Paper presented at 'The New Australian Privacy Landscape', UNSW Continuing Legal Education Seminar, Wednesday 14
Cite as: N Waters 'Adequacy of Australian privacy laws in relation to the European Union Directive' [2001] CyberLRes 1
Australian privacy laws have long been influenced by overseas jurisdictions and international agreements. The Commonwealth Privacy Act 1988 expressly references both the 1980 Guidelines of the Organisation for Economic Co-operation and Development (OECD) and the International Covenant on Civil and Political Rights (Article 17).
During the 1990s, much of the debate about extension of the Privacy Act to the private sector revolved around the perceived 'adequacy' of Australian law in the context of the European Union's data protection Directive. This Directive, developed in the early 1990s, 'enacted' in 1995 and taking effect in 1998, requires all EU member states to have consistent privacy laws. Those laws must contain 'trans-border data flow' provisions which control the export of personal data to third countries outside the EU. The basic principle is that export will only be allowed if either the third country has adequate laws or specific protection arrangements are put in place for the particular transfer, eg by contract. The EU has issued successive waves of guidance about how these provisions will work in practice[1].

Also, in 2000, the EU Commission reached agreement with the US government about a so-called Safe Harbour arrangement for transfer of personal data from Europe to the US. This provided for a largely self-regulatory scheme of privacy protection to be considered adequate for the purposes of the Directive and EU laws. The Safe Harbour agreement has been widely criticized, not only by privacy advocates but also by the EU Parliament and the Article 29 Working Party of EU Data Protection Commissioners. It is seen as an essentially political compromise necessitated by American economic dominance, and cannot necessarily be taken as a model for application elsewhere in the world.

New Zealand has already moved to amend its 1993 Privacy Act to include a trans-border data flow provision and to address other weaknesses that might otherwise lead to it being judged inadequate. Hong Kong's forward thinking in 1995 when enacting its Personal Data (Privacy) Ordinance means that it is already well placed to be found 'adequate' as the EU works its way through assessments of its trading partners.[2]
The debate over privacy laws in New South Wales and Victoria also referenced the EU Directive. Although the resulting laws in both States only apply to the public sector, and therefore have less need to meet international standards, consistency and avoidance of a patchwork of differential regulation were seen as important. The Victorian Information Privacy Act 2000 seeks to achieve this objective by adopting the Privacy Commissioner's National Privacy Principles, and its success will therefore depend on how adequate those principles are judged to be. The NSW government, by adopting its own version of the principles, must be judged separately.
How adequate will the new Australian privacy laws be in meeting the international standards? Part 2 of this paper attempts to answer this question with a detailed analysis.
Before doing so however, it should be noted that the long term future of privacy protection goes well beyond the relatively simple adoption of internationally recognized privacy principles. These principles are still a good foundation for `good housekeeping' and for giving individuals remedies for deliberate or inadvertent breaches. But the principles alone do not address the more significant privacy issues facing modern society. These are the threshold issues about how much personal data we allow to be collected in the first place, including such highly sensitive data as our genetic makeup; and the extent to which we allow other public and private interests to override individuals' privacy preferences.
Traditional collection, use and disclosure principles only go so far in dealing with the private sector's assertions of a freedom to communicate as part of a competitive market economy. Neither do they in themselves provide the answers to a range of important public policy questions. These include:
In the ACT, Territory government agencies are subject to the Commonwealth Privacy Act, and there is also a separate law covering the handling of health information in both the public and private sectors (Health Records (Access and Privacy) Act 1997).
While both New South Wales and Queensland have had statutory Privacy Committees with an Ombudsman complaint handling function, the only State to currently have a fully fledged data protection law is New South Wales (NSW), which passed the Privacy and Personal Information Protection Act in 1998. The NSW Act, which came fully into effect in most respects on 1 July 2000, applies to most government agencies, but not to state owned corporations and there are also major exemptions which will be discussed later. There is a NSW Privacy Commissioner[4] with powers of investigation, while complaints of alleged breaches of the Information Protection Principles are dealt with either by the Commissioner, who can attempt to conciliate, or by the Administrative Decisions Tribunal, which can make binding orders including for compensation of up to $40,000.
In Victoria, the Information Privacy Act was passed in late 2000 and commences in September 2001. The Victorian Act is more comprehensive than the NSW Act, having fewer exemptions, and covering state owned enterprises. There will be a Victorian Privacy Commissioner with strong powers including the issue of compliance notices, and complaints, if not conciliated, can be decided by the Victorian Civil and Administrative Tribunal which can make binding orders, including for compensation of up to $100,000. A separate Health Records Bill was introduced into the Victorian Parliament in 2000 and is expected to pass in 2001. It contains similar complaints and enforcement arrangements to the Information Privacy Act, with the Health Services Commissioner playing an equivalent role to that of the Privacy Commissioner.
South Australia, Tasmania and Western Australia have all adopted versions of Information Privacy Principles as administrative instructions to their departments and agencies, but these do not have the force of law and there are no supervisory or enforcement mechanisms (South Australia has a part time Privacy Committee with some advisory and ombudsman functions).
Contractors in general are not subject directly to the Act, although eligible employment agencies are. However, in order to comply with the security principle (see below), agencies need to bind contractors with contractual terms to observe the privacy principles.
The Commonwealth Act provides a mechanism for waivers from the application of one or more of the principles through a Public Interest Determination by the Privacy Commissioner. However, the process involved is complex and transparent, and any such Determinations are subject to disallowance by Parliament. As a result, only a handful of Determinations have been made in the eleven years of the Act's operation, mostly for specific and non-controversial matters.
The application of the Act is complicated by the fact that most of the principles apply to records containing personal information - not to the information itself. The definition of record confirms that documents, databases and photographs are all covered, but an important exemption is provided by the exclusion from the definition of "generally available publications"[6]. This means that the Act cannot address the serious privacy issues that arise from the secondary use of public registers. Some laws governing individual public registers already contain limited privacy protections such as restrictions on direct marketing uses and facilities for suppression for individuals at risk, and there is a growing debate at both Commonwealth and State level about the need for more general rules on use of public registers. The exemption also creates a risk of deliberate circumvention of privacy controls by a policy decision to publish personal information.
Another definitional problem is that "personal information" may not include data such as e-mail addresses or phone numbers, which are typically used as surrogate identifiers and which can be used to interact with individuals even if the user is unaware of the holder's true identity.[13]
A significant exemption is that only citizens and permanent residents have the right to seek correction (rectification) of personal information.[14] This contrasts with the application of all the other principles and all other rights under the Act to any individual, whatever their nationality or place of residence.
There is provision in the Act for 'waivers' from the application of the IPPs, going beyond any of the statutory exemptions already discussed above. The Privacy Act contains a mechanism for the Privacy Commissioner to make a Public Interest Determination allowing a derogation from the IPPs.[15] Determinations are subject to an elaborate and public consultation process and are subject to disallowance by Parliament.
Contractors providing data services are directly subject to the Act.
The NSW Act provides for agencies to receive further exemptions by means of either a Code of Practice or a Direction by the Privacy Commissioner (both of which have to be approved by the Minister, but not by Parliament). These can weaken (but not increase) the level of protection. Several Codes of Practice and Directions have already been approved, creating further exemptions[16].
The Act applies directly to personal information, but generally available publications are exempt.
Victoria
The Information Privacy Act applies to most public sector agencies and other bodies. Courts and tribunals are exempt in respect of their judicial functions, and law enforcement agencies are exempt from some of the principles but only where non-compliance is considered necessary on reasonable grounds.
Contractors to public sector agencies are directly subject to the Act.
The Act applies directly to personal information, but generally available publications are exempt. Health information (broadly defined) is excluded, but is covered by the separate Health Records Bill.
The provision in the Information Privacy Act for Codes of Practice expressly rules out Codes which set less stringent standards than the statutory principles, and there is no other mechanism in the Act for further waivers or exemptions other than provision for a government Order exempting an organization where it is covered by an alternative statutory scheme.
The basic principle in all three laws is that personal information should only be used or disclosed for the primary or original purpose of collection. Use and disclosure for secondary purposes is only permitted:
All three laws also include, under the security principle, a principle of 'keeping no longer than necessary'[19] imposing a similar requirement to Article 6(1)(e).
There are some significant differences in the detail of these requirements. Unlike the NSW and Victorian Acts, the Commonwealth Act does not expressly require individuals to be notified of the identity of the collector, of access and correction rights, or of any consequences of not supplying information. Both the Commonwealth and NSW Acts only apply the notice requirement where an organization is collecting directly from an individual (the Article 10 situation), whereas the Victorian Act applies a similar obligation where information is collected indirectly (equivalent to Article 11).
The Commonwealth and NSW Acts provide for publication of a Personal Information Digest by the respective Privacy Commissioners giving general information about the personal information holdings of agencies[22]. Under the Commonwealth Act, publication is mandatory, but there has been relatively little use of the hard copy Digest published annually. Under the NSW Act, the Commissioner has a discretion to publish a Digest, but has no immediate plans to do so.
The Commonwealth, NSW and Victorian Acts include rights of access and correction. In all three cases, this principle is complicated by interaction with existing Freedom of Information laws which, even before the enactment of privacy laws, gave individuals a right of access to, and correction of, information held by government agencies.
The approach taken by the privacy laws is to create separate rights[23] but to defer to the FoI laws for the implementation of those rights. The Commonwealth Privacy Act adds a further ground for correction (relevance), but limits the correction right to Australian citizens and permanent residents.[24] All three privacy laws provide additionally for individuals to add 'challenges' to their files where correction is inappropriate, and the NSW Act also provides for third party recipients of information to be notified of corrections or challenges, where practicable.
The FoI laws contain a number of exemptions or grounds for withholding access or refusing correction, which are either designed to protect the privacy of third parties or directed towards important public interests of the kind acknowledged in Articles 12 and 13. (The Victorian Act includes a detailed list of exemptions, and access and correction mechanisms to apply to contracted service providers who are not already subject to FoI.) There is a constant public debate about the exemptions, which many critics argue provide too many grounds for public servants and governments to withhold access, and are subject to abuse which undermines the objective of the access right.
Rights of Opposition
The right to object to particular types of processing, established by Article 14 of the EU Directive, is not provided in the Australian laws governing the public sector. None of the laws provides for the right to object generally as in Article 14(a), although it is likely that in most public sector contexts either an express legal authority, or one of the Article 13 exemptions would override any expectation of a right to object. The right of opposition to direct marketing (Article 14(b)) arguably has limited application to the public sector and is not provided in any of the three Acts. However, following a well publicized controversy in June 2000, the Commonwealth government has agreed to amend the legislation setting up an Australian Business Register to give individual registrants an 'opt-out' from direct marketing uses.
More generally, there is considerable debate about the direct marketing uses of personal information in public registers. The NSW Act has specific provisions relating to public registers[25] and these include a right for individuals to have details suppressed if their safety or well-being is at risk (this right already exists in relation to some specific registers), but a desire to avoid direct marketing would not satisfy this test. The Victorian government is currently studying the public register issue.
The NSW Act includes a specific sensitive data principle[29] which imposes tighter conditions on the disclosure (but not collection or use) of certain categories of personal information, being:
Disclosure is generally permitted only to prevent a serious or imminent threat to life or health, but a number of the exemptions apply, including express consent; where authorized or required by law; where reasonably necessary for law enforcement; and in certain circumstances for health care or treatment.
The Victorian Act also has a sensitive data principle which applies to collection (but not use or disclosure) of personal information about:
The grounds under which sensitive information can be collected include: consent; required by law; serious and imminent threat to life or health; incapacity for consent; legal defence; and research.
Note: In Victoria, health information (which is broadly defined) is excluded from the definition of personal information and therefore from the scope of the Information Privacy Act, but is to be protected by a separate law - set out in the Health Records Bill 2000.
The Victorian Act also contains a specific principle concerning unique identifiers[31] designed to provide a safeguard against the creation of a single identifier that could be used to cross-match data across all government departments.
The NSW and Victorian Acts both expressly address the issue of onward transfer in an attempt to meet the requirements of the Directive.
Under the NSW Act, the 'Special restrictions' principle[33] which deals with sensitive data also prohibits public sector agencies from disclosing personal information outside the State unless either a relevant privacy law is in force, or the disclosure is permitted under a privacy Code of Practice. The Privacy Commissioner is required to develop a Code concerning onward transfers by 1 July 2001. He can also issue determinations as to which laws in other jurisdictions qualify as having a relevant privacy law in force.
The extent to which this provision meets the criteria expected in relation to the Directive's onward transfer provisions will depend on the content of the Code and/or basis of any determinations by the Commissioner.
Many of the general exemptions apply to this onward transfer principle - so that it does not restrict transfers which are reasonably necessary for law enforcement; authorized or required by law; or with the express consent of the individual, or made by specified investigative agencies[34].
The Victorian Act adopts the onward transfer principle[35] developed by the Privacy Commissioner to put limits on the flow of information outside Victoria. An organisation is only allowed to transfer personal information outside Victoria if it reasonably believes the recipient is subject to a law, or other binding obligation, which imposes restrictions on the use of that information that are substantially similar to the information privacy principles.
Personal information may also be transferred with the individual's consent or if the transfer is necessary for the performance of a contract. If consent of the individual cannot practically be obtained, the organisation can only transfer the information if it is for the benefit of the individual and if the individual would be likely to give the consent.
As there are few exemptions from any of the principles, this provision in the Victorian Act would seem to satisfy the criteria expected in relation to the Directive's onward transfer provisions, but only if there is some mechanism for giving rulings or guidance on what constitutes an adequate level of protection in other jurisdictions. The Act gives the Privacy Commissioner a function of publishing model terms for a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria[36]. But there is no express provision for more general guidance on adequacy.
In all cases, the Commissioner's resources are provided through a sponsoring government department and they are subject to a range of budgetary and other pressures which have led at times to their effective independence being questioned. But this is no different from the situation in most countries, and Australian jurisdictions have not only a strong tradition of respect for the independence of statutory officers but also a highly developed system of administrative law which would allow any 'suspect' decisions to be challenged.
The remedies available to individuals whose privacy rights are infringed include, in all three jurisdictions, directions to perform specified actions, and the possibility of compensation for loss or damage (capped at $40,000 in NSW and $100,000 in Victoria). There is an emphasis in all three laws on conciliation and mediated settlements. Under the Commonwealth law there have been many such settlements, some including payment of compensation, but only a handful of formal determinations. The NSW and Victorian schemes are too new to have any 'case law'.
The complaints handling and enforcement aspects of the three statutory public sector privacy regimes generally appear to meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision. (But see comments below in relation to the recent private sector amendments to the federal law concerning defects in enforcement which may become more obvious with private sector application).
The credit reporting regime relies on definitions of 'credit provider' and 'consumer credit' that apply to a business activity rather than to any specified organizations, although credit reporting agencies are also defined and subject to additional rules. Although Part IIIA and the Code of Conduct do not exactly follow the normal sequence of information privacy principles, they cover the same ground with rules on collection, storage, use and disclosure, and rights of access and correction. The credit reporting regime is subject to the same supervisory and enforcement mechanisms as the public sector principles, with the Privacy Commissioner able to audit, investigate complaints, and make orders which are enforceable through the Federal Court.
The effect of the 'boundaries' of this jurisdiction depends on whether it is seen as imposing stricter privacy protection than applies elsewhere, or as permitting use of personal information which would otherwise be 'off-limits'. In the context of an otherwise unregulated private sector (the position for the last ten years), the former view is more accurate. Once privacy law applies to the rest of the private sector (see below) it may be more accurate to see the boundaries as conferring benefits, authorizing membership of an exclusive 'club' with privileged access to personal information without the express consent of individuals (although credit assessment would most likely be considered a related purpose under the normal application of privacy principles).
Some of these notices take the form of 'consent for disclosure' to be signed by individuals when applying for credit, but as they are effectively a condition of credit, and applicants cannot decline to allow disclosure, they are more accurately described as providing notice rather than obtaining consent.
Credit providers are also required to give individuals additional information if they refuse them credit on the basis of a credit report. This information includes reference to the individual's right of access and rectification.
The Privacy Act provides individuals with a right of access to credit information files held by credit reporting agencies and to credit reports held by credit providers or reporting agencies[47]. The Act and Code of Conduct contain detailed provisions relating to correction of inaccurate data.
In relation to credit information files, the dominant reporting agency has a well established system for handling requests for access and correction which is periodically audited by the Privacy Commissioner and appears to work well, dealing with many thousands of requests each year.
Rights of Opposition
There are no specific rights of 'opposition' in Part IIIA or the Code but the issue of 'secondary' direct marketing does not arise as it is not a permitted use of credit information files or credit reports in the first place - although 'primary' direct marketing in relation to credit (eg other loans that might be of interest) is arguably permitted.[48]
Provided any disclosures are lawful under the general disclosure provisions of Part IIIA, it makes no difference currently whether they are to organizations within or outside Australia. However, under the proposed general private sector amendments to the Act, credit reporting agencies and credit providers will have to comply with the onward transfer principle (see below) as well as with all of the credit specific provisions.
The complaints handling and enforcement aspects of the credit reporting privacy regime meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.
The Act also provides for industry-developed Codes of Practice to be given statutory force, and two privacy codes, a general one including all of the information privacy principles and a specific code for calling number display, have been developed. In 2000, these Codes were registered by the Australian Communications Authority (ACA)[56] and are now binding on all participants in the industry (carriers and service providers).
Individual complaints about breaches of the Code rules are handled by an industry funded Telecommunications Industry Ombudsman (TIO), while complaints about breaches of a more systemic nature, or of the underlying law, can be taken to the Australian Communications Industry Forum (ACIF - which developed the Codes) or to the ACA.
These rules are consistent with Articles 6 and 7 of the EU Directive.
However, unlike NPP 2, there are no special protections for health data in Rules 6 and 7 (see under sensitive data below in this section), and the special conditions applying to direct marketing only apply to use, not disclosure (see under rights of opposition below in this section).
Special provisions relating to collection, use and disclosure of Calling Number Display information are contained in a separate Industry Code which has also been registered by the ACA and is therefore now binding on all telecommunications providers.[60]
Rule 11 of the binding Industry Code repeats National Privacy Principle 6, with some minor variations to reflect the telecommunications environment and specific provisions in the Telecommunications Act. To all intents and purposes it provides the same access and correction rights, exemptions and processes, as NPP6.
These rules are consistent with Article 12 of the EU Directive.
Rights of Opposition
Rule 6 includes special conditions where personal information is intended for use for direct marketing, and provides for individuals to be offered an 'opt-out' opportunity[61], but only where the intended use is not part of the original purpose of collection or directly related and within the reasonable expectation of the individual. There is no equivalent provision in Rule 7 in relation to disclosure for direct marketing, which could take place without the individual's consent, or any opportunity for them to opt-out. These rules therefore only partly provide the protection envisaged by Article 14 of the EU Directive.
Complaints about breaches of the Code will, however, initially be investigated by the Telecommunications Industry Ombudsman (TIO), an industry appointed and funded body which nevertheless meets most of the standards of independence and autonomy generally regarded as necessary for a credible self-regulatory complaints scheme.[62] All telecommunications providers are required by law to join the TIO scheme and there are over 850 members.
The TIO has since its inception been able to handle complaints about breaches of privacy - initially by reference to the Privacy Act IPPs which used to apply to the government owned Telstra corporation. The TIO will now use the new registered privacy Codes as the standard against which complaints will be assessed. The TIO can make binding determinations including awards of compensation where appropriate of up to $10,000 and can recommend payments of up to $50,000.
Unauthorised uses or disclosures of personal data in breach of Part 13 are criminal offences punishable by up to 2 years imprisonment.
The complaints handling and enforcement aspects of the telecommunications privacy regime meet many of the standards envisaged in Articles 22-24 and 28 of the EU Directive, except that there is no provision for remedies to be enforced by a constitutionally independent judiciary, and the supervisory responsibilities are somewhat fragmented between ACIF, the ACA and the TIO.
It is however expected that the Code on Customer Personal Information will be submitted for approval by the Privacy Commissioner under the new general private sector legislation[63]. If this happens, then depending on what role for the Privacy Commissioner is envisaged, the complaints handling and enforcement and supervisory aspects of the telecommunications regime may come into line with those applying more generally (see below).
Private businesses providing services under contract to government agencies may have been subject to contractual provisions relating to privacy. The federal Privacy Commissioner has taken the view that this is a requirement under the security principle of the 1988 Act and has issued model contractual clauses for use by Commonwealth agencies. The NSW Privacy Commissioner has issued similar advice.
Some sectors have taken the initiative and developed voluntary codes of practice incorporating some or all of the National Privacy Principles (NPPs). These principles were developed by the Privacy Commissioner through a consultative process between 1997 and 1999 as a template for self regulation (during this period the federal government's position was to favour self-regulation over statutory controls). The main Codes of Practice are as follows:
General Insurance Industry Information Privacy Principles
This scheme, launched in 1998, incorporates all of the National Privacy Principles (1998 version) except for the anonymity principle, and has a supervisory and complaint handling mechanism through a privacy compliance committee of the existing insurance industry complaint body, Insurance Enquiries and Complaints Ltd. General insurers have been invited to adopt the principles and implement them no later than August 2000, but to date only some 30 insurers, representing less than 10% of general insurance business, have done so. Many insurers have taken the view that they will await the forthcoming legislation.
Internet Industry Association Code of Practice
The Internet Industry Association (IIA) has developed a Code of Practice which contains both general privacy principles and specific rules relating to unsolicited e-mail (spam). Although the privacy section, which incorporates the National Privacy Principles, has been settled since 1998, it is only recommended by IIA for voluntary adoption by members, and there is as yet no supervisory or complaint handling machinery.
The new legislation.
In December 1999 the federal government announced that it would now legislate for private sector privacy. After another round of consultation, in April 2000 a Privacy Amendment (Private Sector) Bill was introduced into Parliament. It was referred to a House of Representatives Committee (HoR Committee) which reported in July, recommending several significant changes[64]. Two Senate Committees also examined the legislation and also made suggestions for changes[65]. The legislation was finally enacted in December 2000 with only relatively minor amendments.
The scheme of the Act is expressly intended to meet international concerns and obligations.[66] One specific way in which it seeks to meet this objective is by provision for extra-territorial effect. The Act provides for the law to apply to acts or practices engaged in outside Australia by organizations subject to Australian law, including non-resident organizations carrying on business in Australia in respect of personal information collected or held in Australia.[67] The same clause also provides for the Privacy Commissioner to take action overseas to investigate complaints. While this is a generally helpful provision, it is limited to information about Australian citizens or permanent residents. This means that the Act would not apply to data about foreigners transferred out of Australia, which significantly undermines the effectiveness of the onward transfer principle (NPP 9) discussed below.
The definitional problems which apply under the existing Privacy Act (discussed above under public sector - scope and overview) are extended by the amendments to the private sector. They include the concept of a record, the exclusion of generally available publications (expressly extended by the new amendments by the addition of 'however published'[68], which increases the risk of abuse) and the uncertain application of the Act to e-mail addresses.
The amendments apply only some of the National Privacy Principles to information collected before the commencement of the legislation. The principles dealing with collection (NPPs 1 and 10, and part of NPP 3), use (NPP 2) and access (NPP 6), and the anonymity principle (NPP 8), apply only to information collected, or transactions entered into, after commencement. The other principles apply to all information whenever it was collected.[69]
The legislation will commence on 22 December 2001 (12 months after receiving the Royal Assent)[70]. Small businesses are granted a further twelve months to comply with some principles.[71]
There is an unconditional exemption for state owned government business enterprises.[72] Given the exemption for state owned corporations in the NSW Act this leaves most state owned enterprises in the country without any statutory privacy controls (although the Victorian Act covers theirs).
There is a conditional exemption for small businesses defined as those with an annual turnover of less than $3 million.[73] According to the government, this will have the effect of exempting over 1 million or 94% of all businesses[74]. The exemption is conditional on the business not holding health information other than as part of employee records, and not collecting or disclosing personal information for a consideration. All small businesses are given an extra 12 months to comply. As the HoR Committee Report noted, the exemption is quite complex and may be very difficult to apply in practice. The report recommended that otherwise exempt small businesses be allowed to opt-in, but accepts the government's arguments for a broad exemption. The government accepted the opt-in proposal[75].
There is a conditional exemption from the collection and disclosure principles for 'related bodies corporate'.[76] This would have the effect of allowing (non-sensitive) personal information to be transferred between different business entities that are related through ownership without the normal application of the notice requirements and use and disclosure limitations, provided it did not exceed individuals' reasonable expectations. Critics of the then Bill suggested that this could be a major loophole through which corporate groups could evade the purpose limitation objective, and could even act as an incentive, in combination with the small business exemption, for structuring of business groups expressly to weaken the effect of the privacy law.[77]
There is a conditional exemption for employee records, broadly defined[78]. The HoR Report rejected the government's contention that sufficient protection was contained in workplace relations legislation, and recommended a significant narrowing of the exemption.[79] The government refused to accept any changes to this exemption, but has established a working party to look at the issue of privacy protection for employee records.
There is a conditional exemption for media organizations in the course of journalism. Journalism is very broadly defined (essentially covering any activity with the aim of publication) and was the subject of critical submissions to the HoR Committee. The Committee's report stops short of recommending limits to the exemption but does suggest it be made subject to a code, and that it be kept under review. The government accepted this suggestion.[80]
There is an exemption for political acts and practices[81] which means that none of the Principles will apply to political parties, their volunteers and contractors, or to elected representatives. The HoR Committee recommended that some conditions be placed on this exemption but this was not accepted by the government and the exemption passed unaltered.
There is also an uncontroversial exemption for individuals undertaking activities 'other than in the course of business' designed to exempt processing for personal, family or household affairs.[82]
Contractors to Commonwealth and State agencies are exempted from the private sector National Privacy Principles (NPPs) in relation to those records for which they are contractually bound to observe the public sector IPPs or state equivalents (see above)[83]. A contractor to the Commonwealth which is a small business otherwise exempt from the NPPs remains covered by the Act in relation to the IPPs.[84]
The discussion of the principles which follows takes the default National Privacy Principles as the standard with which all organizations will have to comply under the legislation. This is not strictly correct in that organisations can apply for approval of Codes of Practice. However, any Code must either incorporate the National Privacy Principles or 'set out obligations that, overall, are at least the equivalent of all the obligations set out in [the NPPs]'.[85] On the assumption that the Privacy Commissioner will not approve any Code that sets out lesser standards (a decision to do so would be open to judicial review), it is safe to refer to the NPPs throughout the remainder of this paper.
There is however provision in the legislation for 'waivers' from the application of the NPPs, going beyond any of the statutory exemptions already discussed above. As noted in the Public Sector section of this paper, the existing Privacy Act contains a mechanism for the Privacy Commissioner to make a Public Interest Determination allowing a derogation from the IPPs. Under the private sector amendments, this mechanism is extended to the NPPs, and a new facility is introduced for temporary determinations, pending consideration of a full Determination.[86] Full determinations are subject to an elaborate and public consultation process and both full and temporary determinations are subject to disallowance by Parliament.
These provisions are broadly consistent with Articles 6 & 7 of the Directive, but with at least two significant differences.
NPP 2 arguably goes further than Articles 6 & 7 in allowing unconditional processing (use and disclosure) for the 'primary' purpose of collection and 'related purposes within the reasonable expectation of the individual'.[89] The 'exceptions' in the rest of the principle only apply to 'secondary' purposes. The related purpose exception in particular appears much broader than the 'not incompatible' in Article 6.1(b).
One of the secondary use/disclosure exceptions in NPP 2 is where the use/disclosure is 'required or authorized by or under law' - similar to that in IPPs 10 & 11 in the public sector regime. As already noted, this is a wider exception than the criteria in Article 7 of the Directive.[90]
Both the banking and health sectors claimed in debate that they are already subject to strict common law duties of confidentiality. While this duty provides useful support to a non-disclosure principle, it does not apply to internal uses, or even to some external transfers made for the purposes of the organization. The common law duty is also limited to information which is inherently confidential - and the courts have defined this much more narrowly than the scope of personal information with which privacy laws are concerned.
NPP 6 provides a right of access for individuals to personal information about themselves and a right of correction, subject to various exceptions. Both the rights and the exceptions are broadly consistent with the equivalent provisions in Articles 12 & 13 of the EU Directive. However, the Act now expressly extends to NPP 6 the limitation of the correction right to Australian citizens and permanent residents (referred to already in the public sector section)[94], thereby leaving citizens of other countries no opportunity for remedies for breaches of this Principle.
There is no express provision encouraging organizations to provide as much information as possible, even where an exception is claimed, by severing or selectively deleting the withheld information. Case law under Freedom of Information Acts, which has been the mechanism for delivering the access right in the public sector, has clearly established that this is required. It has been suggested that private sector organizations are more likely to use an exception as an excuse for total withholding, and that a statutory requirement to provide as much information as possible would be desirable.
Rights of Opposition
NPP 2.1(c) provides for a partial right of opposition to direct marketing, by requiring organizations to offer individuals an opt-out. However, this provision only applies where the use for direct marketing is not part of the primary purpose or 'directly related and within the individual's reasonable expectations'.[95] This means that in practice, there will be many direct marketing activities where individuals do not have to be offered an opt-out opportunity.
It remains unclear whether the omission of 'disclosure' from NPP 2.1(c) works to the advantage or disadvantage of individuals. On one view, it means that disclosure for direct marketing (eg sale of lists) has to satisfy one of the other exceptions in NPP 2 - such as consent (NPP 2.1(b)). On another view, which sees 2.1(c) as an 'extra' condition, there is never a statutory requirement to offer an opt-out from disclosure, and organizations are free to make it part of their primary purpose or to try to influence their customers' expectations so as to satisfy 2.1(a).
The Codes of Practice which incorporate earlier versions of the NPPs (including the ADMA Direct Marketing Code mentioned above) and which are already being followed by some organizations, are subject to the same limitations and ambiguities in relation to NPP 2.1(c) as the Act itself. The best that can be said is that NPP 2.1(c) wherever it appears only partially provides the protection envisaged by Article 14 of the EU Directive.
There is considerable debate about whether the special health information provisions actually provide a higher level of protection, or have the opposite effect of authorizing a wider range of uses and disclosures than would otherwise be the case[96]. Health consumer groups are generally opposed to the provisions for health privacy, and are campaigning for separate tougher legislation with more emphasis on patient consent - along the lines of the existing ACT legislation.[97] As already noted, the Victorian government has already decided to legislate separately and has introduced a Health Records Bill to cover not only state agencies but any organizations funded by the State.
The proposed private sector privacy regime does not generally provide equivalent protection for sensitive data to that envisaged in Article 8 of the EU Directive.
Unlike the earlier versions of this principle, which dealt with 'other jurisdictions' rather than foreign countries, NPP9 does not now provide any protection where personal information is transferred either to a State or Territory government which is not subject to a privacy law or to one of the large number of private sector organizations which will be exempt from the Commonwealth regime (see above).
The principle itself, in its application to 'foreign' transfers, differs in some significant respects from the terms of Articles 25 & 26.
Private sector organizations can develop a Code of Practice and submit it to the Privacy Commissioner for approval. A Code may contain a customized version of the National Privacy Principles (provided they are at least equivalent) and may also contain procedures for making and dealing with complaints (which have to meet prescribed standards - some set out in the Act[101] and some in a government benchmark[102]). A Code of Practice could establish a Code Adjudicator body which would fulfil some of the functions of the Privacy Commissioner.
For organizations not subject to an approved Code, the default provisions of the Act will apply. These include most of the complaint handling and enforcement provisions that apply to public sector agencies under the pre-existing Act. As already noted above, these appear at first sight to meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.
However, critics of the private sector amendments pointed out an inequity and defect in the enforcement provisions.[103] The Act provides for determinations of Code Adjudicators to be enforced by the Federal Court or Magistrates Court (after a de novo hearing) in the same way as determinations of the Privacy Commissioner; Code Adjudicators, like the Commissioner, are also subject to judicial review on points of law. But there was no provision for complainants to appeal against an adverse decision by the Commissioner or a Code Adjudicator. This effectively meant that while a respondent organization has a right of appeal on the merits of a complaint (by refusing to comply with a determination and having their case re-heard in court); a complainant can only appeal against a procedural defect.
While this flaw has also applied to the public sector regime which has been in operation for 12 years, critics suggest that it only becomes a serious matter with the extension of the law to the private sector. Public sector agencies are less likely to refuse to comply with determinations (it has not happened yet, although there have only been a handful of determinations), whereas experience in other rights tribunals suggests that many private sector respondents may resist. The government accepted this argument and made a last-minute change to the legislation to provide a right of appeal from decisions of Code Adjudicators to the Privacy Commissioner.[104]
While Code Adjudicators will not have the same powers as the Privacy Commissioner - to investigate, call witnesses, require the provision of information etc, their ability to refer complaints to the Commissioner[105], and more importantly the right of appeal should prevent this from being a major weakness.
It is not clear from the Act whether Code Adjudicators will be required to publish their determinations, as the Commissioner is required to do. At least one critic has suggested that this is a serious lack of transparency and hinders public scrutiny of the effectiveness of Codes of Practice.[106]
Of the existing voluntary Codes of Practice that incorporate earlier versions of the National Privacy Principles, only the ADMA Direct Marketing Code and the General Insurance Industry Privacy Principles have established and theoretically functioning complaint bodies. However the Insurance Privacy Compliance Committee has yet to receive any complaints, and there is no information publicly available about the operation of the ADMA scheme. Both have been criticized by consumer groups for not meeting all of the standards for independent complaint handling which are proposed as the minimum under the Act as amended[107]. They certainly do not meet all of the EU Directive standards in relation to judicial remedies, compensation, sanctions and supervision.[108]
[2] The EU Commission has already issued adequacy assessments of Hungary, Switzerland and the US http://www.europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm , while the Article 29 Working Party has issued an opinion on Canada - see <http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm>
[3] See http://www.privacy.gov.au/
[4] See http://www.lawlink.nsw.gov.au/pc
[5] The exemptions are to be found partly in the definitions in s.6 and partly in Schedules to the Freedom of Information Act which are 'imported' by reference in s.7.
[6] Privacy Act 1988 (Cwth) s.41(4).
[7] Privacy Act 1988 (Cwth), s.14 - IPPs 1,10 & 11; Privacy and Personal Information Protection Act 1998 (NSW), ss.8,17 & 18; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.1 and 2.
[8] Privacy Act 1988 (Cwth), s.14 - IPPs 3 & 8; Privacy and Personal Information Protection Act 1998 (NSW), ss.11 & 16; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 3.
[9] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[10] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[11] Privacy Act 1988 (Cwth), s.14 - IPP 2; Privacy and Personal Information Protection Act 1998 (NSW), s.10; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.3 & 1.5.
[12] Privacy Act 1988 (Cwth), s.6
[13] see Submission to House of Representatives Committee on the Privacy Amendment (Private Sector) Bill 2000, s.6.2.
[14] Privacy Act 1988 (Cwth) s.41(4).
[15] Privacy Act 1988 (Cwth) Pt VI.
[16] As at February 2001, the Minister had approved ten Codes, covering health, police, local government, housing, Legal Aid Commission, Dept of Fair Trading, Bureau of Crime statistics, workforce profiling, the DPP, and law enforcement and investigative agency access to public registers. A further eight codes were listed by Privacy NSW as submitted, proposed or released for consultation
[17] Privacy Act 1988 (Cwth), s.14 - IPPs 1,10 & 11; Privacy and Personal Information Protection Act 1998 (NSW), ss.8,17 & 18; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.1 and 2.
[18] Privacy Act 1988 (Cwth), s.14 - IPPs 3 & 8; Privacy and Personal Information Protection Act 1998 (NSW), ss.11 & 16; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 3.
[19] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[20] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[21] Privacy Act 1988 (Cwth), s.14 - IPP 2; Privacy and Personal Information Protection Act 1998 (NSW), s.10; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.3 & 1.5.
[22] Privacy Act 1988 (Cwth), s.27(1)(g); Privacy and Personal Information Protection Act 1998 (NSW), s.40.
[23] Privacy Act 1988 (Cwth), s.14, IPPs 6 & 7; Privacy and Personal Information Protection Act 1998 (NSW), ss.14 & 15; Information Privacy Act 2000 (Vic), Schedule 1, IPP 6.
[24] Privacy Act 1988 (Cwth) s.41(4).
[25] Privacy and Personal Information Protection Act 1998 (NSW), ss 57-59
[26] Privacy Act 1988 (Cwth), s.14, IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), s.12; Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.
[27] Crimes Act 1914, Part VIIC.
[28] National Health Act 1953 s.135AA.
[29] Privacy and Personal Information Protection Act 1998 (NSW), s.19(1).
[30] IPP2
[31] Information Privacy Act 2000 (Vic), Schedule 1, IPP 7.
[32] Privacy Act 1988 (Cwth), s.14, IPP4
[33] Privacy and Personal Information Protection Act 1998 (NSW), s.19(2)-(5).
[34] Privacy and Personal Information Protection Act 1998 (NSW), ss.23-28.
[35] Information Privacy Act 2000 (Vic), Schedule 1, IPP 9.
[36] Information Privacy Act 2000 (Vic), s.58(f)
[37] Privacy Act 1988 (Cwth), Part V; Privacy and Personal Information Protection Act 1998 (NSW), Part 4 Division 3.
[38] Privacy Act 1988 (Cwth), Part IV Division 1; Privacy and Personal Information Protection Act 1998 (NSW), Schedule 1; Information Privacy Act 2000 (Vic), Part 7.
[39] Information Privacy Act 2000 (Vic), Part 7 and
[40] The Federal Court or Magistracy; the NSW Administrative Decisions Tribunal and the Victorian Civil and Administrative Tribunal.
[41] Privacy Act 1988 (Cwth), s.18K.
[42] Privacy Act 1988 (Cwth) ss.18L, 18N.
[43] Privacy Act 1988 (Cwth) s.18G.
[44] Credit Reporting Code of Conduct 1996, 1.3-1.5
[45] see Privacy Act 1988 (Cwth) s.18E(8)(c).
[46] see Credit Reporting Advice Summaries, Part 8.
[47] Privacy Act 1988 (Cwth) s.18H.
[48] Privacy Act 1988 (Cwth) s.18L(c).
[49] Privacy Act 1988 (Cwth) s.18G.
[50] Privacy Act 1988 (Cwth) s.18E(2).
[51] Privacy Act 1988 (Cwth) s.18G(c).
[52] see the section on public sector privacy, and the Privacy Commissioner's web site at http://www.privacy.gov.au/
[53] being a breach of ss.18J, 18L, 18N, 18P or 18Q of the Privacy Act 1988 (Cwth).
[54] Privacy Act 1988 (Cwth) s.18R.
[55] Privacy Act 1988 (Cwth) ss.18S and 18T.
[56] see http://www.aca.gov.au
[57] Telecommunications Act 1997 (Cwth), Part 13.
[58] The same NPPs which now form the core of the proposed 'private sector' amendments to the Commonwealth Privacy Act 1988.
[59] Industry Code Protection of Personal Information of Customers of Telecommunications Providers, developed by the Australian Communications Industry Forum and registered by the Australian Communications Authority on 1 May 2000.
[60] Industry Code Calling Number Display, developed by the Australian Communications Industry Forum and registered by the Australian Communications Authority on 1 July 2000
[61] Rule 6.1(c).
[62] see http://www.tio.com.au
[63] See Explanatory Memorandum on the Privacy Amendment (Private Sector) Bill 2000, paras 383-385.
[64] House of Representatives Legal & Constitutional Affairs Committee Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, July 2000 (HoR Report) - available on line at http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm
[65] Senate Standing Committee on Legal & Constitutional Affairs - report on the Privacy Amendment (Private Sector) Bill 2000 at http://www.aph.gov.au/senate/committee/legcon_ctte/privacy/index.htm ; and Select Committee on Information Technologies inquiry into e-Privacy - no final report.
[66] Privacy Amendment (Private Sector) Act 2000, s.3(b)(i).
[67] Privacy Act 1988, as amended in 2000, s.5B.
[68] Privacy Amendment (Private Sector) Act 2000, Schedule 1, s.l.14 .
[69] Privacy Act 1988, as amended in 2000, s.16C.
[70] Privacy Amendment (Private Sector) Act 2000, s.2.
[71] Privacy Act 1988, as amended in 2000, s.16D.
[72] Privacy Act 1988, as amended in 2000, s.6C(1), (3) & (4).
[73] Privacy Act 1988, as amended in 2000 s.6C(1) and 6D.
[74] HoR Report, p11.
[75] Privacy Act 1988, as amended in 2000, new s.6EA.
[76] Privacy Act 1988, as amended in 2000, s.13B
[77] HoR Report, Chapter 9.
[78] Privacy Act 1988, as amended in 2000, s.7B(3).
[79] HoR Report, Chapter 3.
[80] Privacy Act 1988, as amended in 2000, s.7B(4)
[81] Privacy Act 1988, as amended in 2000, s.7C
[82] Privacy Act 1988, as amended in 2000, s.7B(1)
[83] Privacy Act 1988, as amended in 2000, s.7B(5)
[84] Privacy Act 1988, as amended in 2000, s.7B(2)
[85] Privacy Act 1988, as amended in 2000, s.18BB.
[86] Privacy Act 1988, as amended in 2000, Part VI Division 2.
[87] Privacy Act 1988, as amended in 2000, Schedule 3, NPP1.1 & 1.2
[88] Privacy Act 1988, as amended in 2000, Schedule 3, NPP2
[89] Privacy Act 1988, as amended in 2000, Schedule 3, NPP2.1 and 2.1(a).
[90] in particular, Article 7(c) and (e).
[91] Privacy Act 1988 (Cwth), s.14 - IPP3(c).
[92] Privacy and Personal Information Protection Act 1998 (NSW) s.11.
[93] Privacy Act 1988, as amended in 2000, Schedule 3, NPP1.3.
[94] Privacy Act 1988, as amended in 2000, s.41(4).
[95] being alternative bases for use in NPP 2.1 and 2.1(a).
[96] HoR Report, Chapters 6 & 7
[97] Health Records (Access and Privacy) Act (ACT) 1997
[98] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(b) and (e).
[99] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(a).
[100] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(f).
[101] Privacy Act 1988, as amended in 2000, s.18BB(3).
[102] Benchmarks for Industry-Based Customer Dispute Resolution Schemes published by the Consumer Affairs Division of what was then known as the Department of Industry, Science and Tourism (August 1997).
[103] HoR Report, Chapter 10.
[104] Privacy Act 1988, as amended in 2000, s.18BI
[105] Privacy Act 1988, as amended in 2000, s.40(1B).
[106] Submission to the HoR Committee by Professor Graham Greenleaf, University of New South Wales.
[107] Benchmarks for Industry-Based Customer Dispute Resolution Schemes See footnote 85
[108] Articles 22-24 and 28