10 April 2011

Data Retention

The Senate Environment & Communications References Committee has released its 128-page report [PDF] on The adequacy of protections for the privacy of Australians online.

The report's recommendations are:

Recommendation 1

The committee recommends that the government consider and respond to the recommendations in the Cyberspace Law & Policy Centre's report: Communications privacy complaints: In search of the right path, and recommendations from the Australian Communications Consumer Action Network arising from that report.

Recommendation 2

The committee recommends that the Australian Privacy Commissioner's complaint-handling role under paragraph 21(1)(ab) of the Privacy Act be expanded to more effectively address complaints about the misuse of privacy consent forms in the online context.

The committee further recommends that the Office of the Privacy Commissioner examine the issue of consent in the online context and develop guidelines on the appropriate use of privacy consent forms for online services.

Recommendation 3

The committee recommends that the small business exemptions should be amended to ensure that small businesses which hold substantial quantities of personal information, or which transfer personal information offshore are subject to the requirements of the Privacy Act 1988.

To achieve this end, the committee urges the Australian Privacy Commissioner to undertake a review of those categories of small business with significant personal data holdings, and to make recommendations to government about expanding the categories of small business operators prescribed in regulations as subject to the Privacy Act 1988.

The committee further recommends that the second tranche of reforms to the Privacy Act 1988 amend the Act to provide that all Australian organisations which transfer personal information overseas, including small businesses, must ensure that the information will be protected in a manner at least equivalent to the protections provided under Australia's privacy framework.

Recommendation 4

The Committee recommends that the OPC in consultation with web browser developers, ISPs and the advertising industry, should, in accordance with proposed amendments to the Privacy Act, develop and impose a code which includes a 'Do Not Track' model following consultation with stakeholders.

Recommendation 5

The committee recommends that item 19(3)(g)(ii) of the exposure draft of amendments to the Privacy Act 1988 be amended to provide that an organisation has an Australian link if it collects information from Australia, thereby ensuring that information collected from Australia in the online context is protected by the Privacy Act 1988.

Recommendation 6

The committee recommends that the government amend the Privacy Act 1988 to require that all Australian organisations that transfer personal information offshore are fully accountable for protecting the privacy of that information.

The committee further recommends that the government consider the enforceability of these provisions and, if necessary, strengthen the powers of the Australian Privacy Commissioner to enforce offshore data transfer provisions.

Recommendation 7

The committee recommends that the Australian government continue to work internationally, and particularly within our region, to develop strong privacy protections for Australians in the online context.

Recommendation 8

The committee recommends that the government accept the ALRC's recommendation to legislate a cause of action for serious invasion of privacy.

Recommendation 9

The committee recommends that before pursuing any mandatory data retention proposal, the government must:
• undertake an extensive analysis of the costs, benefits and risks of such a scheme;

• justify the collection and retention of personal data by demonstrating the necessity of that data to law enforcement activities;

• quantify and justify the expense to Internet Service Providers of data collection and storage by demonstrating the utility of the data retained to law enforcement;

• assure Australians that data retained under any such scheme will be subject to appropriate accountability and monitoring mechanisms, and will be stored securely; and

• consult with a range of stakeholders.

Recommendation is likely to be the most contentious, given the Government's commitment to acceding to the Council of Europe Convention on Cybercrime (here), which was noted earlier this year.