The Office of the Australian Privacy Commissioner's handling of the Google StreetView WiFi privacy breach had been "a travesty" and an abrogation of specific responsibilities, the Australian Privacy Foundation has charged.
APF chairman Roger Clarke says the Office under former privacy commissioner Karen Curtis had been "utterly unprotective of privacy," had taken an "anti-privacy stance" on issues related to individuals, and had consistently favoured government or business rights over those of individuals.
The OAPC had refused to divulge any information related to Google's systematic and unauthorised collection of Australians' personal data and had actively stood in the way of individuals trying to find out whether their own personal information had been breached.
Google admitted in May that it had collected "payload data" - including whole emails, bank account details and passwords of Australians - through its StreetView cars as it was collecting data on WiFi networks throughout the country.
The company says the payload data was collected inadvertently and that it never intended to use the data for any purpose. It has subsequently apologised for the "mistake."
The company admitted it had collected personal information across the world in markets where its StreetView cars were in operation. The breach has been under investigation in various jurisdictions ever since.
"The OAPC, during Karen Curtis' reign, was utterly protective of business and government, and utterly unprotective of privacy," Clarke told iTWire.
"They spent their complaints-handling budget looking for ways to avoid considering complaints. The Act is such a mess that they could almost always find several excuses."
Clarke said the new Privacy Commissioner Timothy Pilgrim - who took up the position in July - deserved time to put his stamp on the organisation. But so far it looked like business as usual.
The Office will not take any action against an organisation until it has received a complaint from an individual - and the individual must have specific knowledge that a privacy breach had occurred.
In the case of Google's unauthorised collection of personal information, the company has admitted to collecting payload data from potentially millions of Australian homes through its fleet of StreetView cars.
But it will not make public the precise information that it inadvertently stole, and the OAPC won't force them to inform individuals that their personal information - including bank account details and passwords - had been compromised. It is therefore impossible for individuals to make a complaint.
The Australian Privacy Foundation says the Privacy Commissioner's refusal to consider "representative complaints" - from industry or lobby groups - is probably wrong in law, and it has not ruled out legal action to test the law.
"The Privacy Act is very weak in the complaints area," Clarke told iTWire. "A 'complaint' has to be made by a person directly affected by whatever act or behaviour is being complained about."
"Even a 'representative complaint', which can be submitted by a better-resourced organisation than a mere affected individual, is commonly treated by the OAPC as requiring at least one such person to be directly involved."
"We suspect that it may be wrong in law for the PC'er to refuse to consider representative complaints in such circumstances. It appears that - because of the anti-privacy stance adopted by Karen Curtis - privacy advocates may have to go to court in order to force the Privacy Commissioner to do their job," Clarke said.
In the absence of a complaint from an individual, the Office of the Australian Privacy Commissioner had conducted its own investigation of Google Australia - an investigation that had been conducted behind closed doors, providing no detail at all to the individuals that had their private communications and personal data collected by Google without permission.
"It's been the OAPC's practice to refuse to divulge anything to anyone about such investigations," Clarke said. "The OAPC came out with a limp conclusion. It's a travesty for a regulator to neither take action nor be accountable."
Clarke maintains that while it might be appropriate for the Privacy Commissioner to take no action in the Google WiFi case, it was impossible to know - because not enough information was in the public domain for a judgement to be made.
The OAPC had also secured an undertaking from Google Australia that did little more than have the company write a blog post apologising for the unauthorised collection of Australians' personal information.