Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
JOINT SELECT COMMITTEE ON CYBER-SAFETY
09/12/2010
Cybersafety issues affecting children and young people

CHAIR —Welcome. Thank you for making the time to come a little earlier than scheduled. Before proceeding I would like to remind you that this is a public hearing. Although the committee does not require you to give evidence under oath, I should advise that this hearing is a legal proceeding of parliament and warrants the same respect as the House and the Senate. The giving of false or misleading information is a serious matter and may be regarded as a contempt of the parliament. Do you wish to make an opening statement?

Ms Versey —There is not a great deal I want to say in opening. I think the committee has seen our written submission. Our submission is focused very much on our area of expertise, which is privacy. It looks at how privacy laws can assist and identifies some of the gaps. The submission focuses on various ways that the privacy laws operate to address some of the problems. One thing I would like to emphasise—we talk about this in the submission—and I think this is important, is our concern about overcollection of personal information, especially through the use of mandatory fields online, whereby users cannot progress or access a service unless they give over significant amounts of their personal information. So we are focusing on the responsibilities of organisations that are collecting information online which may then be accessed illegally and may be misused.

We need to bear in mind that information collected through the use of mandatory fields is sometimes used for unrelated purposes, such as marketing, statistics, advertisements or even profit motives. Our submission refers to the fact that the sale of information databases is a large industry in the United States. I remind the committee that social networking sites such as Facebook insist that real people register. Obviously that is for good reason but it does mean that people are again forced to provide quite a lot of personal information. For example, Facebook limit the age of people who use it to 13 years and over, but of course that is a very difficult thing for them to actually verify. The downside of doing a proper verification process would be that people would have to provide even more information. So that is one concern.

I have identified in the submission the gaps in privacy laws, with one of the greatest being small business exemption and also the fact that privacy laws do not apply to individuals acting in a private capacity. That gap was identified by the Australian Law Reform Commission, which recommended that it be filled by a statutory tort of privacy. The other thing I want to emphasise—and we emphasised this in our submission—is the need to support young people in protecting themselves but not just by relying on technical means and thus perhaps limiting or undermining what is in fact a positive experience in the use of technology and interacting online. I have mentioned in our submission that we have been focusing on young people. We have a youth advisory group of 15- to 25-year-olds who assist and advise us in relation to privacy and young people. It is certainly the case in my view that young people do value their privacy and are open to understanding and educating themselves about how they can make themselves safer online. I think we gave some examples of how young people have engaged in developing their own material to educate themselves and each other.

I would like to note one thing that has come up since we wrote our submission. Dr Bendall and I recently attended a meeting of Asia-Pacific privacy authorities, and one of our new members is the Federal Trade Commission for the US. They have undertaken a major review of their approach to privacy and how they regulate organisations in relation to privacy. They use focus groups, and they have come up with some ideas about a different approach to their work. It is called ‘Privacy by design’, and it has been around for quite a long time. This is where you require providers and organisations to build in privacy considerations at the start. There were some quite interesting models. The commission has done a report, which the committee might wish to look at. But I will hand over to Dr Bendall because he will be able to give you a little bit more information on that report.

CHAIR —Thank you, Ms Versey.

Dr Bendall —At the meeting we heard from a staff member from the Federal Trade Commission. Its report Protecting consumer privacy in an era of rapid change: a proposed framework for businesses and policymakers was released only last week. Although it is not focused on children and young people, it does deal with issues relating to children and young people. The Federal Trade Commission has a fairly long history of privacy protection using the consumer protection laws in the United States. At the moment it is focused on two existing models. Firstly, the notice-and-choice model—which is among the types of things that we discuss in our submission—is where you require people to give sufficient notice to allow users online to make choices. Secondly, the harm based model is where the focus is on the most harmful types of intrusions such as physical safety, economic security and unwanted intrusions. Although both models have worked to an extent, they have been criticised.

The notice-and-choice model has been criticised on the basis that it has led to long and incomprehensible privacy policies in legalese, which is not really notice at all. This is really about protecting the organisation involved from liability rather than about giving proper notice to users, particularly to young people. Adult lay people find it difficult to understand these policies, let alone young people. The harm based model has been criticised for ignoring some concerns, such as threats to reputation or the desire ‘not to be monitored’. It does not necessarily mean that your physical safety or your economic future is threatened; you just do not want to be monitored while you are going about your business. Rapidly changing technologies was another thing about which there is concern. There is need to look at the pace at which the technology is changing.

As the commissioner said, they engaged in a year-long series of roundtable discussions with stakeholders and received 116 submissions. They have come up with a draft framework for businesses and policy makers. There are three main components to the framework. Privacy by design builds in things like adequate notice and security measures. The basic privacy protections are there from the very beginning both in the online world and in those businesses that are offline—so controls on staff and access to information that is not online. Even online businesses still maintain some information with paper records and those sorts of things. A simpler more streamlined and timely system of notice and choices relates to such things as providing services and goods—online sales, basically—where you are collecting somebody’s name and address simply to send them something, you would not need to give them any notice at all about what you are going to use the information for, if all you are going to use it for is to provide the service or deliver the good. Depending on what you are going to use the information for, you give proper streamlined notice about that and have templates that allow people to use it rather than long legal documents. Notice should be given at the time that you are asking the person to make the decision so that the point at which they decide to provide the information would be the point at which the notice would be given rather than a generic document that they are meant to look at the first time they go online or every time they go online and which can be changed whenever a business likes—which is another practice that some online businesses engage in.

CHAIR —Yes.

Dr Bendall —One of the things that they propose as part of those choices is a do-not-track model, which is somewhat similar to the do-not-call model, which Australia has legislated on. In a sense, the do-not-track model is easier to do than the do-not-call model because in implementing the do-not-call model you have to maintain a register of phone numbers, which is in itself privacy invasive. With that model, you have to be put on a register somewhere, whereas the do-not-track model allows for a technical control to be placed on your browser. and I am not in the position to understand how that would work, but it simply means that you make a choice either to be completely not tracked for the purposes of the type of behavioural advertising that tracks where you go and watches what you look at or to have control of that. For instance, it may be that some of the places you go to are tracked and you might get some of the behavioural advertising. Some people would welcome that because they want to be told about the services and goods that they do want to get. It would seem to me that particularly for parents it would be an interesting choice to control that type of tracking for their children so that they are not exposed to the type of behavioural advertising that they might be concerned about online. It is an interesting model that they propose, and it has been put in their paper for discussion. They are engaging with the industry about how that could be better developed and implemented. It is the one in which we are particularly interested.

CHAIR —Yes. I am sure that there will be some questions about that.

CHAIR —Yes, I am sure there will be some questions about that. Mr Geary, thank you for getting here early today. Would you like to make an opening statement?

Mr Geary —I am sure you have heard submissions across the full spectrum of life but our submission and our concern is predominantly around those children who are in the much more marginal area of life. There are over 5,000 children in Victoria who live in what we call out-of-home care. That might be in kinship care or in foster care or the pointy end of kids who live in residential care. I am really keen to ensure that those children have access to this world and have safe access. I think if we get it right for them we get it right for the rest of the world, to be perfectly honest. It seems to me to be a balance: rather than insisting that parents impose strict rules on children, it is really a balance between what parents and children can come to grips with. I think parents learn off children and vice versa. But security for a child is probably a lot different from what security for an adult is. Security and particularly privacy for a child are different. For a child privacy is sometimes not letting your mum and dad know what you are doing online. Privacy and security for a parent is to ensure that their child is safe. So it is important that they learn off each other and work with each other in terms of coming up with safe but educative and world-opening experiences for their children.

CHAIR —Ms Scannell, would you like to add to that?

Ms Scannell —No, thank you.

Senator PRATT —On the ‘do not track’ potential proposal, I suppose there can be benefits from tracking as well in terms of research about, for example, young people’s risk-taking behaviour online or their help-seeking behaviour online. How do we get the balance right in terms of the use of that kind of information?

Dr Bendall —I am not sure the Federal Trade Commissioner goes into that in great detail. One of the other difficulties that they raise is that the behavioural advertising actually funds a lot of the free internet access, so that is also one of the difficulties that they have raised. I think what they are proposing is really a balanced approach again so that in a sense it may be that you do not completely limit the ability for people to be tracked and that you come up with some kind of hybrid model that allowed some type of tracking. But in a sense involuntary research we would not find all that ethical anyway in that if it involves recording of an IP address there are some views that that would allow the individual through some mechanisms to be identified. In fact, if you go to research into those sorts of mechanisms, the types of ethical processes that you go through to do other types of research should be followed, which it is not always online. So in a sense we would also be concerned about some of those practices as well. One of the collateral benefits might be to put limits on that.

Senator PRATT —You have said that young people do value their privacy, and I accept that. But there is I would think also a phenomenon that some people share everything online except with their parents. I am interested in the take on cyber-safety and the extent to which young people’s right to a private relationship with their GP is kind accepted, but do we legally navigate social interactions for young people which might be the equivalent of trying to pick up the telephone and monitor what you and I might have said to our friends.

Ms Versey —I think that is where education comes in, because one of the problems which has come out in some of our discussions with young people is that when they are interacting online they do not necessarily understand that they are not just having a conversation with the people they choose to have a conversation with but there is potential for others to access the information as well.

Senator PRATT —Adults.

Ms Versey —And adults. It is quite true about adults as well. Until Facebook improved things after the Canadian privacy commissioner had a go at them, I bet that most adults did not understand the privacy settings on Facebook either. It is about children understanding how it all works, and that is where we put quite an emphasis on education, so that they do understand that others might have access to that information.

Senator PRATT —It is not very easy to work out how it works. I found it difficult enough to work out the privacy settings on my Facebook account.

Mr Geary —It is important to develop a dynamic around a parent and a child or a carer and a child. The dynamic of the relationship must be: ‘We have our issues and we have our concerns, but, if you get into trouble, please come to me,’ rather than pushing a child into a corner to the extent that, if they do find themselves with any sort of an issue, they will not go to their parents. It is really important that good parenting becomes part of the real secret of this issue.

Senator PRATT —To what extent is a lack of privacy in some instances helping young people? A cry for help made online will be picked up and passed back to someone in terms of help-seeking behaviour, and young people have a propensity to reach out for help online as opposed to asking their parents. Sometimes the openness of the internet is a good thing as opposed to restricting too much discussion and dialogue.

Ms Scannell —There is some research about where children or young people go for information. There is a parent or a trusted carer and then there is online. There are those online benefits. There are organisations like the Inspire Foundation and their Reach Out website which offer a lot of support to children and young people around a whole range of things. Once a child or a young person has engaged their service, they try to work with them to take the next step and seek some one-to-one support, if that is what they need. There is a fair bit of research. The fact that it is anonymous and confidential for all sorts of reasons makes it a wonderful resource for children and young people. Regarding privacy, vulnerable kids and children in and out of home care have extra layers of complexity because there are restrictions on, for example, the publication of their photo and their life stories, for all sorts of reasons. The other issue for some of them is that, because of trauma and their past experiences, they may not have the same checks on protecting themselves in privacy as other kids do.

Senator PRATT —From a product point of view, is work being done with Apple, the iPhone and any number of ISPs to push greater privacy protections for people? It appears to me that more and more of this content is now being exchanged, not just on the internet but via specific apps. From that point of view, if you are making a mobile phone available to your child, there really should be some established processes that providers of this technology have—an obligation to make sure that the product is suitable for a child as opposed to an adult. What kind of work is emerging in that area?

Ms Versey —I think that is one area that the federal Trade Commission has been particularly looking at. Also one of the focuses internationally of privacy commissioners and data protection commissioners is forcing organisations themselves to have a look at what they are doing. For instance, I think Facebook now has had to modify its provision of apps, to have control over the applications collecting information when they are being used. So forcing the organisations themselves to control the collection of information is very much at the forefront of what data protection commissioners are looking at.

Senator PRATT —Can I give you a hypothetical: say I have an iPhone here; as someone who is over 18, I can purchase whatever apps I want. If I were to make an iPhone available to my child, in order to download applications they would need access to a credit card. But if a parent makes a credit card number available to their child or their child somehow acquires that, then surely the phone plan that they have made available to them, the phone plan itself, should be blocking those applications—as opposed to just depending on the parent’s good management of their child and that phone, which you would hope would be up to scratch. Are those kinds of dialogues happening in terms of the kinds of products that are on the market?

Dr Bendall —My understanding is somewhat limited about this, but I think that, certainly in the case of Apple and the applications for iPhones, there is a dialogue between Apple and the authorities about doing that and having a kind of granular or segmented way of marketing the apps where you can block off particular types of apps. They also have a particularly strong rule about the content of all their apps so that certain types of content cannot be put on any app on an iPhone. So, for instance, you cannot have pornography on any of the applications on an iPhone. So they are one corporation that are actually quite open to dialogue about putting on those types of controls.

Senator PRATT —But you could get into an adult chat site very easily just by saying, ‘Yes, I am over 18,’ even though you are not.

Dr Bendall —That is true.

CHAIR —Before we move to Senator Ludlam, I would just like to ask: how do you deal with a situation where you have got young people getting on the internet where there might be all of the privacy information but generally they just click okay, okay, okay—they do not read; they just click okay, okay, okay, and away they go. How do we address that issue? We are talking about one group—children whose parents might sit with them and go through it all, and who start at a relatively young age and so have learnt that and understand—but there are others who just want to get to where they are going as fast as they can who will just click okay, and maybe even put in whatever information is required without any thought.

Ms Versey —I think that is really what our whole submission is addressing and what, internationally, privacy commissioners and data protection commissioners are looking at: making the organisations more responsible in terms of, I suppose, giving more notice, and also controlling, and not forcing children, or anyone really, to give over lots of information. That goes back to the amount of information you have to give to get access. So really those are the basic rules around data protection: only collecting what is necessary to be able to provide the service, not forcing people to provide more information than is needed to access a particular service, and putting controls on what other organisations get access to that service.

CHAIR —In many ways, though, you are faced with a situation that is a bit of a catch-22. On the one hand we are saying that we want them to provide information so they can verify who you are and that you are supposed to be on that particular website. On the other hand we are saying, for our own children, that we do not want them to provide that much information. We do not want them to provide their date of birth and name and even the school they attend and everything else, because we want their privacy protected—for the very reason that there may be people out there who are undesirable people with whom to start up a conversation.

Ms Versey —I do not think that there is an easy answer. Frankly, I do not think we are ever going to find an answer that will protect every child all of the time. I just think that is why you have to have a multifaceted approach. I do not necessarily mean that that is down the road of such strict censorship that nobody benefits because you just destroy the benefits of being able to go online. It has to be education. It has to be parental or, if it is the state, state education. We need to find ways to educate children not to just click okay but to think about it. Plus we have to put responsibility back on the organisations that are providing these services.

I agree with you in terms of verifying children’s age. It is very difficult to do that without actually collecting a lot more information. That is why you have to think of other ways of doing it and do it by a multifaceted approach. There has always been danger to children and you have always had to work out how you allow them to take some risks and not cushion them so much that they do not learn and at the same time find ways of educating them so that they understand and can protect themselves.

Dr Bendall —One of the interesting things is the verification of the information. Often a whole lot of information is collected by websites, but there is no mechanism for them to verify that that information is true. When you give your date of birth, they do not have access to birth records to check that you are actually that person, so you could quite easily give a false date of birth anyway. So in a sense the nexus between collecting necessary information is missing in that as well. It is very difficult when setting up websites for children and young people to verify that someone is under a certain age. That is very difficult because most of our systems are designed the other way around in a sense—to verify that you are over 18. Keeping predatory people out of sites you have set up that are meant to be a safe environment for young people is a problem. I do not think there is a very easy answer to that.

CHAIR —So the child just registering could be a lesson in itself for them.

Dr Bendall —That is true.

Ms Versey —At the same meeting we attended that we have just mentioned there was a representative from Facebook addressing the privacy commissioners. Although he was marketing a little bit of Facebook and trying to smooth over the concerns of privacy commissioners, he was asked: ‘You say that children under 13 cannot use Facebook, but how on earth do you verify that?’ He said they actually have quite intricate mechanisms for looking at the information which the child is providing, such as the sort of language they use. They often give themselves away when they get on Facebook and start posting things because their language skills are so basic, for example, that they clearly are not 13 years old. Some people actually notify Facebook if they realise that there is a child under 13 clearly using Facebook.

Dr Bendall —Although this in itself is a bit of a concern for privacy people, they are kind of monitoring the community. People who are genuine friends of someone do realise that the child should not be on there. There is some kind of self-monitoring in a sense happening in these online communities in the same way that that happens in real world communities.

Mr Geary —I do not think we will ever get the solutions from people who are selling us a product. I think the gambling industry is a pretty good example of that. I will give you an example. Some years ago we talked to 140 children who are at the pointy end of kids in the state when we were trying to develop a charter of rights for those children. We asked them what they needed the most. The first thing they said was to be safe and to feel safe, to be provided with information and to tell someone if they are happy. It behoves adults, parents and carers to ensure that they are okay.

You talk about them clicking okay, but that is not happening while a parent is looking over their shoulder obviously. We have taught parents to ensure that seatbelts are buckled. Surely we need to embark upon stronger advocacy around teaching parents that they need to be with their children in online situations.

CHAIR —Have you ever seen how quickly your child will flick from homework to a website and then back again?

Mr Geary —I have. The worst decision I ever made as a parent was probably 40 years ago, before this was an issue, when I looked at my daughter’s diary. It was probably the worst thing I ever did as a parent.

CHAIR —And she found out.

Mr Geary —Yes, she found out—but that is not the point. She is 42 now and we still talk about it. The fact of the matter is that we need to be developing a dynamic. Even though a child might flick over because they do not want you to know what they are saying to their very best friend, children need to know that if they are in danger, if there is something risky or if they are not sure of something they can talk to their parent or their carer about it—or to another adult.

CHAIR —Thank you. I went to check that we have Senator Ludlam on the line.

Senator LUDLAM —I am here, but I am happy to just keep listening in because most of my questions have been asked.

CHAIR —Senator Ludlam, I could feel that there were questions that you had coming through. I thought you would be chomping at the bit!

Senator LUDLAM —No, but you folk are already asking such great questions. I might have missed a bit of the opening statement. I wanted to check the reference provided for the ‘do not track’ button on all browsers, which I think there has been a bit of press about in the last couple of days. Did you provide a reference to the committee, or could you do so?

CHAIR —That was Dr Bendall, I believe.

Dr Bendall —The Federal Trade Commission in the US produced a report which has been published in the last week called Protecting consumer privacy in an era of rapid change: a proposed framework for businesses and policymakers, which I think is downloadable from the Federal Trade Commission’s website.

Senator LUDLAM —Is there anything that you are aware of that would prevent us from enacting a similar provision, and what would it actually require? We are asking, presumably, the authors of the popular web browsers to make it mandatory to have some kind of switch.

Dr Bendall —Yes, to have that available. I think the proposal from the Federal Trade Commission is that some kind of enforcement mechanism needs to be available as well. So they propose either that there be some kind of regulator you can make complaints to or that there be very robust self-regulation. We are a bit sceptical about that proposal for robust self-regulation, because that has been proposed in the United States over and over again and it really has not emerged. There is not particularly robust self-regulation of the internet industry at all in the United States, which is a particular problem because so many of the internet and social media sites that are available everywhere else are based in the United States. Until there is some kind of legal reform in the United States, the other jurisdictions in a sense struggle to enforce laws that are passed here. I think that is a problem.

It seems to me that there is growing traction, though, for some kind of law reform in the United States. There seems to be a dialogue coming from both sides of the aisle in the new congress in the United States because there is such concern about the internet and both the threat to privacy and just general threats to the American populace. There have been bills before the congress before which have not succeeded, but I think there is some evidence that there is now an impetus for them to enact some kind of law, whether it is the Federal Trade Commission’s model or something else, to protect Americans and, by doing that, indirectly everyone else.

Senator LUDLAM —We are protected by the American Bill of Rights even though we do not have one ourselves! Maybe I will chase that paper. Thank you for raising it, because it is something that I want to put on the agenda for the committee as well. It seems to me that it is something very practical that remains locked in. If the marketers are genuine in their belief that these rather obtrusive tracking devices are all for our benefit, then they will not mind if we are given the ability to switch them off. So I think it is really quite a useful initiative, and thanks for raising it.

Mr PERRETT —My question is a little bit off what we have been discussing, but in your opening comments you stated that the 5,000 children you have dealt with particularly came from—

Mr Geary —Out of home care.

Mr PERRETT —out of home care.

Mr Geary —They are children who for whatever reason cannot live with their families, with their parents.

Mr PERRETT —I was wondering if they were more likely to be in a situation where they are doing something inappropriate with someone else underage.

Mr Geary —Those children who experience out of home care are more vulnerable to abuse than children in the broader world, and so the issues are exacerbated. Their issues in the real world are just as exacerbated as those in the digital world, so their quest for concerned adults and people to talk to about the issues that they face, whether in the digital world or elsewhere, is much trickier because they do not necessarily have people on hand.

CHAIR —In the conclusion of the privacy commission’s submission, you said:

… educating young people of the implications of releasing their personal information is the best method to achieving a safer online environment.

When we talk about educating, are we talking about the school environment? What happens if we have 15- and 16-year-olds who are not at school? How do we manage to get to those people as well?

Ms Versey —It would not just be in the school environment. Obviously we need to educate parents and carers as well. So no, it cannot just be left to schools. Education must come from parents, from caregivers, from such organisations as our office. We try to target young people with education, which we do through our youth advisory group, who we are using to develop materials specifically for young people. We give an example in our submission where a lady called Robyn Treyvaud, who was a speaker at our conference, worked with young people in Bendigo to teach them about the dangers of sexting. The young people wrote and put together a video. It was a very powerful video which she showed at our conference. That was developed by the young people themselves and it also brought the message home to them as they did it. We had a lot of young people at our conference because we targeted schools to get the young people themselves along, and it was interesting to see the impact that that short video had on them. A lot of them had not thought through the issues at all for themselves. So I think we all have a responsibility to educate young people to protect themselves.

Mr Geary —And their parents and families—I agree. And we must not be looking at the cyberworld as the enemy.

Ms Versey —No.

CHAIR —No, and that has come across clearly throughout the roundtables that we have held already. Having a background in both education and media, it is interesting to hear where a lot of the comments are coming from. A lot of responsibility seems to be being put back to schools. Even in educating parents, it is about getting parents to the school so that they can inform them, have the forums or whatever so that they are in a position to have the information for their children to support them. Having been a teacher, I know that the parents that turn up are often the parents that you think—

Mr Geary —Preaching to the choir.

CHAIR —That is right. I expected you to be here. How do we get the message across to those parents? How is information given to the parents who are not going to turn up at the school forum on cybersafety for whatever reason? Because they do not have the time in their lives to attend it or they do not have an interest in that particular area or whatever. How do we do that?

Mr Geary —As I said before, I do not want to sound simplistic but children need to be supporting adults in this dynamic as well as adults supporting children. Very often it is the children who can work with the adults and say, ‘Listen, this is not as big a deal as you think it is. We get a lot of fun. We enjoy this. We’re educated by it.’ They can bring the adults into their world, and the adults are being prepared to come to that world without freaking out. That sounds utopian, I know. We can have all the regulations in the world but if people are not user-friendly, we will not get anywhere.

CHAIR —Ms Rishworth, do you have any questions?

Ms RISHWORTH —I only just came on at the end of that but I was quite interested in what you were saying that children have a role to play in educating the parents. How do you suggest you get parents and children to sit down together to discuss this and whether the information is coming from the parents or from the children to the parents? A lot of kids have the attitude: ‘Mum and Dad just don’t get this. They don’t understand Facebook or they don’t understand this.’ How would you facilitate that conversation?

Mr Geary —I think it is a dynamic. I have five children and nine grandchildren. I learn a lot from them, and it has to do with the creation of a dynamic where it is two-way. I do not think it is a process whereby you say, ‘Okay Mum, let’s sit down. We’re going to do this tonight.’ I think it is a dynamic of cooperation and preparedness from an adult to learn what is going on in that child’s life. Does that sound too utopian?

Ms RISHWORTH —It sounds lovely. I think it is an interesting point as I think a lot of adults almost do not want to delve into it because they do not feel they understand it. Parents are showing children how to do things all the time.

Ms Scannell —I think it is about two things: first, encouraging parents to feel confident in their parenting skills. It is often not the technology that is the source of the problem. Even if you do not understand the technology you might have something to say about the solution. The second issue is: trying to find ways, particularly for parents who do not use technology much themselves, to give them positive experiences of technology; giving them the opportunity to learn and develop skills not just to keep their children safe but from the benefits that might come the more they enjoy and use the technology themselves. It is not just coming up to the school to learn about cybersafety; it is having an opportunity to develop your own technical skills or whatever it is to make the technology something that you want to engage in. That then opens pathways to have more conversations with your children about it all.

Mr Geary —I would agree with you there, Senator. It should not be an issue that is left to teachers.

CHAIR —There are no further questions. Finally, I will just read a little from the submission of the Office of the Victorian Privacy Commissioner. You say:

The Canadian Privacy Commissioner initiated investigations into Facebook’s handling of personal information, finding Facebook had “serious privacy gaps”, which resulted in Facebook changing its privacy settings so that users have more control over their personal information.

We also had a roundtable at which a Facebook representative was present. It was very interesting. The submission further states:

Such examples demonstrate the collaborative response that is required to fully address data protection concerns.

Are there areas still out there that you think could be addressed and, if so, are you prepared to speak about some of those?

Ms Versey —I think we have already addressed the gaps in privacy laws that exist in Australia, one of which is that they do not cover individual behaviour in a private capacity. The other is that, in the private sector, we still have the small business exemption for businesses with an annual turnover of $3 million or less, so there is a large proportion of the private sector which is not subject to privacy laws at all. The Canadian Privacy Commissioner was able to investigate and find gaps in Facebook’s handling of personal information. The investigation focused on the privacy settings and the fact that, with the default privacy setting, there was no privacy for people going on to Facebook. Privacy notices and the way that you protected your privacy were so complex and difficult to understand that most people didn’t.

CHAIR —Was it not the case that they could also be changed at any time?

Ms Versey —Yes. That was a way in which our privacy law was used to enable us to go to a big organisation such as Facebook, and say, ‘You have got to improve things so that people can better protect themselves.’ I suppose I am advocating, which is not surprising, that privacy laws can be used in this space. But currently in Australia there are large gaps in privacy laws where people and organisations are not regulated. I think that needs to be looked at.

CHAIR —Just before we finish, is there anything that you would like to say that has not been covered? Is there any particular area that you would like to touch on where you have not had questions directed to you? Do you have any closing statements?

Mr Geary —Thank you for letting us appear.

Ms Versey —Thank you for letting us appear. I do not have anything to add.

CHAIR —Thank you for appearing today. Some committee members may still have questions and, if they do, the secretariat will contact you with regard to those. Thank you for making the time. I understand that you made a big effort to change those times. We really appreciate that.

Committee adjourned at 4.08 pm