Online copyright infringement discussion paper

4 September 2014

Our reference: 12/000213

Mr Andrew Walter
Assistant Secretary
Commercial and Administrative Law Branch
Attorney-General’s Department

By email: copyrightconsultation@ag.gov.au

Dear Mr Walter

Online copyright infringement discussion paper

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Australian Government’s Online copyright infringement discussion paper (the discussion paper).

Our comments respond to question 5 in the discussion paper, about what rights consumers should have if the liability for authorising an act that infringes copyright (the authorisation liability) in the Copyright Act 1968 (Copyright Act) as it applies to internet service providers (ISPs) is extended.

Privacy implications of extending the authorisation liability in the Copyright Act

Proposal 1 in the discussion paper contemplates extending the authorisation liability in ss 36 and 101 of the Copyright Act to reflect the Government’s view that, even where an ISP does not have direct power to prevent a person from infringing copyright, the ISP may still be able to take ‘reasonable steps’ to discourage or reduce that infringement. The discussion paper notes that the Government ‘is looking to industry to reach agreement on appropriate industry schemes or commercial arrangements on what would constitute “reasonable steps”’.

The OAIC notes that, to effectively identify potential copyright infringement, these ‘reasonable steps’ are likely to necessitate ISPs to collect and use data about individuals’ internet usage, such as the fact that an individual downloaded or uploaded particular data. This information could be considered ‘personal information’ under the Privacy Act 1988 (Privacy Act). Given this potential for monitoring of customer internet usage and the privacy impacts of such monitoring, the OAIC recommends that the associated privacy implications be given careful consideration if the proposal goes ahead. For that reason, the OAIC suggests that a privacy impact assessment is undertaken to identify and mitigate privacy risks associated with any legislative amendment to the Copyright Act.

Australian ISPs covered by the Privacy Act must comply with the Australian Privacy Principles (APPs) which regulate how organisations handle, hold and correct personal information. Importantly, an organisation may only collect personal information if the information is reasonably necessary for one or more of the organisation’s functions or activities (APP 3.2). Further, an organisation can only use or disclose personal information for a purpose that would otherwise not be permitted under the APPs if that use or disclosure is authorised or required by law (APP 6.2(b)). Depending on how an amendment to the Copyright Act is framed, Proposal 1 may provide authorisation under APP 6.2(b) for ISPs to use or disclose customer internet usage information when taking reasonable steps to discourage or reduce copyright infringement.

The OAIC suggests that, if Proposal 1 is implemented, the amendments should include mechanisms to ensure that the new arrangements prescribe how ISPs must manage personal information when taking these reasonable steps, and place limits on how personal information can be collected, used and disclosed. This could be done, for example, by mandating minimum privacy requirements that industry schemes or commercial arrangements developed to establish what constitutes ‘reasonable steps’ must meet. Mandating privacy requirements as part of any extended authorisation liability would have the additional benefit of ensuring that smaller ISPs which may not be covered by the Privacy Act appropriately manage any personal information they collect in the course of taking ‘reasonable steps’.

A particularly important issue is the retention of personal information used to take reasonable steps to discourage or reduce copyright infringement. Retaining large amounts of personal information for an extended period of time increases the risk of a data breach. The OAIC suggests that any extended authorisation liability should specifically require ISPs not to retain data about individuals’ internet usage for any longer than is needed to take reasonable steps to discourage or reduce copyright infringement.

I trust that these comments are of assistance. If you would like to discuss this matter further, please contact Natasha Roberts (Assistant Director — Regulation and Strategy) on [contact details removed].

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

4 September 2014

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au