Government appoints new Privacy Commissioner (Australia)

Commissioner touts technology for privacy.

Special Minister of State Joe Ludwig has appointed Timothy Pilgrim as Australia's Privacy Commissioner, replacing Karen Curtis whose term ended on July 12.

Pilgrim was appointed as Deputy Privacy Commissioner in February 1998. He has now been appointed Privacy Commissioner for a five year term.

Senator Ludwig's office said Pilgrim was selected following an "open merit based" selection process, in accordance with the Guidelines introduced by the Government in 2008 after previous Privacy Commissioner, Curtis' term expired on July 12.

"I am confident that Mr Pilgrim's experience and operational knowledge of the office will be of great assistance when the office transitions to form part of the new Office of the Australian Information Commissioner, which will open its doors on 1 November 2010," Senator Ludwig said in a statement.

Pilgrim said he will focus his attention on informing the public about how technology can be used to protect privacy. He will also work with agencies and organisations to design new and developing technologies in a privacy-enhancing way.

"I note that advances in information, communication and surveillance technologies have created and intensified a range of privacy issues.

"While Australians value their privacy, they also appreciate that other interests intersect such as freedom of speech and law enforcement.

"People also want the significant benefits of new technologies, such as communicating with friends and family around the world, and shopping and banking online," he said.

US added to CDA, AUS and UK immigration information sharing program

The Secretary of Homeland Security and our Minister of Public Safety just wrapped up a bi-annual meeting and announced the addition of the United States to an existing program that uses biometric information to match immigration and refugee applicants to information in foreign databases. From the media release:

Secretary Napolitano and Minister Van Loan announce initiatives to combat common threats and expedite travel and trade

Immigration Information Sharing: Secretary Napolitano announced that the United States will join a biometric data sharing initiative involving Canada, Australia, the United Kingdom and, eventually, New Zealand – an initiative designed to strengthen the integrity of immigration systems and the security of each country while protecting privacy and civil rights. Minister Van Loan, with the Canadian Minister of Citizenship, Immigration and Multiculturalism, Jason Kenney, welcomed the United States’ participation.

“Previous trials show that biometric information sharing works. For example, when the fingerprints of some asylum claimants in Canada were checked against the U.S. database, more than a third matched and 12 percent of these individuals presented a different identity in the United States,” said Minister Kenney. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”

I'm trying to get my hands on the Privacy Impact Assessment for the program, but as with most such documents they are well hidden on the department's website.

Lawful access to ISP subscriber information reintroduced

The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' idenfitying information without a warrant. Stay tuned for more details.

---

Update: Here's the media release from the government:

Government Of Canada Introduces Legislation To Fight Crime In The 21st Century

OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.

“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.

“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”

The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and theTechnical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An online version of the legislation will be available at http://www.parl.gc.ca/.

See also:

Technical Assistance for Law Enforcement in the 21st Century Act

Investigative Powers for the 21st Century (IP21C) Act -->

Information:

Darren Eke Press Secretary Office of the Minister of Justice 613-992-4621

Media Relations Department of Justice 613-957-4207

Media Relations Public Safety Canada 613-991-0657

Here is the government's summary of the warrantless access to customer information provisions:

Technical Assistance for Law Enforcement in the 21st Century Act

Subscriber Information Component

Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.

Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.

A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including consisting of a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.

This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.

Google execs testify about Street View and privacy

Yesterday, executives from Google Canada testified to the Parliamentary Standing Committee on Ethics, Privacy and Access to Information about their Street View product and how Google is addressing privacy concerns.

Here's some of the media coverage from the Ottawa Citizen, which I'll supplement with the actual testimony when it's posted on the Committee's site:

Google ‘Street View’ amended to allay privacy concerns, executive tells MPs

OTTAWA — Google’s controversial “Street View” feature won’t infringe on Canadians’ privacy rights, the company’s head of Canadian operations said Wednesday in advance of an appearance before a House of Commons committee.

Jonathan Lister, head of Google Canada, was to stand before a federal government committee Wednesday afternoon to defend Google’s Street View service.

Lister came to Ottawa equipped with testimonials from Street View users all over the world — including Boris Johnson, mayor of London. He also offered data that suggest Canadians might be eager to see their home country represented on the new service, as more than 100 million Street View images from other countries have been pulled up by Canadians.

“It has been extremely well received and as people use it, they find more uses for it,” said Lister. “We’re getting indications that it’s going to be popular in Canada. We’ve got testimonials and accolades from tourism officials, the mayor of London, and Australian tourism officials that support the fact that it’s been widely well received.”

Lister was being brought before the access to information, privacy and ethics committee after the committee passed a motion demanding Google explain any impact its new Street View service may have on Canadians’ privacy rights.

The feature allows someone using Google Maps or Google Earth to click on a street or a building and see a picture of the area. The cameras used to capture the picture allow onlookers to swivel 360 degrees within the image and even allows Internet users the ability to take a virtual stroll through neighbourhoods.

Google has been preparing for the roll-out of Street View in Canada since March. The Internet search giant has also been in intense discussions with the federal privacy commissioner’s office since that time, trying to negotiate a solution that would allow Google to offer Street View images from Canada to the rest of the world without contravening Canadian privacy law.

“We think the product is compliant, but we are certainly not going to launch it until we have satisfied our concerns,” said Lister. “We continue to work with the commissioner’s office. As we get closer to rolling the product out we plan on working with local law enforcement officials and stakeholder groups.”

Lister said Google has recently revamped its internal policies to cut the amount of time the company will archive Street View pictures. The move addresses one of the privacy commissioner’s biggest concerns.

“Recently we’ve revised our retention policy such that we have made a decision to only retain these images for an adequate but not-excessive period of time, after which they will be deleted,” said Lister.

Street View also automatically blurs the faces and identifying features of people or licence plates caught by Street View’s cameras and anyone who sees their picture, or a picture of their home or vehicle can ask Google to remove the image.

Lister would not define how long an “adequate” period of time will be. He also refused to commit to a date for the official launch of Street View in Canada. Vehicles having been cruising Canadian streets and suburbs in 32 cities taking pictures for the new service over the past two months.

The access to information, privacy and ethics committee is reviewing Canada’s privacy laws to determine whether they need to be updated. The committee will roll Lister’s comments into a final report on the state of Canadian privacy legislation, which is due later this year.

Pedophile fears as student profiles, pictures go in Queensland education database

Just because you can doesn't mean you should.

Parents' groups are up in arms in Australia after it was revealed that an intranet database of all students in Queensland State is being implemented that will be available to all employees of the education system. The database will include a vast range of information:

The intranet database, dubbed OneSchool, will profile each of the state's 480,000 public school students enrolled from Prep to Year 12.

Photographs, personal details, career aspirations, off-campus activities and student performance records are being collected from all 1251 state schools.

Parents fear that it will become a catalog for pedophiles while the Eduation Minister for the State says inclusion will be mandatory.

However Civil Liberties Council vice-president Terry O'Gorman yesterday said parents should be concerned, warning the OneSchool system could put students' privacy at risk.

Mr O'Gorman called for the system to be restricted so principals and teachers could access data only on their own students, with non-teaching staff excluded and no access for home computers or laptops.

"Why should anyone other than the teacher of a particular student and the principal of that school have a right to know what a child's academic performance is, behavioural status is or what their life aims are?" he said.

"It just puzzles me as to how it can have any possible benefit to centralise that information, whereas it has a clear privacy downside."

See: Pedophile fears as student profiles, pictures go on net The Courier-Mail. Via Australian educational authority forcing kids into invasive database - Boing Boing.

Hong Kong Privacy official jailed for fiddling expenses

Anthony Lam Wing-hong has been sentenced to nine months in jail for "flddling" travel expenses:

The Standard - Hong Kong's First FREE English Newspaper

Privacy official jailed for fiddling expenses

Former deputy privacy commissioner Anthony Lam Wing-hong was yesterday jailed for nine months for fiddling his travel expenses to Australia involving more than HK$100,000.

For some background, see: Canadian Privacy Law Blog: Hong Kong ex-privacy boss found guilty in dishonest expense claims

Austrialian Commissioner seeks comments on draft breach notification guidelines

The Australian Privacy Commissioner has issued draft breach notification guidelines and is seeking comments by June 16, 2008. See: Voluntary Information Security Breach Notification Guide - Consultation Draft (April 2008).

Software to protect toll payers' privacy

An Australian researcher says he has developed an anonymous electronic tolling system so that users of such systems don't leave a data trail of their travels. See: Software to protect toll payers' privacy Australian IT.

FBI wants instant access to international identity data

According to the Guardian, the FBI is looking to get a number of nations onboard an internatioal biometric database creepily named "Server in the Sky":

FBI wants instant access to British identity data Special reports Guardian Unlimited

... The FBI told the Guardian: "Server in the Sky is an FBI initiative designed to foster the advanced search and exchange of biometric information on a global scale. While it is currently in the concept and design stages, once complete it will provide a technical forum for member nations to submit biometric search requests to other nations. It will maintain a core holding of the world's 'worst of the worst' individuals. Any identifications of these people will be sent as a priority message to the requesting nation."

Participants in this initiative include the US, UK, Australia, Canada and New Zealand as part of a working group called the "International Information Consortium".

Australian law reform commission calls for overhaul of country's privacy laws

The Australian Law Reform Commission has just released a hefty report calling for reforms to the country's privacy laws: ALRC Discussion Paper 72 Review of Privacy Laws - Contents.

Here's the media release accompanying the report:

ALRC - On-line

Australian Law Reform Commission

Wednesday 12 September 2007

ALRC proposes overhaul of ‘complex and costly’ privacy laws

The Australian Law Reform Commission (ALRC) today released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

Releasing Discussion Paper 72, Review of Australian Privacy Law, ALRC President Prof David Weisbrot said it was the product of the largest public consultation process in ALRC history: “We have received over 300 submissions and held over 170 meetings to date, including with business, consumers, young people, health officials, technology experts and privacy advocates and regulators.

“The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy.

“The ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.

“The protection of personal information stored or processed overseas, as is now routine, is another serious concern. The ALRC wants to ensure that such information has at least the same level of protection as is provided domestically. We propose that a government agency or company that transfers personal information overseas without consent should remain accountable for any breach of privacy that occurs as a result of the transfer”, Prof Weisbrot said.

Commissioner in charge of the Inquiry, Prof Les McCrimmon, said that the ALRC also is proposing a new system of data breach notification: “There is currently no requirement to notify individuals when there has been unauthorised access to their information, such as when lists of credit card details are inadvertently published. Where there is a real risk of serious harm to individuals, we say they must be notified.”

Professor McCrimmon said that the ALRC also proposes the removal of the exemption for political parties from the Privacy Act. “Political parties and MPs should be required to take the same level of care when handling personal information as any other agency or organisation.”

Other key proposals include:

• introducing a new statutory cause of action where an individual’s reasonable expectation of privacy has been breached;
• abolishing the fee for ‘silent’ telephone numbers;
• expanding the enforcement powers of the Privacy Commissioner;
• imposing civil penalties for serious breaches of the Act; and
• introducing a more comprehensive system of credit reporting.

Review of Australian Privacy Law is available at no cost from the ALRC website, www.alrc.gov.au. The ALRC is seeking community feedback on these proposals before a final report and recommendations are completed in March 2008. Submissions close on 7 December 2007.

Thanks to Michel-Adrien Sheppard for the link: Library Boy: Review of Australian Privacy Law.

Australian Commissioner fears breach notification could backfire

The Australian Privacy Commissioner is coming out against mandatory breach notification, which is a bit surprising given that the trends elsewhere are clearly in favour of notification. Just last week, the NZ Commissioner introduced breach notification guidelines.

Also of interest in this article is the fear over how pubs and bars use patrons' drivers license information:

Computerworld > 'Name-and-shame' disclosure could backfire

Australian federal privacy commissioner Karen Curtis is warning that calls for Australian companies to be subject to a compulsory name-and-shame data breach regime could backfire and create a compliance nightmare.

The statement is the strongest indication yet that a looming shake-up of the private sector provisions of the Privacy Act in Australia will not take the lead of US regulators, which have compelled corporations and government agencies to publish details of even minor infractions against customer data protection laws.

The warning comes as New Zealand organisations get to grips with our own Privacy Commissioner’s draft data breach disclosure guidelines, unveiled last week. Privacy Commissioner Marie Shroff has indicated she will consider whether breach guidelines should become a mandatory.

Curtis says serious consideration is being given to publicly identifying companies or agencies involved in incidents when there was a tangible risk of harm to consumers.

This is backed by research undertaken by her office over the past nine years that shows consumers favour pragmatism and common sense over onerous bureaucracy.

“The guts of it is that mandatory reporting for breaches should be examined, but you have to find the right threshold,” Curtis says. “We think there is merit, but not in all circumstances. Direct comparisons [with the US] are not ideal.”

...

Curtis says the ALRC review, which will make formal recommendations to Attorney-General Philip Ruddock next year, was needed because there was a mishmash of private, public, federal, state and local privacy regimes that sometimes acted to confuse people as to where they could go to seek advice and justice.

...

Curtis confirms her office is looking at a number of complaints about the alleged circulation of the personal details of pub patrons, who had been forced to provide identification that is electronically scanned and retained. Many licensed pubs and clubs now claim they are required to collect such information under liquor licensing laws. Curtis says she wants to know where the information collected from scans of drivers’ licences or other documents is going and how it is being used. Australia’s Office of the Privacy Commissioner was expected to release new guidelines for pubs last week and will warn establishments that have an annual turnover of more than A$3 million that they are subject to federal privacy protection laws. The pub ID problem has become a serious issue in Queensland. The state’s licensing authority, Queensland Transport, has started to remove addresses from drivers’ licences because they were being used by pub bouncers to find out where female patrons live.

Curtis says she intends to use Privacy Awareness Week, which started in Australia as in New Zealand last weekend, to emphasise the benefits that good privacy protections bring the community at large.

Australian Commissioner: ID scanners may breach privacy laws

I've blogged a few times before about the growing practice of bars and nightclubs scanning patrons' ID (see: Canadian Privacy Law Blog: New technologies for scanning IDs, Canadian Privacy Law Blog: Calgary student challenges nightclub over scanning ID, Canadian Privacy Law Blog: Article: Swiping driver's licenses - instant marketing lists?).

It appears to also be a concern for the Privacy Commissioner in Australia.

ID scanners may breach privacy laws - Queensland - brisbanetimes.com.au

...

The Australian Privacy Commissioner Karen Curtis yesterday warned publicans to "seriously consider their obligations" under the Privacy Act.

"If pubs and clubs that scan people's ID fail to heed their obligations under the Privacy Act, they run the risk of breaching their customers' privacy and having a privacy complaint lodged against them," Ms Curtis said.

At least 12 licensed venues in and around Brisbane use the technology to combat what they see as a rise in alcohol-fuelled violence.

...

"People are understandably concerned that having their ID scanned could lead to identity theft or that their details will be used by the pubs or clubs for unrelated purposes, such as direct marketing," she said.

Ms Curtis said her office received its first complaint about the devices in 2001 - but more than 100 phone calls and numerous written complaints had been made in recent months.

Companies should take a close look at their duties under the Privacy Act, she said, which include allowing customers to interact anonymously where possible and only scanning an ID if a business can prove it is totally necessary.....

Privacy awareness week

Yesterday was the first day of Privacy Awareness Week in Canada. I haven't seen the commissioners making a visible fuss out of it, but CAPAPA has issued a release:

CAPAPA supports Canadian’s Right to Know
“Privacy IS Your Business”(Calgary, Alberta)

August 26, 2007 – CAPAPA (Canadian Association of Professional Access and Privacy Administrators) is pleased to support international Privacy Awareness Week, August 26th to September 1st, 2007. Privacy Awareness Week, a campaign first initiated by Privacy Victoria (Australia) in 2001, has for the first time gone international.

As Canada’s leading association serving privacy and access professionals, CAPAPA is spearheading the campaign to promote privacy awareness in Canada. “Identity theft and information security breaches are happening more often than ever,” says CAPAPA National Chair Sharon Polsky. “To reverse that trend, Canadians must recognize the importance of protecting their personal information — at home, in the workplace, and in the consumer marketplace.”

Privacy Awareness Week provides an opportunity for individuals to raise questions about privacy legislation and its impact on how individuals conduct their business and personal lives. Privacy Awareness Week spotlights the need for Canadians to recognize their rights and obligations to maintain the privacy of their personal information. The theme for Privacy Awareness Week 2007 is ‘Privacy is your business'.

Know your Rights and Obligations


Canadian organizations, governments, and government agencies are bound by a variety of wide-reaching privacy laws. Ms. Polsky notes that, “As consumers, each of us is responsible to understand what our rights and responsibilities are under those laws.”

CAPAPA is a key source for helping Canadians recognize their privacy rights and responsibilities, and is the privacy advocate’s source for issues such as the passenger name record exchange, emerging RFID CHIP technology, and CAPAPA's Submission to the Senate on proposed changes to Canada’s Election Act.

More information on these and other Canadian privacy issues is at http://www.capapa.org./ For more information on how you can promote Privacy Awareness Week 2007, visit http://www.capapa.org/ or contact CAPAPA at: info@capapa.org.

French officials warned about Blackberry eavesdropping

This appears to be a non-story as messages using the Blackberry Enterprise Server are encrypted end-to-end, but who knows?

The fact that your employer can read the messages much more easily than the NSA may give pause for thought.

France warns officials on BlackBerry use - Yahoo! News

By JOHN LEICESTER, Associated Press Writer Wed Jun 20, 5:04 PM ET

PARIS - BlackBerry handhelds have been called addictive, invasive, wonderful — and now, a threat to French state secrets.

That, at least, is the fear of French government defense experts, who have advised against their use by officials in France's corridors of power, reportedly to avoid snooping by U.S. intelligence agencies.

"It's not a question of trust," French lawmaker Pierre Lasbordes told The Associated Press. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

Le Monde newspaper, which broke the story, described BlackBerry withdrawal among those who have given them up. "We feel that we are wasting huge amounts of time, having to relearn how to work in the old way," the daily quoted a ministry office director as saying.

E-mails sent from "Le BlackBerry" pass through servers in the United States and Britain, and France fears that makes the system vulnerable to snooping by the U.S. National Security Agency, Le Monde reported. The company that makes BlackBerrys, however, denies such spying is possible.

Lasbordes, who was commissioned in 2005 by then-Prime Minister Dominique de Villepin to look into such issues, said he alerted the government to this "weakness" months ago. He said he met with BlackBerry maker Research In Motion Ltd. to discuss the problem in the course of preparing his report on the security of French information systems.

The Canadian company "admitted that there was a certain fragility in the protection of information when you use the e-mail system" and promised it would be resolved, said Lasbordes, adding: "That was more than a year ago."

BlackBerrys pose "a problem with the protection of information" and "the risks of interception are real," Alain Juillet, in charge of economic intelligence for the government, told Le Monde.

Research In Motion insisted that BlackBerry e-mails cannot be read by the NSA or other organizations. The e-mails are more heavily encrypted than online banking Web sites, Research In Motion said in a statement.

"No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution," the company said.

The BlackBerry system has been accredited by security agencies in the United States, Australia, New Zealand, Austria and Canada, Research in Motion said, adding that a certification process is under way in the Netherlands and Germany.

In France, the circular on BlackBerries from the General Secretariat for National Defense applies in theory to all ministries, and "it's up to everyone to be responsible," Lasbordes said.

Another official in a major ministry who got rid of his BlackBerry following the order said authorities are looking at other types of hand-held computers to use instead.

The prime minister's office would not confirm that it and the presidential palace were included in the circular, as Le Monde reported. But a spokesman, Severin Naudet, cited the General Secretariat for National Defense as saying that no type of hand-held computer is risk-free.

"It's not a problem if you're writing to your mother-in-law," Lasbordes said. But "one can imagine a minister coming from a meeting of the G-8 or G-7, et cetera, or a meeting in Brussels, and he sends information to his colleagues. It goes via Canada and the United States and that's it, game over."

Suspicion goes both ways. At a Group of Eight summit in Germany this month, White House aides were instructed to leave their wireless e-mail devices behind, apparently for fear of Russian eavesdropping.

Australian Court awards damages for breach of privacy

This is an interesting development.

An Australian court has awarded damages for breach of privacy following the revelation by the Australian Broadcasting Corporation of the identity of a rape victim. This is important to Australia, but may also have a secondary effect here in the great white north, as Canadian courts are relatively open in citing and following other common law decisions. For the full scoop, check out Open and Shut: Victorian Court awards damages for breach of privacy.

CIPPIC releases working papers on ID theft

The Canadian Internet Policy and Public Interest Clinic has released a number of very interesting working papers on the topic of identity theft. Check 'em out:

CIPPIC News « CIPPIC

CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC).

Canadian Legislation

U.S. Legislation

Australian, French, and U.K. Legislation

Thanks to Library Boy for the link.

Australia's Attorney General presses India on privacy

Individual countries tend to leave each other alone in the area of law reform, privacy and data protection. So it is rather unusual that the Attorney General of Australia is pushing India's government to strengthen privacy in the outsourcing sector. Currently, NSSCOM (the Indian outsourcing advocacy group) is working on voluntary guidelines for data protection, which the Indian government says may be replaced with legislation if they are not robust enough. See: Australia's Attorney General presses India on privacy data .:. NewKerala.Com, India News Channel.