Weak privacy laws are better than none

By David Walker (Google profile)

The Internet may well have been the making of privacy as a political issue. Th 6.30pm telemarketing calls came more frequently through the 1990s; the surveillance cameras bubbled out of more walls; the grocery store's database grew. But it took Internet commerce to really show people just how much sensitive information is out there. From Real Jukebox's quiet transmissions to corporate HQ, to DoubleClick's cross-site profiling of ad banner viewers, to Amazon's declaration that its database is a saleable business asset whatever its privacy statement says, Internet-based businesses have sucked attention towards privacy issues. Internet users have reacted by lying about their identities, cursing the daily barrage of spam emails, and often simply steering clear of online commerce altogether.

The Internet looms large in any discussion of consumer privacy because it lets people easily describe who they are, and because it can pipe those descriptions straight into a computer system. But high levels of business partnership and business failure have made the problem even more obvious.

And anyone who doubts Australians' concerns about privacy should cast their mind back to 1987, when the public rebelled against the idea of a national identity card, the Australia Card. "None of your business" just about qualifies as a national motto..

New Australian privacy laws came into force on December 21, 2001. Will they give Australians more confidence to disclose personal information over the Internet?.

You wouldn't want to bet on it. The new laws gave Privacy Commissioner Malcolm Crompton formal powers over private companies, where he previously wielded only a fistful of "guidelines". But this new legal formality may not count for much. The laws themselves do not merely create a toothless tiger. They clip its claws and hide its dentures. They contain a specific exception for direct marketers, and a swag of vague demands for "reasonable" behaviour. At the same time, they avoid actually penalising anyone for breaking the privacy laws. Before the Commissioner can even uphold a complaint, the victim of a privacy breach must suffer through a long process of complaint resolution which large companies and their legal counsel can probably prolong until the complainant gets frustrated, or dies of old age. If complaint resolution fails, the worst an offender can suffer is a tongue-lashing in the media. It's small wonder that critics like the Australian National University's Roger Clarke call the latest laws "anti-privacy legislation"..

Laws have an effect beyond their formal limits, though. They set a standard of behaviour for the community. In some cases - legal philosophers debate the details - this standard-setting can create a far greater effect than formal legal impact would suggest..

This may be the case with the new privacy laws. Given their lack of bite, you might expect businesses to yawn and then return to the task of extracting a buck from the customer any way they can. In fact, the prospect of December 21 has provoked a flurry of activity. One large financial services group reportedly had 50 people working on privacy issues at one point this year..

It may be that the December 21 laws provoke many Australian companies to begin building a culture of respect for their customers' private, personal information, both on the Internet and offline..

And as a consumer, you'd better hope this happens. Because a strong privacy culture is ultimately the only protection that a company's customers have against privacy breaches. Study the privacy problem for very long, and you realise that information can escape from a company at hundreds of different points, through hacked databases, stolen briefcases, misdirected faxes, virus broadcasts from PCs and idle chatter in the corporate kitchen. No set of rules and procedures can cover every potential problem. A consumer's only true defense against privacy breaches is the good judgement of a company's staff and partner businesses..

The Privacy Commissioner has made it plain that companies are more likely to have their privacy breaches kept quiet if they have a stack of privacy paperwork by December 21. I suspect most current corporate privacy efforts aim in large part to generate an impressive pile of documents, to be dragged out if a complaint ever does arrive. Given the shape of the legislation, who could blame them? But if that's all that December 21 delivers, it will be judged a rank failure..

If the new laws help create a true culture of respect for customer privacy, on the other hand, they will be judged at least partially successful. Here's hoping..