More like this

Business

Arrow

Law

Freelancer.com fined for 'reckless indifference to privacy rights'

Vows appeal after collecting IP addresses and listing user's personal details on blog

Freelancer.com is “exercising our rights to appeal” a finding by the Office of the Australian Information Commissioner (OAIC) that it displayed “reckless indifference to the privacy rights of the complainant.”

The OAIC decision (PDF) on the matter awarded the complainant AUD$15,000 in general damages and a further AUD$5,000 in aggravated damages “for the additional hurt to the complainant caused by the manner in which the interference with his privacy was committed.” The latter award is unusual in privacy matters.

The complainant's case had two strands, the first of which related to the collection of his IP address. That part of the case is quite simple: Freelancer.com argued that it collects IP addresses because it needs to for the site's operation, but also for risk management and fraud protection. But the site's legalese at the time the dispute commenced mentioned only that it collected IP addresses to help it improve the site. Absent specific wording about fraud and risk management, the complainant's assertion that Australia's national privacy principles (NPPs) breached was upheld.

The argument about IP address protection for fraud protection came about because the complainant and Freelancer.com were in dispute about the use of anonymous accounts. The complainant took to blogging about the case, criticising Freelancer.com freely on his own blog, the company's Facebook site and Wikipedia.

Much of the criticism concerned Freelancer.com's IP address collection, which the complainant had explained to Freelancer.com. The site's staff knew about the complaint and the complainant's concerns.

Action on the Wikipedia site became heated and it was there that Freelancer.com staffers revealed some of the complainant's personal details in discussions about the reasons for edits to its page and that of CEO and founder Matt Barrie. A staffer also posted to a third-party blog with the following text:

Yes [complainant’s pseudonym] aka [pseudonym] aka [pseudonym] aka [real name – first name and surname initial]. We are well aware of your grievances and your racist comments on your [blog site name] blog. You are well aware of the reasons your particular account was closed.

Commissioner Pilgrim found that the disclosure of the complainant's details on Wikipedia and the third-party blog breached the NPPs and that, given Freelancer.com knew of the complainant's concerns about its privacy practices, the company should have done better.

Pilgrim's decision therefore contains the following stinging paragraphs:

Freelancer’s conduct in improperly disclosing the complainant’s personal information was in my view aggravated by its apparent lack of disregard for the complainant’s privacy and its own privacy obligations. Freelancer continued to publish the complainant’s information online despite being made aware by the complainant that such action breached privacy legislation and was contrary to Freelancer’s own privacy policy.

From the complainant’s own evidence, it is clear that the manner in which Freelancer conducted itself highlighted Freelancer’s apparent contempt of, or at best, indifference to, the complainant’s complaints about its interference with his privacy. I am of the view that this conduct could be described as malicious, oppressive and/or high-handed ...”

Freelancer.com's deputy chief financial officer Christopher Koch told The Register the company “... disagrees with the outcome of this determination and in particular some of the facts that have been accepted as part of it. We are in the process of exercising our rights to appeal. As this matter is currently before the courts it would not be appropriate to comment further at this time.”

Pilgrim also ordered Freelancer.com to train its staff in its new privacy policies, which his decision notes have been updated and are now rather more impressive and comprehensive than they were at the time the dispute commenced, in 2012. ®

Sponsored: 2016 Cyberthreat defense report