Australia and UK join forces to fight unwanted calls and messages
That was the headline offered by the Australian Communications and Media Authority (ACMA) after they recently signed what they described as a ‘strategic’ Memorandum of Understanding (MoU) with the UK Information Commissioner’s Office (ICO). This latest MoU extends a web of bilateral international agreements about nuisance calls and messages, but each new agreement serves as a reminder that no tangible benefits have yet been claimed for any of the previous agreements. This latest deal also illustrates why consumers should be skeptical about regulators engaging in international travel without seemingly committing to delivering any measurable reduction in spam. Here are three simple questions that illustrate how little regulators have explained about the plethora of MoUs surrounding nuisance communications.
If this agreement is strategic, then where is the strategy?
The Australian Communications and Media Authority (ACMA) and the UK Information Commissioner’s Office (ICO) signed a strategic Memorandum of Understanding (MOU) in London this week that will see them share intelligence, assist each other in appropriate investigations and coordinate enforcement against cross-border entities.
The word ‘strategic’ also appears up in the wording of the MoU, but a strategy is a plan of action. Nothing in the MoU resembles a plan, even in the vaguest sense. And the actions listed in the document are feeble:
…the Participants may jointly identify one or more areas or initiatives for cooperation, including:
(a) sharing of experiences and exchange of best practices on unsolicited communications compliance and enforcement, education, and training programmes;
Sharing information is not action.
(b) implementation of joint research projects;
Research is not action.
(c) exchange of information (excluding personal data) involving potential or on-going investigations of organisations in the respective jurisdictions in relation to a contravention of applicable laws;
Sharing of information is still not action.
(d) explore the feasibility of staff exchanges;
Foreign travel is not action.
(e) joint investigations into cross border Covered Violations involving organisations in both jurisdictions (excluding sharing of personal data);
An investigation might involve action; when will the first investigation begin?
(f) participate in regular teleconferences to discuss ongoing and future opportunities for cooperation; and
Sharing information over a phone call is still not action.
(g) any other areas of cooperation as mutually decided by the Participants.
Nobody needs a written agreement to agree that other things may later be agreed.
Why is one country’s privacy regulator signing an agreement with another country’s comms regulator?
The UK has a communications regulator; it is called Ofcom and its Australian counterpart is the ACMA. Australia has a privacy regulator; it is called The Office of the Australian Information Commissioner and its British counterpart is ICO. If the two countries are going to help each other by sharing information, then why have two out of these four regulators just signed an agreement without involving the other two?
Ofcom has announced so many consultations and plans about nuisance calls that foreign experts claim to know what Ofcom will do in 2025, despite the British regulator supposedly needing to engage in a conversation with the British public before new regulations are imposed. Somehow, ICO is going to tell the ACMA about progress being made in the UK, even though most of that progress will be made by Ofcom.
Meanwhile, the ACMA has reportedly made huge progress in reducing scams, especially when the scam calls originate outside of Australia. I struggle to see how this will interest Britain’s ICO, which has never shown any appetite for prosecuting foreign businesses that break UK laws, and will play no useful role in deciding if calls and messages should be preemptively blocked.
No sharing of personal data
You may recall that half of the ‘action’ described in this MoU involves sharing information. But none of it will involve personal information.
NO SHARING OF PERSONAL DATA
6.1 The Participants do not intend that this MoU will cover any sharing of personal data by the Participants.
You may recall that the most action-y of the actions was the maybe-kinda-promise to run joint investigations into people and businesses that break laws. But as noted above, and confirmed again below, such investigations had better not involve investigating any person, because information about people is the kind of thing that has been super-excluded from this comprehensive joint strategy. If the two regulators were ever going to investigate somebody in such a way that they might actually help each other to punish someone then they would likely need a new agreement to share information about that person.
6.2 If the Participants wish to share personal data, for example in relation to any cross border joint investigations involving organisations in both jurisdictions, each Participant will consider compliance with its own applicable data protection laws, which may require the Participants to enter into a written agreement or further arrangements governing the sharing of such personal data.
Summary
The new plan of action opens the door to more:
- gossiping between regulators;
- international travel for regulators; and
- commissioning of research showing how important these regulators are.
The new plan of action cannot promise:
- any of the information shared between the regulators will be used to reduce crime or punish criminals.
So how would you rate this strategy?
