Location-based services (LBS) regulatory framework in Australia

Abstract

Location-based services (LBS) are defined as those applications that combine the location of a mobile device associated with a given entity (individual or object) together with contextual information to offer a value-added service. LBS solutions are being deployed globally, and in some markets like Australia, without appropriate regulatory provisions in place. Recent debates in Australia have addressed the need to bridge the gap between technological developments and legal/regulatory provisions. This requires an assessment of the regulatory environment within a given social context such as Australia. The core components of such an investigation include: (a) composing a conceptual framework for analysing regulation of technologies such as LBS, one that is sensitive to public policy themes and challenges, and (b) applying this conceptual framework to the Australian setting in order to sketch and define the components of the present framework, and identify areas for improvement through a process of validation. This paper addresses these aims, demonstrating how the current regulatory framework in Australia is bound by legislation with respect to privacy, telecommunications, surveillance, and national security (that is, anti-terrorism), in addition to a set of industry guidelines for location-service providers (LSPs). The existing Australian framework, however, is lacking in its coverage and treatment of LBS and location data, and does not adequately address the themes and challenges in the defined conceptual framework.

1. Introduction

Measuring the need for LBS regulation and engaging in related dialogue requires an informed understanding of regulation and public policy in general, and of existing LBS regulatory practices and frameworks. One approach is to consider regulation in the context of government and governance (Braithwaite et al., 2007, p. 3):

Governments and governance are about providing, distributing, and regulating. Regulation can be conceived as that large subset of governance that is about steering the flow of events and behaviour, as opposed to providing and distributing.

That is, regulation is concerned with “the effects of actions, not on the actions or the means of the actions themselves” (Koops, 2006, p. 6). Various theories and approaches to regulation exist. According to the Australian Law Reform Commission (ALRC), regulatory theory (in relation to information privacy) may include principles-based and compliance- or outcomes-oriented methods (ALRC, 2008, pp. 234–40).

Public policy, on the other hand, can take on various definitions and may involve ambiguity (Bridgman and Davis, 2004, p. 3). In simple terms, public policy is “about what governments do, why, and with what consequences” (Fenna, 1998, p. 3). However, there are a variety of interpretations of the term, as summarised by Maddison and Denniss (2009, pp. 3–4) based on the work of numerous authors in the public policy sphere. Importantly, the authors state that regardless of interpretation, public policy can be viewed in one of two ways: either as “the result of authoritative choice” in which government ministers play a dominant role in decision-making, or as “the result of structured interaction” involving cooperation between players and appreciation of conflicting interests (Maddison and Denniss, 2009, p. 4). That is, regulation is a set of rules designed to govern the operation and intervention of stakeholders. This operation is often in a market setting and thus lends itself to economic analysis (Stigler, 1971). Stigler's work recognised the strong interactions of the regulated with a regulator in the implementation of regulation and its enforcement. This paper similarly argues that regulation and public policy-making processes in the technology realm rely on a process of collaboration and consultation amongst industry stakeholders. With respect to regulatory choices regarding LBS, interaction between government and industry stakeholders is necessary given that the delivery of a given solution is reliant on the involvement of a range of stakeholders such as wireless network operators and handset vendors.

For the purpose of this paper, it should be noted that regulation and public policy-related processes are complex practices that vary from one context to the next and evolve as new debates emerge whereby existing processes and regulatory mechanisms must be reassessed. This interaction is made more complex in the Australian Federal environment where the constitution determines that some aspects of LBS are legislated at a national level and some at a state level. This necessitates an appraisal of current State and Federal legislation relevant to LBS in a manner that allows the regulatory framework and existing measures to be drawn, subsequently allowing the outcomes to be employed as the basis for future work. As such, this paper aims to develop a conceptual framework detailing how to examine LBS regulation, subsequently applying the framework to the Australian case. The outcome will be a sketch of the current LBS regulatory environment in Australia and the subsequent validation of the existing regime. An aspect of Australian law that assists this inquiry is the common approach taken by the States to their legislation. This common basis with a focus on Federal law means that this paper can provide a preliminary sketch of the existing national framework.

Current literature and studies relating to the LBS regulatory environment note that suitable regulatory frameworks are essential to industry development, from the perspective of safeguarding the interests of multiple stakeholders, notably, providers and users, in addition to government entities and society as a whole. Such frameworks should ideally address the ethical dilemmas and social implications of LBS, whilst also being sensitive to the regulatory and public policy challenges associated with emerging technologies in general. Furthermore, and in light of the divergent uses of LBS, Dobson and Fischer (2003, p. 51) call for protective mechanisms that enable the “legitimate uses”, while preventing undesirable exploitation. Similarly, Smith (2006, p. 725) acknowledges the potential benefits, whilst also suggesting further legislation to safeguard personal location information. The significance of adequate regulatory provisions is two-fold. First, regulation encourages fairness and consistent rules for providers. Second, regulation functions to safeguard individuals thereby increasing their support and trust in LBS (Cuijpers and Koops, 2008, p. 881; FIDIS, 2007, p. 10).

Regardless of the potential benefits of LBS, authors such as Clarke and Wigan (2011)indicate that LBS “have far outstripped both public awareness and legal and policy attention”, a situation they claim is exceedingly risky. The consequences of lack of regulation, specifically of tracking services and control over location histories by government, organisations and interested individuals, are great in terms of privacy in particular (Barreras and Mathur, 2007, p. 177). Cho (2005) claims that while concerned individuals are advocating regulation (p. 209) others are advancing the self-regulation movement (p. 253). Determining the most suitable response is indeed a challenge, one that requires the current regulatory environment and/or framework to be mapped out. However, it has been suggested that a single approach to regulation, such as legislation or self-regulation for instance, will fail to suffice. Xu et al. (2009, p. 163) agree that a single approach to regulating privacy in particular will not account for the interests of the diverse stakeholders comprising the LBS industry. Herbert (2006, p. 437), on the other hand, recommends an elementary reassessment of the manner in which emerging technologies, such as human tracking technologies, affect privacy as the basis for initiating a suitable legal response. In fact, the same sentiments apply for any regulatory issue associated with LBS. That is, a fundamental re-evaluation of the implications of LBS, in conjunction with an understanding of the regulatory and public policy challenges that apply, is indispensable.

The following section offers an overview of the significant themes and challenges pertaining to LBS regulation thereby providing a conceptual framework for examining LBS regulation; Section 3 introduces the Australian framework by applying the conceptual framework drawn from Section 2; Section 4 summarises and validates the main components in the Australian framework, noting areas for future research and Section 5provides the concluding remarks for this paper.

2. Conceptual framework for analysing LBS regulation

It is essential that a conceptual framework for LBS regulation be built on a preliminary understanding of the regulatory and public policy challenges associated with emerging technologies such as LBS. It has been noted that regulatory challenges in the LBS domain stem from the mounting gap between technology deployment and the employment of appropriate safeguards, legal or otherwise, to govern various aspects of LBS. For instance, in relation to modern surveillance technologies, Marx (1999, p. 63)observes the increasing gap between technological potential and present measures designed to offer protection. This gap has long been attributed to a lack of response in social and political spheres (Clarke, 2001, p. 13). Relevant scholarship is generally focussed on the inability for law to reflect technological change, a perspective that Moses (2011, p. 787) feels requires adjustment, given the mutually shaping characteristics of law and technology and the belief that “[t]he law should not race ahead by anticipating technological trajectories that may never come to pass. Rather, a useful goal should be to have mechanisms in place to ensure that law is designed around the socio-technical landscape of the present or, more realistically, the recent past.”

Aside from the interaction between technology and law, the study of regulation according to Svantesson (2011, pp. 243–245), often introduces researchers to a persistent set of themes which are centred on the claims that: (a) technological development will inevitably out-pace law-making processes, (b) legal professionals possess inadequate knowledge of technology, (c) globalisation and internationalisation necessitate consideration of multiple jurisdictions, and (d) the growth potential of technology has not been realised in domains such as e-commerce. While originally recommended for the internet regulation context, Svantesson's work is utilised as the basis for this framework in that it offers a clear summary of the themes relevant to all technological domains including LBS. Importantly, Svantesson's work posits that a successful regulatory framework must be sensitive to numerous challenges specific to the regulation of emerging technologies. However, that sensitivity does not mean that regulation has to be technologically determinative. A well-designed principles-based regulatory regime can address each of these four issues.

Fig. 1 provides a summary of these challenges, which have been derived from the secondary literature sources cited in this paper, in addition to a summary of Svantesson's primary themes which directly impact on the challenges. The distinct challenges are discussed below which when combined form a conceptual framework upon which the existing Australian framework and regimes in other contexts can be validated.

Fig. 1. Conceptual framework for examining LBS regulation and the associated regulatory themes impacting on the framework.

2.1. The Australian policy and regulatory context

Regulation refers to the set of rules which apply to a specific environment. These rules might be prescriptive and enforced rigidly, or they may be set by agreement between the entities being regulated. A regulatory environment can be likened to the rules for playing a game. In a regulated industry, there may be legislation, subordinate legislation made under specific laws (confusingly, often called regulations) and a set of conventions, adopted by stakeholders, which form part of the rules. In the Australian context, the rules can be changed by: changing the legislation; changing the subordinate legislation; by ministerial determination; by regulator action; or by stakeholders changing self-regulatory or co-regulatory codes.

Any changes are complicated by the Australian convention of amending legislation much more regularly than repealing and replacing it. By convention, amending legislation is named differently to the amended act. For legislation introduced since about 1990, the intention of legislation is set out in a section of the law entitled “Objects of the Act”. This section is intended to set out the principles behind the legislative framework. In the Australian context, these principles are generally designed to be general and not technology-specific. However, subordinate legislation may be technologically determinative, even if the primary legislation is not.

2.2. Technology-specific versus technology-neutral

A primary regulatory challenge exists in determining the suitability of technology-specific versus technology-neutral legislation. A popular belief in selected literature and in the government domain is the need for inclusive legislation that is broad enough to apply to present and future technologies, ensuring that laws remain up-to-date. This is the basic premise underlying the technology-neutral approach to legislation which “appears to have three main aims: future proofing, online and offline equivalence, and encouraging the development and uptake of the regulated technology” (Reed, 2007, p. 275). This approach is often incorrectly perceived in a positive sense, disregarding the fact that “technology-neutral language” does not necessarily account for the dynamic nature of technological change (Moses, 2007, p. 270). It has been argued by Koops (2006, pp. 5–6)that the phrase technology-neutral can imply different meanings and be examined from regulatory, technological and legislative perspectives (p. 26). For a comprehensive treatment of the concept and the varying interpretations and perspectives, refer to Koops (2006) and Reed (2007). According to Australia's Privacy Commissioner with reference to the Commonwealth Privacy Act 1988, technology-neutral legislation refers to the regulation of “information handling without referring to specific technologies”, granting flexibility and ensuring relevance as new technologies emerge (Pilgrim, 2010, p. 23).

It has been argued that parliaments “are using the spurring notion of ‘technology-neutral’ legislation as one excuse for inaction” (Clarke, 2003), resulting in a situation in which “[n]ew powers are granted through technological ambiguity rather than clear debate” (Escudero-Pascual and Hosein, 2004, p. 82). However, Pilgrim (2010, p. 24) contends that adopting this approach does not necessarily mean overlooking developments in technology. Other authors also insist that “legal regulation should define principles, functions and requirements, drawn from the experience (or anticipation) of using specific technologies, rather than provisions regulating the specific technologies themselves” (Székely et al., 2011, p. 183). Yet, Reed (2007, pp. 279–280) and Moses (2007, pp. 270–274) are sceptical of whether such legislation can be achieved in the drafting process as language that accounts for technology-neutrality is difficult to adequately reflect the nature of technological evolution. Even if accomplished, Hosein (2001, p. 29) claims that the approach is deceitful as it may disregard critical factors unique to certain technologies.

An alternative approach calls for technology-specific legislation, which is not without its drawbacks. Several researchers maintain that seeking technology-specificity will produce issues relating to the future applicability of legislation in that technological progress may render the law ineffectual and redundant (Koops, 2006, p. 27; Székely et al., 2011, pp. 182–183). Nonetheless, authors such as Ohm (2010) declare that there is a compelling case for technology-specific legislation. In an article titled The Argument against Technology-Neutral Surveillance Laws, Ohm explains that technology-neutral concepts are often emphatically embraced (p. 1685). This thereby prohibits the potential benefits of technology-specificity from being garnered, even though there are several flaws in technology-neutrality whereby the benefits of the approach can be offset by limitations specifically in relation to surveillance (p. 1686). However, Ohm claims that “longevity” is an advantage of technology-neutral legislation (p. 1702) but also suggests general principles that can be applied to technology-specific legislation that will address issues of redundancy and achieving a suitable degree of specificity (pp. 1702–1710). The selection of the technology-neutral versus technology-specific approach to legislation should be perceived as a choice, and technology-neutrality should not be presumed the most suitable means of regulating technology (Reed, 2007, p. 282–283; Ohm, 2010, p. 1686).

In the Australian context, the use of technology-neutral primary legislation and technologically determinative, and more frequently amended subordinate legislation, is intended to provide both options to create an optimal regulatory environment. However in the context of LBS, the optimisation function is complicated by the fact that there is no primary or subordinate legislation on LBS. As will be shown in this paper, LBS crosses a range of regulatory regimes, all of which are optimised for the principles set out in the primary legislation. As a result, the extent to which each approach applies to LBS has yet to be examined and cannot be so until the existing regulatory landscape has been defined and reviewed. LBS are positioned in a complex and multi-faceted regulatory environment with no single LBS regulatory framework.

2.3. Legislation versus self-regulation

An additional concern, particularly for industry, is exercising caution in the introduction of legal measures so as not to stifle development of particular technologies or industries. The Telecommunications Act 1997 (Cth) at Section 5 states that telecommunications should be regulated in a manner that promotes the greatest practicable use of industry self-regulation consistent with the objects of the Act. However, the Privacy Act 1988 (Cth)and the Telecommunications (Interception and Access) Act 1979 (Cth) have no such reference.

In the context of LBS, the telecommunications sector stakeholders would anticipate self-regulation as the core of the regulatory environment. On the other hand, a privacy advocate would expect a regulatory approach which is strictly rules based (legislation and subordinate legislation). This creates a potential struggle between the two forms of regulatory implementation. In the context of online privacy, Hirsch (2010, pp. 22–33)describes this struggle. Hirsch (2010, p. 3) also claims that the self-regulation has been dominant to date. Self-regulation is an ideal approach for advancing the growth of the information and communications technologies (ICT) sector (Koops, 2006, p. 9). An overview of industry self-regulation theory and literature is presented in Hemphill (2004, pp. 83–84). While self-regulation can assume many forms, Gunningham and Rees (1997, pp. 364–365) differentiate between the individual and group approaches. The first refers to autonomous regulation by an individual entity and the second to collective regulation, an example of which is industry self-regulation requiring cooperation amongst entities. According to the authors, other distinctions can also be made relative to economic versus social factors, in addition to the level of government involvement in the self-regulation process, including the degree to which self-regulation is mandated (p. 365). There is the belief that self-regulation complemented by some form of government involvement is of greater value than self-regulation alone (p. 366).

The self-regulation approach is typically favoured by industry due to its ability to facilitate and adapt to market and technological developments, and may accompany government regulation particularly in cases where gaps in the latter exist (Cleff, 2010, p. 162). The approach is frequently expressed as a fitting antidote to the limiting nature of legislative action. For example, O'Connor and Godar (2003, pp. 257–260) argue that industry self-regulation is preferable to legislation, eliminating the need for restrictive laws that hamper progress within the industry as was the case in the telemarketing arena. The researchers also state that self-regulatory measures should be developed with sensitivity to ethical concerns, otherwise they will be perceived unfavourably by consumers (O'Connor and Godar, 2003, p. 259). Only then can self-regulation demonstrate potential and be beneficial. Theoretical benefits include “speed, flexibility, sensitivity to market circumstances and lower costs”, but practically self-regulation generally falls short of these expectations (Gunningham and Rees, 1997, p. 366).

This is due to self-regulation being criticised as a means of avoiding State involvement and other forms of regulation (Gunningham and Rees, 1997, p. 370; Clarke, 2003), enabling industry to achieve its goals to the detriment of the public. Furthermore, the capacity for self-regulation to address societal concerns, such as consumer privacy, is questionable due largely to the lack of transparency, and as such the approach can merely serve as an adjunct to government regulation (Cleff, 2010, p. 162). Industry self-regulation should nonetheless be considered earnestly, although an understanding of its dimensions and known restrictions is indispensable (Gunningham and Rees, 1997, p. 405). Self-regulation and industry involvement in regulatory processes may be beneficial to consumers and other stakeholders. However, validating its value when compared with legislation requires an assessment of the level of independent oversight that exists, the manner in which self-regulation is implemented and the extent to which it complements present legislation and regulatory mechanisms.

2.4. Multiple and competing stakeholder interests

In considering the balance between rules-based regulation and self-regulation, a notable challenge emerges surrounding the importance of accounting for multiple and competing interests. That is, how the views of multiple stakeholders can be integrated without creating “regulatory capture” (see for example, Dal Bó, 2006) by the stakeholders with the greatest commercial or political power. This may theoretically be achieved by employing the co-regulatory approach to regulation. While the co-regulatory approach is an involved process that embodies countless complexities and facets (Hirsch, 2010, pp. 6–8, 41–46), and has been regarded a promising means of collaboratively managing multiple interests, it is also essential to recognise that such collaboration will involve reconciling rival perspectives. From the discussion above, it is apparent that certain entities will favour particular forms of and approaches to regulation. For example, there is often opposition from the technical and scientific communities in relation to legislation, which is typically perceived as a possible impediment to the technology development process (Székely et al. 2011, p. 183). Such communities are generally in favour of self-regulation and technology-based approaches in that they ensure industry progress is not hindered. However, these sentiments are not supported by all stakeholders. The LBS industry, with its varied value chain, consists of a wide range of stakeholders and its composition is dependent on a given LBS solution.

2.5. Flexible regulatory structures

In addition to being sensitive to varying stakeholder interests, a regulatory environment must be cognisant of the rapid and/or continual changes caused by technological innovations. This may require contemplation of flexible regulatory structures. However, it is likely that a regulatory framework would have no greater level of flexibility as a standards body dealing with the same innovations. For the purpose of this discussion, flexibility simply refers to the general need for the regulatory environment to deal with constant technological change. This is an important element as the pace of technological development and usage “raises the question whether law in general manages to keep up” (Cleff, 2010, p. 161). The level of flexibility does not require the law to “keep up”. Rather, it requires the regulatory environment to be able to flex. Nonetheless, the introduction of flexible regulatory structures capable of adapting to and incorporating developments in technology remains a challenge, one which technology-neutrality and self-regulation attempt to surmount. The introduction of adaptable structures demands a nuanced understanding of the nature of emerging technologies, and related legal and ethical challenges. Székely et al. (2011, p. 183) claim this to be an issue, given that a relatively limited number of legal experts possess such knowledge, a claim supported by Svantesson (2011, p. 244).

It is within this multi-faceted and intricate regulatory environment that the need for LBS regulation in Australia must be investigated, an environment that is characterised by diverse approaches to ICT regulation and privacy, that complicate regulatory debates associated with technologies such as LBS. The following section identifies the Australian regulatory framework for LBS, which is largely legislation-based but is supplemented by self-regulation. This is followed by the application of the conceptual framework drawn together in this section to the Australian case in order to validate the existing scheme. A sketch of the LBS regulatory framework in Australia has not yet been attempted, nor has the validity of such a framework been previously measured. This paper will consequently provide the foundations for further study into the need for LBS regulation in Australia.

3. LBS regulatory framework in Australia

Research into LBS regulation is very much context-dependent as each setting will inevitably embody a distinctive approach to regulation, based on numerous factors. This approach may involve a review of existing legal frameworks, for example, in addition to an assessment of the unique cultural, political, economic and other factors that define such regulatory frameworks. These differences demand an independent reflection of respective regulatory settings. Initially, context delineates the “structured social settings with characteristics that have evolved over time (sometimes long periods of time), and are subject to a host of causes and contingencies of purpose, place, culture, historical accident, and more” (Nissenbaum, 2010, pp. 129–130). With respect to regulation and the law, context produces challenges across jurisdictions, affecting both internationalisation of legal frameworks pertaining to LBS and interpretation of laws within specific settings. Such issues are evident in the implementation of the European legal framework for LBS, in which Member States have integrated applicable European Union Directives in alternative ways, resulting in varied coverage and distinct difficulties in the respective nations, as demonstrated in a report by the FIDIS Consortium (FIDIS, 2007).

The importance of context to regulatory and public policy discussions is not restricted to the jurisdictional issues but is also apparent in sub-contexts. For example, Marx (1999, p. 46) identifies “setting” as being of particular importance in terms of LBS usability contexts. That is, a location-monitoring solution that aids a skier in the event of an avalanche is perceived in a different light to the same device being covertly installed in an individual's vehicle. To form the foundations for a context-based investigation of LBS regulation in Australia, the Australian regulatory framework for LBS is presented in this section.

The present regime in Australia is comprised of and dominated by a collection or patch-work of federal and state-based laws that relate – albeit to varying degrees – to diverse aspects of LBS, in addition to numerous industry-based codes that seek to protect the interests of consumers and organisations. With respect to legislation, federal laws relating to privacy (Cho, 2005APF, 2007ALRC, 2008Rodrick, 2009), telecommunications(APF, 2007Nicholls and Rowland, 2007Nicholls and Rowland, 2008a,bRodrick, 2009), surveillance (APF, 2007ALRC, 2008Rodrick, 2009VLRC, 2009Attorney General's Department, 2011Michael and Clarke, 2012) and national security/anti-terrorism apply (Rix, 2007VLRC, 2009Attorney General's Department, 2011Michael and Clarke, 2013). With respect to self-regulatory schemes, industry-based guidelines such as those developed by Communications Alliance and the Australian Mobile Telecommunications Association (AMTA) are of significance. The respective approaches are now examined in greater detail.

Author of Geographic Information Systems and the Law: Mapping the Legal Frontiers(1998) and Geographic Information Science: Mastering the Legal Issues (2005) is GIS and legal scholar, George Cho. Both of Cho's works analyse the legal implications of geographic information and related technologies. In the first book, Cho (1998, pp. 27–28)explains that an elementary appreciation of the legal and policy challenges associated with GIS requires disaggregation of the terms geographic, information, and systems to define issues within individual themes. The author claims that information (and data) are central to these challenges (p. 28) given their ability to “be beneficial or detrimental to individuals, groups and ultimately to society at large” (p. 31) and to symbolise various power relations (p. 130). The “double-edged” nature of GIS simultaneously grants access while also enabling abuse and invasion of privacy (p. 131), thus requiring a policy response that may be enacted through “education of the public, facilitation, regulation and the provision of incentives” (p. 166). In sketching the LBS regulatory framework throughout this paper and considering the available regulatory choices, it is crucial to be mindful of this “double-edged” nature of LBS, specifically that LBS applications and devices can enable constructive uses on the one hand and simultaneously facilitate less desirable uses on the other.

In Cho's second book (2005, pp. 17–18) he advances the discussion by outlining the intricacies characterising GIS-related policy development given the multitude of actors, the abundance of applications and the rise in m-commerce and geo- or g-commerce services. Providing introductory material relating to policy, law and the relationship between the latter and GIS, Cho maintains that policy challenges are of equivalent value to technical considerations associated with geographic information access, implementation and usage (p. 27). With respect to GPS, and tracking more specifically, the author asserts that policy debates are generally concerned with privacy and human rights violations (p. 44). The privacy threat is largely the effect of “the new inferences that may be obtained by correlating geographic information with personal information” (p. 211). In Australia, the privacy threat and its varying implications fall within the scope of a regulatory framework that has been described as “ad-hoc”, entailing approaches such as legislation and self-regulation that aim to safeguard personal and information privacy (p. 217). The framework is based on existing legal safeguards that aim to protect public and private sector handling of information in accordance with a collection of privacy principles (p. 257), notably, the Privacy Act 1988 (Cth) (see also, Privacy Amendment (Private Sector) Act 2000 (Cth); Morris, 2010). For a comprehensive listing of privacy-related legislation, including state-based laws omitted from this paper, see Clarke (2010) and APF (2007).

3.1. Privacy legislation

The Privacy Act 1988 was amended in November 2012 to introduce the Australian Privacy Principles (APP). These principles come into effect in March 2014. The APPs are a single set of principles that apply to both agencies and organisations, which are together defined as APP entities. While the APPs apply to all APP entities, in some cases, they impose specific obligations that apply only to organisations or only to agencies. The APP concerning anonymity or pseudonymity (APP 2) and cross-border disclosure (APP 8) will have an impact on LBS providers. The APPs extend the existing obligations on data collection to rebalance the rights of collectors of personal information and an individual's right to privacy. There are also stricter controls on the collection and use of sensitive information.

The Office of the Australian Information Commission (OAIC) offers further information about the APPs which cover sensitive personal information handling (OAIC, n.d.). The Privacy Act 1988 defines ‘sensitive information’ as: “information or an opinion about an individual's: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; that is also personal information” (Part II, Section 6). Sensitive information can also encompass health and genetic information. In the context of the Privacy Act 1988, personal information refers to “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion” (Part II, Section 6).

It has been argued that the major dilemma in relation to LBS, location privacy and existing legislation is that the location of an individual may not necessarily be regarded as sensitive personal information. However, the obligations under the Privacy Act 1988 in respect to personal information under the APP are relatively onerous. It has been argued that processed LBS data presents sizeable privacy implications (Cho, 2005, p. 258).

The 2012 amendments to the Privacy Act 1988 were guided by The Australian Law Review Commission's (ALRC, 2008) report entitled For Your Information: Australian Privacy Law and Practice. This took into account submissions such as the policy statement by the Australian Privacy Foundation (APF) on “the use of positional data relating to mobile devices as a means of locating and tracking the individuals carrying them” (APF, 2011). That is, current government policy is that the privacy legislation in Australia deals with LBS-related privacy concerns at the federal level. One state, Victoria, has attempted to address these issues through human rights legislation (Michael and Clarke, 2012, pp. 4–5).

3.2. Telecommunications legislation

Location data is not, however, only subject to privacy legislation but also falls within the scope of the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth). These laws collectively deal with telecommunications content and data interception, disclosure and use. The Telecommunications Act 1997 prohibits the disclosure and use of telecommunications metadata and telecommunications content. This prohibition is clarified in section 275A to include location information and a limited exemption to this prohibition for the purpose of providing “location dependent carriage services” is given in section 291A. However, there is no immunity provided for LBS which do not have a carriage component.

Relevant to this discussion, the ALRC's report outlines the interaction between the Privacy Act 1988 and the Telecommunications Act 1997 noting that both laws aim to regulate privacy and various forms of information (ALRC, 2008). The Privacy Act relates to safeguarding personal information, while Part 13 of the Telecommunications Act “regulates the use or disclosure of information or a document” (ALRC, 2008, p. 2381). The review, questions whether both privacy regimes are required, outlining a number of differing stakeholder opinions (ALRC, 2008, pp. 2385–8). Furthermore, it concludes with the opinion that while there is observable “merit in the promulgation of telecommunications privacy regulations under the Privacy Act to regulate the handling of personal information” (ALRC, 2008, p. 2388), “both the Telecommunications Act and the Privacy Act should continue to regulate privacy in the telecommunications industry” (p. 2389), however, the exchange between the two laws requires clarification (p. 2391). It would have been feasible, if it were government policy, for the amendments to the Privacy Act that were made in 2012 to have a set of consequential amendments to other legislation such as the Telecommunications Act 1997. The absence of such an amendment implies that there is no policy imperative requiring such a change.

The Telecommunications (Interception and Access) Act 1979, on the other hand, is intended “to protect the privacy of personal communications by generally prohibiting interception of those communications, subject to limited exceptions in which privacy is outweighed by other considerations”, and functions alongside Part 13 of the Telecommunications Act 1997 (Nicholls and Rowland, 2007, pp. 86–87). However, the Telecommunications (Interception and Access) Act 1979 does not have the objects of the Telecommunications Act (Nicholls and Rowland, 2008a, p. 349). Significantly, the Telecommunication (Interception and Access) Act 1979 generates three regimes for intercepting telecommunications content and data. The first deals with communications metadata (including in real time), the second with stored communications, and the third is concerned with the content of communications itself (Rodrick, 2009, pp. 376–378). The regulatory framework for this legislation can be analysed by using the European Telecommunications Standards Institute (ETSI) approach set out in TS 101 671. This sets out three handover interfaces that relate to (in ascending order): the relationship between the communications operator and the law enforcement agency; the request for and delivery of communications metadata; and the request for and delivery of communications content. This is depicted in Fig. 2.

Fig. 2. Interaction between communications operators and law enforcement agencies.

In Australia, there is an obligation on all communications providers (carriers and carriage service providers) to provide assistance to law enforcement agencies. Handover Interface 1 does this by legislation and by contract with law enforcement agencies in the case of the largest carriers. Handover Interface 2 is used for the delivery of communications metadata and this does not require a warrant (Rodrick, 2009, p. 384). The absence of a requirement for a warrant in Australia and merely consideration of the target's privacy expectations in the case of real-time metadata is unusual (Nicholls, 2012, p. 49). Communications content, either stored or being carried across a network is delivered over Handover Interface 3 in response to a warrant.

Relevant to LBS and this paper, it is crucial to determine the extent to which location information falls within the scope of federal telecommunications legislation, specifically the Telecommunications (Interception and Access) Act 1979. Of particular value is ascertaining whether location information signifies telecommunications data, in which case the implications for disclosure to and access by specific agencies is great given that such data may then be lawfully “disclosed to ASIO and law enforcement agencies without a warrant and without any independent oversight” (Rodrick, 2009, p. 391). In an article titled Regulating the Use of Telecommunications Location Data by Australian Law Enforcement AgenciesNicholls and Rowland (2008b, p. 174) argue that telecommunications data, or the metadata relevant to communications including location details, are increasingly being provided to law enforcement agencies in the absence of a warrant. The authors also note that an oversight process is lacking, a situation that is inconsistent with European and US models (Nicholls and Rowland, 2008b, p. 181).

That is, Australia “appears to be isolated in its approach of placing the power to have location metadata supplied on a prospective basis to law enforcement agencies” (Nicholls and Rowland, 2008b, p. 181). This is exceedingly problematic given that a definition of telecommunications data is non-existent in the legislation (Nicholls and Rowland, 2008b, p. 174) and that a certain degree of ambiguity is required in incorporating future technologies (p. 179). However, this is likely to result in issues whereby the agencies seeking location data are able to independently control the definition or the type of metadata requested (Nicholls and Rowland, 2008b, p. 180). Thus, agencies are lawfully able to access location data on a prospective basis. This ability for close to real-time access of location data will facilitate “live tracking” (Nicholls and Rowland, 2008b, p. 176).

As examined earlier in reference to federal privacy legislation, the (privacy) risks are intensified with increases in accuracy and greater use of mobile devices for tracking purposes, further questioning the suitability of present telecommunications legislation in Australia, especially given the capability for telecommunications data to be accessed without a warrant and devoid of an “independent oversight” process (Rodrick, 2009, p. 404). There has been a push for more rigorous safeguards, summarised succinctly by Rodrick (2009, p. 407): “In light of the fact that prospective location information is tantamount to surveillance, access to it should be procured only via a warrant, and, as is the case with the interception and stored communications regimes, in deciding whether to issue a warrant, the issuing authority should be required to have regard to the degree to which the privacy of a person would be interfered with”.

3.3. Surveillance legislation

The use of surveillance devices is generally prohibited under the laws of the states and territories in Australia. Each state and territory prohibits the use of tracking devices and then provides an exception to the prohibition for law enforcement agencies. A tracking device is usually defined to mean “any electronic device capable of determining or monitoring the location of a person or an object or the status of an object”. That is, an LBS device would generally be prohibited under state law if it was used for surveillance. However, if the person being tracked by the device was aware of the tracking then the use of the device would not be prohibited. Example LBS tracking devices could include smart phone-based location-monitoring solutions and dedicated data logging devices that may be mounted to a particular surface or wired into a vehicle.

The state-based exceptions refer to the law enforcement agencies of that state. As a result, the Surveillance Devices Act 2004(Cth) was introduced to provide a regime that permitted the use of surveillance devices (including tracking devices) across state and territory boundaries. The Surveillance Devices Act 2004 sets out the process through which warrants, emergency and tracking device authorisations can be obtained in relation to surveillance devices for law enforcement and other purposes (Attorney General's Department, 2011). Part 1, Section 6 of the act presents a number of definitions important for this article: “data surveillance device means any device or program capable of being used to record or monitor the input of information into, or the output of information from, a computer, but does not include an optical surveillance device…device includes instrument, apparatus and equipment… surveillance device means: (a) a data surveillance device, a listening device, an optical surveillance device or a tracking device; or (b) a device that is a combination of any 2 or more of the devices referred to in paragraph (a); or (c) a device of a kind prescribed by the regulations… tracking device means any electronic device capable of being used to determine or monitor the location of a person or an object or the status of an object.”

Michael and Clarke (2013) note that law enforcement agencies, in particular, may utilise LBS for personal and mass surveillance, which are often justified as means of maintaining security, despite the lack of an adequate judicial process in some cases.

The Victorian Law Reform Commission (VLRC) published a consultation-based report on the subject of Surveillance in Public Places (VLRC, 2010). While the report is largely state-focused, it covers many aspects relevant to this investigation and discusses limitations in current surveillance laws and the need for “modernising” existing state-based legislation (refer to Chapter 6 of the report). With specific reference to the Surveillance Devices Act 2004, the VLRC's accompanying consultation paper specifies its applicability to national security and surveillance efforts, explaining that the federal law does not seek to overrule state-based legislation (VLRC, 2009). In combination with the Telecommunications (Interception and Access) Act 1979, the Surveillance Devices Act 2004 does, nevertheless, intend to “provide enforcement and national security agencies with significant investigative tools, including the ability to obtain warrants to intercept communications, obtain access to stored communications, install and use surveillance devices, and to obtain access to telecommunications data while still protecting the privacy of individuals” (Attorney General's Department, n.d.).

While the federal Surveillance Devices Act 2004 generally requires a warrant for surveillance, Sections 37–39 of the legislation indicate the conditions or circumstances under which a warrant is not required. Explicitly section 39 outlines the provisions in relation to tracking devices; that is: “(1) A law enforcement officer may, with the written permission of an appropriate authorising officer, use a tracking device without a warrant in the investigation of a relevant offence” and “(3) A law enforcement officer may, with the written permission of an appropriate authorising officer, use a tracking device without a warrant in the location and safe recovery of a child to whom a recovery order relates”. A tracking device can also be used by a law enforcement agency without a warrant if there is now requirement to enter premises or a vehicle (for example, by installing a magnetically mounted GPS device).

Additional rules relating to the authorisation also apply. For example, the authorisation must specify the period of validity, which should not exceed 90 days (section 39 (7)). It is clear that there are situations in which a location-enabled tracking device may be lawfully deployed, utilised and retrieved by certain law enforcement agencies. In cases where personal information has been collected using such surveillance devices, the Privacy Act 1988 will then apply.

3.4. National security and anti-terrorism legislation

Federal anti-terrorism laws also grant organisations, notably ASIO and the Australian Federal Police (AFP), the facility to conduct surveillance activities and gather information believed to be in the interest of national security. For example, The Australian Security Intelligence Organisation Act 1979 (Cth) enables ASIO to gather information considered to be of value in the deterrence of an act of terrorism (Attorney General's Department, 2011). ASIO is specifically granted the ability “to obtain a warrant to detain and question persons (who do not themselves have to be suspected of terrorism offences) in order to gather intelligence related to terrorist activity” as a form of preventative measure (Rix, 2007, p. 104). The Criminal Code Act 1995 (Cth), grants the AFP powers relating to questioning and surveillance (VLRC, 2010, p. 21). It also covers procedures relating to court orders, detention, questioning and search, and the collection of information and documents (Rix, 2007, p. 106). The implications of these pieces of legislation in particular, and the extent to which they apply to LBS, surveillance, tracking and location information have not been sufficiently examined and remain unclear. It has previously been suggested that these laws fail to protect human rights (Rix, 2007, p. 107), and with respect to the ASIO Act, the government has “unquestioningly granted powers to national security agencies to use location technology to track citizens”, justifying surveillance as a necessary means of ensuring Australians are protected from terrorist threats (Michael and Clarke, 2012, p. 2).

3.5. Industry guidelines for location-service providers

The LBS regulatory framework in Australia is not limited to legislation, but also includes self-regulation in the form of industry guidelines. The main industry body for all telecommunications operators in Australia is Communications Alliance. Its Guideline G557:2009 Standardised Mobile Service Area and Location Indicator Register, uses a coarse LBS to identify the geographic location of calls from mobile and nomadic devices to the emergency services.

Guidelines have also been released by the Australian Mobile Telecommunications Association (AMTA). AMTA is “the peak industry body representing Australia's mobile telecommunications industry” (AMTA, n.d.). In 2010, AMTA released guidelines intended for location-service providers (LSP) to mitigate the threats associated with misuse of passive LBS (AMTA, 2010, p. 4), which are services that do not rely on active participation by the user once initial consent has been granted (p. 5). The guidelines were developed by AMTA's working party that comprised major stakeholders in Australia, including Nokia, Optus, Telstra and Vodafone Hutchison Australia (AMTA, 2010, p. 26), providing an example of the self-regulation approach in practice. Although AMTA's guidelines were built on the NPPs and other relevant legislation (AMTA, 2010, p. 5), by April 2013 they had not been updated to reflect the amendments to the Privacy Act. The guidelines document also encourages compliance with relevant Australian laws (AMTA, 2010, p. 17) including a selection of those identified throughout this paper.

In theory, industry guidelines are significant in that they are a form of self-regulation aimed at addressing regulatory concerns, such as the risks associated with LBS usage, without the need for legislative action. As such, they form a crucial component of the LBS regulatory framework. AMTA's guidelines represent the industry's effort to ensure consumer privacy protection and safety when utilising available LBS applications – yet they have not been amended to reflect legislative change in the privacy arena. It is noteworthy that the industry-based self-regulation approach has its critics. For instance, Cho (2005, p. 236) himself claims that while self-regulation affords flexibility to industry stakeholders and symbolises a proactive approach to privacy concerns, it may by the same token be perceived an inadequate safeguard. In the context of AMTA's guidelines, Michael and Clarke (2012, p. 5) are similarly critical of the efficacy of self-regulation, claiming that industry guidelines and codes are typically “a political tool to avoid regulation.”

4. Discussion: validating the Australian framework

4.1. Summarising and sketching the LBS regulatory framework in Australia

This paper serves to sketch the current LBS regulatory framework in Australia, identifying the components comprising the overall framework, as summarised in Fig. 3. Section 3demonstrated that the LBS regulatory framework in Australia is largely dominated by legal and industry-based regulatory approaches, in particular, commonwealth-based (federal) legislation and self-regulatory mechanisms applying across Australia. The extent to which each regulatory tool applies to LBS and location data was also covered.

Fig. 3. Components of the current LBS regulatory framework in Australia.

A number of issues inevitably emerge upon closer examination of the current LBS regulatory framework in Australia. With regards to privacy legislation, it was noted that (location) information derived from LBS solutions might or might not be personal information and is unlikely to be sensitive personal information. The Privacy Act may not cover the data. Regarding Australian telecommunications legislation, location data may not specifically be classed ‘telecommunications data’ in all circumstances. The location dependent carriage service introduces ambiguity regarding definitions. The state-based prohibition on the use of tracking devices means that the provision of LBS will require explicit permission of the users of an LBS device. This is similarly the case with respect to surveillance legislation, in which tracking devices can be deployed for surveillance purposes, and without a warrant, in specific situations as outlined in the federal legislation. The implications of this lawful but covert deployment of tracking devices are yet to be fully explored. Correspondingly, national security legislation grants increasing powers to various agencies to monitor individuals under the guise of maintaining national security and protecting the interests of Australian citizens. The legal mechanisms that apply to LBS require further review, as they fail to adequately cover various aspects relevant to LBS and location data and the laws are not necessarily consistent or matching. However, opportunities for policy implementing such a review have not been seized in recent legislative change.

Similarly, industry-based guidelines are lacking in their coverage of LBS. For example, AMTA's guidelines merely cover passive LBS or those that do not require user input once initial consent is given. This is not surprising as industry bodies self-regulate a narrow group. Self-regulation is poor at involving users and other industry representatives. Supplementary to these individual issues, it is essential at this point to validate the Australian regulatory scheme in view of the conceptual framework defined earlier in this paper, in order to identify the broad challenges that surface in examining the existing framework, summarised in Table 1.

Table 1. Validation of the LBS regulatory framework in Australia.

Challenges/considerations | Validation | Areas for improvement

Technology-specific versus technology-neutral

Australian framework is largely technology-neutral (with exception of industry guidelines) and is not LBS specific.

- Subordinate legislation and regulation could be extended to cover specifics of LBS and location data.

- This may necessitate continual review of regulatory settings as LBS solutions and underlying technologies evolve.

Legislation versus self-regulation

Existing framework draws on combined legal and industry-based approach to regulation, which allows for both government and industry involvement. However, self-regulation is a characteristic of telecommunications and not privacy legislation.

- Self-regulation is created by narrow industry groups and is lacking in its involvement of users.

- There could be closer collaboration between industry and government.

- Drawbacks of current regulation and industry-based tools identified in this paper should be addressed

Multiple and competing stakeholder interests

Government and industry have largely established the current Australian framework for LBS. However, it lacks a stronger level of collaboration and user involvement.

- Collaboration and consultation are crucial in the regulatory process to ensure stakeholder representation.

- Users, in particular, must be encouraged to participate.

- Individual stakeholders in government, industry and user segments should be identified and approached.

Flexible regulatory structures

Legislation in the present framework is not particularly flexible and does not easily cater for LBS solutions in the marketplace or any future developments. Subordinate legislation is more flexible.

- Technology-specificity is required to incorporate LBS and location data into subordinate legislation.

- Industry-based tools should be continually developed and should be adaptable to technological developments.

4.2. Validation: extent to which the existing framework is specific to LBS

When considering the technology-specific versus technology-neutral debate in light of the LBS regulatory framework in Australia, it is evident that the current framework entails largely technology-neutral elements. This suggests that the framework fails to account for the specifics of LBS in that it does not adequately account for location data. This generates a risk that concerns, unique to LBS, will be overlooked in the Australian context. Technology-neutrality creates ambiguity in definitions, as can be seen in the case of the Australian privacy and telecommunications legislation in particular. However, as Australian government policy has consistently adopted technology-neutral legislation, the focus of change needs to be on subordinate legislation and self-regulatory mechanisms. The absence of an appropriate regulatory environment for LBS is undesirable from the perspective of all stakeholders, particularly individuals. The existing framework requires further provisions for LBS and location data, and it is therefore expected that legal and industry-based regulatory mechanisms will require continual review in the present technological landscape that is dominated by constant developments in both underlying technologies and emerging (and novel) usability contexts.

4.3. Validation: value of existing legislative and self-regulatory mechanisms

The Australian regulatory framework for LBS demonstrates a combined approach to regulation, in which legal and industry-based mechanisms are concurrently implemented. It is often believed that the combined approach allows for the specifics of a given technology to be better incorporated, especially at the industry level and via self-regulatory mechanisms. The Australian initiative led by AMTA can be perceived as a move towards increased industry involvement and representation, and an attempt to avoid unnecessarily stifling the LBS industry. The concern, however, lies in the limitations of self-regulation and the consequence that the guidelines are narrow in their scope and their coverage of a wide range of LBS solutions. In terms of legislation, the specific drawbacks of existing laws have been identified, requiring a review of federal legislation to ensure their applicability to LBS and that the laws are consistent and corresponding. Furthermore, closer collaboration between government, industry and users would improve the legal and industry-based mechanisms in the current framework. That is, government and other stakeholders need to be involved in industry-based processes. This type of co-regulation reduces the negative impacts of self-regulation allowing industry to impart feedback, which informs legislative processes. Importantly, consumers have an opportunity to express ‘real-world’ concerns that would directly support both legislative and co-regulatory processes.

4.4. Validation: degree to which stakeholder interests are accounted for

While government and industry perspectives have somewhat been represented in the existing framework, further collaboration is required to account for the views of users. Furthermore, individual stakeholder types must be identified within the government, industry and user segments and collaboration of individual stakeholders must be encouraged to ensure that all interests are represented in the regulatory process. In the Australian context, collaboration and consultation with a wide range of LBS value chain stakeholders in lacking, but is essential in order to incorporate multiple and competing stakeholder interests.

4.5. Validation: level of flexibility

The Australian legislative framework does not provide a flexible regulatory structure. That is, the legislation is out-dated with respect to LBS and existing provisions do not naturally enable the absorption of new LBS solutions and features. It is suggested that a higher degree of technology-specificity is required in subordinate legislation, given the unique characteristics of LBS and location data which do not always fall within the scope of current definitions. However, this approach must be carefully constructed to ensure that the chosen regulatory mechanisms are adaptable as the technology evolves. In combination with considered co-regulatory tools and guidelines that have been developed in an objective manner, this should ensure a degree of flexibility, given that regulatory systems can adapt more quickly than legislative systems.

4.6. Future research and extending the Australian framework

This paper has set the groundwork for understanding the nature and extent of the LBS regulatory framework in Australia by sketching the components of the existing scheme and defining the extent to which the respective elements apply at the federal level. It has additionally set out the regulatory and public policy context within which the framework exists and the challenges that demand a certain degree of sensitivity by presenting a conceptual framework for analysing LBS regulation. It is recommended that future studies: (a) utilise the conceptual framework as a means of measuring the validity of a given regulatory framework in a specific setting, and (b) employ the defined Australian framework as the basis for examining the need for LBS regulation in Australia and understanding the manner in which LBS regulation should be implemented.

The Australian framework presented in this paper can be further extended as part of future work. Explicit areas for prospective research include: (a) broadening the scope of the framework to account for state-based legislation and additional industry-based mechanisms, (b) encouraging a greater focus on cross-cultural comparisons by comparing the Australian case with other, more mature examples such as the European data protection regime for LBS, (c) consulting with relevant stakeholders regarding the applicability and adequacy of the Australian framework and existing regulatory measures and contrasting the results with the outcomes of the validation process presented in this paper, and (d) improving the framework based on the suggested areas for improvement.

5. Conclusion

The focus of this paper was on developing a conceptual framework for analysing LBS regulation, presenting the components of the existing Australian framework and subsequently engaging in a process of validation. The validation process indicated that the LBS regulatory framework in Australia should: (i) account more specifically for LBS and location data, (ii) better incorporate legislative, self-regulatory and co-regulatory mechanisms, (iii) encourage a higher degree of collaboration with stakeholders in the LBS value chain, and (iv) encompass a higher degree of flexibility to ensure technological developments are integrated. The benefits to be garnered from this exercise include an accurate and detailed understanding of the current framework in Australia which has allowed areas for improvement to be identified. The ensuing outcomes can be used as the basis for future research in the LBS regulation field and provide a useful starting point for determining the need for LBS regulation in Australia.

Acknowledgements

The authors wish to acknowledge the funding support of the Australian Research Council (ARC) – Discovery Grant DP0881191 titled “Toward the Regulation of the Location-Based Services Industry: Influencing Australian Government Telecommunications Policy.” The views expressed herein are those of the authors and are not necessarily those of the ARC.

References

ALRC, For your information: Australian privacy law and practice, (2008), (ALRC report 108). 12 January 2012, http://www.alrc.gov.au.ezproxy.uow.edu.au/publications/report-108

AMTA, AMTA guidelines, 24 April 2012, www.amta.org.au/files/Location.Based.Services.Guidelines.pdf (2010)

About AMTA; n.d. 21 February 2012. http://www.amta.org.au/pages/About.AMTA.

APF, Privacy laws – Commonwealth of Australia, 20 February 2012, http://www.privacy.org.au/Resources/PLawsClth.html (2007)

APF, Location and tracking of individuals through their mobile devices, 20 February 2012, http://www.privacy.org.au/Papers/LocData.html (2011)

Attorney General's Department, Australian laws to combat terrorism, 20 February 2012, http://www.nationalsecurity.gov.au/agd/www/nationalsecurity.nsf/AllDocs/826190776D49EA90CA256FAB001BA5EA?OpenDocument (2011)

Attorney General's Department. Telecommunications interception and surveillance; n.d., 20 January 2012. http://www.ag.gov.au/Telecommunicationsinterceptionandsurveillance/Pages/default.aspx.

A. Barreras, A. Mathur, Wireless location tracking, [chapter 18], K.R. Larsen, Z.A. Voronovich (Eds.), Convenient or invasive: the information age, Ethica Publishing, United States (2007), pp. 176-186

J. Braithwaite, C. Coglianese, D. Levi-FaurCan regulation and governance make a difference? Regulation & Governance, 1 (2007), pp. 1-7

P. Bridgman, G. Davis, The Australian policy handbook, (3rd ed.), Allen & Unwin, Crows Nest, NSW (2004), 198 p.

G. Cho, Geographic information systems and the law: Mapping the legal frontiers, John Wiley & Sons, Chichester, West Sussex (1998), 337 p.

G. Cho, Geographic information science: mastering the legal issues, John Wiley & Sons Inc, Hoboken, NJ (2005), 440 p.

R. Clarke, While you were sleeping… surveillance technologies arrived, Australian Quarterly, 73 (1) (2001), pp. 10-14

R. Clarke, Privacy on the move: the impacts of mobile technologies on consumers and citizens, http://www.anu.edu.au/people/Roger.Clarke/DV/MPrivacy.html (2003)

R. Clarke, PAIs in Australia – a work-in-progress report, http://www.rogerclarke.com/DV/PIAsAust-11.html (2010)

R. Clarke, M. Wigan, You are where you've been: the privacy implications of location and tracking technologies, http://www.rogerclarke.com/DV/YAWYB-CWP.html (2011)

E.B. Cleff, Effective approaches to regulate mobile advertising: moving towards a coordinated legal, self-regulatory and technical response, Computer Law & Security Review, 26 (2010) (2010), pp. 158-169

C. Cuijpers, B.J. Koops, How fragmentation in European law undermines consumer protection: the case of location-based services, European Law Review, 33 (2008), pp. 880-897

E. Dal Bó, Regulatory capture: a review, Oxford Review of Economic Policy, 22 (2006), pp. 203-225

J.E. Dobson, P.F. Fisher, Geoslavery, IEEE Technology and Society Magazine, 22 (1) (2003), pp. 47-52

A. Escudero-Pascual, I. Hosein, Questioning lawful access to traffic data, Communications of the ACM, 47 (3) (2004), pp. 77-83

A. Fenna, Introduction to Australian public policy, Addison Wesley Longman Australia Pty Limited, South Melbourne, Australia (1998), 454 p.

FIDISD, 11.5: the legal framework for location-based services in Europe, http://www.fidis.net/ (2007)

N. Gunningham, J. Rees, Industry self-regulation: an institutional perspective, Law & Policy, 19 (4) (1997), pp. 363-414

T.A. Hemphill, Monitoring global corporate citizenship: industry self-regulation at a crossroads, The Journal of Corporate Citizenship, 14 (Summer 2004) (2004), pp. 81-95

W. Herbert, No direction home: will the law keep pace with human tracking technology to protect individual privacy and stop geoslavery?, I/S: A Journal of Law and Policy, 2 (2) (2006), pp. 409-473

D.D. Hirsch, The law and policy of online privacy: regulation, self-regulation, or co-regulation? (2010), p. 1–62, http://works.bepress.com.ezproxy.uow.edu.au/dennis_hirsch/61/

I. Hosein, The collision of regulatory convergence and divergence: updating policies of surveillance and information technology, The Southern African Journal of Information and Communication, 2 (1) (2001), pp. 18-33

B.J. Koops, Should ICT regulation be technology-neutral? [chapter 4], B.J. Koops, M. Lips, C. Prins, M. Schellekens (Eds.), Starting points for ICT regulation. Deconstructing prevalent policy one-liners, IT & law series, vol. 9, T.M.C. Asser Press, The Hague (2006), pp. 1-28, (online version). p. 77–108 (original version), http://papers.ssrn.com/sol103/papers.cfm?abstract_id=918746

S. Maddison, R. Denniss, An introduction to Australian public policy: theory and practice, Cambridge University Press, Port Melbourne, Victoria (2009), 281 p.

G.T. Marx, Ethics for the new surveillance, [chapter 2], C.J. Bennett, R. Grant (Eds.), Visions of privacy: policy choices for the digital age, University of Toronto Press, Toronto (1999), pp. 37-67

K. Michael, R. Clarke, Location privacy under dire threat as uberveillance stalks the streets, Precedent (Focus on Privacy/FOI), 108 (2012), pp. 1-8, (online version) & 24–9 (original article), http://works.bepress.com.ezproxy.uow.edu.au/kmichael/245/

K. Michael, R. Clarke, Location and tracking of mobile devices: uberveillance stalks the streets, Computer Law and Security Review, 29 (2) (2013), http://works.bepress.com.ezproxy.uow.edu.au/kmichael/305/

J.B. Morris, The privacy implications of commercial location-based services, Testimony before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet: 1–15, http://inews.berkeley.edu/files/CDT-MorrisLocationTestimony.pdf (2010)

L.B. Moses, Recurring dilemmas: the law's race to keep up with technological change, Journal of Law, Technology and Policy, 2007 (2) (2007), pp. 239-285

L.B. Moses, Agents of change: how the law ‘copes’ with technological change, Griffith Law Review, 20 (4) (2011), pp. 763-794

R. Nicholls, Right to privacy: telephone interception and access in Australia, Technology and Society Magazine, IEEE, 31 (2012), pp. 42-49

R. Nicholls, M. Rowland, Regulating the use of telecommunications location data by Australian law enforcement agencies, Criminal Law Journal, 32 (2008), pp. 343-350

R. Nicholls, M. Rowland, Message in a bottle: stored communications interception as practised in Australia, [chapter 7], K. Michael, M.G. Michael (Eds.), The second workshop on the social implications of national security (from Dataveillance to Uberveillance and the Realpolitik of the Transparent Society), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics) and Centre for Transnational Crime Prevention (Faculty of Law), Wollongong, Australia (2007), pp. 83-96

Nicholls and Rowland, 2008b, R. Nicholls, M. RowlandRegulating the use of telecommunications location data by Australian law enforcement agencies, [chapter 14], K. Michael, M.G. Michael (Eds.), The third workshop on the social implications of national security (Australia and the New Technologies: Evidence Based Policy in Public Administration), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics), Wollongong, Australia (2008), pp. 173-184

H. Nissenbaum, Privacy in context: technology, policy, and the integrity of social life, Stanford Law Books, Stanford, California (2010), 288 p.

P.J. O'Connor, S.H. Godar, We know where you are: the ethics of LBS advertising, [chapter Xiii], B.E. Mennecke, T.J. Strader (Eds.), Mobile commerce: technology, theory and applications, Idea Group Publishing, Hershey, US (2003), pp. 245-261

OAIC. Privacy Act; n.d. 20 February 2012. http://www.privacy.gov.au/law/act#.

P. Ohm, The argument against technology-neutral surveillance laws, Texas Law Review, 88 (2010) (2010), pp. 1685-1713

T. Pilgrim, Speech to biometrics institute privacy in Australia: challenges and opportunities, 27 May 2010, Amora Hotel Jamison, Sydney. p. 1–29, www.privacy.gov.au/materials/types/download/9516/7089 (2010)

Privacy Act 1988 (Cth). Commonwealth of Australia; 2 February, 2012. http://www.comlaw.gov.au/Details/C2011C00503/Download.

Privacy Amendment (Private Sector) Act 2000 (Cth), Privacy Amendment (Private Sector) Act 2000 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2004A00748/Download.

C. Reed, Taking sides on technology neutrality, SCRIPT-ed, 4 (3) (2007), pp. 263-284

M. Rix, Australia and the ‘war against terrorism’: terrorism, national security and human rights, [chapter 8], K. Michael, M.G. Michael (Eds.), The second workshop on the social implications of national security (from Dataveillance to Uberveillance and the Realpolitik of the Transparent Society), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics) and Centre for Transnational Crime Prevention (Faculty of Law), Wollongong, Australia (2007), pp. 97-112

S. Rodrick, Accessing telecommunications data for national security and law enforcement purposes, Federal Law Review, 37 (2009), pp. 375-415

G.D. Smith, Private eyes are watching you: with the implementation of the E-911 mandate, who will watch every move you make? Federal Communications Law Journal, 58 (2006), pp. 705-726

G.J. Stigler, The theory of economic regulation, The Bell Journal of Economics and Management Science, 2 (1971), pp. 3-21

Surveillance Devices Act 2004 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2011C00646/Download.

D. Svantesson, A legal method for solving issues of internet regulation, International Journal of Law and Information Technology, 19 (3) (2011), pp. 243-263

I. Székely, M.D. Szabó, B. Vissy, Regulating the future? Law, ethics, and emerging technologies, Journal of Information, Communication & Ethics in Society, 9 (3) (2011), pp. 180-194

Telecommunications (Interception and Access) Act 1979 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2012C00081/Download.

(Cth)Telecommunications Act 1997 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2012C00084/Download.

The ASIO Legislation Amendment Act 2003 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2004A01228/Download.

The Australian Security Intelligence Organisation Act 1979 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2011C00585/Download.

VLRC, Surveillance in public places consultation paper, Victorian Law Reform Commission, Melbourne (2009), http://www.lawreform.vic.gov.au/projects/surveillance-public-places/surveillance-public-places-consultation-paper

VLRC Surveillance in public places, Final report 18, Victorian Law Reform Commission, Melbourne (2010), http://www.lawreform.vic.gov.au/projects/surveillance-public-places/surveillance-public-places-final-report

H. Xu, H.H. Teo, B.Y.C. Tan, R. Agarwal, The role of push–pull technology in privacy calculus: the case of location-based services, Journal of Management Information Systems, 26 (3) (2009), pp. 135-173

Keywords: Location-based services, Regulation, Legislation, Law, Self-regulation, Co-regulation, Industry guidelines, Privacy, Australia

Citation: Roba Abbas, Katina Michael, M.G. Michael, Rob Nicholls, Sketching and validating the location-based services (LBS) regulatory framework in Australia, Computer Law & Security Review, Vol. 29, No. 5, October 2013, pp. 576-589, DOI: https://doi.org/10.1016/j.clsr.2013.07.014