The revelations of NSA whistleblower Edward Snowden have altered the way we think about accountability, transparency and the rule of law with regard to both the activities of security agencies and the value of privacy, according to a detailed report released this week.
But this change in thinking has not led to practical reform, according to the report:
While there has been a notable volume of “activity” in the form of diplomatic representations, parliamentary inquiries, media coverage, campaign strategies, draft legislation and industry initiatives, there has – at the global level – been an insignificant number of tangible reforms adopted to address the concerns raised by the Snowden disclosures. Two thirds of legal professionals and technology experts from 29 countries surveyed for this study reported that they could recall no tangible measure taken by government.
The Snowden revelations received wide coverage in the Australian media, which was not the case in all countries included in the study.
The report notes Australia’s inquiry into a comprehensive revision of the Telecommunications (Interception and Access) Act 1979, and how the Joint Parliamentary Committee on Intelligence and Surveillance, in June 2013, decided not to endorse the then Attorney-General’s proposal for data retention on an increased scale.
Where Australia’s law falls short
The key issue discussed in relation to Australia is, however, the soon to be decided fate of the proposed new tort of serious invasion of privacy. In discussion papers released in October 2013 and in March 2014, the Australian Law Reform Commission discussed the possibility of introducing such a tort to complement the recently amended Privacy Act.
The proposal has widespread support and would help bring Australian privacy law in line with that of many other countries. However, the Snowden report concludes that:
The new conservative government seems unlikely to implement the proposed privacy tort or give the Privacy Commissioner adequate resources. It also seems uninterested in reining in powers or activities of intelligence and law enforcement agencies, or considering risks and harm to individuals, businesses or the public interest from erosion of trust in communications confidentiality, IT security and privacy.
The consequences of a failure to introduce a tort of serious invasion of privacy go way beyond the matters brought to light by Snowden. As I have pointed out elsewhere, Australian privacy law contains serious gaps, for example in relation to “sexting” situations. A carefully drafted tort such as that discussed would help a great deal.
The Australian Law Reform Commission is due to deliver its final report to the Attorney-General this month - we really should not miss this opportunity to improve Australia’s law.
The Australian correspondent of the Snowden report, Dr Jenny Ng, concludes that the higher profile of privacy and surveillance issues may in the longer term lead to improvements in legal privacy protection. However, this conclusion is accompanied by the statement that “the outcome is by no means certain, with the capacity for inhibiting stronger privacy laws ever present”.
More generally, one of the report’s most interesting observations relates to the international political responses to the disclosures made by Edward Snowden:
While, for example, President Obama declared an interest in providing some protections for non-US persons, the protections themselves were marginal at best, and have so far failed to materialise. Indeed the available evidence indicates that the US administration has engaged in a global campaign to neutralise attempts by some governments to create reform of international security relationships.
But the reverberations from the Snowden revelations go beyond the big stage of international politics. The report also notes changes in corporate attitudes:
A significant number of corporations have responded to the disclosures by introducing a range of accountability and security measures (transparency reports, end-to-end encryption etc). Nonetheless, while acknowledging that these reforms are “a promising start” nearly sixty percent of legal and IT professionals surveyed for this report believe that they do not go far enough, with more than a third of respondents reporting that they felt the measures were “little more than window dressing” or are of “little value” outside the US".
The concerns are obvious; any time we decide to entrust our personal information to a foreign business, for example through one of the many cloud computing providers, we are exposing ourselves to three-letter agencies such as the NSA. And if we decide only to trust Australian businesses, the weakness of the Privacy Act’s regulation of data transfers overseas will mean we are still at risk. Indeed, our own government shares our personal information with those overseas three-letter agencies.
So is the conclusion that we must surrender our interest in privacy? I do not think so. Rights, like our fundamental human right to privacy, are always of the greatest importance where they are most difficult to uphold. The right to water, for example, means a lot more to us in a desert than amongst lakes and rivers of fresh water. In the same way, the right to privacy is made even more important in the privacy-hostile environment we operate in online.