Government tables new privacy legislation

Tim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)

Background to Current Privacy Legislation
Coverage
Scope
The NPPs
Privacy Codes
Enforcement
Conclusions

Legislation to extend the Privacy Act to the private sector is now before the Australian Parliament, following the release of the Privacy Amendment (Private Sector) Bill 2000 by the Attorney-General Daryl Williams. The legislation is now being considered by a parliamentary committee and while some distance still needs to be covered before the final shape of the legislation is known, its general framework is unlikely to change.

Background to Current Privacy Legislation

The legislation is the latest stage in a long path towards national privacy legislation since the election of the Howard Government:

Initially, the Coalition's 1996 election manifesto included a commitment to "world best" privacy legislation covering the private sector, and was critical of the slow response of the previous Government to public concerns over the erosion of personal privacy.
In September 1996 the Attorney-General, Daryl Williams, released a discussion paper on the proposed extension of the Privacy Act 1988 to the private sector. It involved extending the existing Information Privacy Principles to the private sector, with minimal changes to the overall regulatory regime. However, the Bill had several design flaws and this prompted intensive private lobbying for its abandonment by key industry groups.
In March 1997 the Prime Minister, Mr Howard, announced that the Government would not be extending privacy legislation to the private sector, citing the problem of the regulatory imposition of compliance for small businesses. Instead, the Prime Minister indicated that privacy should be dealt with under self-regulatory processes.
Over the course of 1997, the then Privacy Commissioner, Moira Scollay, initiated a consultation process in which industry groups, privacy experts, advocates and consumer organisations worked on the development of a set of privacy principles which could apply to businesses either through industry codes or national legislation.
In February 1998, the Privacy Commissioner launched the National Principles for the Fair Handling of Personal Information (generally known as the National Privacy Principles). Industry groups such as the Insurance Council of Australia, the Australian Direct Marketing Association, the Australian Communications Industry Forum and the Internet Industry Association sought to insert these principles (sometimes with some modifications) into their industry codes. A revised set of Principles was released in January 1999 after further consultations over the issue of exemptions for law enforcement agencies.
Between 1997 and 1998 the development of the internet and a growing number of well publicised privacy invasions gave increasing public profile to the privacy issue. A public campaign to extend privacy legislation to the private sector gained increasing support. By the second half of 1998, several industry groups were publicly and privately advocating the extension of the legislation to the private sector. The support of business groups was prompted by increasing concerns that in the absence of a consistent national scheme, a patchwork of different industry standards and legislation would emerge. This fear was heightened by the development of a Victorian Data Protection Bill for privacy protection which aimed to cover the public and private sector.
In December 1998 Attorney-General Daryl Williams and the Minister for Communications, Information Technology and the Arts Senator Richard Alston jointly announced that the government would implement a "light touch" extension of the Act to the private sector, which would provide for a default set of privacy standards in the absence of industry codes to be approved by the Privacy Commissioner. This legislative proposal was developed throughout 1999 through the Core Consultative Group, a similar group to that which was involved in the development of the National Privacy Principles.
In December 1999 the Government released Key Provisions of its Privacy Amendment (Private Sector) Bill 2000. After further public consultations the Government tabled the Bill in Parliament in April 2000.
The legislation went for review to the House of Representatives Committee on Legal and Constitutional Affairs during the May Budget sitting. The Committee will release its report on 19 June 2000 and it will still take some time before the Bill makes its way through the Senate, which is unlikely to complete its deliberations on the Bill until the spring session of Parliament. The amended legislation will then return to the House of Representatives, where its approval is uncertain.

Coverage

The amendments to the Privacy Act 1988 extend a set of National Privacy Principles (NPPs) to the private sector. The NPPs were originally developed by the Privacy Commissioner in 1997 through a process of consultation with industry and consumer groups. In turning them into legislative provisions, the detail of these principles has been substantially expanded. The NPPs differ from the Information Privacy Principles (IPPs) which apply to Commonwealth Government agencies.

The National Privacy Principles set out minimum standards for the handling of personal information. These relate to:

Collection of personal information: Collection must be necessary for an organisations activities, must be collected lawfully and fairly and as a general principle with the individual's consent.
Use and disclosure of personal information: As a general principle, information can only be used or disclosed for its original purpose unless the person has consented to its use or disclosure for another purpose. Exemptions apply to initial contact for direct marketing (if consent wasn't practicable originally) and other situations such as when there are issues of law enforcement, public safety or protecting the company from fraud.
Accuracy of personal information: Organisations must take reasonable steps to ensure that they keep personal information accurate, complete and up to date.
Security of personal information: Organisations must take reasonable steps to protect the personal information which they hold from misuse, loss unauthorised access, modification or disclosure.
Openness in relation to the organisations practices: Organisations which collect personal information must be able to document their practices and must make this information available on request.
Access and correction rights: As a general principle, organisations must give individuals access to their personal information and must allow them to correct it or explain something with which they disagree, unless disclosing this would have an unreasonable impact on someone else's privacy. This principle is subject to exemptions such as if this disclosure would compromise a fraud investigation.
Use of government identifiers: Organisations cannot use a government agency's identifier as its identifier. This would cover items such as drivers' licence numbers, Medicare numbers, a Tax File Number (which in my case is covered by other legislation) or any future identity numbers assigned by a government agency.
Anonymity: Organisations must give people the option of entering into transactions anonymously where it is lawful and practicable. For example, this would apply to travel on a bus but not to opening a bank account.
Restrictions on transborder data flows: As a general principle, organisations can only transfer the personal information about an individual to a foreign country if they believe that the information will be protected by a law or a contract which upholds privacy principles similar to the NPPs.
Special provision for sensitive personal information: A higher level of privacy protection applies to sensitive personal information, which includes information about a person's health, political or religious beliefs or affiliation, and sexual preference. This information must only be collected with the individual's consent.

The NPPs apply to all organisations (other than public sector organisations, which are already covered by the Information Privacy Principles). This includes a body corporate, an unincorporated association, a partnership, a trust or an individual. However, exceptions are granted to the following organisations:

Small Businesses: A small business is defined as a business with an annual turnover of $3 million or less, which does not provide a health service or hold health information, which does not provide contractual services to the Commonwealth and does not transfer personal information about an individual to anyone else for any kind of benefit. In other words, small businesses are covered if they are involved in the sale of personal information.
The Media: Acts or practices done by an organisation in the course of journalism will be exempt from the legislation. Journalism is defined broadly to mean the collection, preparation and dissemination of news, current affairs, documentaries and other information for the purpose of making the material available to the public. This provision explicitly aims to strike a balance between the public interest in providing adequate privacy safeguards with the public interest in allowing a free flow of information to the public through the media. The scope of this exemption is especially broad. An organisation can be classified as a media organisation if it is engaged in the provision of information to the public, and its "activities consist of ..... dissemination of ..... material having the character of news, current affairs, information or a documentary". This has attracted criticism because it would be open for the exemption to be claimed for privacy invasive practices.
Political parties: Registered political parties will be exempt from the legislation for their activities in connection with an election, a referendum, or other participation in the political process. This was a surprise inclusion in the legislation, as it had never previously been raised during the extensive consultations over the legislation. The Government has argued that it is necessary to give this exemption in order to give effect to the implied constitutional freedom of political speech outside of governments this argument does not appear to have been taken seriously. It is generally accepted that this exemption protects the sophisticated direct marketing strategies and little-known uses of databases by the major parties.
Domestic use: This exemption applies to use of personal information related to personal, family or household affairs relating to personal information.

Scope

The legislation will cover all types of personal information which are not publicly available but, will exclude:

Employee records: Employee records are defined as a record relating to the employment of an employee including engagement, training, disciplining, resignation, termination, terms and conditions, contact details, performance or conduct, remuneration, the union membership, health information and financial affairs. It is extends to current and former employers.
Personal information already in existence when the amendments come into operation.
State government contractors: The acts and practices of contractors to state and territory governments and agencies in relation to handling personal information under contracts need only to comply with the applicable standards of the state or territory and will otherwise be exempt from the Act.
Transfers of personal information between "related bodies corporate", as defined under section 50 of the Corporations Law. Related bodies corporate are essentially businesses which have a shared controlling interest. Under section 50, where a body corporate is:

(i)     a holding company of another body corporate;
(ii)    a subsidiary of another body corporate;
(iii)   a subsidiary of a holding company of another body corporate,

the bodies are related to each other. Under section 46, a body corporate (in this section called the first body) is a subsidiary of another body corporate if, and only if:
(i)     the other body:
        (A)     controls the composition of the first body's board;
        (B)     controls more than one-half of the maximum number of possible votes at a general meeting of the first body; or
        (C)     hold more than one-half of the issued share capital of the first body;
(ii)    the first body is a subsidiary of a subsidiary of the other body.

This might allow a large organisation with diverse businesses to pool its personal data collections without the knowledge of its customers. Restrictions still apply to the use and disclosure of this information, but an organisation which was able to conduct direct marketing to customers apparently conduct direct marketing in respect of all of the operations of its related bodies corporate.

The NPPs

The heart of the legislation is the National Privacy Principles. The NPPs are broadly similar to privacy principles embodied in privacy laws introduced throughout the industrialised world in recent years, broadly based on the 1980 OECD privacy principles. The principles impose restrictions on the collection, use and disclosure of personal information. They impose requirements relating to the quality and security of personal information as well as requiring openness about information practices and where practicable, giving individuals the option to remain anonymous in transactions. Individuals are given rights to access personal information, subject to restrictions. There are controls on the transfer of personal information to someone in a foreign country which does not have similar privacy protection. A higher standard of privacy protection is required for "sensitive information" - defined to include information about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, union membership, sexual preference or practices, criminal records and health information.

Privacy Codes

By default, the NPPs apply to organisations - that is, unless the organisation is a signatory to a voluntary code which has been approved by the Privacy Commissioner. However, the legislation leaves open the option of industry groups or individual firms developing their own codes of conduct in place of the NPPs. Codes can be developed by any organisation or group, but cannot impose a lower standard or privacy protection than the NPPs. Codes must be approved by the Privacy Commissioner after a process of consultation. The codes are intended to give the legislation maximum flexibility while retaining a consistent standard of privacy protection.

Enforcement

Once in place, an individual who believes that the code has been breached may make a complaint to the organisation concerned. If it is not resolved satisfactorily, they may make a complaint to the Privacy Commissioner, or if an independent adjudicator has been appointed to administer the code, they must make the complaint to that body.

If there is an approved code of conduct in place, the complaint will normally be handled by a code authority. In practical terms, this might be the Telecommunications Industry Ombudsman, the Banking Industry Ombudsman or the code authority for the Australian Direct Marketing Association code of conduct.
If there is no approved code of conduct in place, the complaint is handled by the Privacy Commissioner.

Breach of the NPPs can result in an order from either a code authority or the Privacy Commissioner to restrain an action, undertake an action, or to give monetary compensation.

A decision to give an individual a remedy can be appealed in the Federal Magistrate's Court, and can be enforced through the Court if it is not given effect. A decision against an individual cannot be appealed although the decision itself is subject to the process of administrative review.
One of the key weaknesses in the enforcement mechanism is that while Code authorities will be required to submit an annual report on their complaint handling, there is no other mechanism for accountability in the decision making process for handling complaints. There is, for example, no process for the Privacy Commissioner to issue binding rulings or interpretations, which may be needed because of the generality of many provisions of the legislation. This is especially a problem since individuals will have no general appeal right or recourse (other than a formal review under the Administrative Division Judicial Review Act 1977) if a code authority rules against a complainant. Under the ADJR Act, the review of the decision is restricted to review for errors of law and does not extend to review of the merits of a decision, such as the policy used in the decision making by a code authority, and the weight given to primary evidence for the purpose of inferring factual conclusions. The ADJR Act will nevertheless allow individuals to obtain an explanation as to why an unfavourable decision was reached.

Conclusions

While there are strengths in the general framework of the legislation - a set of overarching principles which can be applied with some flexibility - the Bill is flawed by exemptions which are, by international standards, quite extraordinary. These exemptions create significant problems:

Given the complexity of the legislation and its broad exemptions, the Government will have a difficult time arguing that consumer confidence in ecommerce will be bolstered. For example, the overwhelming majority of Australian businesses have a general exemption from the legislation (subject to limitations) through the small business provision. Consumers will often not know whether the organisation they are dealing with is covered by the legislation or not. The complexity of the legislation is likely to add to confusion rather than create clarity. This is especially the case in the online environment when consumers have no pre-existing relationship or knowledge of companies with whom they may be doing business. Forrester Research in the United States has estimated that a lack of consumer confidence about the protection of personal information online resulted in a loss of $2.8 billion in potential ecommerce business last year. These concerns can be addressed directly with a world-standard privacy regime; but a confusing, compromised proposal such as this one will not overcome the lack of consumer confidence which continues to retard the growth of ecommerce in Australia.

The implications of this exemption are not entirely clear. For example, if a small business is involved in one transfer of information for some kind of benefit, does this mean that it is covered by the privacy legislation in respect of all of its holdings of personal information? Is it only covered in respect of the handling of that particular record? If it makes available a set of records for some kind of benefit to a third party at one point in time, for how long is that set of information records covered by the provisions of the Act? Likewise, does the fact that some information collected by an organisation is made available to the public mean that the organisation is exempted from the operation of the Act in respect of all other processes of collecting, using, handling and disclosing this information? If political parties are exempted from the legislation in relation to practices associated with elections, referenda or the political process generally, does this allow the political party to on-sell information to other organisations without the individual's consent? By creating so many broad exemptions, the legislation creates uncertainty in many

With such broad exemptions, Australia is unlikely to make it on to the anticipated European Union "White List" of countries whose privacy protection is "adequate", and with whom European businesses can confidently exchange personal information. This undermines Australian efforts to position itself as the leading data processing in the Asia Pacific centre, especially as Hong Kong and New Zealand both have privacy legislation which is likely to meet the EU standards.

The decentralised nature of the complaint handling process may result in the development of different interpretations and privacy standards. This could be especially difficult for some companies which may belong to a number of industry organisations and whose activities may extend across several industry sectors.

These issues are likely to receive a hearing through the parliamentary process as the legislation gives through the two House of Representatives. There is strong public support for legal protection for privacy - according to a 1999 Roy Morgan survey, 56% say that they are worried by invasion of privacy through new technology, and consistently surveys show more than four out of five people supporting privacy legislation for businesses. As yet, that public concern has not been fully reflected in the Government's legislative plans.

Tim Dixon is an associate at Baker & McKenzie in Sydney and is Chairman of the Australian Privacy Foundation.