Trustmarks

31.59 One feature of the APEC Privacy Framework that may have application in the Australian context is a trustmark scheme.[91] A number of countries already have adopted trustmark schemes, including privacy trustmark schemes. Some of these schemes are beginning to recognise each others’ trustmarks and develop global trustmark principles.[92] Trustmark schemes vary in nature and structure. For example, in the United States (US), trustmark bodies are private sector organisations,[93] whereas in Singapore, the National Trust Council’s trustmark ‘TrustSg’ is publicly supported by Singapore’s Infocomm Development Authority.[94]

31.60 Trustmark bodies not only provide accreditation and allow the use of trustmarks, they also can provide advice to organisations and consumers about privacy laws, and handle privacy complaints.[95] One advantage of adopting a trustmark scheme is that it can deal with low-level privacy breaches and the provision of advice on privacy matters, leaving government regulators and law enforcement bodies to focus on serious and harmful privacy breaches.

31.61 One option would be to introduce an Australian privacy trustmark scheme. An Australian privacy trustmark scheme could approve privacy policies for the purpose of the ‘Openness’ principle in the model UPPs. On approval, an agency or organisation would be permitted to display a privacy trustmark. If an agency or organisation breaches an individual’s privacy, a privacy trustmark body could provide an external dispute resolution scheme and could refer appropriate matters to the OPC. One enforcement option would be to prevent an agency or organisation displaying a trustmark. Once established, an Australian trustmark scheme could seek recognition by overseas trustmark schemes, and could be used to approve CBPRs for the purposes of the APEC Privacy Framework or other international privacy regimes.

31.62 In DP 72, the ALRC asked whether the use of trustmarks would be an effective method of promoting compliance with, and enforcement of, the Privacy Act and other international privacy regimes.[96]

Submissions and consultations

31.63 The OPC stated that it had not yet considered a model of how trustmarks might interact with the Privacy Act, but expressed interest in examining any such proposals, if and when they are put forward.[97] In the view of the Office of the NSW Privacy Commissioner (Privacy NSW), the value of trustmarks is ‘dependent on the rigour of the compliance and audit functions which support them’. It submitted that, if it was proposed that the OPC would have power to issue or approve trustmarks, thought should be given to how compliance with a trustmark would be audited and how the complaint process for individuals would work. Privacy NSW also referred to the current discussions in APEC about the use of trustmarks. In its view, these discussions offered ‘some hope of realistic, widely recognised and respected use of trustmarks’ and the possibility that APEC itself could be the issuer of trustmarks.[98]

31.64 Other stakeholders expressed strong support for the use of trustmarks. Unisys Asia Pacific, for example, argued that ‘there is an opportunity and an imperative to go further’. It submitted that ‘steps [should] be taken towards an international privacy standards body’ because without this, ‘the national privacy framework would be potentially undermined by the lack of internationally consistent standards’.

Establishing global standards can have a profound social and economic impact through enabling the potential to be realized while ensuring that minimum commonality in approach is maintained. This could be a stand alone organisation, sit within an existing body (such as International Standards Organisation or WTO) or be established by some other construct. Similar to the CEIA, an important end goal of a privacy standards body would be to create a baseline for adoptable global practices in privacy, allowing privacy certifications to operate across international borders and encourage confidence and trust from organisations and individuals across the world.[99]

31.65 Smartnet submitted that trustmarks are important, especially for internet services. It expressed a desire to see some form of trustmark on the websites of all Australian organisations that hold or use large amounts of personal data, particularly those organisations that require people to disclose personal data in order to receive services.[100]

31.66 The Australian Bankers’ Association (ABA) also expressed the view that trustmarks should be encouraged if they give confidence to users of e-commerce. It noted that one possibility would be to allow Australian banks to recognise the issue of a trustmark to an overseas entity as an ‘authentication’ that the overseas entity is subject to a ‘law, binding scheme or contract’ for the purposes of the UPPs. It submitted, however, that incorporating trustmarks in the Privacy Act required further consideration. The ABA stated that the role of a trustmark entity should not overlap with the role of the OPC, ‘so that agencies and organisations are not exposed to dual “regulatory” bodies’.[101]

31.67 Similarly, the National Australia Bank, while indicating that it appreciated the effectiveness of trustmarks, submitted that further details were required in relation to the proposed scheme. Such details would include which body would administer the scheme, its framework and how the responsibilities of that body would be separated from those of the OPC. It indicated that any such scheme should not detract from the OPC’s primary responsibilities, which are providing advice to organisations and consumers about privacy laws, and handling complaints.[102]

31.68 Some stakeholders disagreed with the proposal. The Public Interest Advocacy Centre (PIAC) was ‘unconvinced’ by the utility of trustmarks which, in its view, do not provide a sufficient guarantee of privacy protection.[103] The Australian Privacy Foundation submitted that there should be no provision for trustmarks under the Privacy Act and the OPC should not be involved with them, unless there is a ‘compelling case of value to consumers’.[104] One stakeholder expressed a concern about the effect on privacy protection in Australia when trustmarks are issued by companies based in countries where privacy legislation is less robust than in Australia.[105] Another stakeholder submitted that while the idea had merit, it ‘would be open to abuse and would therefore require constant enforcement and possibly penalties for false use in order to retain the confidence of the public’.[106]

31.69 In the view of the Office of the Victorian Privacy Commissioner (OVPC):

The benchmark should be legislation, with strong and effective independent regulators. This will be the case in Australia if the proposed UPPs and regulatory models are adopted and could provide a regional and international model for privacy regulation.

However, in jurisdictions where this benchmark is unable or unlikely to be achieved, alternative arrangements, including the use of trustmarks, could be considered. In my view, current international schemes, such as the APEC Privacy Framework, are not yet sufficiently well developed to be recognised legislatively.[107]

ALRC’s view

31.70 The use of trustmarks as a method of promoting compliance with, and enforcement of, the Privacy Act and other international privacy regimes should be explored. It is premature, however, to introduce the concept of trustmarks into the Privacy Act. The concept needs to be developed further before it would be appropriate for introduction as a mechanism under the Privacy Act.

[91] The ALRC notes that the EU is currently considering the use of ‘trust seals’ in the context of privacy-enhancing technologies. See Commission of the European Communities, Communication from the Commission to the European Parliament and the Council on Promoting Data Protection by Privacy Enhancing Technologies (PETs) (2007), 228.

[92] Examples include the BBBOnline, BBBOnline Japanese Privacy Seal <www.bbbonline.org/privacy/jipdec.asp> at 6 May 2008; Asia Trustmark Alliance (ATA): TrustSg, Asia Trustmark Alliance <www.trustsg.com/radiantrust/tsg/rel1_0/html/asiatrust.html> at 6 May 2008; Global Trustmark Alliance, Website <www.globaltrustmarkalliance.org> at 6 May 2008.

[93] See, eg, TRUSTe, Website <www.truste.org> at 6 May 2008.

[94] TrustSg, National Trust Councils & ACOs <www.trustsg.com/radiantrust/tsg/rel1_0/html/TrustCouncil.html> at 6 May 2008.

[95] See, eg, TRUSTe, Website <www.truste.org> at 6 May 2008.

[96] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 28–2.

[97] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[98] Privacy NSW, Submission PR 468, 14 December 2007.

[99] Unisys, Submission PR 569, 12 February 2008.

[100] Smartnet, Submission PR 457, 11 December 2007.

[101] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[102] National Australia Bank, Submission PR 408, 7 December 2007.

[103] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[104] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[105] P Youngman, Submission PR 394, 7 December 2007.

[106] S Hawkins, Submission PR 382, 6 December 2007.

[107] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.