All of you know that information is valuable, particularly details regarding your customers, and in turn, their customers. As a consequence of the quest to make money out of the Internet, the following issues have become very contentious:
1. The collection of information about Internet surfers without their knowledge or consent;
2. The use of cookie technology;
3. The development of undetectable information tracking devices. One of the more recent information tracking devices is the "Web bug" or "1-pixel gif". Unlike cookies, however, Web bugs are difficult to detect because anti-cookie filters do not catch them. One of the benefits of the devices is their ability to store passwords and log on information;
4. The use of collected information to build up consumer profiles of individuals to produce targeted advertising.
Obviously, advertising agencies and Web site owners find this technology extremely valuable for marketing, assessing the effectiveness and popularity of their current and future advertisements and Web sites. Many have insisted that the identities of site visitors remain anonymous and that information collected remains private, even if evidence suggests these claims are somewhat overstated. Privacy advocates however, have become increasingly concerned with the collection of private information about individuals' knowledge, and further, with the actual or potential linking of an individual's surfing habits to personal information (eg, an e-mail address). This has led to the commencement of litigation in the US alleging the secret collection and subsequent use of the personal information of Internet users.
The "DoubleClick" case
The concern about the linking of general surfing information with an individual's personal information has been a key reason for the commencement of litigation against the US corporation, DoubleClick.
In November 1999, DoubleClick purchased Abacus Direct, a company possessing detailed consumer profiles on more than 90 per cent of US households. Out of this arose the very real possibility that the merging of Abacus' consumer databases with DoubleClick's Internet databases would result in DoubleClick linking information about individual's surfing habits with their personal identifying information.
After the merger, several private suits were filed against DoubleClick claiming that DoubleClick's cookies secretly tracked users' activities on the Internet and collected personal information, and in February the state Attorney-General of Michigan also commenced proceedings against the company, claiming it had violated consumer protection laws.
In response to public concerns over DoubleClick's merger with Abacus, DoubleClick has announced that it will not link its Internet data with Abacus' consumer data until the government and industry agree upon privacy standards.
The Australian response
The Commonwealth Privacy Amend-ment (Private Sector) Bill 2000, which amends the Commonwealth Privacy Act 1988, has been introduced into Federal Parliament. The Bill will become law 12 months after royal assent and contains requirements for organisations collecting and dealing with personal information. Amongst other things, the Bill sets out for organisations that collect personal information:
1. Standards for the collection, use, disclosure and storage of the information;
2. Requirements for maintaining the quality and security of the data held and the anonymity of individuals dealing with the organisation;
3. The requirement to set out the organisation's policy for the management of the information;
4. The requirement to provide individuals with access to any of their personal information held by those organisations; and
5. Restrictions on transfer of information (collectively, the "Principles").
If the Bill is enacted in its present form, its provisions will apply to "organisations" which includes individuals acting in a business capacity, companies, partnerships, other unincorporated associations and trusts, but does not include businesses with an annual turnover of less than $3 million unless those businesses hold sensitive or health information or collect or disclose personal information for a benefit, are contracted to provide a service to the Commonwealth or are prescribed by legislation as being covered by the Bill.
Organisations covered by the Bill must not breach any of the Principles in relation to personal information relating to the individual or, if the organisation is bound by an approved privacy code in relation to the personal information, the organisation must not breach the approved privacy code.
The way forward
(With thanks to Fiona McGuire, solicitor, Barker Gosling. The material contained in this article is no more than general comment. Readers should not act on the basis of this material without professional advice relating to their particular circumstance.)
Mark Addison is IT partner at Barker Gosling Lawyers. Contact him at firstname.lastname@example.org