Information companies and the Use Limitation Principle

Google has copped a lot of flak over its move to join up all services with the cover story that it’s simply rationalising its privacy policies. Amongst those defending Google is another information company, Bloomberg. In this post, I want to draw attention to details of Australian privacy law that Bloomberg is oblivious to. Other jurisdictions with OECD based data protection legislation (and that’s a lot of the world) may present the same challenge to Google’s and Bloomberg’s simplistic view of privacy. Let’s take a closer look.

In an editorial on March 1, Bloomberg positively thrilled to an alleged over-reaction of privacy advocates:

You’d think Google had announced it would start collecting terabytes of data about you, your neighbor and your dog, if he’s ever online.

Then Bloomberg’s editors asserted:

You’d be wrong: Google already does that. Google is not collecting any new information; rather, it is sharing (with itself) more of the information it already has [emphasis added].

But it is Bloomberg that’s wrong.

The Use Limitation principle holds that custodians of Personal Information should not put that PI to secondary uses unrelated to the primary purpose for which it was collected. Nobody using Blogger or YouTube for instance over the years could have foreseen that one day their posts and videos would be mashed up with Google’s boundless data mines and put to any old comemrcial purpose Google sees fit.

Use Limitation is really basic. One cannot really believe Google doesn’t get it; their ambit claim that what they’re doing is good for privacy because now there’s a single simple privacy policy just doesn’t pass muster.

But in Australia, the situation for the big infomopolies is potentially even more restrictive, with recent legally enforceable interpretations of the Use Limitation principle expressly nullifying the presumption that ‘sharing information with itself’ is ok for heterogeneous organisations.

The Privacy Commissioner for the State of Victoria has advised that “entities within the Victorian public sector should not assume that, because one part of the organisation collected some personal information, this can disclosed to any other part of the organisation without regard for [the Use & Disclosure Principle]” Ref: Guidelines to the Information Privacy Principles, Office of the Victorian Privacy Commissioner, Edition 3, November 2011.

This advice derives from a tribunal ruling elsewhere in Australia, which I discussed at length in another blog post: In that case, patient information collected by a counsellor in a hospital was shared without the patient’s consent with another specialist, and the patient’s rights were ruled to have been violated.

The relevance of these matters in the current discussion about Google amalgamating services is that the Australian legal system has taken a conservative view of what it means to share personal information within large organisations. Technically, the ruling is that individuals have the right to be informed about internal disclosures, and they may have the right to withdraw their consent.

Let’s remember that Australian law is not as strict as that of European states like Germany, and is not enforced as energetically. With OECD principles forming the basis for all these sorts of data protection regulations, I suspect that European states will reach the same conclusions, that Google is not in fact entirely free to share information ‘with itself’.

Case law around OECD Privacy Principles is clearly fluid. Big infomopolies need to take more care not to presume what the law actually says.

But let’s be less legalistic about this, and instead make this appeal to Google: If you truly have the interests of customers at heart, then please heed civil rights, reconsider how people expect their treasured private information to be handled, and try not to take their online permissiveness for granted.