Peter A Clarke

The latest Harvard Law Review – Privacy Edition

Peter Clarke — Tue, 21 May 2013 10:51:17 +0000

The latest edition of the Harvard Law Review was released today (Volume 126 Number 7). It is notable because it includes papers delivered at a Symposium on Privacy And Technology.

The Papers are:

Introduction: Privacy Self-Management and the Consent Dilemma.

The extract reads as follows:

Symposium by Daniel J. Solove :: During the past decade, the problems involving information privacy — the ascendance of Big Data and fusion centers, the tsunami of data security breaches, the rise of Web 2.0, the growth of behavioral marketing, and the proliferation of tracking technologies — have become thornier. Policymakers have proposed and passed significant new regulation in the United States and abroad, yet the basic approach to protecting privacy has remained largely unchanged since the 1970s. Under the current approach, the law provides people with a set of rights to enable them to make decisions about how to manage their data. These rights consist primarily of rights to notice, access, and consent regarding the collection, use, and disclosure of personal data. The goal of this bundle of rights is to provide people with control over their personal data, and through this control people can decide for themselves how to weigh the costs and benefits of the collection, use, or disclosure of their information. I will refer to this approach to privacy regulation as “privacy self-management.”

What Privacy is For

The extract reads as follows:

Symposium by Julie E. Cohen :: Privacy has an image problem. Over and over again, regardless of the forum in which it is debated, it is cast as old-fashioned at best and downright harmful at worst — antiprogressive, overly costly, and inimical to the welfare of the body politic. Privacy advocates resist this framing but seem unable either to displace it or to articulate a comparably urgent description of privacy’s importance. No single meme or formulation of privacy’s purpose has emerged around which privacy advocacy might coalesce. Pleas to “balance” the harms of privacy invasion against the asserted gains lack visceral force.

The Dangers of Surveillance

The extract reads as follows:

Symposium by Neil M. Richards :: From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, and from the Electronic Communications Privacy Act to films like Minority Report and The Lives of Others, our law and culture are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad and why we should be wary of it. To the extent that the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context and why it matters. We’ve been able to live with this state of affairs largely because the threat of constant surveillance has been relegated to the realms of science fiction and failed totalitarian states.

The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures

The extract reads as follows:

Symposium by Paul M. Schwartz :: Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties.

Toward a Positive Theory of Privacy Law

The extract reads as follows:

Symposium by Lior Jacob Strahilevitz :: Privacy protections create winners and losers. So does the absence of privacy protections. The distributive implications of governmental decisions regarding privacy are often very significant, but they can be subtle too. Policy and academic debates over privacy rules tend not to emphasize the distributive dimensions of those rules, and many privacy advocates mistakenly believe that all consumers and voters win when privacy is enhanced. At the same time, privacy skeptics who do discuss privacy in distributive terms sometimes score cheap rhetorical points by suggesting that only those with shameful secrets to hide benefit from privacy protections. Neither approach is appealing, and privacy scholars ought to do better.

The quality of papers is excellent. While the law in the USA differs significantly from that of Australia, both in term of statutory structure and the common law the principles dealt with in most of these papers deal with the philosophical and policy issues.

Legal expert says drone technlogy requires new privacy laws in US

Peter Clarke — Mon, 20 May 2013 23:57:03 +0000

Salon reports in Senate: Drones require new privacy laws about testimony before a Senate panel calling for an upgrading of privacy protections in light of the increasing proliferation of drones in the US.

The article provides:

As domestic surveillance drones proliferate, the public needs greater protection experts tell hearing

WASHINGTON – Privacy laws urgently need to be updated to protect the public from information-gathering by the thousands of civilian drones expected to be flying in U.S. skies in the next decade or so, legal experts told a Senate panel Wednesday.

A budding commercial drone industry is poised to put mostly small, unmanned aircraft to countless uses, from monitoring crops to acting as lookouts for police SWAT teams, but federal and state privacy laws have been outpaced by advances in drone technology, experts said at a Senate hearing.

Current privacy protections from aerial surveillance are based on court decisions from the 1980s, the Judiciary Committee was told, before the widespread drone use was anticipated. In general, manned helicopters and planes already have the potential to do the same kinds of surveillance and intrusive information gathering as drones, but drones can be flown more cheaply, for longer periods of time and at less risk to human life. That makes it likely that surveillance and information-gathering will become much more widespread, legal experts said.

The Federal Aviation Administration recently predicted about 7,500 civilian drones will be in use within five years after the agency grants them greater access to U.S. skies. Congress has directed the FAA to provide drones with widespread access to domestic airspace by 2015, but the agency is behind in its development of safety regulations and isn’t expected to meet that deadline.

If Americans’ privacy concerns aren’t addressed first, the benefits of potentially “transformative” drone technology may not be realized, Ryan Calo, a University of Washington law professor, told the Judiciary Committee.

It’s in “everyone’s interest to update the law even if only to provide the industry with the kind of bright lines its need to develop this technology,” said Amie Stepanovich of the Electronic Privacy Information Center, a privacy advocacy group.

But Calo and Stepanovich were divided on whether Congress should update federal privacy laws to set a national standard, or whether the responsibility should be left to state lawmakers to craft their own solutions. Several bills have been introduced in Congress that would, among other things, require warrants before drones could be used for surveillance.

Calo said he is concerned that some of the congressional legislation isn’t written broadly enough to cover other types of technology, like robots that can walk up walls.

There is also virtue in allowing states to experiment with their own laws, he said. A variety of drone-related bills have been introduced this year in more than 30 state legislatures.

But Stepanovich urged Congress to pass legislation requiring police to obtain warrants for drone surveillance, with exceptions for emergency situations or when necessary to protect human life.

There is already limited civilian drone use. The FAA has granted more than two hundred permits to state and local governments, police departments, universities and others to experiment with using small drones.

Initially, most civilian drones are expected to be around the size of backpack or smaller, weighing less than 55 pounds and unable to fly higher than most birds. The U.S. military, on the other hand, uses everything from unarmed, hand-launched drones like the 2.9-pound Wasp to systems like the MQ-9 Reaper that flies at an altitude up to 50,000 feet, has a 66-foot wingspan, weighs up to 10,500 pounds and can fire Hellfire missiles and guided bombs.

“I am convinced that the domestic use of drones to conduct surveillance and collect other information will have a broad and significant impact on the everyday lives of millions of Americans going forward,” said the committee’s chairman, Sen. Patrick Leahy, D-Vt.

“Small, quiet unmanned aircraft can easily be built or purchased online for only a few hundred dollars and equipped with high-definition video cameras while flying in areas impossible for manned aircraft to operate without being detected,” Leahy said. “It is not hard to imagine the serious privacy problems that this type of technology could cause.”

Earlier this year, the FAA solicited proposals to create six drone test sites around the country. With a nod to privacy concerns, the FAA said test site applicants will be required to follow federal and state privacy laws and to make a privacy policy publicly available.

The test sites are supposed to evaluate what requirements are needed to ensure the drones don’t collide with planes or endanger people or property on the ground. Remotely controlled drones don’t have a pilot who can see other aircraft the way an onboard plane or helicopter pilot can.

The agency has received 50 applications to create test sites in 37 states. Eventually, every state may have a test site, said Michael Toscano, president and CEO of the Association for Unmanned Vehicle Systems International, a trade association for the domestic drone industry.

The testimony before the Judiciary Committee is found here. Ryan Calo’s evidence before the Committee is found here and provides:

United States Senate Committee on the Judiciary “The Future of Drones In America: Law Enforcement and Privacy Considerations”

March 20, 2013

____________

WRITTEN S TATEMENT OF RYAN CALO

ASSISTANT PROFESSOR UNIVERSITY OF WASHINGTON SCHOOL OF LAW

Thank you Chairman Leahy , ranking Member Grassley, and Members of theCommittee for this opportunity to testify today.

My name is Ryan Calo and I am a law professor at the University of Washington. Iam also the former director for privacy and robotics at the Stanford Law School Center for Internet and Society. Last year, Congress charged the Federal Aviation Administration (FAA) with accelerating the integration of unmanned aircraft systems—known colloquially as “drones”—into domestic airspace.

Drones are notnew; we deployed them for target practice throughout World War II. What is new is the prospect of their widespread use over American cities and towns. Drones have a lot of people worried about privacy — and for good reason. Drones drive down the cost of aerial surveillance to worrisome levels. Unlike fixed cameras, drones need not rely on public infrastructure or private partnerships. And they can be equipped not only with video cameras and microphones, but also the capability to sense heat patterns, chemical signatures, or the presence of a concealed firearm.

American privacy law, meanwhile, places few limits on aerial surveillanc. We enjoy next to no reasonable expectation of privacy in public, or from a public vantage like the nation’s airways. The Supreme Court has made it clear through a series of decisions in the nineteen -eighties that there is no search for Fourth Amendment purposes if an airplane or helicopter permits officers to peer into your backyard. I see no reason why these precedents would not extend readily to drones.

Drones may also follow people around from place to place, even after the recent decision of United States v. Jones Jones held that affixing a global positioning device to a vehicle for the purpose of tracking the location of the occupant is a search within the meaning of the Fourth Amendment. But it is far from certain how Jones would apply to surveillance by a drone, which need not be affixed to anything.

Citizens have no reasonable expectation of privacy in contraband. Dogs can sniff luggage or cars without triggering the Fourth Amendment because, courts assume, dogs only alert in the presence of narcotics or other illegal possessions. A logical extension of this precedent, it seems to me, is that drones could fly around testing the air for drug particles and report back suspicious activity to law enforcement without ever implicating the Constitution. I have heard it suggested that the Supreme Court’s decision in Kyllo v. United States involving thermal imaging limits how drones might be used for surveillance. Kyllo holds, in essence, that officers need probable cause to peer into the home using technology that is unavailable to the general public. Setting aside whether drones would even draw a Kyllo analysis, the technology will indeed be available to the general public as soon as 2015 when the FAA relaxes its ban on commercial use.

The subject of today’s hearing is drones and law enforcement. I pause only to note that, if anything, there are even fewer limits on the use of drones by individuals,corporations, or the press. The common law privacy torts such as intrusion upon seclusion tend to track the constitutional doctrine that there should be no expectation of privacy in public. Some might go further and argue that the press (at least) has a free speech interest in using technology to cover newsworthy events.

This combination of cheap, powerful surveillance and inadequate privacy law has understandably resulted in a backlash against drones, one further compounded by our association of the technology with the theatre of war. This is in many ways a shame. Drones have the potential to be a transformative technology, helping governments, empowering civilians, and fostering innovation in countless ways. As the Congressional Research Service recently stated in a report, “the extent of [drone’s] potential domestic application is bound only by human ingenuity.”

Drones can be lifesavers in the hands of police and firefighters and flying smart phones in the hands of consumers and private industry. I am very concerned that we will not realize the potential of this technology because we have been so remiss in addressing the legitimate privacy concerns that attend it. There are several ways the government could change this picture. Ideally, we would take the opportunity to finally drag privacy law into the twenty- first century by reexamining our outmoded doctrines. This is a slow process, but courts do seem to be making strides in recent years.

Several federal bills have proposed placing limits on drones. I think we should be very careful here for a few reasons. First, the problem is broader than unmanned aircraft systems: flight is not a prerequisite for threatening civil liberties. There are robots that climb the side of buildings, for instance, that would not be covered under the draft bills I’ve read. Second, there is likely some benefit to allowing individual states to adopt different approaches to drones and seeing what works and what does not. There is one approach that I believe could act as stop-gap, and that is for Congress to instruct the FAA to take privacy into ac count as part of its mandate to integratedrones into domestic airspace. The agency has been largely silent on the issue of privacy— only recently did members of the privacy community receive a letter from the FAA asking for input in connection with the selection of drone testing centers.

But the FAA could require public and eventually private applicants to furnish the agency with a plan to minimize their impact on privacy as part of the application. The agency could then consider the plan, and even withdraw the license for those who flout it. This might help allay reasonable concerns over drones in the short term while continuing to permit their innovative and lifesaving uses.

Thank you again for the opportunity to speak today. I look forward to your questions.

The underlying factual issues stated by Calo are as applicable in Australia as in the United States of America. The more decentralised nature of American politics has meant there have been legislative responses to drones on a local basis, including by cities. In Australia legislating on privacy is essentially a State or Federal Government responsibility. At this stage the legislature has not developed any legislation on the issue.

Drones and interference with Privacy

Peter Clarke — Mon, 20 May 2013 04:33:27 +0000

The Atlantic published a story, So This Is How It Begins: Guy Refuses to Stop Drone-Spying on Seattle Woman, regarding the use of a drone in Seattle by a person to interfere with another’s privacy.

It provides:

Back in October, Alexis wrote a piece asking what rights do we have with regard to the air above our property. Walk onto someone’s lawn and you’re trespassing; fly over it in a helicopter and you’re in the clear — “the air is a public highway,” the Supreme Court declared in 1946. But what about the in-between space? Does the availability of unmanned aerial vehicles (aka drones, aka UAVs) throw a wrench in the old legal understandings?

Well, here’s where the rubber meets the road for this abstract line of questioning. The Capitol Hill Seattle Blog is reporting a complaint it received from a resident in the Miller Park neighborhood. She writes:

This afternoon, a stranger set an aerial drone into flight over my yard and beside my house near Miller Playfield. I initially mistook its noisy buzzing for a weed-whacker on this warm spring day. After several minutes, I looked out my third-story window to see a drone hovering a few feet away. My husband went to talk to the man on the sidewalk outside our home who was operating the drone with a remote control, to ask him to not fly his drone near our home. The man insisted that it is legal for him to fly an aerial drone over our yard and adjacent to our windows. He noted that the drone has a camera, which transmits images he viewed through a set of glasses. He purported to be doing “research”. We are extremely concerned, as he could very easily be a criminal who plans to break into our house or a peeping-tom.

The site adds, “The woman tells us she called police but they decided not to show up when the man left.”

But even given the Supreme Court’s finding that Alexis raised, it’s unclear whether this stranger’s drone-flight — not to mention his photography — was legal under current law. John Villasenor, author of a recent Harvard Journal of Law and Public Policy article about the laws governing drones and privacy, explained to me over email that it’s difficult to analyze the legalities of the case without more information. What kind of drone was it? How was it flown? These questions would be instrumental to determining whether it was operated in accordance with FAA regulations.

As for the privacy concerns, one of the most important questions is what was being photographed. “If the camera on the drone was always aimed at the public street,” Villasenor writes, “then that’s very different than if it was capturing images into the home through the window.”

The First Amendment provides a right to gather information, but that right is not unbounded; it ends, Villasenor writes, “when it crosses into an invasion of privacy.” He continued, “Putting a stepladder up against someone else’s home without permission, climbing up the ladder, and then photographing into a second-floor window would be an invasion of privacy. Using a drone just outside the window to obtain those same photographs would be just as much an invasion of privacy.”

New technologies may present new ways of violating people’s privacy, but that doesn’t mean they’re legal. It will take courts years to figure out how to apply our laws to our age of drones (and years for legislators to revise them — they’re not, after all, perfect), but we’re not starting from scratch. That said, police (or other law-enforcement agents) will need to actually enforce existing laws, or they’re not all that helpful.

It was entirely predictable that this type of situation would arise. Drones are easily acquired for civilian use. The technology has advanced to the point where it is cheap to purchase and easy to use. Drones were designed not just to fly around. They are designed to carry a payload. In military use that is commonly a weapons system or advanced camera technology for surveillance and reconnaissance. In its civilian use mounting a camera, still or video, is simple and effective.

In the USA there are a tort of privacy and this action would probably be a breach of a right to seclusion. In Australia an individuals’ ability to take action to protect his or her privacy is, at best, limited. It is unlikely that the Privacy Act 1988 or the Victorian privacy legislation, the Information Privacy Act 2000 and the Health Records Act 2001 would apply. The Charter of Rights and Responsibilities Act 2006 is of limited use. The Surveillance Devices Act 1999 may apply but not easily. The relevant provision is section 7(1) which provides:

(1) Subject to subsection (2), a person must not knowingly install, use or maintain an optical surveillance device to record visually or observe a private activity to which the person is not a party, without the express or implied consent of each party to the activity. Penalty: In the case of a natural person, level 7 imprisonment (2 years maximum) or a level 7 fine (240 penalty units maximum) or both; In the case of a body corporate, 1200 penalty units.

The critical question is therefore what is meant by privacy activity. Private activity is defined as:

private activity means an activity carried on in circumstances that may reasonably be taken to indicate that the parties to it desire it to be observed only by themselves, but does not include- (a) an activity carried on outside a building; or (b) an activity carried on in any circumstances in which the parties to it ought reasonably to expect that it may be observed by someone else;

Given a breach of the Act is a criminal offence the legislation will be construed narrowly and the burden is of beyond reasonable doubt. As importantly for a person whose privacy has been interfered with the carriage of any action, a prosecution, is the State. The individual has no action in his or her right. That includes no ability to seek injunctive relief or sue for damages, a right a citizen should have just as he or she has a right to take action for negligence or a breach of contract.

That the law follows behind the development of technology is such a common phenomanon as to be trite. But at least it does catch up, albeit slowly. In the area of privacy the legislative lethargy is chronic and there are few signs that State or Federal Governments are intending upon providing meaningful rights to privacy for individuals.

At common law or equity it is difficult to take action for this sort of interference. At least comfortably. There may be elements of nuisance in having a drone fly overhead but not so much if it flys next to a property and moves up and down the boundary line. It is even more difficult to fashion a claim in trespass. In the UK the courts hearing misuse of private information cases, grounded in equity and referable to the Human Rights Act 1998, have proven to be quite capable of meeting differing fact situations not usually found in breach of confidence cases. Whether the Australian courts would be so adaptable in developing such an action following Giller v Procopets, which recognised a claim for breach of confidence involving privacy issues, is a matter that awaits judicial consideration.

A stand alone statutory right to privacy would avoid any need for extending and reworking a claim in equity or developing the tort of nuisance or trespass. It is by far, the best solution to a growing problem and a clear gap in the law.

Privacy Commissioner issues media release in National Cyber Security Awareness Week.

Peter Clarke — Mon, 20 May 2013 02:59:17 +0000

Today the Privacy Commissioner issued a press release regarding cyber security in line with National Cyber Security Awareness week, commencing today.

It states, in part:

Australian Privacy Commissioner, Timothy Pilgrim today encouraged all Australians to take steps to protect their personal information during National Cyber Security Awareness Week (20 to 24 May 2013). The aim of the Awareness Week is to help people understand the simple steps they can take to protect their personal and financial information when online.

‘The web has become part of our daily life — the place where we socialise, shop, and do business. At the same time we are sharing more personal information than ever before and potentially exposing ourselves to a number of risks which we need to manage,’ Timothy Pilgrim said.

‘Take the time to protect your personal information. Check the privacy settings on your social networking and mobile sites to make sure your personal information is protected and to reduce the likelihood that someone might take advantage of it,’ he said.

‘Other simple steps are to create strong passwords, change them regularly and think about what personal information you are storing on your mobile or computer,’ Mr Pilgrim added.

Business and government also have a responsibility to protect the personal information they hold about their customers or risk financial costs, lost reputation and customer trust.

‘Businesses and government agencies cannot ignore the need to take steps to protect the personal information of their customers or clients. This is critical to meet the current requirements of the Privacy Act 1988 as well as new privacy requirements due to commence in less than a year,’ Timothy Pilgrim said.

The problems with de anonymisation of data as a privacy protection

Peter Clarke — Thu, 16 May 2013 07:00:41 +0000

In the UK the Open Rights Group (ORG) has called for new EU data protection laws, currently being worked on by EU law makers, to require consent to anonymised data sharing. The ORG made the recommendation after it raised concerns with the practice of anonymisation. The genesis of the concern relates to the attempted sale of anonymised data by a mobile operator to the Metropolitan Police. See EE defends user-data selling scheme following police interest which provides:

Mobile operator EE has defended plans to sell its data, after a newspaper reported personal information was being offered to the Metropolitan Police.

Research company Ipsos Mori has an exclusive deal to sell on EE’s data, and has held talks with the force, according to the Sunday Times.

EE told the BBC the article was “misleading to say the least”.

The company said Ipsos Mori had access only to anonymised data grouped in samples of 50 people or more.

“We would never breach the trust our customers place in us and we always act to comply fully with the Data Protection Act,” a statement from EE said.

“The information is anonymised and aggregated, and cannot be used to identify the personal information of individual customers.”

The newspaper’s report said information about 27 million of EE’s customers was on offer – including their gender, age, postcode, the websites they visited, the time of day they sent texts and their location when making calls.

The Met Police confirmed to the BBC that they had held an “initial meeting” with Ipsos Mori to discuss how the data could be used to tackle crime, but added it “has made no offer to purchase data from Ipsos Mori nor has any intention of doing so”.

The force would not comment on whether it had made similar enquiries with other mobile operators.

In response to the story, Ipsos Mori – which is yet to fully finalise the terms of the deal with EE – told the BBC the data set was “not about individuals – it’s about behaviour”.

On its website, the research company outlined what powers it had:

We can see the volume of people who have visited a website domain, but we cannot see the detail of individual visits, nor what information is entered on that domain
We only ever report on aggregated groups of 50 or more customers
Ipsos Mori only receives anonymised data without any personally identifiable information on an individual customer
We do not have access to any names, personal address information, nor postcodes or phone numbers

Monetisation of mobile-data intelligence is a major new revenue source for operators.Clues about a user’s location, and what they are interested in, are a potential goldmine for retailers looking to offer targeted advertising.

Other networks such as Vodafone and O2 also offer businesses the chance to capitalise on the personal information it holds on its customers.

“Aggregated, anonymised data based on analytics such as footfall and outdoor media tracking can enable an organisation to make informed decisions,” said Vodafone in a recent press release about services it offers.

Likewise, O2 offers “analytical insights” to retailers through parent company Telefonica, whose digital insights team – set up last year – promises “a digital headcount to help them understand the movement of crowds”.

Telefonica hopes that selling analysis of customer data will provide valuable extra income

“Retailers are quite good at measuring footfall inside their stores,” the company said.

“But this data will tell them where people go once they are outside, as well as their age and gender.”

Such schemes have attracted the concern of privacy rights campaigners – particularly at a time when debate over what access the government should have to private data is under scrutiny.

Last week, proposals for the Communications Data Bill – referred to by some as the Snoopers’ Charter – was left out of the Queen’s Speech.

The bill called for greater powers to investigate crime in cyberspace – but was opposed by the Lib Dems who said the measures went too far.

On news the Met Police was in contact with Ipsos Mori about mobile data, one privacy group told the BBC it was “alarmed”.

“There is no point in the government announcing that they don’t want a Snoopers’ Charter only to get a privatised one by the back door,” said Loz Kaye from the Pirate Party UK.

“Companies must start to realise that it is against their interests to treat their customers this way. Otherwise we just end up being commodities in a 21st Century data gold rush.”

The Data Protection Act requires that organisations ensure that personal data is processed fairly and lawfully and only collected for “one or more specified and lawful purposes and not further processed in any manner incompatible with those purposes. The issue is whether data protection law applies to personal data that has been anonymised, and in the UK that it does not.

The UK’s Information Commissioner has issued a code of practice (Anonymiation: managing data protection risk code of practice) which provide that data anonymisation techniques do not have to provide a 100% guarantee to individuals’ privacy in order for it to be lawful for organisations to disclose the information. Anonymised personal data can be disclosed even if there is a “remote” chance that the data can be matched with other information and lead to individuals being identified, it said. The Canadian Privacy Commissioner in Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy, released in June 2011, argues that the issue of re identification is overblown and the concern is unnecessary. I think it is unduly optimistic.

The re identification of data is not a theoretical possibility. It is an actuality. The use of algorithms and other statistical and scientific means to de anonymise data has been the subject of significant research such as De-anonymizing Social Networks, Robust De-anonymization of Large Sparse Datasets, The ‘Re-Identification’ of Governor William Weld’s Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now and De identified data and third party data mining; the risk of re identification of personal information. I discussed this issue at my presentation “Managing Identify on Line” at MIT 8.

There is too much faith placed in de identification of data as a definitive means of privacy protection. Even an effective one. Technology, in particular the use of advanced algorithms, are rendering this technique problematical. Privacy watchdogs seem to want to steer a pragmatic, business friendly path through this issue. The problem is that technology has showed up the UK Information Commissioner’s code of practice to be flawed as far as it relates to de anonymisation.

Privacy Commissioner speech on amendments to the Privacy Act

Peter Clarke — Thu, 09 May 2013 17:19:02 +0000

The Privacy Commissioner has published the speech he gave last week. It can be found here.

Below is a slightly edited transcript. It relevantly provides:

Privacy law reform—Get in on the Act

…………..

Privacy law reform

It should be no surprise that privacy law reform is a priority for business. It is fair to say that the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will bring about the most significant changes in privacy regulation and compliance for over two decades.

In the time I have with you today, I will set out some of the key changes to the Privacy Act. In particular, I will talk about the new Australian Privacy Principles (or APPs) and the enhanced powers that will be available to me to resolve investigations. I also want to let you know how we will assist you prepare for the changes.

The APPs

Thirteen new APPs will apply to both Commonwealth agencies and private sector organisations, or ‘APP entities’ as both will be referred to in the amended Act. These principles will replace the existing Information Privacy Principles (or IPPs) and National Privacy Principles (or NPPs) that apply to government agencies and businesses respectively.

The APPs are structured to more closely reflect the information lifecycle — from ensuring transparency in information collection, through to use and disclosure, quality and security, access and correction.

To make the most of out time today, I am going to focus on the APPs that have some key changes and will be most relevant in your role as privacy professionals.

APP 1—Open and transparent management of personal information

APP 1 seeks to ensure that agencies manage personal information in an open and transparent way and take a proactive approach to informing individuals about how their personal information will be handled.

To that end APP 1 requires organisations to have a clearly expressed and up-to-date privacy policy outlining the way they handle personal information.

Of course, the requirement to have a privacy policy is not new. However, APP 1 expands on the existing requirements in NPP 5 by identifying the minimum information that must be contained in an APP privacy policy.

While these changes will require you to review your privacy policy, there is no denying that greater openness and transparency can only improve customer service and build trust with your customers.

Evidence continues to suggest that few people read privacy policies. And here lies our shared challenge. We need to develop privacy policies that not only create greater transparency, but that also engage, and I commend organisations that are starting to meet this challenge (McAfee’s Privacy Ninja).

Under APP 1 organisations must also take such steps as are reasonable to implement practices, procedures and systems to ensure compliance with the APPs or a registered APP code that binds the entity. Those practices, procedures and systems must also enable entities to deal with inquiries or complaints from individuals.

What is considered ‘reasonable in the circumstances’ will always depend on the specific circumstances. However, some things your organisation could do to fulfil your obligations under APP 1 include:

training staff about the organisation’s policies and practices

establishing procedures to receive and respond to privacy complaints and inquiries, and to identify and manage privacy risks and compliance issues.

APP 1 is a bedrock principle for all APP entities — by complying with this APP you will be establishing a culture and set of processes for your workplace that will assist you in complying with all the other APPs, right from the start.

Aside from this being a legal requirement, it should not be difficult to build a business case for this principle. The adage that prevention is better than the cure rings true, and is more compelling than the case for data breach insurance in my mind.

APP 7—Direct marketing

The use and disclosure of personal information for direct marketing is now addressed in a privacy principle (rather than as an exception in NPP 2). This principle has created some concern and will be one we will spend some time consulting on and addressing in our detailed APP guidelines.

Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.

A welcome reform is the clarification that APP 7 will be displaced where another Act specifically provides for a particular type of direct marketing, such as the Spam Act. But, APP 7 will still apply to organisations involved in direct marketing relating to electronic messages and other activities not covered by such instruments.

We have heard the concerns about this APP. However, it is important to understand that direct marketing continues to be an area of increasing community concern, particularly in the online environment.

In privacy research conducted by the University of Queensland last year, 56 per cent of respondents disapproved of having advertising targeted to them based on their personal information.

There is also evidence that with the growing prevalence of tracking and aggregation, consumers are choosing not to use services due to privacy concerns.

Compliance with APP 7, including the requirement to provide a ‘simple means’ by which the individual can request not to receive any marketing, not only allows individuals to exercise choice, it potentially prevents loss of business. Customers care that you care about how you handle their personal information. They also care that you listen to how they want you to use their personal information.

APP 8—Cross-border disclosure of personal information

APP 8 is an important new principle on the cross-border disclosure of personal information to an overseas recipient, replacing NPP 9. APP 8 requires an entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information, subject to limited exceptions.

APP 8 and the related s 16C create a framework under which a disclosing entity remains accountable for the subsequent handling of that personal information by the overseas recipient. In some circumstances, the disclosing entity will be liable for an act or practice of the overseas recipient that would breach the APPs.

As I mentioned, this is subject to limited exception. One exception is when the organisation expressly informs the individual that if they consent to the disclosure overseas then the organisation will not be required to take reasonable steps to ensure that the overseas recipient does not breach the APPs, and the organisation will not remain accountable for what happens to that information.

Like direct marketing, the disclosure of personal information overseas remains a concern for much of the public and APP 8 reflects this concern.

I understand that being held accountable for the mishandling of personal information by your overseas contractor is a concern. However, I imagine the cost of an overseas data breach (including the costs of remediation, loss of reputation and customer trust and, potentially, customers) is equally concerning. This APP is a compelling business case for you to protect your business when you are planning to send personal information overseas.

APP 11—Security of personal information

APP 11 relates to an entity’s obligation to protect the personal information it holds. While the obligations largely remain the same as those under IPP 4 and NPP 4 there are some differences to note.

Under APP 11, an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The inclusion of ‘interference’ is new and may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being ‘reasonable in the circumstances’.
APP 11 also sets out that an entity has obligations to destroy or de-identify personal information in certain circumstances.

To assist organisations understand their information security requirements this week the Federal Attorney-General launched the OAIC’s new Guide to information security at the OAIC’s business breakfast to launch PAW. The Guide clarifies what ‘reasonable steps’ should be taken under the Privacy Act. The guide isn’t binding but does send a clear message about my expectations in this area, so naturally we intend to refer to the guide when assessing compliance with the data security obligations in the Privacy Act.

What I am seeing in the hacking related data breaches, both here and overseas, are cases of organisations that have not taken reasonable steps to protect the personal information they hold. Reasonable steps include regularly updating their security systems.

Compliance with the security requirements under Privacy Act will not only minimise the risk of the costs of a data breach as I have previously outlined, but potentially the loss of valuable customer information to your competitors.

Commissioner’s new powers

Let’s now look at the Commissioner’s new powers.

From March 2014 I will be able to conduct Performance Assessments of private sector organisations to determine whether they are handling personal information in accordance with the new APPs, the new credit reporting provisions and other rules and codes.

The power will consolidate the existing discretion to conduct audits of Australian Government Agencies, tax file number recipients, credit reporting agencies, credit providers and extend it to include organisations.

These assessments may be conducted at any time, whether the organisation has had a previous Privacy breach or not. So I will be putting businesses on notice that they need to have their systems and processes in place to be ready at all times for a Performance Assessment.

I also have enhanced code making powers that will allow me to approve and register enforceable codes which are developed by entities, on their own initiative or on request from the Commissioner, or by the Commissioner directly.

From the first day of operation, the privacy reforms will provide me with enforcement powers and remedies in regards to own motion investigations – those that commence as a result of my own initiative rather than as a result of a complaint from an individual.

I will be able to make a determination (as I can already with a complaint lodged by an individual), accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

I will not be taking a softly softly approach.

Let’s remember that the public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, so these concepts are not new. Fundamentally the most of the principles remain the same.

Most of the requirements are not new requirements and in my view should already be happening so I will not shy away from taking action where it is appropriate to do so.

However, before you get too excited, I would note that since I became Privacy Commissioner in mid-2010, I have been telling business and government that my focus will always be on resolving the majority of complaints via conciliation.

How we will help

I would now like to outline the resources our office is developing for you to use in your work.

Our office has a role to educate all organisations and agencies, as well as the community more generally, about the changes that are coming. We are doing this on a very limited budget, having received no additional funding from Government, so it is encouraging to see that a number of you are already producing and disseminating helpful guidance on these important changes.

There is guidance to assist agencies and businesses already available. To date, we have published:

a privacy law reform page on the OAIC website to keep you up to date with privacy reform developments

a checklist that sets out action you can take now to comply with the reforms

Fact Sheet 17 which sets out the APPs

posters, a quick references tool and training slides to help you and your employees familiarise yourselves with the new APPs

a consultation draft of guidelines for developing APP codes.

All of these materials are available on the OAIC website, and some are available here today. We acknowledge that the key guidance is yet to come and this will be start with the release of the Guidelines on the APPs for consultation in the next few months.

We will be conducting targeted public consultation processes to assist us in developing this guidance. I would encourage you to contribute to these consultations, so we can arrive at guidance that is practical and meets the needs of business.

To keep across the latest guidance and other materials, if you haven’t already, I encourage you to sign up with the Privacy Connections Network, our network for private sector privacy professionals.

Conclusion

It is an exciting time to be working in the privacy field — the large scale of these reforms present interesting challenges and opportunities for all of us.

Be assured I will have the concerns of business in mind when administering the reformed Privacy Act. I will, though, always balance these concerns against the rights of individuals to control how their personal information is handled. These individuals value their personal information and they choose where they spend their money.

The business case is simply that good privacy practice is good business practice.

New York Times poll on camera surveillance after Boston Bombing

Peter Clarke — Sat, 04 May 2013 10:12:21 +0000

The effect on Boston of the terrorist bombing has been profound. I am currently in Boston at a conference at the MIT. It dominates the news, it permeates discussions. And it seems to be effecting American’s views on street surveillance. The New York Times in Poll Finds Strong Acceptance for Public Surveillance highlights a willingness of the public to allow for greater surveillance and reduce their privacy as a trade off. The poll is found here.

The article provides:

WASHINGTON — Americans overwhelmingly favor installing video surveillance cameras in public places, judging the infringement on their privacy as an acceptable trade-off for greater security from terrorist attacks, according to the latest New York Times/CBS News Poll.

A week after the Boston Marathon attack, which was unraveled after the release of video footage of the two suspects flushed them out of hiding, 78 percent of people said surveillance cameras were a good idea, the poll found.

The receptiveness to cameras on street corners reflects a public that regards terrorism as a fact of life in the United States — 9 out of 10 people polled said Americans would always have to live with the risk — but also a threat that many believe the government can combat effectively through rigorous law enforcement and proper regulation.

For all that confidence, there are lingering questions about the role of the nation’s intelligence agencies before the attacks, with people divided about whether they had collected information that could have prevented them (41 percent said they had; 45 percent said they had not).

The murkiness of the case — the Tsarnaev brothers’ ties to the Caucasus; the warnings from Russian intelligence about potential extremist sympathies — has clearly left an impression on the public. A majority, 53 percent, said the suspects had links to a larger terrorist group, while 32 percent said they had acted alone.

President Obama, in a White House news conference on Tuesday, defended the performance of the Federal Bureau of Investigation and the Department of Homeland Security, saying the agencies had done their job, while acknowledging, “This is hard stuff.”

The poll suggested that Americans are willing to tolerate further tough measures to foil future attacks. Sixty-six percent said information about how to make explosives should not be allowed on the Internet, where it would be available to aspiring terrorists, even if some would view that as a form of censorship. Thirty percent said it should be permitted in the interest of free expression.

More broadly, only 20 percent of people said they believed the government had gone too far in restricting civil liberties in the fight against terrorism, while 26 percent said it had not gone far enough and 49 percent said the balance was about right. In 2011, the share of those worried about losing civil liberties (25 percent) was larger than that favoring more intrusive government approach (17 percent).

“I know some people are paranoid about the government intruding on their privacy,” Judith Richards, a retired teacher from New Paltz, N.Y., said in a follow-up interview. “But with all the horrible things that have been happening, I think you have to trust this as a way to protect our well-being.”

Jennifer Lopez, 26, a saleswoman in Pembroke Pines, Fla., said: “There are cameras in stores and supermarkets. Our families would be safer and surveillance cameras would provide evidence to help agencies pursue people, like they just did in Boston.”

The nationwide poll of 965 adults was conducted on landlines and cellular phones from April 24 to April 28, five days after the manhunt for the surviving suspect in the Boston bombings, Dzhokhar Tsarnaev, ended with his capture in a backyard in Watertown, Mass. It has a margin of sampling error of plus or minus three percentage points.

Polls taken in the aftermath of terrorist attacks often show spikes in the public’s fears of another attack. In a CBS News poll a year ago, just 10 percent of people said another attack in the United States in the next few months was “very likely,” while 27 percent said it was “somewhat likely.” In the most recent survey, 24 percent said it was very likely and 42 percent somewhat likely.

There is also evidence that fears about immigrants have increased modestly. Forty-nine percent said the risk of terrorism had risen in the United States because of legal immigration. The last time that question was asked, in 2007, the percentage was 42 percent.

Still, other responses were unchanged since the Boston bombings: Twenty-three percent said they were very concerned about a terrorist attack in the area in which they live, about the same as said so in 2010. Fifty-six percent said they approved of Mr. Obama’s handling of terrorism, essentially unchanged from a CBS News poll in February.

Mr. Obama said the law enforcement system had functioned as it should in the days after the bombings. He also said the F.B.I. had properly handled the information it received from Russian intelligence agencies about the older of the two suspects, Tamerlan Tsarnaev, even as Mr. Obama conceded the difficulty of preventing attacks. “People, I think, understand that we’ve got to do everything we can to prevent these kinds of attacks from taking place,” Mr. Obama said. But he added, “We’re not going to stop living our lives because warped, twisted individuals try to intimidate us.”

Underscoring the president’s point, a large majority of those polled, 72 percent, said they did not plan to avoid large public events to reduce their exposure to potential terrorist attacks. That confidence came even as people were divided about whether their state and local authorities were prepared to deal with such an attack (48 percent said they were prepared; 41 percent said they were not).

Federal and local law enforcement agencies won high praise in the poll for their handling of the bombings — 84 percent approved — and some people in follow-up interviews seemed to regard the way the F.B.I. worked with the Boston and other police forces as a template for the future.

“If we’re going to have to live with the threat of terrorism, I think it is incredibly important that it be controlled at the local level,” said Lynn Francis, 52, a retired insurance agent in Rowlett, Tex. “If there is national intelligence, it needs to be shared with local government as quickly as possible and followed up on. National and local authorities should work together.”

Kath Buffington, a retired teacher from Rochester, N.Y., said she was rattled by the images of a locked-down Boston, even if it was warranted in this case. But she said that in a country dealing with the threat of terrorism since the September 2001 attacks, the fight against it should not be a pretext for more pervasive forms of surveillance.

“I don’t have a problem with cameras as long as they are public,” Ms. Buffington said. “But wiretapping without a warrant goes too far, now that the immediate 9/11 crisis is over.”

The effectiveness of CCTVs in preventing organised terrorist acts is at best arguable. They are far more effective in investigating the crimes, that is after the event has taken place. For example the London bombings on 7 July 2005 were not thwarted by the ubiquity of that city’s CCTV network. The sober reality is that the collection by human intelligence and traditional forms of investigation and policing are are more effective in preventing crimes. The recent arrest of suspects in Al Quaeda conspiracy to derail a train in Canada was thwarted by human intelligence, not CCTV. See article here.

The cost in establishing, manning and maintaining a CCTV network to the required standard is enormous. Installing an extensive surveillance network and not funding it gives a misleading sense of security. It is a recipe for failure.

Major criminal or terrorist events are triggers for a, often temporary, re evaluation of individual rights. Government action in that environment is often excessive and poorly targeted. The US is still struggling with the poorly drafted Patriot Act. The military commission structure to handle prosecutions of detainees in Guantanamo Bay is moribound.

A pause is needed before any action is taken. Benjamin Franklin, a Bostonian, said “Those who would sacrifice freedom for security deserve neither”. Words to live by.

Tweets last forever……..here’s the proof

Peter Clarke — Fri, 26 Apr 2013 07:09:22 +0000

Recently the World Today the report UK youth commissioner under fire over foul tweets highlights the permanence of the cybersphere and what one in the full bloom of fiery youth may regret as the rules of polite society beckon. Woad warriors could transform themselves into paragons of virtue pre internet. Memories fade and plausible deniability is an active option. Now the the Net sets all matters in in cyber concrete. This has had an impact lately on Paris Brown.

The story provides:

ELEANOR HALL: Teenagers are often warned about what they say on social media sites: that they could come back to haunt them in later life.

A young woman in the UK didn’t have to wait long.

17-year-old Paris Brown’s position as the country’s first Youth Police and Crime Commissioner has been put in doubt by the publication of a string of offensive tweets from her account, as Europe correspondent Barbara Miller reports.

BARBARA MILLER: Paris Brown was chosen from dozens of young applicants to be the UK’s first Youth Police and Crime Commissioner. Many no doubt were attracted in part by the more than $20,000 in salary on offer.

The role was to liaise between police and young people in the county of Kent in south-east England. Her apprenticeship was going well, until someone checked her Twitter account.

There they found racist tweets, homophobic tweets, ones that made reference to sex and drug-taking. Paris Brown says she is sorry for any offence caused on the now-deleted account.

PARIS BROWN: All teenagers make mistakes, all teenagers think at one point, oh I’m annoyed, write something stupid. If you look back at… I look back on our Facebook statuses or tweets that I wrote when I was, like, 13, and they’d just make you cringe. Not because they’re offensive, but because they’re just stupid.

And it is. It’s an age thing. When you are a young person, you do have views that you don’t really agree with yourself.

BARBARA MILLER: The 17-year-old says people her age sometimes tweet before thinking:

PARIS BROWN: Older generations haven’t grown around, grown up with Twitter, social media. They know how to sort of, maybe talk to other people about it, but for young people it’s different. We don’t want to bother people with your problems; you just think, oh I’m annoyed, tweet.

BARBARA MILLER: Paris Brown is adamant that she doesn’t hold the views the tweets appeared to represent.

PARIS BROWN: I’m not homophobic. (upset) I’m not racist. I don’t condone drug-taking. And I do not (upset)…I don’t want people judging me based on a few stupid things that I wrote which I didn’t mean, which were taken out of context, which were not meant as they are portrayed.

BARBARA MILLER: Questions are being asked about whether Paris Brown really is the right person for the job.

Labour MP Keith Vaz is the chairman of the Commons Home Affairs Select Committee.

KEITH VAZ: Of course it’s refreshing to have people in these posts, and I congratulate Ann Barnes for thinking of having the post of Youth and Crime Commissioner, but I just question whether she did proper scrutiny, asked the right questions. These kinds of statements ought to have been dealt with before the appointment.

BARBARA MILLER: Kent’s independent police and crime commissioner Ann Barnes recruited Paris Brown.

She says she has no regrets.

ANN BARNES: I do not condone one single solitary word of these terrible tweets of Paris’. I’m as ashamed of them as she is and her parents are. But you know, she made them – a few out of 4,000 – horrible though they were, when she was 14, 15, 16-year-old. It would be awful for me to stop her having a life chance for something that was done when she was so young, and for which she is truly, truly sorry.

And I hope she really thinks seriously about what she’s done – well, I know she’s going to. And I don’t regret making the appointment, no.

BARBARA MILLER: Ann Barnes says it would be a sorry state of affairs if everyone’s future were determined by what they wrote in social networking sites between the ages of 14 and 16. She at least is prepared to give Paris Brown a second chance.

On Twitter, some users are not nearly so forgiving.

Violet Homes Loans Pty Ltd v Schmidt & Anor [2013] VSCA 56 (25 March 2013): unconscionable conduct

Peter Clarke — Sun, 21 Apr 2013 10:08:15 +0000

In Violet Homes Loans Pty Ltd v Schmidt & Anor [2013] VSCA 56 the Court of Appeal unanimously upheld the trial judge’s decision that a mortgage originator

FACTS

In Perpetual Trustees Australia Limited v Schmidt & Anor [2010] VSC 67 the trial judge, J Forrest J, found that Violet Homes Pty Ltd (“Violet”) had acted unconscionably and in breach of the general law, section 51AC of the Trade Practices Act and section 12CB of the Australian Securities and Investment Commission Act 2001.

In 2003 the Plaintiff (“Schmidt”) responded to an advertisement which claimed an investment of $40,000 in syndicate would lead to a net return of $80,000 within 12 months. Schmidt range the number given and spoke to a Mr Maddocks (“Maddocks”). In next month he invested $80,000 in the syndicate. obtained a line of credit from Perpetual Trustees Australia Ltd [12]. In early 2004 Maddocks pursuaded Schmidt to make further investments. Schmidt was unable to borrow from his bank, the Bank of Melbourne, because he was a pensioner who had no capacity to repay [13]. Maddocks arranged a loan for Schmidt from Perpetual, preparing the loan application and income declaration. The documents contained false information, as to Schmidt’s employment situation and his annual income. Schmidt did not provide the false information but signed the documents without reading them [14]. The documents were provided to a finance broker, Medallion Finance Concepts (“Medallion”) who onforwarded them to Violet [16]. Responding to querries by Ms Bonnici a credit officer at Violet, including a failure to provide an ABN, raised Maddocks prepared an amended the application and had Schmidt sign it [20]. At no time did anyone from Violet deal with Schmidt directly.

DECISION

Unconsionability

The Court found that “..recklessness, in the form of wilful blindness, may in some cases supply the necessary element of moral obloquy”[58]. The court said that there was limited use in comparing facts of particular cases to determine whether the facts in question is unconscionable, by way of compare and contrast. Rather, the court said “.. the task requires a more synthesised approach which takes into account all of the facts relevant to the impugned conduct and determines whether, in all the circumstances, that particular conduct is unconscionable” [59]. In this case:

Here, the discrepancy in the figures in the loan application and income declaration, not just once, but twice and the absence of an ABN, which was requested but never provided, ought to have raised the suspicion of Violet that something may be amiss with the application.

The fact that Violet did not comply with its own procedures told against it in light of its other failures with the court stating, at [67]:

However, sometimes a risk eventuates and, depending on all the circumstances, the lender may be held responsible for the consequences, partly because the very system the lender has established facilitates the perpetration of frauds upon borrowers. No doubt lenders take this into account when pricing their products and determining that, overall, it is in their commercial interests to proceed with the simplified and, in some senses, automated, processing and outsourcing of lending functions.

In light of that the court said, at [68], that:

So it was that when the revised forms were submitted with a reduced figure for Mr Schmidt’s income and no ABN, Ms Bonnici did not question this nor examine nor question more closely the other matters that suggested all was not right (for example the payment of interest out of capital in the Assetbuilder Loan account and Mr Schmidt’s age) that ought to have been apparent from the other information provided. In those circumstances, and without a satisfactory explanation, the failure of Violet to conduct an interview (by telephone or in person) was reprehensible. Whilst a failure to conduct an interview and thus comply with the guidelines may not of itself constitute unconscionable conduct in the generality of cases, in the circumstances of this case, that failure strongly supports the proposition that Violet’s conduct was unconscionable.

Section 12CB of ASIC Act

Section 12CB prohibits unconscionable conduct in relation to a consumer. The appellant claimed that Schmidt’s application was for business credit, not “..were not of a kind ‘ordinarily acquired for personal, domestic or household use’ and therefore not subject of section 12CB.

The Court undertook an anlaysis of the authorities ([72]- [74]) in particular Young J in Bunnings Group Ltd v Laminex Group Ltd where the applicable principles were described as:

(a) the word ‘ordinarily’ means ‘commonly’ or ‘regularly’, not ‘principally’, ‘exclusively’ or ‘predominantly;

(b) it is preferable to ask whether the goods are of a kind ordinarily acquired for personal, domestic or household use or consumption as a single composite question. His Honour referred to a passage from Clean Investments Pty Ltd v Commissioner of Taxation:

For example, an architect’s stool, an office chair and a kitchen stool or chair may be described as ‘stools’ or ‘chairs’ and their purpose as being ‘to provide seating’. Yet it would be wrong to conclude that the architect’s stool or the office chair is of a kind ordinarily used for household purposes for no other reason than that, like the kitchen chair, it is ordinarily used for the purpose of providing seating^.

(c) depending on the precise statutory question and the circumstances of the particular case, it will be relevant to inquire as to the essential character of the goods in question;

(d) the question is ultimately a question of fact and degree^.

and found, at [75] the financial services were of a kind ordinarily acquired for personal use [75] stating:

“.. it is now not uncommon for funds to be borrowed by retirees and used in investment projects, such as the project that Mr Schmidt thought he was investing in. Indeed, the advertisements to which Mr Schmidt responded were headed ‘Retirees/Investors/Superannuation’. Moreover, the type of ‘low doc loan’ obtained by Mr Schmidt was only available if the security property was residential with a loan to value ratio of 80 per cent. The maximum amount that could be borrowed was $600,000. Ordinarily, that type of loan is one that is used for personal investment, rather than for the operation of what might be described as an investment business. ..”

Trade or Commerce

While the Court was not required to consider whether there was a contravention of section 51AC of the Trade Practices Act they cited with approval the New South Wales Court of Appeal in Kowalczuk v Accom Finance Pty Ltd where the Court stated:

“..a transaction is entered ‘for the purpose of trade or commerce’ when it is entered to enable some further activity, that has itself a trading or commercial character, to be engaged in. For a private individual, or a private individual’s company, to make an investment is not, in my view, to enter a transaction ‘for the purpose of trade or commerce’ when it is not itself a part of a business of investing…”

ISSUE

In this case the Court found the recklessness in the form of wilful blindness gave rise to a claim of unconscionable conduct. Unconscionable conduct is a developing area of equity and this case highlights the latest development in expanding the potential liability of financial service providers (and advisors). Here the court was critical of the creditor who breached its own protocols to effect the loan.

McCracken v Phoenix Constructions (Queensland) Pty Ltd [2013] FCAFC 41 (18 April 2013): Bankruptcy, whether debt owing at time of bankruptcy, sections 44(1) and 52(1) of Bankruptcy Act

Peter Clarke — Sun, 21 Apr 2013 09:41:01 +0000

The Full bench of the Federal court in McCracken v Phoenix Constructions (Queensland) Pty Ltd [2013] FCAFC 41 by unanimous decision and per Lander J’s reasons, upheld an appeal against a sequestration order made by the Federal Magistrate’s Court. The issue on appeal, at [34], is succinctly described as:

“..first, whether if a debt is relied upon for the issue of the bankruptcy notice and as an act of bankruptcy, that debt must continue to be owing at the time when the creditor’s petition is heard for the Court to make a sequestration order; secondly, if the debt is no longer owing at that time, whether the petitioning creditor can rely upon a later debt which first arose after the act of bankruptcy and after the filing of a creditor’s petition; and thirdly, if that debt can be relied upon at the hearing of the creditor’s petition and at the time of the making of the sequestration order, must that debt be for a liquidated sum.”

Facts

The Appellant (“McCracken”) and the Respondent (“Phoenix”) were involved in a proceeding which culminated in judgement being entered for Phoenix in the sum of $2,025,212.17 on 15 June 2011. On 7 July 2011 the official receiver issued a bankruptcy notice directed to McCracken [4]. On 12 July 2011 McCracken filed a notice of appeal [5] and on 13 July the trial judge ordered McCracken to pay Phoenix’s cost of the proceedings [6]. Those costs were never assessed. On 10 August 2011 a bankruptcy notice was served on McCracken [12] with Phoenix filing a creditor’s petition on 11 August 2011. The creditors petition relied on a number of acts of bankruptcy including McCracken absenting himself from Australia and his dwelling house to avoid service. It did not rely upon the appellants failure to pay the judgement sum [13]. On 27 September 2011 in the Court of Appeal refused McCracken’s application for a stay of the judgement [15] and the Federal Magistrates Court refused his application for a stay of the bankruptcy proceeding [16]. On 18 October 2011 Phoenix filed an amended creditors petition relying upon McCracken’s failure to comply with the bankruptcy notice [17].

On 18 May 2012 the Court of Appeal allowed McCracken’s appeal and set aside the orders made by the trial judge [19]. On 19 July 2012 the Federal Magistrates Court heard the petition and made a sequestration order against McCracken on 14 September 2012 [22]. Their Honours’ noted that at the time the Federal Magistrates Court heard the creditor’s petition the debt which was relied on in both the bankruptcy notice and the creditor’s petition no longer existed, having been discharged by the Court of Appeal [23]. The Federal Magistrate concluded that even though the amount may have changed there was an ongoing debt that which was still doing due and owing [31] and that once an act of bankruptcy had been committed it remained available for the purposes of a sequestration order and did not rely on other acts of bankruptcy relied upon by Phoenix, such as the conduct of the appellants to avoid service [33].

Decision

Where the debtor who has committed an act of bankruptcy is ordinarily resident in Australia the court may make a sequestration order against the estate of the debtor [51]. The first requirement to found that jurisdiction is that the debtor has committed an act of bankruptcy [52]. The second necessary fact is that the debtor comes within one of the descriptions and section 43(1) (b) of the Bankruptcy Act 1966 (the “Act”).

The Court found that whilst the debt need not be the same debt as was relied upon to the act of bankruptcy it must be a debt which existed at the time of the act of bankruptcy [63]. The debt must also be a debt for liquidated sum payable immediately or at a certain future time [65]. Section 52 (1) requires the creditor by affidavit or viva voce evidence of the matters stated in the petition. That requires proof that an act of bankruptcy occurred as alleged in the proof of debts relied upon in the creditors petition and they can only be those that existed at the time of the act of bankruptcy occurred and when the creditors petition was presented [77]. The creditor must also prove that the debts on which the petitioning creditors rely is or are still owing [79].

The Court found that at the time a hearing of creditor’s petition the debt which was created by the judgement of the Supreme Court of Queensland and relied upon in the act of bankruptcy and in the petition no longer existed [91]. Phoenix could not rely upon it therefore could not satisfy section 52(1)(a) of the Act. Phoenix could not have relied any judgement debt in the form of a costs order. That order only came into existence on 18 May 2012. Further that order in any event was not a debt for liquidated sum [94] and the debt could not become a liquidated sum until the procedures had been finalised and the registrar had made an order in the assessors certificate [94].

The Court rejected Phoenix’s submission that it had not engaged a costs consultant because the McCracken was insolvent and it would not have recovered the costs of the assessment and McCracken could have required Phoenix to assess the costs. Their Honours also rejected Phoenix’s submission that an approved costs assessor had provided opinion that the costs could have been assessed at about $400,000 which could be relied upon [96]. As such no sequestration order could have been made because it is a prerequisite for the making of such an order that at the time of the orders made the creditor is able to provide a liquidated sum in excess of $5000 (section 41 (1) (b) (i)).

Issue

That bankruptcy notices and creditor petitions are technical documents which must comply with the Act is trite This decision highlights the great care in determining what is the debt upon which a notice or petition applies and what act of bankruptcy is relied upon. The fact situation in this case is unusual but highlights the need to always refer back to the legislation to determine whether the creditor’s position changed vis a vis the debtor. Phoenix found itself without a judgement debt and while it had obtained a costs order its favour it had not assessed that order so that it could be calculated and a certificate issued for liquidated sum. Notwithstanding that, it pressed on with and the court found the fatal flaws in the petition. Lander J’s decision will be quite influential as he undertook a very detailed and useful analysis of the operation of bankruptcy notices and creditors petition.