Government tables new privacy legislation

Tim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)


Legislation to extend the Privacy Act to the private sector is now before the Australian Parliament, following the release of the Privacy Amendment (Private Sector) Bill 2000 by the Attorney-General Daryl Williams. The legislation is now being considered by a parliamentary committee and while some distance still needs to be covered before the final shape of the legislation is known, its general framework is unlikely to change.

Background to Current Privacy Legislation

The legislation is the latest stage in a long path towards national privacy legislation since the election of the Howard Government:

Coverage

The amendments to the Privacy Act 1988 extend a set of National Privacy Principles (NPPs) to the private sector. The NPPs were originally developed by the Privacy Commissioner in 1997 through a process of consultation with industry and consumer groups. In turning them into legislative provisions, the detail of these principles has been substantially expanded. The NPPs differ from the Information Privacy Principles (IPPs) which apply to Commonwealth Government agencies.

The National Privacy Principles set out minimum standards for the handling of personal information. These relate to:

The NPPs apply to all organisations (other than public sector organisations, which are already covered by the Information Privacy Principles). This includes a body corporate, an unincorporated association, a partnership, a trust or an individual. However, exceptions are granted to the following organisations:

Scope

The legislation will cover all types of personal information which are not publicly available but will exclude:
(i)     a holding company of another body corporate;
(ii)    a subsidiary of another body corporate;
(iii)   a subsidiary of a holding company of another body corporate.
Under section 46, a body corporate (in this section called the first body) is a subsidiary of another body corporate if, and only if:
(i)     the other body:
        (A)     controls the composition of the first body's board;
        (B)     controls more than one-half of the maximum number of possible votes at a general meeting of the first body; or
        (C)     holds more than one-half of the issued share capital of the first body; or
(ii)    the first body is a subsidiary of a subsidiary of the other body.

This might allow a large organisation with diverse businesses to pool its personal data collections without the knowledge of its customers. Restrictions still apply to the use and disclosure of this information, but an organisation which was able to conduct direct marketing to its customers could apparently conduct direct marketing in respect of all of the operations of its related bodies corporate.

The NPPs

The heart of the legislation is the National Privacy Principles. The NPPs are broadly similar to privacy principles embodied in privacy laws introduced throughout the industrialised world in recent years, broadly based on the 1980 OECD privacy principles. The principles impose restrictions on the collection, use and disclosure of personal information. They impose requirements relating to the quality and security of personal information as well as requiring openness about information practices and where practicable, giving individuals the option to remain anonymous in transactions. Individuals are given rights to access personal information, subject to restrictions. There are controls on the transfer of personal information to someone in a foreign country which does not have similar privacy protection. A higher standard of privacy protection is required for "sensitive information" - defined to include information about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, union membership, sexual preference or practices, criminal records and health information.

Privacy Codes

By default, the NPPs apply to organisations - that is, unless the organisation is a signatory to a voluntary code which has been approved by the Privacy Commissioner. The legislation thus leaves open the option of industry groups or individual firms developing their own codes of conduct in place of the NPPs. Codes can be developed by any organisation or group, but cannot impose a lower standard of privacy protection than the NPPs. Codes must be approved by the Privacy Commissioner after a process of consultation. The codes are intended to give the legislation maximum flexibility while retaining a consistent standard of privacy protection.

Enforcement

Once a code is in place, an individual who believes that the code has been breached may make a complaint to the organisation concerned. If it is not resolved satisfactorily, they may make a complaint to the Privacy Commissioner, or, if an independent adjudicator has been appointed to administer the code, they must make the complaint to that body. Breach of the NPPs can result in an order from either a code authority or the Privacy Commissioner to restrain an action, undertake an action, or give monetary compensation.

A decision to give an individual a remedy can be appealed in the Federal Magistrates Court, and can be enforced through the Court if it is not given effect. A decision against an individual cannot be appealed, although the decision itself is subject to the process of administrative review.

One of the key weaknesses in the enforcement mechanism is that, while code authorities will be required to submit an annual report on their complaint handling, there is no other mechanism for accountability in the decision-making process for handling complaints. There is, for example, no process for the Privacy Commissioner to issue binding rulings or interpretations, which may be needed because of the generality of many provisions of the legislation. This is especially a problem since individuals will have no general appeal right or recourse (other than a formal review under the Administrative Decisions (Judicial Review) Act 1977) if a code authority rules against a complainant. Under the ADJR Act, the review of the decision is restricted to review for errors of law and does not extend to review of the merits of a decision, such as the policy used in the decision making by a code authority and the weight given to primary evidence for the purpose of inferring factual conclusions. The ADJR Act will nevertheless allow individuals to obtain an explanation as to why an unfavourable decision was reached.

Conclusions

While there are strengths in the general framework of the legislation - a set of overarching principles which can be applied with some flexibility - the Bill is flawed by exemptions which are, by international standards, quite extraordinary. These exemptions create significant problems:
  • Given the complexity of the legislation and its broad exemptions, the Government will have a difficult time arguing that consumer confidence in ecommerce will be bolstered. For example, the overwhelming majority of Australian businesses have a general exemption from the legislation (subject to limitations) through the small business provision. Consumers will often not know whether the organisation they are dealing with is covered by the legislation or not. The complexity of the legislation is likely to add to confusion rather than create clarity. This is especially the case in the online environment when consumers have no pre-existing relationship or knowledge of companies with whom they may be doing business. Forrester Research in the United States has estimated that a lack of consumer confidence about the protection of personal information online resulted in a loss of $2.8 billion in potential ecommerce business last year. These concerns can be addressed directly with a world-standard privacy regime; but a confusing, compromised proposal such as this one will not overcome the lack of consumer confidence which continues to retard the growth of ecommerce in Australia.
  • The implications of this exemption are not entirely clear. For example, if a small business is involved in one transfer of information for some kind of benefit, does this mean that it is covered by the privacy legislation in respect of all of its holdings of personal information? Is it only covered in respect of the handling of that particular record? If it makes available a set of records for some kind of benefit to a third party at one point in time, for how long is that set of information records covered by the provisions of the Act? Likewise, does the fact that some information collected by an organisation is made available to the public mean that the organisation is exempted from the operation of the Act in respect of all other processes of collecting, using, handling and disclosing this information? If political parties are exempted from the legislation in relation to practices associated with elections, referenda or the political process generally, does this allow the political party to on-sell information to other organisations without the individual's consent? By creating so many broad exemptions, the legislation creates uncertainty in many
  • With such broad exemptions, Australia is unlikely to make it on to the anticipated European Union "White List" of countries whose privacy protection is "adequate", and with whom European businesses can confidently exchange personal information. This undermines Australian efforts to position itself as the leading data processing centre in the Asia Pacific, especially as Hong Kong and New Zealand both have privacy legislation which is likely to meet the EU standards.
  • The decentralised nature of the complaint handling process may result in the development of different interpretations and privacy standards. This could be especially difficult for some companies which may belong to a number of industry organisations and whose activities may extend across several industry sectors.

These issues are likely to receive a hearing through the parliamentary process as the legislation goes through the two Houses of Parliament. There is strong public support for legal protection for privacy: according to a 1999 Roy Morgan survey, 56% say that they are worried by invasion of privacy through new technology, and surveys consistently show more than four out of five people supporting privacy legislation for businesses. As yet, that public concern has not been fully reflected in the Government's legislative plans.

Tim Dixon is an associate at Baker & McKenzie in Sydney and is Chairman of the Australian Privacy Foundation.