Private sector privacy: 
Problems of interpretation

Graham Greenleaf
Professor of Law, University of New South Wales


Paper presented at 'The New Australian Privacy Landscape' seminar - University of New South Wales Faculty of Law  - 14 March 2001

Cite as: Greenleaf, Graham 'Private sector privacy: Problems of interpretation' [2001] CyberLRes 3

1. Privacy: 'Get used to it...'

Australia's long and winding road toward information privacy legislation covering the private sector reached a destination in December 2000 with the passage of the Privacy Amendment (Private Sector) Act 2000 (Cth). For many who had travelled along this journey it was in many respects the wrong destination[1], but now that we have all reached it, there is little prospect of moving anywhere else for a while.

The time for political debate concerning what should be covered by the Act has passed for the moment[2], and it is time to 'get used to' what is covered by the newly amended Privacy Act 1988[3]. This paper seeks to identify and discuss a range of issues where interpretation of the Act is likely to be difficult or contentious (in the sense of having unexpected consequences). Special attention is given to problems which may affect e-commerce.

 Some of the issues considered in this paper are not peculiar to the new privacy sector coverage, but are unresolved matters which also affect the Act's public sector coverage.

2. Problems in interpreting the 'National Privacy Principles'

2.1. Obligations of private sector organisations - The NPPs

The substantive privacy obligations of private sector organisations are principally contained in the ten 'National Privacy Principles' (NPPs) in Schedule 3 of the Act.

The ill-considered legislative history of the NPPs

The NPPs were developed by the former Commonwealth Privacy Commissioner, Moira Scollay, and have a complex and controversial history[4]. They were not developed through anything resembling a normal process of considered law reform. The following factors should be borne in mind: This legislative history of ill-consideration may explain some of the vices, virtues, and occasional obscurity of the NPPs.

In the following discussion of each NPP, there is first a 'plain English' summary of the NPP which should not be relied on in substitution for the wording of the NPP, but may provide a useful overview.

2.2. NPP 1 Collection

Summary - An organisation may only collect personal information which is necessary for its activities; only by lawful and fair means and not in an unreasonably intrusive way. Wherever reasonable, an organisation must collect personal information about a person only from that person, and must make the person aware of the purpose of collection, any laws requiring the collection, the organisations to which the information is usually disclosed, and other matters. If personal information is collected from a third party, the organisation must still take steps to inform the person about the collection and these matters.

What is 'collection'?

What is 'collection'?

'Collect' is not defined in the Act. NPP 1 only applies to information collected after the commencement of the Act (s16C).

 Can information be 'collected' even if it is not 'solicited' or requested by the organisation collecting it? Gunning points out[6] that the wording of IPPs 2 and 3 in s14[7] implies a distinction between 'collect' and 'solicit' (with 'collect' being the broader term). Normal principles of statutory interpretation would lead to the conclusion that 'collect' has the same meaning in the NPPs.

However, Gunning argues that, insofar as the NPPs are concerned, 'the better view is that the organisation does not "collect" personal information merely by receiving unsolicited information'. He doesn't think NPPs 1.1 (collection necessary for a purpose), or 1.2 (fair means) could apply to unsolicited information, or that Parliament could have intended 1.3 (requirements to notify) to apply. Also, NPP 2.1 assumes that there is a purpose of collection which limits use and disclosure.

This reasoning is questionable, because it does not give sufficient weight to the fact that the Act, for the purposes of the NPPs, only applies to the collection of information 'if the information is collected for inclusion in a record or a generally available publication' (s16B). Mere receipt of information therefore does not make the Act applicable, there must be at least an intention formed by the recipient to 'include' (which could encompass 'retain') the information 'in a record or a generally available publication'. I suggest that at this point 'collection' of unsolicited information takes place, and the collector must have a purpose of collection (NPP 1.1) and disclose that purpose and other information to the subject (NPP 1.3). Otherwise, they can always dispose of the information.

 In a nutshell, this means that any information retained in a record or generally available publication will have been collected, no matter how it was received, an interpretation which avoids hair-splitting about what is solicited and what is not. It is also consistent with the usage of 'collect' in IPP 1.

 This might still mean that unsolicited written information could be read before immediate disposal, and it would not have been collected, but that is a more minor exception.

 Information 'volunteered' by a customer or web site visitor will therefore be collected, as will information about person A volunteered by person B.

E-commerce examples

Some examples of the effect of NPP 1 on e-commerce activities are:

Lack of a purpose justification principle

The 'purpose or activities' for which personal information may be collected are not further defined. The NPPs do not contain any 'purpose justification principle' (called 'prior justification' in the Australian Privacy Charter). 'Purpose justification' essentially means that there should be some test of public interest which is satisfied before a personal information system is established at all. None of the existing privacy principles requires system operators to have 'legitimate' purposes for establishing a system, but instead they measure privacy protection against how well it adheres to the original purpose for which the system operator declared that it collected the information, which the Europeans call the 'finality' test.

 There is a form of 'purpose justification' principle in the European privacy Directive [8]. Perhaps the first privacy legislation outside Europe to give some recognition to such a principle is s5(3) of the new Canadian Personal Information Protection and Electronic Documents Act 1999, which requires '(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.' [9]

 The limit on collection limits the purposes for which systems may be developed by a form of public interest test. This has no counterpart in the Australian Bill.

2.3. NPP 2 Use and disclosure

Summary - An organisation may only use or disclose personal information for the purpose for which it was collected (the primary purpose), except for a use or disclosure (the secondary purpose) that the person would reasonably expect, or where the person has consented. Personal information may be used for the secondary purpose of direct marketing (even where this is not within a person's reasonable expectations) where it is impracticable for the organisation to seek the person's consent before that particular use, the person has been given an opportunity when first contacted to 'opt-out' from receiving further direct marketing communications, but the person has not opted out. There are special rules for sensitive information, and many other exceptions for health information, protection of individual and public health, other uses authorised by law, prevention, investigation and enforcement concerning breaches of the law, and similar matters.
The general test for secondary use and disclosure is the 'reasonable expectations' test.

Does 'disclosure' include information already known?

Gunning found[10] that the leading authorities on the meaning of 'disclose'[11] held that a person only 'discloses' information to another person when the recipient was not previously aware of that information, and that the one case to the contrary[12] could be explained by the mischief the offence was designed to protect against.

He concludes that in relation to the Privacy Act 'it is hard to see any reason why "disclose" should not be interpreted in accordance with its ordinary meaning". How does it enhance your privacy to prevent an organisation from telling someone else something about you they already know? But he points out that this means that a complainant under NPP 2 would have to 'establish that the recipient of the information was not previously aware of that information', though he believes that this would not matter much in the type of inquisitorial procedures followed by the Commissioner.

 However, if this interpretation places an impossible task before the complainant, that is in itself good reason to prefer the alternative interpretation. The only consequence is likely to be that if the organisation complained about shows that it already knew the information (which it is uniquely well placed to do), the complainant is likely to be refused any damages by the Commissioner, or any injunction by a Court. This would lead to a much more fair result. I suggest that the better view is therefore that 'disclose' in the Privacy Act does include revealing information already known.

Does 'use' include merely looking?

In R v Brown [1996] 1 AC 543 the House of Lords considered the meaning of 'use' in the context of the UK Data Protection Act 1984. There was evidence that a police office had looked at a person's record in the police national computer database, apparently on behalf of a debt-collector friend, but there was no evidence that he had disclosed the information to anyone else, nor that he had made any other use of the information. The House of Lords held that 'use' was to be given its normal meaning of 'to employ for a purpose', and that merely looking at data in a computer was not a use in itself. This view may well be taken on the meaning of 'use' in the various pieces of Australian legislation that use the term[13].

 This interpretation has significant consequences for the rights of access and correction to 'existing information' (discussed later), because those rights only arise if the information is used or disclosed.

The direct marketing opt-out provision

The direct marketing exception NPP 2.1(c) which allows direct marketing for secondary purposes was ambiguous in its use of the words 'at the time of first contact' in that it could require an organisation to give a person the opportunity to opt out each time a direct marketing offer is made to them (the strong interpretation), or only on the first occasion that the organisation sends a direct marketing offer to the person (the weak interpretation).

The Government adopted a House of Representatives Committee recommendation (supported by many submissions) to clarify NPP 2.1(c) so that it provides that the opportunity to opt-out of further direct marketing must be provided every time a marketing communication is sent, not just the first time. There will also be mandatory inclusions in the form of the opt-out offer, to avoid it being made difficult for consumers to contact the business.

Few checks on intra-corporate spamming

The House of Representatives Committee's approach to the provision allowing related corporations to disclose information between each other (new s13B) is that it is not as dangerous as it looks. The Committee was partly correct[14]. As they note (para. 9.23), NPP 2.3 means that although the related corporations provision allows information to be disclosed by corporation A to related corporation B, it is the primary purpose of collection of corporation A that determines what use corporation B can make of the information according to the 'reasonable expectations' test. This is generally true, but not (as was pointed out to the Committee) in relation to the direct marketing exception in NPP 2.3(c), which is why corporate groups are so keen on this provision. In our example, B can send direct marketing to A's customers (with an opt-out of course) without worrying about why A collected the information.

2.4. NPP 3 Data quality

Summary - An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
Examples related to e-commerce: It is important that NPP 3 applies to the use and disclosure of pre-existing information (new s16C). Although NPP 2 does not apply, and therefore use and disclosure of pre-existing information cannot be prevented directly, the organisation will have to take care when using or disclosing the old information that it is accurate, complete and up-to-date.

2.5. NPP 4 Data security (and destruction)

Summary - An organisation must take reasonable steps to protect personal information from misuse, loss or unauthorised access, modification or disclosure. An organisation must destroy or permanently de-identify personal information if it is no longer needed for any purpose under NPP 2.
Examples related to e-commerce: The destruction principle may be relatively easy to avoid if possible secondary uses can be taken into account, but we could expect that at a minimum the organisation must at least apply its mind to the question periodically.

2.6. NPP 5 Openness (of personal information policies)

Summary - An organisation must document its policies on its management of personal information and make the document available to anyone who asks for it. On request it must provide general information about what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
NPP 5 does not concern a person's access to their own file, which is covered by NPP 6. Anyone can find out about a company's personal information policies under NPP 5, whether the company holds information about them or not.

 This principle is likely to be of considerable use to consumer and civil liberties groups.

Examples related to e-commerce:

2.7. NPP 6 Access and correction

Summary - A person generally has a right of access to personal information held by an organisation about him or her, subject to a list of exceptions. If an exception applies, the organisation must consider the use of a mutually agreed intermediary. If a person is able to establish that information about him or her is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information. In any event, the person has a right to the addition of a statement claiming that information is incorrect.
It is significant that NPP 6 requires intermediary access to be considered, even if the implementation of the principle is rather weak. The availability of intermediary access blunts the extent to the exceptions to access and disclosure.

Onus of proof of correctness

NPP 6.5 surprisingly limits the scope of the correction right to where 'the individual is able to establish that the information is not accurate, complete and up-to-date'. Placing the onus of proof on the individual is an unusual, anti-consumer aspect of the NPPs. In contrast, IPP 7 places the obligation on Commonwealth government agencies to make corrections etc 'reasonable to ensure' that information is accurate, complete, up-to-date etc.

2.8. NPP 7 Identifiers

Summary - Organisations must not use as their own identifiers any personal identifiers assigned by Commonwealth government agencies, and must not use or disclose such identifiers (with limited exceptions).
For example, except if authorised by another law, a Medicare number cannot be used as an identifier by an insurance company or a doctor. It cannot be used or disclosed for any purpose except as authorised by law or for the purpose of dealings with the Health Insurance Commission.

 There is an additional exception to this principle for the Australian Business Number (ABN), and for other exceptions to be prescribed.

 In contrast, NPP 7 has no effect on the use or disclosure of a driver's licence number issued by a State government (but it may have under the Victorian Act, at least in Victoria).

2.9. NPP 8 Anonymity

Summary - A person must have the option of not identifying himself or herself when entering transactions with an organisation wherever this is lawful and practicable.
This principle, which derives from the Australian Privacy Charter[16] (and indirectly from the German 'Multimedia privacy law'[17]), is innovative and unprecedented in sets of information privacy principles. Its implications for design of new IT systems may be substantial.

 An example of when anonymity is 'practicable' is in the operation of transport payment systems such as stored value cards or tokens to pay for passage through toll roads or to pay for journeys on buses or trams. If tokens and cards are designed so that a person is always identifiable when using such a facility, this is likely to breach NPP 8.

 Anonymity will not be practicable in such transactions as taking out insurance.

A major issue which will have to be resolved is whether it is legitimate for companies to design facilities such as web sites which require the disclosure of personal information as a condition of use. For example, if digital cash (in the sense of an anonymous digital payment system) becomes in common use, and it is technically possible to allow anonymous use of a web facility, will NPP 8 therefore mean that the option of paying some reasonable price premium for anonymous access must be offered in lieu of requiring disclosure of personal information in return for access?

 The principle is somewhat restrictive in that it only refers to anonymity not pseudonymity. For example, it can be argued that Certification Authorities (CAs) should offer to issue digital signatures under people's pseudonyms, but not anonymously. This approach has been used by the Government Public Key Authority (GPKA) as a principle for authorising CAs.

2.10. NPP 9 Transborder data flows

Summary - An organisation in Australia may only transfer personal information to someone else in a foreign country if it reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles substantially similar to the NPPs. Transfers may also be made to organisations that have taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs, and for four other reasons.
The question of reasonable belief could be deal with by the Privacy Commissioner publishing a 'white list' of overseas laws, schemes and model contracts which the Commissioner considers are substantially similar and are 'effective'.

 For example, what belief is reasonable about the US government's 'Safe Harbor' scheme?

 Although a Commissioner's 'white list' might be a basis for a 'reasonable belief', the Act does not make any such device determinative. If there was well publicised evidence, for example, that the 'Safe Harbor' scheme was not being enforced in the USA.

Weak control over onward transfers

NPP 9 prohibits 'transfers' of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of six conditions (a) - (e) is satisfied.

If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.

It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2 limiting disclosures for secondary uses must also be complied with.

 Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. However, where it is to the same organisation, there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.

 The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.

Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.
Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.

 Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious. Condition (f), however, is much weaker than anything found in the Directive:

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.

 The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), means that there is real danger that personal information will be exported from Australia under conditions which give little protection to privacy.

 The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.

2.11. NPP 10 Sensitive information (Collection limitations)

Summary - An organisation must not collect sensitive information unless the person has consented, or the collection is required by law, or in limited other circumstances. Special rules apply to health information.
NPP 10 is best seen as part of NPP 1.

 'Sensitive information' means (s6(1) definition): (a) personal information that is information or an opinion about an individual's: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; or (b) health information about an individual.

2.12. Application of NPPs to existing information

'Existing information' can be used to refer to any information collected up to 21 December 2001. Existing information is not subject to the use and disclosure limits of NPP 2 (s16C(1A)). It is subject to access and correction rights, but only when and if it is 'used or disclosed' (s16C(3), and only then if this is not unreasonably administratively burdensome or expensive.

NPP 4 (data quality), NPP 5 (openness), NPP7 (security and retention) and NPP 9 (transborder data flows) apply irrespective of when the information was collected.

3. Problems of coverage: Gaps and abuses


3.1. What is 'personal information'?

]The Privacy Act's protections only apply to 'personal information', defined as any information `about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion' in question (s6). In many cyberspace transactions, what will constitute `personal information' is problematic, and this may have a severe effect on the applicability of both the NPPs and the IPPs.

When can a person's identity be 'reasonably ascertained'?

If a person's identity is apparent or obvious from information, then it is clearly personal information. The difficult question arises when the item of information in question does not in itself explicitly identify the person concerned, but where some other source of information must also be consulted in order to identify the person concerned.

The definition in the Australian legislation is unusual in saying that the reasonable ascertaining of identity must be from the information or opinion'. However, the definition does not say that the person's identify must be able to be ascertained solely from the information concerned, it should not be interpreted this way. If it did mean that, then in any system which stored substantive information according to (and containing) a person's identification number, but kept a separate master file containing only ID numbers and identification details, the substantive information plus ID number would not constitute 'personal information' and attract the protections of the Act (security, access etc).

The better view is therefore that other sources of information may be taken into account. I suggest it is a question of fact in any given situation whether an individual's identity can be ascertained, and it is a further question of fact whether it can `reasonably' be so ascertained. Information that one person may easily be able to obtain may be completely inaccessible to another person. Who must be able to 'reasonably ascertain' a person's identity before there is personal information? The most obvious answer is 'the person who may have breached the NPP in question'. This seems clear enough when we are talking about the NPPs concerning collection, use or the provision of access to personal information, but it could lead to surprising results in the case of NPP 2 dealing with disclosure, as the question will be 'is it personal information in the hands of the person disclosing the information?', not 'is it personal information in the hands of the person receiving it?'.

 On a similar point, the meaning of 'personal data collection' under Hong Kong's Personal Data (Privacy) Ordinance was considered by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692, and has been the subject of commentary[19]. A press photographer took a photo of an unknown woman in a public place, which his employer's magazine published, without identifying the woman but ridiculing her dress sense ('Japanese Mushroom Head'). The main issue before the Court was whether the publisher had collected personal data using unfair means. The majority of the Court (Ribero JA and Godfrey VP) concluded that this was not personal data collection because the data user was not 'compiling information about an identified person or about a person whom the data user intends or seeks to identify' (emphasis added).

Gunning treats Eastweek as a case on the meaning of 'collection', but I think it makes more sense to read it as a case on the meaning of 'personal data' ('personal information' under the Australian legislation). On this approach, if Eastweek was followed in Australia it would be necessary to assess an information collector's intentions to identify a person before it was possible to determine whether the information they collected was 'personal information'[20].

 A case like Eastweek would raise the question under the Australian legislation: 'Is it personal information if you have no intention of ascertaining the person's identity, even if you could do so with reasonable ease?' Gunning gives good examples of where this could be important (though he considers them as questions of 'collection'):

Personal information in cyberspace

It is not clear when the most basic cyberspace identifiers - a-mail addresses and machine addresses - will constitute 'personal information'.

E-mail addresses There are at least four possibilities even in the easiest case, that of e-mail addresses:

It is therefore a question of fact whether an individual's identity can be ascertained (though only with a degree of probability) from transactional details where only an e-mail address was collected, and it is a further question of fact whether it can `reasonably' be so ascertained.

Machine addresses Every computer connected to the internet has unique addresses (its numerical `IP address' such as, and its name under the Domain Name System such as This applies equally to computers which have many users (either simultaneously or singly) and machines which normally have only a single user (such as on a person's desk at work or home). These addresses are the basis of some internet protocols, most importantly the hypertext transmission protocol (http) which is the basis of the world-wide-web. Machine addresses (eg `' or `') rarely directly identify a person, though this is not impossible[21].

It is therefore a question of fact whether an individual's identity can be ascertained (though only with a degree of probability) from transactional details where only a machine address was collected, and it is a further question of fact whether it can `reasonably' be so ascertained. There are as yet no generally accessible internet facilities to match machine addresses with individuals. However, it would not be difficult for any police, private investigator or other person to make enquiries to determine who (if anyone) was the predominant user of a particular computer.

This type of argument applies to the use of cookies, and probably makes the contents of the cookie 'personal information'. It also applies to the use of single pixel gifs for monitoring web use.

Conclusion Some Internet businesses now attempt to match information captured from transactions (such as email addresses and machine addresses) with identified individuals (and demographic information about them)[22]. Will any e-business that uses this identified data from third parties to identify those with whom they deal via the internet only via IP addresses or email addresses find that those addresses now constitute 'personal information'?

 The scope of the Privacy Act's definition of `personal information' is at present uncertain in its application to cyberspace, and will require clarification by legislation or litigation if the principles in the Act are to have any consistent or sensible application to cyberspace and e-commerce.

 More fundamentally, the approach of this definition misses the point to some extent. Information about the interests, understanding or consumption habits of a particular person can be and are aggregated by an internet service provider (particularly providers of advertisements to multiple sites), by use of e-mail or machine addresses, for purposes such as e-mailing customised direct marketing materials to that address, or to customise the appearance of a web page so as to appeal most to requests which come from a particular machine address. In one sense it makes no difference whether the ISP can `reasonably ascertain' the identity of the person who is associated with either the e-mail address or the http request, because the information about their consumption habits has been aggregated and used to market back to them, without them necessarily being aware of this or having consented to it. More serious consequences may also follow from such aggregation, such as decisions to limit access, or to deny some goods or services. If the definition of `personal information' excludes such activity, IPPs will be very weak in cyberspace. The definition of 'personal information' in the Act needs to be amended to include wording such as 'any information which enables interactions with an individual on a personalised basis'. This is not likely to happen for some time.

3.2. Extra-territorial application - 'Australian' businesses overseas

The Act aims to stop avoidance of its provisions by moving personal information overseas. In summary, s5B gives almost all of the Act extra-territorial operation in relation to information about an Australian citizen or resident, provided one of two types of nexus is satisfied: The Privacy Commissioner's powers to investigate and make determinations are extended to cover this extra-territorial operation.

 If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian legislation (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.

 The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first, and could easily catch in its net some overseas e-commerce operators:

In contrast, it may be less extensive than it needs to be, because s5B does not extend the protection of the Act concerning extra-territorial practices of Australian businesses to benefit anyone who is not an Australian. Therefore, EU or US citizens are unprotected against their data being exported to Australian businesses in privacy-unfriendly foreign countries[23].

Overseas customers dealing with Australian businesses

The converse situation is the question of when will overseas non-Australian customers dealing with Australian web sites be able to use the Australian legislation to assert their privacy rights? The new s5B is not relevant because it only applies to Australian citizens or permanent residents. However, the non-Australian complainant will normally be able to take action simply because the actions complained of take place in Australia, and the Privacy Act does not generally require Australian citizenship or permanent residence as a condition of action.

Australian businesses involved in e-commerce will therefore generally have to treat the personal information of their overseas clients with the same care as their Australian clients. The exception to this is s41(4) of the Act, which limits correction of personal information (NPP 6 or IPP 7) to Australian citizens and permanent residents, in both the prior Act and the new amendments.


3.3. The `small' business operator (SBO) exemption

]`Small business operators' (SBOs) are exempt from all of the National Privacy Principles (NPPs), provided they do not sell, buy or trade personal information (to put it roughly), or fall into a couple of other narrow exceptions. In essence a SBO is one that carries on one or more 'small' businesses, none of which have an annual turnover of more than $3M.

 The government has estimated that 94% of Australian businesses would come within the $3M threshold[25], so the Act will only apply to 6% of all Australian businesses, plus a further unknown percentage that trade in personal information. What percentage of consumer transactions these 94% of businesses are responsible for was not stated[26]. Similarly, the Internet Industry Association estimated that 95% of Australian Internet businesses would be exempt[27].

In the e-commerce context the breadth of this exemption may lead to abuses. The Internet allows quite small businesses to deal with extremely large quantities of personal information, and the rapid dissemination of information possible via the Internet means that harm caused by incorrect or improperly disclosed information can spread rapidly. There is no obvious correlation between the size of an Internet business or activity and the harm that can be done to people's privacy.

 The provisions in the Bill will commence twelve months after assent (cl 2), but there is a further delay of twelve months for small businesses, whether or not they are exempt (new s16D).

The 'privacy free zone' - the effect of the SBO exemption

Businesses that come within the `privacy free zone' of the `small' business exemption are then able to abuse people's privacy in the ways listed below (unless some law other than the Privacy Act prevents this):

The fragile exemption - How businesses can lose it

A business will lose its status as a 'small business operator' (SBO) if (under s6D(4)) at any time it:
(c) discloses personal information about another individual 'to anyone else' for a benefit, service or advantage; or (d) provides a benefit, service or advantage to collect personal information about another individual 'from anyone else'.
SBO status will also be lost by anyone who holds health information and provides a health service, and anyone who is a contracted service provider for a Commonwealth contract (s6D(4)).

It appears from s6D(4) that it is only necessary for a business to disclose or collect information under these circumstances on one occasion for it to lose its exempt status. One disclosure in return for some advantage would be sufficient for the business to lose its exempt status in relation to all information.

SBO status is not lost because of collection with the consent of the person concerned (s6D(8)). However, collection of personal information from a third party for any form or consideration, or collection of personal information (perhaps including an IP address or email address) from a person without their consent, still poses the risk that even one occurrence can cause the loss of exempt status for the whole business.

 The fragility of the SBO exemption has these consequences:

The ill-drafted exemption: How businesses can abuse it

A drafting deficiency in the SBO exemption allows avoidance by business operations with much larger turnovers of $3M. This loophole will allow a company or individual SBO to run a set of interconnected 'small' businesses (say with annual combined turnover $10M) based around major use of customer personal information, but with unrestricted swapping and use of that personal information within all units of the business, and still to escape completely from the operation of the Act.

 First it is necessary to understand how small businesses operated by the same SBO can swap personal information:

The Act is thought to place a ceiling of a $3M annual turnover on what is a 'small business', but the reasoning above opens up three distinct situations where the overall business operations of a SBO can be of unlimited financial size and still operate in the 'privacy free zone'. However, in considering these potential abuses, it must be remembered that it is possible for the government, by regulations, to prescribe that a class of small business operators must comply with the Act (s6E), and abuses of the SBO exemption could be countered in this way.
(i) Splitting a large business into small businesses before the Act commences
For existing businesses, the date at which it is determined whether a business is a small business, and therefore who is and is not a SBO, is the date of commencement of s6D (s6D(4)), which is December 21 2001 (not 21 December 2002, when then the s16D 'delayed application period' for small businesses ceases).

 Until this Xmas, a large business could therefore be reorganised into a number of 'small' businesses, each with a turnover of less than $3M, which can be calculated pro-rata on the turnover of the 'new' small-business for the duration of this year (s6DA(2)). Whether this would be worth the costs and risks involved depends on how important it is to the business to stay outside the reach of privacy laws.

(ii) Splitting a business before it reaches the #3M threshold
If a business is approaching the $3M turnover limit, it can be split into a number of the smaller sub-businesses (eg 'YourInfo (Marketing)', 'YourInfo (Sales)' and 'YourInfo (Collections)'), and the annual turnover of the 'original' business and each of the new businesses can be kept under $3M (s6D(4)(a)9i) and s6DA(2)). The process is repeated as any of the new businesses approaches the threshold. As above, whether this would be worth the costs and risks involved depends on how important it is to the business to stay outside the reach of privacy laws.
(iii) Takeovers of one small business by another - Privacy-invasion can increase sale value
The potentilla for abuse of the SBO exemption is made even worse by the way in which it increases the sale value of small businesses that hold potentially valuable personal information, by encouraging the use of this information for interferences with privacy which would otherwise be illegal. This argument requires the following steps: The moral is: don't buy personal information from a business, just buy the business. This Act therefore increases the takeover value of small businesses with privacy-invasive potential. The Act should not operate to distort market mechanisms in this way.

Industry codes, industry associations and small businesses

One of the innovative features of the Bill is the scope it gives in new Part IIIA for co-regulation through industry-based privacy codes. New s18BB allows the Commissioner to approve a privacy code only if satisfied that the code incorporates all the NPPs or sets out obligations that, 'overall, are at least the equivalent of all' of them. The code must also specify the organisations bound by the code or a way of determining them, and must only apply to organisations that consent to be bound. There must be adequate opportunities for public comment on a draft code (s18BB(2)(f)). Codes are not disallowable instruments so there is no opportunity for Parliamentary scrutiny, but this is not so important given that code standards must match those of the NPPs. There is to be a register of approved codes (new s18BG).

 For example, a code could apply to all members of an industry association, if a condition of membership was consent to the application of the code.

An 'small' business that is exempt from NPP compliance cannot simply consent to be bound by a code. Only 'organisations' can be bound by a code (s18BB), and an entity that falls outside the definition of 'small business operator' is not an 'organisation' (s6C). An exempt small business must therefore both 'opt-in' to the Act (s6EA), and consent to being bound by a code, before the code has legal force in relation to that business.

Industry associations with codes will therefore need to be vigilant in ensuring that all their members are either not 'small' or have 'opted in', or both they and the relevant members could be involved in false and misleading conduct in falsely holding out compliance with enforceable privacy standards.

4. Problems with enforcement and transparency

4.1. Complaint-handling and appeals under codes

There can be different types of codes under Part IIIA. A code might only provide for a replacement for the NPPs, or it might only provide for an alternative complaints procedure, or it might provide for both.

 If a code includes a complaints procedure, the Commissioner must be satisfied, among other things, that it provides for an 'independent adjudicator' (a 'code adjudicator').

 Section 52 gives the Commissioner broad powers concerning determinations of complaints, including power to award damages. Section 52(b) (b)(ii) allows him or her to order reasonable acts to redress complaint; and (c) provides for compensation including injury to feelings; (3) expenses; and (3A) corrections and additions to records. In the 12 years of the Act's operation the Commissioner has made only a handful of s52 determinations[28], so little guidance is available on the exercise of these powers.

 New s18BB requires that a code adjudicator must be able to make 'the same' 'determinations, findings, declarations, orders and directions' as the Commissioner can make under s52. Further, the code must oblige organisations bound by it to comply with those determinations etc, and to cooperate with the adjudicator (it cannot of course oblige anyone else to cooperate).

If there is an industry code in existence which is relevant to the act or practice complained of and which includes a complaints procedure, a complainant must take their complaint to the code adjudicator (new s36A), and cannot ask the Privacy Commissioner to investigate it at the outset.

There are now three ways in which the Privacy Commissioner can investigate complaints against private sector organisations:

Organisations that are respondents to determinations made by the Commissioner under s52 or by a code adjudicator under a code must comply with the determination (new s55). The complainant, the Commissioner (for determinations made under s52) or a code adjudicator (for determinations made under a code) can commence proceedings in the Federal Court or the Federal Magistrates Court to enforce the determination (s55A).

4.2 Lack of appeals from Commissioner's decisions - a remaining weakness

The Act does not provide for any right of appeal against determinations by the Privacy Commissioner, both in relation to complaints against public sector bodies, and in relation to any of three ways in which private sector complaints can reach the Commissioner.

 However, this does not affect complainants and complainees alike. Businesses complained about have in effect a right of appeal to the Federal Court on the merits of their case, whereas unsuccessful individual complainants will have no such right. This is unfair and biased.

 As is currently the case under s55 of the Privacy Act, under the new ss55 and 55A, a determination of a complaint by a Code authority or by the Commissioner can only be enforced by proceedings in the Federal Court (or the new Federal Magistrates Court)[29], and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been conduct constituting an interference with privacy (s55A(5)).

As a result, all that a business has to do if it is aggrieved by the way in which a Code Complaints Body or the Privacy Commissioner has dealt with their complaint, is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. The complainant must then take the matter to the Federal Court, and the business can have the matter heard in full again. In effect, it obtains a right of appeal to a Court.

 The problem is that an unsuccessful complainant has no such right of appeal - no right to have the matter heard de novo by any higher authority. They have no redress against a wrong interpretation of an Industry Code or the National Privacy Principles (or of other provisions of a Code or the Act), or of the wrong application of the law to the facts of the complainant's case. This is unfair and has the potential to bias the enforcement structure of the Act against consumers.

A determination will now be prima facie evidence of the facts upon which the determination is based (s55B(3)). It will be possible, however, for those facts to be challenged. This does not address the fundamental problem of unsuccessful complainants having no right of appeal, but is an improvement since the successful complainant is at least not put to proof of those facts all over again.

 The defect is not, however, that businesses have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a Court or Tribunal if they wish to persist and run the risk of costs against them. The Privacy Act needs the benefit of occasional interpretation by the Courts on serious issues. Both the Privacy Commissioner's decisions and those of code adjudicators should also be subject to appeal where the issue is important enough. A right of appeal is unlikely to lead to a flood of cases. The Courts will only rarely hear a case concerning the Privacy Act, and only in cases where the code has been interpreted in favour of complainants and is therefore under attack by businesses.

 Decisions of the Commissioner are subject to judicial review[30] . This will help ensure that the Commissioner observes procedural fairness, but does not address the problem of lack of appeal rights. It will also fail to provide justice to complainants where the complaint is that the Commissioner has misinterpreted the NPPs or a code, or applied them to the facts of the complaint in a dubious fashion, or has misinterpreted some other provision of the Act.

 Riediger v Privacy Commissioner (Federal Court of Australia; Sackville J, 23 September 1998)[31], one of the few cases dealing with the Act, underlines this point. Sackville J, dismissing an application for judicial review under the ADJR Act of a decision by the Privacy Commissioner, stressed that 'an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant's complaints against either AVCO or OPTUS.'

4.3. Publication of Code decisions

It is of vital importance that the way in which code adjudicators handle complaints, and particularly how they decide the most important complaints (those that go to a full formal determination) is easily accessible to potential complainants and their advisers, and to those generally interested in the way in which the law is being interpreted by Code bodies.

 Although there is now provision for appeals to the Commissioner from code adjudicators, it is likely that these will only be a small percentage of all complaints, with most being mediated successfully by code adjudicators, and others where a formal determination by the code adjudicator does not result in an appeal to the Commissioner.

 There may be numerous code adjudicators, and it is possible that they may interpret the NPPs and other aspects of the law inconsistently unless the Commissioner and the interested public have effective means to find out what they are doing.

Formal determinations

New s18BB(3)(d) requires determinations (ie decisions on complaints) by Code authorities to be 'the same' as the Commissioner makes under s52, but it is not clear that this would require Code authorities to follow the Commissioner's practice of publishing such determinations. The Bill does not specifically require determinations to be in writing. These matters should be explicit in the terms of a Code.

 If there is not full access to determinations, then there is no transparency of the Code process and no guarantee of its integrity. The Commissioner, when issuing guidelines in relation to dealing with complaints (s18BB(3)(ii)), and when approving codes (s18BB(3)), will need to ensure that:

Informal mediation

Most complaints will not be settled by formal determinations, but by informal mediation by the Code authority. However, even when complaints are settled by mediation, they are settled on the basis of an interpretation of the law (ie of the Code and of other aspects of the Act). For the same reasons as set out above, it is very important that this process has some transparency that will aid others to understand how the law is being interpreted. New s18BB(k) is unclear as to whether anything more than statistical recording of these complaints by Code authorities is necessary, and this is insufficient.

 The Commissioner's Guidelines would also be very helpful here if they could:

4.4. s98 injunctions - Surprise and misunderstanding

Although it is not possible to appeal from a determination by the Commissioner to a Court in relation to a complaint about the NPPs, it is possible to go direct to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the NPPs. Section 98 provides:
98 (1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court or the Federal Magistrates Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court's opinion it is desirable to do so, requiring the person to do any act or thing.
One notable feature is that both the Commissioner and 'any other person' can seek such injunctions, not just a complainant likely to be affected by the breach of the NPPs.

 Courts have not in the past had an adequate appreciation that s98 is included in the Act. For example, in Ibarcena v Templar, Federal Court of Australia, Finn J [1999] FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction[32]. Similarly, in Goldie v Commonwealth of Australia Federal Court of Australia, [2000] FCA 1873, French J seemed to give an account of how complainants could come before a Court, but it omitted any mention of s98 injunctions[33].


[1] See Greenleaf G 'A Bill not worth supporting' (2000) 7 PLPR 44 for one summary of dissatisfaction.

[2] Labor proposed few amendments of substance to the Bill during its passage (see G Greenleaf (2000) 7 PLPR 125), so it is unrealistic to expect any major changes to privacy law for at least some time, even if there is a change of government at the next Federal election.

[3] A HTML version of the consolidated Act is available on my web pages at

[4] See G Greenleaf and N Waters 'Putting the "National Principles" in context' (1998) 4 PLPR 161 and G Greenleaf 'Privacy and consumer organisations withhold endorsement of "National Principles" ' (1998) 5 PLPR 41, for one perspective.

[5] See G Greenleaf 'Victoria's Privacy Bill still sets the standard' (2000) 7 PLPR 21

[6] Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)

[7] The Information Privacy Principles (IPPs) applying to Commonwealth Government agencies.

[8] See the discussion in G Greenleaf 'Purposes' and the Directive' in 'Stopping surveillance: Beyond 'efficiency' and the OECD' (1996) 3 PLPR 148, available at <>

[9] <>

[10] Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)

[11] Bank of Credit and Commerce International (overseas) Ltd (in liq) v Price Waterhouse [1997 4 All ER 781; King v South Australian Psychological Board [1998] SASC 6621

[12] R v Glenys Ruth Scott [1996] SASC 5545

[13] cf Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming), who takes this view

[14] The Committee's recommendations would have imposed some checks on this intra-corporate spamming, if adopted. They wanted the Privacy Commissioner to issue guidelines (under NPP 1.3(d)) as to what companies should tell consumers about potential disclosures to their related corporations (Recommendation 21). It is a good point that, once a company has a disclosure practice to related corporations, NPP 1.3(d) requires its to be revealed during collection, but this cannot deal with the post-collection decision to disclose to a related corporation. The Committee also recommended that where corporation A has received personal information from a related corporation B that was exempt from NPP 1 when it collected the information (it might be a small business, or the information might be exempt employee information), corporation B will have to comply with NPP 1 before it discloses the information to A. In doing so, it would presumably have to inform the person concerned that his or her information was being disclosed to A. These recommendations were rejected by the Government.

[15] <>

[16] Tim Dixon'Privacy Charter sets new benchmark in privacy protection' (1995) 2 PLPR 41

[17] See L Bygrave 'Germany's Teleservices Data Protection Act' (1998) 5 PLPR 53

[18] An earlier version of this section was published as G Greenleaf 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114

[19] See Raymond Wacks 'Privacy and media intrusion: A new twist' (1999) 6 PLPR 48 (re first instance decision) ; Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming) (re Court of Appeal)

[20] Gunning treats this question as going to whether the information had been collected.

[21]However, IP address and the domain and sub-domain information (eg `') allow the geographical and system location of the computer to be identified, along with the identify of the person with delegated responsibility to allocate the machine's addresses.

[22] The controversy about DoubleClick in the USA concerned this type of service.

[23] See later concerning the significance of this for the EU privacy Directive.

[24] An earlier version of some of this part is in G Greenleaf 'Reps Committee protects the "privacy free zone" ' (2000) 7 PLPR 1

[25] House of Representatives Legal and Constitutional Committee Report, para 2.20

[26] The Committee only gives irrelevant percentages for total business activity (including business-to-business activity.

[27] See dissenting report of Senator Stott-Despoja for discussion

[28] See Determination: Secretary, Department of Defence 1 PLPR 152 and Determination: Minister for Administrative Services 1 PLPR 170 for two examples.

[29] The problem of enforcement of Privacy Commissioner's decisions arises from Brandy v Human Rights and Equal Opportunity Commission (1995) High Court (see Casenotes (1995) 2 PLPR 32) where it was held that, in to complaints against respondents other than the Commonwealth, the previous system for lodging HREOC determinations (including Privacy Act 1988 s52 determinations) in the Federal Court, whereupon they become binding, was an invalid exercise of the judicial power. The 'quick Brandy fix' was to revert to the old system of a de novo hearing in the Federal Court in order to enforce a determination by a HREOC Commissioner or the Privacy Commissioner. Unfortunately, one of the anomalies arising from that expedient is the unfair difference in de facto appeal rights outlined above.

[30] It was proposed that decisions of code adjudicators would be similarly subject to judicial review - see Schedule 2 of the Bill, amendment to the definition of 'enactment' in the Administrative Decisions (Judicial Review) Act 1977 (Cth). However, when their decisions became subject to review by the Commissioner, the provision for judicial review was also dropped.

[31] Federal Privacy Handbook |P85-005 (CCH)

[32] See Casenote by P Gunning (2001) 7 PLPR Issue 10 (forthcoming)

[33] ibid