Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Australia to legislate for the private sector [1999] PLBIRp 7; (1999) 4X Privacy Laws and Business International Report 12

Australia to have a federal private sector law soon

THE STATE OF VICTORIA'S INITIATIVE to legislate, combined with the EU directive's threat perceived by Australian businesses, will soon result in federal private sector legislation. The new law will be based on creating enforceable industry codes.

Australia's Federal Government has been undecided for some time about what privacy measures to take. The idea of a comprehensive federal privacy law has been on the agenda for some time, but has failed to materialise. Although Australia has a federal Privacy Act of 1988, it applies only to most federal government agencies. In 1997, the Government announced, despite earlier promises, that it would not go ahead with privacy legislation for the private sector (PL&B August '97 pp.19-20). The Privacy Commissioner was left with merely the opportunity to develop a scheme based on selfregulation. However, the Government changed its course of action once again in December by announcing a privacy law for the private sector.

FROM NATIONAL PRINCIPLES TO A LAW

The new legislation will be based on The National Principles for the Fair Handling of Personal Information, issued in February 1998 by the Australian Privacy Commissioner, Moira Scollay. The principles represented a first step towards a national privacy scheme (PL&B May '98, p. 16). With no legal backing, the principles were voluntary.

The national principles are modelled on the OECD Privacy Guidelines of 1980. They also reflect the EU Data Protection Directive in terms of international data transfers and sensitive data. The ten voluntary principles encourage companies to follow the basic data protection rules of collection, use and disclosure, data quality, data security, openness, access and correction. In addition, the principles contain aspects that are not included in the Privacy Act 1988. They oblige companies to limit the use of identifiers, such as personal identity numbers. Anonymity has been included as a separate principle; the text states that "if we can (and if you want to) we will deal with you anonymously."

The voluntary nature of the principles was a particular cause of concern for consumer and privacy advocacy groups, who refused to develop a self-regulatory scheme before it had some legislative controls. On the other hand, privacy advocates criticised the principles for lacking features that should be included in a modern model, for example specific rules for protecting privacy with regard to electronic commerce.

Now these national principles have been acknowledged as becoming a basis for legislation. The Government announced, on 16th December last year, that it aims to create a "light touch legislative regime" which will be based on industry codes. It will only apply the legislative framework in sectors that have NOT adopted industry codes. Whether this, effectively a selfregulatory approach, will provide sufficient protection for personal data, remains to be seen. There are no details yet as to how the Government plans to ensure the enforcement of the codes. However, it is already clear that the scheme will include exemptions for employee records and personal data collected for journalistic purposes.

TRANSBORDER FLOWS WILL REMAIN AN ISSUE

The new private sector law is mainly needed to facilitate data flows with EU countries, which are committed to stop data flows to countries without adequate privacy protection. However, privacy and consumer organisations have pointed out some weaknesses in the national principles' data transfer provisions. They stressed, in a position paper issued 28th August 1998, that the rules on data transfers should also apply to transfers within Australia. The question of international data transfers needs to be solved urgently, as the EU Data Protection Directive is already in force in some EU Member States, and they will be requiring adequate protection of personal data for transfers to Australia.

MODIFYING THE PRINCIPLES

In her report, submitted in July last year, the Privacy Commissioner recognised that several issues have not been addressed. The committee which received the report - the Senate Legal and Institutional References Committee - was considering the Privacy Amendment Bill 1998 which was introduced to amend the federal Privacy Act, but had not progressed due to the October 1998 Parliamentary elections. The Committee had ordered an inquiry to assess privacy protection within the private sector. The Commissioner's report clarified the progress which had been made with the implementation of the principles in the first four months, and the issues which still needed to be resolved.

The Privacy Commissioner's starting point was that a single, consistent approach was needed, and that principles needed to be general enough to be suitable for a range of different organisations. A crucial requirement was the need for an independent mechanism for monitoring compliance. Also, complaint handling and dispute resolution processes needed to be established. Additional questions included the possible application of the principles to employees' personal data and the media.

The Commissioner started discussions with business groups and law enforcement agencies on implementation methods last year. She emphasised that the final judgement on whether the principles are useful depends on how companies are willing to implement them.

Another review process has been under way on the principles themselves. Privacy and consumer organisations have raised various points for her consideration, and the Privacy Commissioner informed Privacy Laws & Business in mid- December that she aimed to introduce some changes to the principles before the end of 1998 when she would be standing down from her post. Some changes will merely clarify the wording of the principles, whereas others will bring them more closely into line with the EU Data Protection Directive.

SOME SECTORS HAVE ALREADY ADOPTED THE PRINCIPLES

The business sectors which have shown enthusiasm for the adoption of the principles include banking, insurance, retail and direct marketing organisations. The Australian Bankers Association, the Australian Direct Marketing Association and the Insurance Council of Australia have already adopted the principles. They have, however, made slight variations to the text to suit their particular industries. Other industries that have been considering the principles include the Australian Retailers Association, the Credit Union Services Corporation and the Investment and Financial Services Association.

VICTORIA SET THE BALL ROLLING

The states have also responded to the issuing of the national principles and the EU Data Protection Directive. The Victorian Government announced its plans, in a discussion paper in July last year, to introduce a privacy law which would cover both the public and the private sectors. Victoria's main concern was to foster electronic commerce and ensure that business links with EU countries do not suffer because of inadequate protection of personal data.

Victoria recently published "exposure drafts" of the proposed legislation for data protection and electronic commerce. The drafts are available for public consultation until mid-February (http://www.vic.gov.au). Originally, the state intended to introduce Bills in the Victorian Parliament later in 1999. However, it has also made it clear from the start that it would step down if the Federal Government decided to legislate.

In the meantime, New South Wales has adopted legislation for the public sector. The new act on privacy and the protection of personal information was enacted last December.

INTERNET INDUSTRY KEEN ON LEGISLATION

The Australian Internet Industry Association was among the most eager groups to see private sector legislation, and to lobby the Government. In its letter to the Prime Minister, dated 30th October 1998, the Association asked for a privacy law that would still give primacy to self-regulation. This is the approach adopted by the Victorian Government, and now by the Federal Government. The Association stressed that legislative backing is needed, even though it had already developed a draft Code of Practice which implemented the national principles issued by the Privacy Commissioner. It believed that voluntary industry codes will not be adhered to by everyone in the on-line business. The group also pointed out that Australia must demonstrate adequacy of protection for transfers of personal data from the EU.

Australian developments demonstrate what a huge impact the business community can have on Government policy. Earlier on, the plans for private sector legislation were abandoned as too expensive. Now that the Government is forced to legislate, it nevertheless is trying to ensure that the scheme will place only a minimum burden on business.

A revised version of the national principles was released in January. It is available on the Privacy Commissioner's website at http://www.privacy.gov.au. The position paper of the privacy and consumer groups was published in the Privacy Law & Policy Reporter, August 1998 (published in Australia by Prospect Media Pty Ltd, Tel: + 61 2 9439 6077). For current privacy developments in Australia, see also http://www.anu. edu.au/people/Roger.Clarke/DV/OzCurrent.html