12 March 2011

Thwack

From Thursday's SMH 'ID protection at crisis point' article -
professor of law and information systems at the University of NSW, Graham Greenleaf, believes much of the blame for what some see as an unchecked escalation in demands for personal data rests with successive federal privacy commissioners.

He says the fault lies not with the powers entrusted to the commissioner but in how rarely those powers are exercised.

Lane, Zinn and Nigel Waters of the Australian Privacy Foundation all voice similar concerns.
Readers of this blog and of my papers will be unsurprised that I concur.

The article goes on that -
Greenleaf acknowledges the commission has a good record for mediating disputes. But he says the commission's strongest power - the ability to issue formal rulings (known as Section 52 determinations) to clarify what constitutes a breach of privacy - has been used for only one case in the 10 years since the commissioner was granted authority over the private sector.

The commission can grant compensation to an aggrieved consumer but, Greenleaf says, details of those are all but unknown.

"We know absolutely nothing - not a scintilla - about what a breach of privacy is worth, because the privacy commissioner refuses to publish any information that actually reveals that," he says. "It's not the sorry state of enforcement powers. It's the sorry state of enforcement."

Pilgrim, who has been privacy commissioner since last July, has not yet issued a Section 52 determination but he says the commission has published case notes on about two dozen complaints to educate businesses. He says the commission shuns using its biggest guns in favour of mediation.

In the 2009-10 enforcement year, the commission handled 1201 complaints. Pilgrim anticipates a 10 per cent increase in complaints this year, largely because of online practices.

"We think if you take the less adversarial role, it is a better way to get a better outcome," he says.

Greenleaf argues the commission's apparent reluctance to exert its Section 52 power has robbed the system of its ability to deter bad behaviour. "There are no signals sent out as to what really are breaches of the Privacy Act and what the consequences of a breach are," he says.

He also sees the system as "biased" against consumers: companies can, in effect, appeal against the commissioner's decisions. Individuals who believe their privacy has been breached have no such right.