Private sector privacy:
Problems of interpretation

Australia's long and winding road toward information privacy legislation covering the private sector reached a destination in December 2000 with the passage of the Privacy Amendment (Private Sector) Act 2000 (Cth). For many who had travelled along this journey it was in many respects the wrong destination [1], but now that we have all reached it, there is little prospect of moving anywhere else for a while.

The time for political debate concerning what should be covered by the Act has passed for the moment [2], and it is time to 'get used to' what is covered by the newly amended Privacy Act 1988[3]. This paper seeks to identify and discuss a range of issues where interpretation of the Act is likely to be difficult or contentious (in the sense of having unexpected consequences). Special attention is given to problems which may affect e-commerce.

Some of the issues considered in this paper are not peculiar to the new privacy sector coverage, but are unresolved matters which also affect the Act's public sector coverage.

2. Problems in interpreting the 'National Privacy Principles'

2.1. Obligations of private sector organisations - The NPPs

The substantive privacy obligations of private sector organisations are principally contained in the ten 'National Privacy Principles' (NPPs) in Schedule 3 of the Act.

The ill-considered legislative history of the NPPs

The NPPs were developed by the former Commonwealth Privacy Commissioner, Moira Scollay, and have a complex and controversial history [4]. They were not developed through anything resembling a normal process of considered law reform. The following factors should be borne in mind:

The Commissioner's consultations with a limited group or business and consumer advocates did not lead to consensus, even within all the organisations and individuals involved in the discussions. The NPPs, which emerged from this process, are best considered as a set of Principles that Commissioner Scollay considered would provide a reasonable level of privacy protection, and one that embodied many points of consensus. Insofar as is known, the Commissioner (who was not a lawyer) did not obtain advice from Parliamentary Counsel on their drafting, no doubt because their principal intended use at that time was as a basis of self-regulation, not legislation.
The 'Core Consultative Group' that met in 1999 to consider the Government's original proposals leading to this legislation did not consider the NPPs, as the Government considered these to be non-negotiable.
It appears that the NPPs were not considered by Parliamentary Counsel, as the NPPs in the Act are identical with those released by the Commissioner.
The NPPs were not the subject of Parliamentary debate during the passage of the Bill, and the two Parliamentary Committees that examined the Bill gave them scant attention, with detailed attention limited to the 'direct marketing exemption' in NPP 2.
Victoria has included the NPPs (with minor changes relating mainly to public sector coverage) as the substantive core of its Information Privacy Act 2000 covering the Victorian public sector [5], but essentially accepted the NPPs as a given .

This legislative history of ill-consideration may explain some of the vices, virtues, and occasional obscurity of the NPPs.

In the following discussion of each NPP, there is first a 'plain English' summary of the NPP which should not be relied on in substitution for the wording of the NPP, but may provide a useful overview.

2.2. NPP 1 Collection

Summary - An organisation may only collect personal information which is necessary for its activities; only by lawful and fair means and not in an unreasonably intrusive way. Wherever reasonable, an organisation must collect personal information about a person only from that person, and must make the person aware of the purpose of collection, any laws requiring the collection, the organisations to which the information is usually disclosed, and other matters. If personal information is collected from a third party, the organisation must still take steps to inform the person about the collection and these matters.

What is 'collection'?

'Collect' is not defined in the Act. NPP 1 only applies to information collected after the commencement of the Act (s16C).

Can information be 'collected' even if it is not 'solicited' or requested by the organisation collecting it? Gunning points out [6] that the wording of IPPs 2 and 3 in s14 [7] implies a distinction between 'collect' and 'solicit' (with 'collect' being the broader term). Normal principles of statutory interpretation would lead to the conclusion that 'collect' has the same meaning in the NPPs.

However, Gunning argues that, insofar as the NPPs are concerned, 'the better view is that the organisation does not "collect" personal information merely by receiving unsolicited information'. He doesn't think NPPs 1.1 (collection necessary for a purpose), or 1.2 (fair means) could apply to unsolicited information, or that Parliament could have intended 1.3 (requirements to notify) to apply. Also, NPP 2.1 assumes that there is a purpose of collection which limits use and disclosure.

This reasoning is questionable, because it does not give sufficient weight to the fact that the Act, for the purposes of the NPPs, only applies to the collection of information 'if the information is collected for inclusion in a record or a generally available publication' (s16B). Mere receipt of information therefore does not make the Act applicable, there must be at least an intention formed by the recipient to 'include' (which could encompass 'retain') the information 'in a record or a generally available publication'. I suggest that at this point 'collection' of unsolicited information takes place, and the collector must have a purpose of collection (NPP 1.1) and disclose that purpose and other information to the subject (NPP 1.3). Otherwise, they can always dispose of the information.

In a nutshell, this means that any information retained in a record or generally available publication will have been collected, no matter how it was received, an interpretation which avoids hair-splitting about what is solicited and what is not. It is also consistent with the usage of 'collect' in IPP 1.

This might still mean that unsolicited written information could be read before immediate disposal, and it would not have been collected, but that is a more minor exception.

Information 'volunteered' by a customer or web site visitor will therefore be collected, as will information about person A volunteered by person B.

E-commerce examples

Some examples of the effect of NPP 1 on e-commerce activities are:

Whenever a person's name or other clearly identifying details are collected by a web site (eg by requiring a user to log in), the range of disclosures required by NPP 1 will be necessary. It is hard to see why such disclosures would not be 'reasonable', and the more difficult questions are likely to concern what forms of notice will be sufficient (eg links to web pages containing notices, which the user may or may not follow).
If machine addresses of people browsing web pages are personal information in a particular context because they are being used with identified data, then the disclosure obligations will apply whenever a person browses a web page. A practical difficulty here is that web users may (usually) browse to any page on a web site, and do not necessarily start at some `front page', so questions of how to provide adequate notice - and avoid giving it repeatedly to the same person - raise difficulties not found in other contexts.
If a company collects identified information from a third party, such as email addresses of potential customers, it seems that they will have to email these people to tell them they have collected the information, as these would be 'reasonable' steps.

Lack of a purpose justification principle

The 'purpose or activities' for which personal information may be collected are not further defined. The NPPs do not contain any 'purpose justification principle' (called 'prior justification' in the Australian Privacy Charter). 'Purpose justification' essentially means that there should be some test of public interest which is satisfied before a personal information system is established at all. None of the existing privacy principles requires system operators to have 'legitimate' purposes for establishing a system, but instead they measure privacy protection against how well it adheres to the original purpose for which the system operator declared that it collected the information, which the Europeans call the 'finality' test.

There is a form of 'purpose justification' principle in the European privacy Directive [8]. Perhaps the first privacy legislation outside Europe to give some recognition to such a principle is s5(3) of the new Canadian Personal Information Protection and Electronic Documents Act 1999, which requires '(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.' [9]

The limit on collection limits the purposes for which systems may be developed by a form of public interest test. This has no counterpart in the Australian Bill.

2.3. NPP 2 Use and disclosure

Summary - An organisation may only use or disclose personal information for the purpose for which it was collected (the primary purpose), except for a use or disclosure (the secondary purpose) that the person would reasonably expect, or where the person has consented. Personal information may be used for the secondary purpose of direct marketing (even where this is not within a person's reasonable expectations) where it is impracticable for the organisation to seek the person's consent before that particular use, the person has been given an opportunity when first contacted to 'opt-out' from receiving further direct marketing communications, but the person has not opted out. There are special rules for sensitive information, and many other exceptions for health information, protection of individual and public health, other uses authorised by law, prevention, investigation and enforcement concerning breaches of the law, and similar matters.

The general test for secondary use and disclosure is the 'reasonable expectations' test.

Does 'disclosure' include information already known?

Gunning found [10] that the leading authorities on the meaning of 'disclose'[11] held that a person only 'discloses' information to another person when the recipient was not previously aware of that information, and that the one case to the contrary [12] could be explained by the mischief the offence was designed to protect against.

He concludes that in relation to the Privacy Act 'it is hard to see any reason why "disclose" should not be interpreted in accordance with its ordinary meaning". How does it enhance your privacy to prevent an organisation from telling someone else something about you they already know? But he points out that this means that a complainant under NPP 2 would have to 'establish that the recipient of the information was not previously aware of that information', though he believes that this would not matter much in the type of inquisitorial procedures followed by the Commissioner.

However, if this interpretation places an impossible task before the complainant, that is in itself good reason to prefer the alternative interpretation. The only consequence is likely to be that if the organisation complained about shows that it already knew the information (which it is uniquely well placed to do), the complainant is likely to be refused any damages by the Commissioner, or any injunction by a Court. This would lead to a much more fair result. I suggest that the better view is therefore that 'disclose' in the Privacy Act does include revealing information already known.

Does 'use' include merely looking?

In R v Brown [1996] 1 AC 543 the House of Lords considered the meaning of 'use' in the context of the UK Data Protection Act 1984. There was evidence that a police office had looked at a person's record in the police national computer database, apparently on behalf of a debt-collector friend, but there was no evidence that he had disclosed the information to anyone else, nor that he had made any other use of the information. The House of Lords held that 'use' was to be given its normal meaning of 'to employ for a purpose', and that merely looking at data in a computer was not a use in itself. This view may well be taken on the meaning of 'use' in the various pieces of Australian legislation that use the term [13].

This interpretation has significant consequences for the rights of access and correction to 'existing information' (discussed later), because those rights only arise if the information is used or disclosed.

The direct marketing opt-out provision

The direct marketing exception NPP 2.1(c) which allows direct marketing for secondary purposes was ambiguous in its use of the words 'at the time of first contact' in that it could require an organisation to give a person the opportunity to opt out each time a direct marketing offer is made to them (the strong interpretation), or only on the first occasion that the organisation sends a direct marketing offer to the person (the weak interpretation).

The Government adopted a House of Representatives Committee recommendation (supported by many submissions) to clarify NPP 2.1(c) so that it provides that the opportunity to opt-out of further direct marketing must be provided every time a marketing communication is sent, not just the first time. There will also be mandatory inclusions in the form of the opt-out offer, to avoid it being made difficult for consumers to contact the business.

Few checks on intra-corporate spamming

The House of Representatives Committee's approach to the provision allowing related corporations to disclose information between each other (new s13B) is that it is not as dangerous as it looks. The Committee was partly correct [14]. As they note (para. 9.23), NPP 2.3 means that although the related corporations provision allows information to be disclosed by corporation A to related corporation B, it is the primary purpose of collection of corporation A that determines what use corporation B can make of the information according to the 'reasonable expectations' test. This is generally true, but not (as was pointed out to the Committee) in relation to the direct marketing exception in NPP 2.3(c), which is why corporate groups are so keen on this provision. In our example, B can send direct marketing to A's customers (with an opt-out of course) without worrying about why A collected the information.

2.4. NPP 3 Data quality

Summary - An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Examples related to e-commerce:

If personal information is collected from a third party, then it may be necessary to take reasonable steps to check its accuracy etc before using it. The nature and source of the information would help determine what (if anything) is reasonable.
Before old information about a person is used, it might be necessary to check with the person whether there is more up-to-date information.

It is important that NPP 3 applies to the use and disclosure of pre-existing information (new s16C). Although NPP 2 does not apply, and therefore use and disclosure of pre-existing information cannot be prevented directly, the organisation will have to take care when using or disclosing the old information that it is accurate, complete and up-to-date.

2.5. NPP 4 Data security (and destruction)

Summary - An organisation must take reasonable steps to protect personal information from misuse, loss or unauthorised access, modification or disclosure. An organisation must destroy or permanently de-identify personal information if it is no longer needed for any purpose under NPP 2.

Examples related to e-commerce:

The Treasury has been held by the Commissioner to be in breach of the equivalent principle applying to Commonwealth agencies (IPP 4) for its failure to maintain the security of personal information on its GST Assist web site, resulting in disclosure of 20,000 BSB and bank account numbers (October 2000)[15].
As in the above example, although it is possible that a hacker may face criminal prosecution for breaches of website security, this would not prevent the site operator from being held to be in breach of the security principle, NPP 4.

The destruction principle may be relatively easy to avoid if possible secondary uses can be taken into account, but we could expect that at a minimum the organisation must at least apply its mind to the question periodically.

2.6. NPP 5 Openness (of personal information policies)

Summary - An organisation must document its policies on its management of personal information and make the document available to anyone who asks for it. On request it must provide general information about what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

NPP 5 does not concern a person's access to their own file, which is covered by NPP 6. Anyone can find out about a company's personal information policies under NPP 5, whether the company holds information about them or not.

This principle is likely to be of considerable use to consumer and civil liberties groups.

Examples related to e-commerce:

A web-based business could be required to disclose what personal information collected by it is disclosed to third parties (which happens under IPP 2 on an individual basis), and also what personal information it collects from third parties and what it uses it for.

2.7. NPP 6 Access and correction

Summary - A person generally has a right of access to personal information held by an organisation about him or her, subject to a list of exceptions. If an exception applies, the organisation must consider the use of a mutually agreed intermediary. If a person is able to establish that information about him or her is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information. In any event, the person has a right to the addition of a statement claiming that information is incorrect.

It is significant that NPP 6 requires intermediary access to be considered, even if the implementation of the principle is rather weak. The availability of intermediary access blunts the extent to the exceptions to access and disclosure.

Onus of proof of correctness

NPP 6.5 surprisingly limits the scope of the correction right to where 'the individual is able to establish that the information is not accurate, complete and up-to-date'. Placing the onus of proof on the individual is an unusual, anti-consumer aspect of the NPPs. In contrast, IPP 7 places the obligation on Commonwealth government agencies to make corrections etc 'reasonable to ensure' that information is accurate, complete, up-to-date etc.

2.8. NPP 7 Identifiers

Summary - Organisations must not use as their own identifiers any personal identifiers assigned by Commonwealth government agencies, and must not use or disclose such identifiers (with limited exceptions).

For example, except if authorised by another law, a Medicare number cannot be used as an identifier by an insurance company or a doctor. It cannot be used or disclosed for any purpose except as authorised by law or for the purpose of dealings with the Health Insurance Commission.

There is an additional exception to this principle for the Australian Business Number (ABN), and for other exceptions to be prescribed.

In contrast, NPP 7 has no effect on the use or disclosure of a driver's licence number issued by a State government (but it may have under the Victorian Act, at least in Victoria).

2.9. NPP 8 Anonymity

Summary - A person must have the option of not identifying himself or herself when entering transactions with an organisation wherever this is lawful and practicable.

This principle, which derives from the Australian Privacy Charter [16] (and indirectly from the German 'Multimedia privacy law'[17]), is innovative and unprecedented in sets of information privacy principles. Its implications for design of new IT systems may be substantial.

An example of when anonymity is 'practicable' is in the operation of transport payment systems such as stored value cards or tokens to pay for passage through toll roads or to pay for journeys on buses or trams. If tokens and cards are designed so that a person is always identifiable when using such a facility, this is likely to breach NPP 8.

Anonymity will not be practicable in such transactions as taking out insurance.

A major issue which will have to be resolved is whether it is legitimate for companies to design facilities such as web sites which require the disclosure of personal information as a condition of use. For example, if digital cash (in the sense of an anonymous digital payment system) becomes in common use, and it is technically possible to allow anonymous use of a web facility, will NPP 8 therefore mean that the option of paying some reasonable price premium for anonymous access must be offered in lieu of requiring disclosure of personal information in return for access?

The principle is somewhat restrictive in that it only refers to anonymity not pseudonymity. For example, it can be argued that Certification Authorities (CAs) should offer to issue digital signatures under people's pseudonyms, but not anonymously. This approach has been used by the Government Public Key Authority (GPKA) as a principle for authorising CAs.

2.10. NPP 9 Transborder data flows

Summary - An organisation in Australia may only transfer personal information to someone else in a foreign country if it reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles substantially similar to the NPPs. Transfers may also be made to organisations that have taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs, and for four other reasons.

The question of reasonable belief could be deal with by the Privacy Commissioner publishing a 'white list' of overseas laws, schemes and model contracts which the Commissioner considers are substantially similar and are 'effective'.

For example, what belief is reasonable about the US government's 'Safe Harbor' scheme?

Although a Commissioner's 'white list' might be a basis for a 'reasonable belief', the Act does not make any such device determinative. If there was well publicised evidence, for example, that the 'Safe Harbor' scheme was not being enforced in the USA.

Weak control over onward transfers

NPP 9 prohibits 'transfers' of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of six conditions (a) - (e) is satisfied.

If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.

It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2 limiting disclosures for secondary uses must also be complied with.

Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. However, where it is to the same organisation, there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.

The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.

Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.

Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.

Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious. Condition (f), however, is much weaker than anything found in the Directive:

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.

The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), means that there is real danger that personal information will be exported from Australia under conditions which give little protection to privacy.

The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.

2.11. NPP 10 Sensitive information (Collection limitations)

Summary - An organisation must not collect sensitive information unless the person has consented, or the collection is required by law, or in limited other circumstances. Special rules apply to health information.

NPP 10 is best seen as part of NPP 1.

'Sensitive information' means (s6(1) definition): (a) personal information that is information or an opinion about an individual's: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; or (b) health information about an individual.

2.12. Application of NPPs to existing information

'Existing information' can be used to refer to any information collected up to 21 December 2001. Existing information is not subject to the use and disclosure limits of NPP 2 (s16C(1A)). It is subject to access and correction rights, but only when and if it is 'used or disclosed' (s16C(3), and only then if this is not unreasonably administratively burdensome or expensive.

NPP 4 (data quality), NPP 5 (openness), NPP7 (security and retention) and NPP 9 (transborder data flows) apply irrespective of when the information was collected.

3. Problems of coverage: Gaps and abuses

[18]

3.1. What is 'personal information'?

]The Privacy Act's protections only apply to 'personal information', defined as any information `about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion' in question (s6). In many cyberspace transactions, what will constitute `personal information' is problematic, and this may have a severe effect on the applicability of both the NPPs and the IPPs.

When can a person's identity be 'reasonably ascertained'?

If a person's identity is apparent or obvious from information, then it is clearly personal information. The difficult question arises when the item of information in question does not in itself explicitly identify the person concerned, but where some other source of information must also be consulted in order to identify the person concerned.

The definition in the Australian legislation is unusual in saying that the reasonable ascertaining of identity must be from the information or opinion'. However, the definition does not say that the person's identify must be able to be ascertained solely from the information concerned, it should not be interpreted this way. If it did mean that, then in any system which stored substantive information according to (and containing) a person's identification number, but kept a separate master file containing only ID numbers and identification details, the substantive information plus ID number would not constitute 'personal information' and attract the protections of the Act (security, access etc).

The better view is therefore that other sources of information may be taken into account. I suggest it is a question of fact in any given situation whether an individual's identity can be ascertained, and it is a further question of fact whether it can `reasonably' be so ascertained. Information that one person may easily be able to obtain may be completely inaccessible to another person. Who must be able to 'reasonably ascertain' a person's identity before there is personal information? The most obvious answer is 'the person who may have breached the NPP in question'. This seems clear enough when we are talking about the NPPs concerning collection, use or the provision of access to personal information, but it could lead to surprising results in the case of NPP 2 dealing with disclosure, as the question will be 'is it personal information in the hands of the person disclosing the information?', not 'is it personal information in the hands of the person receiving it?'.

On a similar point, the meaning of 'personal data collection' under Hong Kong's Personal Data (Privacy) Ordinance was considered by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692, and has been the subject of commentary [19]. A press photographer took a photo of an unknown woman in a public place, which his employer's magazine published, without identifying the woman but ridiculing her dress sense ('Japanese Mushroom Head'). The main issue before the Court was whether the publisher had collected personal data using unfair means. The majority of the Court (Ribero JA and Godfrey VP) concluded that this was not personal data collection because the data user was not 'compiling information about an identified person or about a person whom the data user intends or seeks to identify' (emphasis added).

Gunning treats Eastweek as a case on the meaning of 'collection', but I think it makes more sense to read it as a case on the meaning of 'personal data' ('personal information' under the Australian legislation). On this approach, if Eastweek was followed in Australia it would be necessary to assess an information collector's intentions to identify a person before it was possible to determine whether the information they collected was 'personal information'[20].

A case like Eastweek would raise the question under the Australian legislation: 'Is it personal information if you have no intention of ascertaining the person's identity, even if you could do so with reasonable ease?' Gunning gives good examples of where this could be important (though he considers them as questions of 'collection'):

Is an web site that shows continuous filming of a public space not collecting personal information because the operators have no intention to identify the persons concerned?
Is a security camera in a building capturing personal information because there is an intention to identify where occasion arises?

Personal information in cyberspace

It is not clear when the most basic cyberspace identifiers - a-mail addresses and machine addresses - will constitute 'personal information'.

E-mail addresses There are at least four possibilities even in the easiest case, that of e-mail addresses:

Although even an obviously personal e-mail account (eg `g.greenleaf@unsw.edu.au') could be in use by someone else, it would be difficult to argue that collection of transactional information attached to such an address was not `about' some individual (even if the wrong individual was apparently identified).
Many e-mail addresses are apparently those of corporate entities (eg `unsw@unsw.edu.au'), and the IPPs will simply not apply.
Other account names (eg `graham@austlii.edu.au') will not identify any individual without further information. Other sources of information may be taken into account (as argued above), and the existence of internet directories which match names and e-mail addresses may well mean that identity can be `reasonably' ascertained.
Other e-mail addresses are neutral on their face (egs `management@ibm.com', `feedback@austlii.edu.au', `wombat@magna.com.au'), and they may or may not in fact be identifiable with individuals on further enquiry. Consistent with the above approach, it would seem that such addresses are personal information if they can in fact be used to identify a person.

It is therefore a question of fact whether an individual's identity can be ascertained (though only with a degree of probability) from transactional details where only an e-mail address was collected, and it is a further question of fact whether it can `reasonably' be so ascertained.

Machine addresses Every computer connected to the internet has unique addresses (its numerical `IP address' such as 193.110.35.8, and its name under the Domain Name System such as bondi.austlii.ed.au). This applies equally to computers which have many users (either simultaneously or singly) and machines which normally have only a single user (such as on a person's desk at work or home). These addresses are the basis of some internet protocols, most importantly the hypertext transmission protocol (http) which is the basis of the world-wide-web. Machine addresses (eg `law34.law.unsw.edu.au' or `arkady.austlii.edu.au') rarely directly identify a person, though this is not impossible [21].

It is therefore a question of fact whether an individual's identity can be ascertained (though only with a degree of probability) from transactional details where only a machine address was collected, and it is a further question of fact whether it can `reasonably' be so ascertained. There are as yet no generally accessible internet facilities to match machine addresses with individuals. However, it would not be difficult for any police, private investigator or other person to make enquiries to determine who (if anyone) was the predominant user of a particular computer.

This type of argument applies to the use of cookies, and probably makes the contents of the cookie 'personal information'. It also applies to the use of single pixel gifs for monitoring web use.

Conclusion Some Internet businesses now attempt to match information captured from transactions (such as email addresses and machine addresses) with identified individuals (and demographic information about them)[22]. Will any e-business that uses this identified data from third parties to identify those with whom they deal via the internet only via IP addresses or email addresses find that those addresses now constitute 'personal information'?

The scope of the Privacy Act's definition of `personal information' is at present uncertain in its application to cyberspace, and will require clarification by legislation or litigation if the principles in the Act are to have any consistent or sensible application to cyberspace and e-commerce.

More fundamentally, the approach of this definition misses the point to some extent. Information about the interests, understanding or consumption habits of a particular person can be and are aggregated by an internet service provider (particularly providers of advertisements to multiple sites), by use of e-mail or machine addresses, for purposes such as e-mailing customised direct marketing materials to that address, or to customise the appearance of a web page so as to appeal most to requests which come from a particular machine address. In one sense it makes no difference whether the ISP can `reasonably ascertain' the identity of the person who is associated with either the e-mail address or the http request, because the information about their consumption habits has been aggregated and used to market back to them, without them necessarily being aware of this or having consented to it. More serious consequences may also follow from such aggregation, such as decisions to limit access, or to deny some goods or services. If the definition of `personal information' excludes such activity, IPPs will be very weak in cyberspace. The definition of 'personal information' in the Act needs to be amended to include wording such as 'any information which enables interactions with an individual on a personalised basis'. This is not likely to happen for some time.

3.2. Extra-territorial application - 'Australian' businesses overseas

The Act aims to stop avoidance of its provisions by moving personal information overseas. In summary, s5B gives almost all of the Act extra-territorial operation in relation to information about an Australian citizen or resident, provided one of two types of nexus is satisfied:

An organisational link with Australia - The organisation must be an Australian citizen or resident, or a partnership, trust or company formed here, or an unincorporated association managed and controlled here; or
An operational link with Australia - The organisation carries on business here, or the personal information was collected or held here by that organisation either before or at the time of the action about which a complaint is made.

The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.

If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian legislation (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.

The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first, and could easily catch in its net some overseas e-commerce operators:

What will constitute 'carrying on business' in Australia? Will web sites that have a substantial number of Australian customers, or who send email to a list of customers including Australians be 'carrying on business' here? In areas of law such as passing off and trade marks a relatively small connection with Australia has been sufficient to constitute 'carrying on business'.
When will information be 'collected ... in Australia' ? For example, if a person in Australia fills out a form on a web page of a US business (the server for which is in the US), when the form is being filled out it is on the user's computer in Australia, prior to the data being transferred to the US server. Where is the information 'collected'? This is less clear that the EU Directive, which includes in its scope data collection which 'makes use of equipment' in an EU country (A 4(1)(c)). The better view would be that the 'collection' only takes place on the US server, but while this remains unresolved the possibility of considerable extra-territorial scope remains.

In contrast, it may be less extensive than it needs to be, because s5B does not extend the protection of the Act concerning extra-territorial practices of Australian businesses to benefit anyone who is not an Australian. Therefore, EU or US citizens are unprotected against their data being exported to Australian businesses in privacy-unfriendly foreign countries [23].

Overseas customers dealing with Australian businesses

The converse situation is the question of when will overseas non-Australian customers dealing with Australian web sites be able to use the Australian legislation to assert their privacy rights? The new s5B is not relevant because it only applies to Australian citizens or permanent residents. However, the non-Australian complainant will normally be able to take action simply because the actions complained of take place in Australia, and the Privacy Act does not generally require Australian citizenship or permanent residence as a condition of action.

Australian businesses involved in e-commerce will therefore generally have to treat the personal information of their overseas clients with the same care as their Australian clients. The exception to this is s41(4) of the Act, which limits correction of personal information (NPP 6 or IPP 7) to Australian citizens and permanent residents, in both the prior Act and the new amendments.

[24]

3.3. The `small' business operator (SBO) exemption

]`Small business operators' (SBOs) are exempt from all of the National Privacy Principles (NPPs), provided they do not sell, buy or trade personal information (to put it roughly), or fall into a couple of other narrow exceptions. In essence a SBO is one that carries on one or more 'small' businesses, none of which have an annual turnover of more than $3M.

The government has estimated that 94% of Australian businesses would come within the $3M threshold [25], so the Act will only apply to 6% of all Australian businesses, plus a further unknown percentage that trade in personal information. What percentage of consumer transactions these 94% of businesses are responsible for was not stated [26]. Similarly, the Internet Industry Association estimated that 95% of Australian Internet businesses would be exempt [27].

In the e-commerce context the breadth of this exemption may lead to abuses. The Internet allows quite small businesses to deal with extremely large quantities of personal information, and the rapid dissemination of information possible via the Internet means that harm caused by incorrect or improperly disclosed information can spread rapidly. There is no obvious correlation between the size of an Internet business or activity and the harm that can be done to people's privacy.

The provisions in the Bill will commence twelve months after assent (cl 2), but there is a further delay of twelve months for small businesses, whether or not they are exempt (new s16D).

The 'privacy free zone' - the effect of the SBO exemption

Businesses that come within the `privacy free zone' of the `small' business exemption are then able to abuse people's privacy in the ways listed below (unless some law other than the Privacy Act prevents this):

to collect personal information without saying what they will use it for, including by unfair and obtrusive means, and without disclosing they are collecting it (despite NPP 1);
to use the information for any purpose within the organisation, not matter how unrelated it is to the purpose for which the information was collected, including using it for direct marketing without providing any opportunity for recipients to opt out (despite NPP 2);
to hold the information with no security at all, no matter how sensitive it is (despite NPP 4);
to hold and use incorrect, out-of-date and misleading information (despite NPP 3), and to refuse to allow the individuals concerned to have access to it or to correct it (despite NPP 6).
These blanket exemptions even apply all the types of `sensitive' information, with the exception of health information (despite NPP 10).

The fragile exemption - How businesses can lose it

A business will lose its status as a 'small business operator' (SBO) if (under s6D(4)) at any time it:

(c) discloses personal information about another individual 'to anyone else' for a benefit, service or advantage; or (d) provides a benefit, service or advantage to collect personal information about another individual 'from anyone else'.

SBO status will also be lost by anyone who holds health information and provides a health service, and anyone who is a contracted service provider for a Commonwealth contract (s6D(4)).

It appears from s6D(4) that it is only necessary for a business to disclose or collect information under these circumstances on one occasion for it to lose its exempt status. One disclosure in return for some advantage would be sufficient for the business to lose its exempt status in relation to all information.

SBO status is not lost because of collection with the consent of the person concerned (s6D(8)). However, collection of personal information from a third party for any form or consideration, or collection of personal information (perhaps including an IP address or email address) from a person without their consent, still poses the risk that even one occurrence can cause the loss of exempt status for the whole business.

The fragility of the SBO exemption has these consequences:

The basis on which the exemption is or is not available seems to bear little relationship to the likelihood of harm to people's privacy. It is a random basis for exemption. If the exemption is lost in an equally capricious way, businesses can hardly complain.
It will be very difficult for a consumer, the business itself, or its advisers, to have any real idea whether it is or is not exempt from the Act. Litigation will probably often be able to turn up one instance of disclosure or collection for consideration sufficient to destroy exempt status.
If a business loses its small business status without realising it, this could easily lead to the businesses inadvertently breaching the Act in relation to many individuals because they did not realise they had previously done so in relation to one.
The position is worse is a SBO runs a number of small businesses, as discussed below. Loss of the exemption because of the actions of one of the businesses means that SBO status is lost irretrievably by all of the businesses.
Business advisers will have a complex task advising businesses what they have to do and avoid if they wish to retain their exempt status - and whether the safer course may simply be to 'opt in' to comply with the Act.

The ill-drafted exemption: How businesses can abuse it

A drafting deficiency in the SBO exemption allows avoidance by business operations with much larger turnovers of $3M. This loophole will allow a company or individual SBO to run a set of interconnected 'small' businesses (say with annual combined turnover $10M) based around major use of customer personal information, but with unrestricted swapping and use of that personal information within all units of the business, and still to escape completely from the operation of the Act.

First it is necessary to understand how small businesses operated by the same SBO can swap personal information:

A 'small business operator' (SBO), not a 'small business', is the entity exempted from the operation of the Act, because the definition of 'organisation' excludes a 'small business operator' (s6C). Since only 'organisations' (in the private sector) are obliged to comply with the Act, small business operators ('SBOs') are therefore exempt from complying with the Act.
The definition of a 'small business operator' says a SBO 'carries on one or more small businesses' (s6D(3)(a)). A SBO could therefore carry on a number of businesses, let's call them 'YourInfo (Marketing)', 'YourInfo (Sales)' and 'YourInfo (Collections)'. If any of the businesses carried on by a company, individual etc is 'not a small business', then SBO status is lost (s6D(3)(b) . It is not possible for a business entity to carry on a 'large business' and to also be a SBO in relation to its other businesses. If you want to be a SBO, then all your businesses must be 'small' (ie turnover under $3M). Also, a corporation cannot be a SBO if it is related to a corporation that carries on a business that is 'not a small business' (s6D(9)).
The exemption as a 'small business operator' is lost if any of the businesses of a SBO 'discloses personal information ... to anyone else for a benefit, service or advantage' (s6D(4)(c)), as discussed above. The loophole is that disclosure of personal information between any of the businesses run by the SBO is not disclosure 'to anyone else', it is just disclosure to the same SBO (the fact it is between different businesses is irrelevant). Similarly, the collection of information from the other business does not cause the exemption to be lost because it is not collection 'from anyone else' (s6D(4)(d)). The 'fragility' of the SBO exemption is not endangered simply by swapping information between businesses under the same SBO.
The different businesses run by the SBO can use the personal information received from the other businesses for any purpose they like (since they are exempt from NPP 2), because only disclosure, not use, can cause loss of the SBO exemption.
This is so even if the use is completely unrelated to the purpose of collection, and if the information used is inaccurate, irrelevant, incomplete etc. The individuals concerned have no rights of access or correction. The businesses are still in the 'privacy-free zone'.

The Act is thought to place a ceiling of a $3M annual turnover on what is a 'small business', but the reasoning above opens up three distinct situations where the overall business operations of a SBO can be of unlimited financial size and still operate in the 'privacy free zone'. However, in considering these potential abuses, it must be remembered that it is possible for the government, by regulations, to prescribe that a class of small business operators must comply with the Act (s6E), and abuses of the SBO exemption could be countered in this way.

(i) Splitting a large business into small businesses before the Act commences

For existing businesses, the date at which it is determined whether a business is a small business, and therefore who is and is not a SBO, is the date of commencement of s6D (s6D(4)), which is December 21 2001 (not 21 December 2002, when then the s16D 'delayed application period' for small businesses ceases).

Until this Xmas, a large business could therefore be reorganised into a number of 'small' businesses, each with a turnover of less than $3M, which can be calculated pro-rata on the turnover of the 'new' small-business for the duration of this year (s6DA(2)). Whether this would be worth the costs and risks involved depends on how important it is to the business to stay outside the reach of privacy laws.

(ii) Splitting a business before it reaches the #3M threshold

If a business is approaching the $3M turnover limit, it can be split into a number of the smaller sub-businesses (eg 'YourInfo (Marketing)', 'YourInfo (Sales)' and 'YourInfo (Collections)'), and the annual turnover of the 'original' business and each of the new businesses can be kept under $3M (s6D(4)(a)9i) and s6DA(2)). The process is repeated as any of the new businesses approaches the threshold. As above, whether this would be worth the costs and risks involved depends on how important it is to the business to stay outside the reach of privacy laws.

(iii) Takeovers of one small business by another - Privacy-invasion can increase sale value

The potentilla for abuse of the SBO exemption is made even worse by the way in which it increases the sale value of small businesses that hold potentially valuable personal information, by encouraging the use of this information for interferences with privacy which would otherwise be illegal. This argument requires the following steps:

Many small businesses will hold personal information (often about their customers) which could be misused for purposes for which it was not provided by combining it with other personal information held by other businesses. However, the small business cannot do this, because it would involve disclosure of the information to someone else, which would cause loss of SBO status for both the disclosing business (s6D(4)(c)) and the collecting business (s6D(4)(d)).
At face value, the value of the small business will therefore not include any component based on the commercially valuable disclosure and use of this personal information, because such disclosure is illegal.
However, any SBO who buys the small business in question that has the valuable personal information (as opposed to buying the information) can immediately share all of this personal information with its other small businesses. The combining of the information held by all the businesses is now within the privacy-free zone.
If the combined annual turnover of the two businesses is greeted than $3M, it will be necessary to keep the new business as a separate business from the first (as discussed above), but the two small businesses owned by the same SBO will still be able to swap personal information.
Because of the SBO exemption, the sale value of a business that holds personal information can therefore be higher than its value as a stand-alone business, because what would be an illegal invasion of privacy by a stand-alone business (even a small business), becomes perfectly legal when one 'small' business buys another.

The moral is: don't buy personal information from a business, just buy the business. This Act therefore increases the takeover value of small businesses with privacy-invasive potential. The Act should not operate to distort market mechanisms in this way.

Industry codes, industry associations and small businesses

One of the innovative features of the Bill is the scope it gives in new Part IIIA for co-regulation through industry-based privacy codes. New s18BB allows the Commissioner to approve a privacy code only if satisfied that the code incorporates all the NPPs or sets out obligations that, 'overall, are at least the equivalent of all' of them. The code must also specify the organisations bound by the code or a way of determining them, and must only apply to organisations that consent to be bound. There must be adequate opportunities for public comment on a draft code (s18BB(2)(f)). Codes are not disallowable instruments so there is no opportunity for Parliamentary scrutiny, but this is not so important given that code standards must match those of the NPPs. There is to be a register of approved codes (new s18BG).

For example, a code could apply to all members of an industry association, if a condition of membership was consent to the application of the code.

An 'small' business that is exempt from NPP compliance cannot simply consent to be bound by a code. Only 'organisations' can be bound by a code (s18BB), and an entity that falls outside the definition of 'small business operator' is not an 'organisation' (s6C). An exempt small business must therefore both 'opt-in' to the Act (s6EA), and consent to being bound by a code, before the code has legal force in relation to that business.

Industry associations with codes will therefore need to be vigilant in ensuring that all their members are either not 'small' or have 'opted in', or both they and the relevant members could be involved in false and misleading conduct in falsely holding out compliance with enforceable privacy standards.

4. Problems with enforcement and transparency

4.1. Complaint-handling and appeals under codes

There can be different types of codes under Part IIIA. A code might only provide for a replacement for the NPPs, or it might only provide for an alternative complaints procedure, or it might provide for both.

If a code includes a complaints procedure, the Commissioner must be satisfied, among other things, that it provides for an 'independent adjudicator' (a 'code adjudicator').

Section 52 gives the Commissioner broad powers concerning determinations of complaints, including power to award damages. Section 52(b) (b)(ii) allows him or her to order reasonable acts to redress complaint; and (c) provides for compensation including injury to feelings; (3) expenses; and (3A) corrections and additions to records. In the 12 years of the Act's operation the Commissioner has made only a handful of s52 determinations [28], so little guidance is available on the exercise of these powers.

New s18BB requires that a code adjudicator must be able to make 'the same' 'determinations, findings, declarations, orders and directions' as the Commissioner can make under s52. Further, the code must oblige organisations bound by it to comply with those determinations etc, and to cooperate with the adjudicator (it cannot of course oblige anyone else to cooperate).

If there is an industry code in existence which is relevant to the act or practice complained of and which includes a complaints procedure, a complainant must take their complaint to the code adjudicator (new s36A), and cannot ask the Privacy Commissioner to investigate it at the outset.

There are now three ways in which the Privacy Commissioner can investigate complaints against private sector organisations:

If no industry code applies, only then can a complainant go directly to the Privacy Commissioner to request an investigation. In this case, the Commissioner's investigative powers and remedies are essentially the same as in relation to Commonwealth agencies.
The code adjudicator can refer a complaint made to it to the Commissioner for investigation, provided the Commissioner agrees and the Commissioner first consults the complainant (s40(1A)). This power of referral may be very valuable in cases where a code adjudicator does not have power to require a third party to cooperate with its investigations (but the Commissioner would have).
A dissatisfied complainant may apply to the Privacy Commissioner to review a determination by a code adjudicator (s18BI). This last-minute concession by the Government (to Opposition amendments) created in effect a right of appeal from code adjudicators to the Commissioner. This remedied (at least in part) two of the principal weaknesses in the code provisions of the Bill: (i) the lack of adequate investigative powers in code adjudicators; and (ii) the lack of any right of appeal from industry bodies. The remaining weakness is dealt with below

Organisations that are respondents to determinations made by the Commissioner under s52 or by a code adjudicator under a code must comply with the determination (new s55). The complainant, the Commissioner (for determinations made under s52) or a code adjudicator (for determinations made under a code) can commence proceedings in the Federal Court or the Federal Magistrates Court to enforce the determination (s55A).

4.2 Lack of appeals from Commissioner's decisions - a remaining weakness

The Act does not provide for any right of appeal against determinations by the Privacy Commissioner, both in relation to complaints against public sector bodies, and in relation to any of three ways in which private sector complaints can reach the Commissioner.

However, this does not affect complainants and complainees alike. Businesses complained about have in effect a right of appeal to the Federal Court on the merits of their case, whereas unsuccessful individual complainants will have no such right. This is unfair and biased.

As is currently the case under s55 of the Privacy Act, under the new ss55 and 55A, a determination of a complaint by a Code authority or by the Commissioner can only be enforced by proceedings in the Federal Court (or the new Federal Magistrates Court)[29], and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been conduct constituting an interference with privacy (s55A(5)).

As a result, all that a business has to do if it is aggrieved by the way in which a Code Complaints Body or the Privacy Commissioner has dealt with their complaint, is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. The complainant must then take the matter to the Federal Court, and the business can have the matter heard in full again. In effect, it obtains a right of appeal to a Court.

The problem is that an unsuccessful complainant has no such right of appeal - no right to have the matter heard de novo by any higher authority. They have no redress against a wrong interpretation of an Industry Code or the National Privacy Principles (or of other provisions of a Code or the Act), or of the wrong application of the law to the facts of the complainant's case. This is unfair and has the potential to bias the enforcement structure of the Act against consumers.

A determination will now be prima facie evidence of the facts upon which the determination is based (s55B(3)). It will be possible, however, for those facts to be challenged. This does not address the fundamental problem of unsuccessful complainants having no right of appeal, but is an improvement since the successful complainant is at least not put to proof of those facts all over again.

The defect is not, however, that businesses have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a Court or Tribunal if they wish to persist and run the risk of costs against them. The Privacy Act needs the benefit of occasional interpretation by the Courts on serious issues. Both the Privacy Commissioner's decisions and those of code adjudicators should also be subject to appeal where the issue is important enough. A right of appeal is unlikely to lead to a flood of cases. The Courts will only rarely hear a case concerning the Privacy Act, and only in cases where the code has been interpreted in favour of complainants and is therefore under attack by businesses.

Decisions of the Commissioner are subject to judicial review [30] . This will help ensure that the Commissioner observes procedural fairness, but does not address the problem of lack of appeal rights. It will also fail to provide justice to complainants where the complaint is that the Commissioner has misinterpreted the NPPs or a code, or applied them to the facts of the complaint in a dubious fashion, or has misinterpreted some other provision of the Act.

Riediger v Privacy Commissioner (Federal Court of Australia; Sackville J, 23 September 1998)[31], one of the few cases dealing with the Act, underlines this point. Sackville J, dismissing an application for judicial review under the ADJR Act of a decision by the Privacy Commissioner, stressed that 'an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant's complaints against either AVCO or OPTUS.'

4.3. Publication of Code decisions

It is of vital importance that the way in which code adjudicators handle complaints, and particularly how they decide the most important complaints (those that go to a full formal determination) is easily accessible to potential complainants and their advisers, and to those generally interested in the way in which the law is being interpreted by Code bodies.

Although there is now provision for appeals to the Commissioner from code adjudicators, it is likely that these will only be a small percentage of all complaints, with most being mediated successfully by code adjudicators, and others where a formal determination by the code adjudicator does not result in an appeal to the Commissioner.

There may be numerous code adjudicators, and it is possible that they may interpret the NPPs and other aspects of the law inconsistently unless the Commissioner and the interested public have effective means to find out what they are doing.

Formal determinations

New s18BB(3)(d) requires determinations (ie decisions on complaints) by Code authorities to be 'the same' as the Commissioner makes under s52, but it is not clear that this would require Code authorities to follow the Commissioner's practice of publishing such determinations. The Bill does not specifically require determinations to be in writing. These matters should be explicit in the terms of a Code.

If there is not full access to determinations, then there is no transparency of the Code process and no guarantee of its integrity. The Commissioner, when issuing guidelines in relation to dealing with complaints (s18BB(3)(ii)), and when approving codes (s18BB(3)), will need to ensure that:

Code authorities are required to make written determinations specifying the reasons for the determination, and to provide a public register of such determinations, and copies of determinations to anyone who asks for one.
Determinations by Code authorities are provided to the Privacy Commissioner when made, so that the Commissioner can publish them. Complainants should be anonymised where necessary. Code adjudicators may of course also wish to publish these determinations in their own publications and web sites.

Informal mediation

Most complaints will not be settled by formal determinations, but by informal mediation by the Code authority. However, even when complaints are settled by mediation, they are settled on the basis of an interpretation of the law (ie of the Code and of other aspects of the Act). For the same reasons as set out above, it is very important that this process has some transparency that will aid others to understand how the law is being interpreted. New s18BB(k) is unclear as to whether anything more than statistical recording of these complaints by Code authorities is necessary, and this is insufficient.

The Commissioner's Guidelines would also be very helpful here if they could:

Require code authorities to keep a brief summary of each complaint resolved without a determination, sufficient to identify the nature of the complaint, the Code provisions applied in resolving it, the nature of the settlement, and any issues of law which were raised in the complaint. Where necessary, both complainant and respondent may be anonymised.
Require the code authority to provide a copy of these summaries to the Commissioner at least annually, for publication by the Commissioner.

4.4. s98 injunctions - Surprise and misunderstanding

Although it is not possible to appeal from a determination by the Commissioner to a Court in relation to a complaint about the NPPs, it is possible to go direct to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the NPPs. Section 98 provides:

98 (1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court or the Federal Magistrates Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court's opinion it is desirable to do so, requiring the person to do any act or thing.

One notable feature is that both the Commissioner and 'any other person' can seek such injunctions, not just a complainant likely to be affected by the breach of the NPPs.

Courts have not in the past had an adequate appreciation that s98 is included in the Act. For example, in Ibarcena v Templar, Federal Court of Australia, Finn J [1999] FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction [32]. Similarly, in Goldie v Commonwealth of Australia Federal Court of Australia, [2000] FCA 1873, French J seemed to give an account of how complainants could come before a Court, but it omitted any mention of s98 injunctions [33].

Notes

[1] See Greenleaf G 'A Bill not worth supporting' (2000) 7 PLPR 44 for one summary of dissatisfaction.

[2] Labor proposed few amendments of substance to the Bill during its passage (see G Greenleaf (2000) 7 PLPR 125), so it is unrealistic to expect any major changes to privacy law for at least some time, even if there is a change of government at the next Federal election.

[3] A HTML version of the consolidated Act is available on my web pages at http://www2.austlii.edu.au/privacy/Privacy_Act_1988/

[4] See G Greenleaf and N Waters 'Putting the "National Principles" in context' (1998) 4 PLPR 161 and G Greenleaf 'Privacy and consumer organisations withhold endorsement of "National Principles" ' (1998) 5 PLPR 41, for one perspective.

[5] See G Greenleaf 'Victoria's Privacy Bill still sets the standard' (2000) 7 PLPR 21

[6] Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)

[7] The Information Privacy Principles (IPPs) applying to Commonwealth Government agencies.

[8] See the discussion in G Greenleaf 'Purposes' and the Directive' in 'Stopping surveillance: Beyond 'efficiency' and the OECD' (1996) 3 PLPR 148, available at <http://www2.austlii.edu.au/itlaw/articles/efficiency.html#Heading8>

[9] <http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_3/C-6_cover-E.html>

[10] Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)

[11] Bank of Credit and Commerce International (overseas) Ltd (in liq) v Price Waterhouse [1997 4 All ER 781; King v South Australian Psychological Board [1998] SASC 6621

[12] R v Glenys Ruth Scott [1996] SASC 5545

[13] cf Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming), who takes this view

[14] The Committee's recommendations would have imposed some checks on this intra-corporate spamming, if adopted. They wanted the Privacy Commissioner to issue guidelines (under NPP 1.3(d)) as to what companies should tell consumers about potential disclosures to their related corporations (Recommendation 21). It is a good point that, once a company has a disclosure practice to related corporations, NPP 1.3(d) requires its to be revealed during collection, but this cannot deal with the post-collection decision to disclose to a related corporation. The Committee also recommended that where corporation A has received personal information from a related corporation B that was exempt from NPP 1 when it collected the information (it might be a small business, or the information might be exempt employee information), corporation B will have to comply with NPP 1 before it discloses the information to A. In doing so, it would presumably have to inform the person concerned that his or her information was being disclosed to A. These recommendations were rejected by the Government.

[15] <http://www.smh.com.au/news/0010/18/text/national6.html>

[16] Tim Dixon'Privacy Charter sets new benchmark in privacy protection' (1995) 2 PLPR 41

[17] See L Bygrave 'Germany's Teleservices Data Protection Act' (1998) 5 PLPR 53

[18] An earlier version of this section was published as G Greenleaf 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114

[19] See Raymond Wacks 'Privacy and media intrusion: A new twist' (1999) 6 PLPR 48 (re first instance decision) ; Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming) (re Court of Appeal)

[20] Gunning treats this question as going to whether the information had been collected.

[21]However, IP address and the domain and sub-domain information (eg `austlii.edu.au') allow the geographical and system location of the computer to be identified, along with the identify of the person with delegated responsibility to allocate the machine's addresses.

[22] The controversy about DoubleClick in the USA concerned this type of service.

[23] See later concerning the significance of this for the EU privacy Directive.

[24] An earlier version of some of this part is in G Greenleaf 'Reps Committee protects the "privacy free zone" ' (2000) 7 PLPR 1

[25] House of Representatives Legal and Constitutional Committee Report, para 2.20

[26] The Committee only gives irrelevant percentages for total business activity (including business-to-business activity.

[27] See dissenting report of Senator Stott-Despoja for discussion

[28] See Determination: Secretary, Department of Defence 1 PLPR 152 and Determination: Minister for Administrative Services 1 PLPR 170 for two examples.

[29] The problem of enforcement of Privacy Commissioner's decisions arises from Brandy v Human Rights and Equal Opportunity Commission (1995) High Court (see Casenotes (1995) 2 PLPR 32) where it was held that, in to complaints against respondents other than the Commonwealth, the previous system for lodging HREOC determinations (including Privacy Act 1988 s52 determinations) in the Federal Court, whereupon they become binding, was an invalid exercise of the judicial power. The 'quick Brandy fix' was to revert to the old system of a de novo hearing in the Federal Court in order to enforce a determination by a HREOC Commissioner or the Privacy Commissioner. Unfortunately, one of the anomalies arising from that expedient is the unfair difference in de facto appeal rights outlined above.

[30] It was proposed that decisions of code adjudicators would be similarly subject to judicial review - see Schedule 2 of the Bill, amendment to the definition of 'enactment' in the Administrative Decisions (Judicial Review) Act 1977 (Cth). However, when their decisions became subject to review by the Commissioner, the provision for judicial review was also dropped.

[31] Federal Privacy Handbook |P85-005 (CCH)

[32] See Casenote by P Gunning (2001) 7 PLPR Issue 10 (forthcoming)

[33] ibid