Lessons to be learned from Freelancer.com about Privacy

The way that companies deal with personal information is increasingly scrutinised, as individuals become more wary about to whom they give their information and how that information is used. On the 18th of December last year the Acting Australian Information Commissioner, Timothy Pilgrim, ordered that the prominent Australian start-up Freelancer.com pay $20,000 for violating a former user’s privacy. The bulk of the complaints (all but two of which were dismissed) were about the collection and use of IP address information by Freelancer.com. However, the decision also stands as an important lesson for businesses about what not to do when managing a privacy-related complaint.

Collection of IP address information

Among the complainant’s allegations was that Freelancer.com had unnecessarily and unfairly collected his IP address information in breach of the Privacy Act 1988 (Cth) (Privacy Act).

The Commissioner decided that Freelancer.com did not breach the Privacy Act by collecting the complainant’s IP address information, because such collection was ‘clearly appropriate and relevant to the functions or activities of the organisation.’ In this case, the complainant’s IP address was used to link him with a dummy account he had fraudulently started on Freelancer.com.

The Commissioner agreed with Freelancer.com that users would generally expect that their IP address information would be collected, and that such collection was not unnecessary or unfair under the Privacy Act.

However, the problem for Freelancer was that neither its User Agreement nor Privacy Policy explicitly stated that a user’s IP address information would be used by Freelancer.com for the purpose of risk management, cyber security and protection against fraud. The Commissioner found that this constituted a breach of the Privacy Act.

The takeaway message is that Privacy Policies must be comprehensive, and explicitly state which information will be used and for what purposes.

What not to do if someone makes a privacy complaint

What’s staggering about this case is the all too public social media stoush between Freelancer.com and the complainant, which followed the initial privacy complaint.

The complainant, under a pseudonym, wrote a scathing blog post about Freelancer.com, which was subsequently posted on a third party blog site. He also posted on Freelancer.com’s Wikipedia page. Freelancer.com hit back, posting comments on the blog posts, and also on the Wikipedia revisions history page – however, in doing so, it revealed the complainant’s real name, despite the fact that he had used pseudonyms on both sites.

The Commissioner found that this was clearly a misuse of the complainant’s personal information in breach of the Privacy Act, stating that Freelancer.com had demonstrated a “reckless indifference to the privacy rights of the complainant.” For this, he awarded $5,000 in aggravated damages, and ordered Freelancer.com to formally apologise to the complainant.

Freelancer.com has stated that they intend to appeal this decision.

The decision demonstrates how important it is for businesses to treat all privacy complaints seriously. By having appropriate privacy complaints procedures in place, businesses are more likely to resolve complaints efficiently, without ending up in the middle of a public relations disaster.

Sainty Law can assist you to review your existing policies, or put new policies in place to ensure that privacy complaints are managed quickly and effectively.

See the full decision here.