WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Law Resources

You are here:  WorldLII >> Databases >> Privacy Law Resources >> 2000 >> [2000] PrivLRes 4

Database Search | Name Search | Recent Documents | Noteup | LawCite | Help

Dixon, Tim --- "Government tables new privacy Bill" [2000] PrivLRes 4; [2000] CyberLRes 6 (1 January 2000)

WorldLII [Home] [Databases] [Search] [Feedback] [Help]

Privacy Law Resources

You are here: WorldLII >> WorldLII Databases >> PrivLRes >> 2000 >> [2000] PrivLRes 4

[Global Search] [PrivLRes Search] [Help]

'Government tables new privacy Bill' ([2000] CyberLRes 6) - [2000] PrivLRes 4

Government tables new privacy legislation

Tim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)


Legislation to extend the Privacy Act to the private sector is now beforethe Australian Parliament, following the release of the Privacy Amendment(Private Sector) Bill 2000 by the Attorney-General Daryl Williams.The legislation is now being considered by a parliamentary committee andwhile some distance still needs to be covered before the final shape ofthe legislation is known, its general framework is unlikely to change.

Background to Current Privacy Legislation

The legislation is the latest stage in a long path towards national privacylegislation since the election of the Howard Government:

Coverage

The amendments to the Privacy Act 1988 extend a set of NationalPrivacy Principles (NPPs) to the private sector. The NPPs were originallydeveloped by the Privacy Commissioner in 1997 through a process of consultationwith industry and consumer groups. In turning them into legislative provisions,the detail of these principles has been substantially expanded. The NPPsdiffer from the Information Privacy Principles (IPPs) which apply to CommonwealthGovernment agencies.

The National Privacy Principles set out minimum standards forthe handling of personal information. These relate to:

The NPPs apply to all organisations (other than public sector organisations,which are already covered by the Information Privacy Principles). Thisincludes a body corporate, an unincorporated association, a partnership,a trust or an individual. However, exceptions are granted to the followingorganisations:

Scope

The legislation will cover all types of personal information which arenot publicly available but, will exclude:(i) a holding company of another body corporate;
(ii) a subsidiary of another body corporate;
(iii) a subsidiary of a holding company of another body corporate,Under section 46, a body corporate (in this section called the first body)is a subsidiary of another body corporate if, and only if:
(i) the other body:
(A) controls the composition of the first body's board;
(B) controls more than one-half of the maximum number of possible votes ata general meeting of the first body; or
(C) hold more than one-half of the issued share capital of the first body;
(ii) the first body is a subsidiary of a subsidiaryof the other body.

This might allow a large organisation with diverse businesses to poolits personal data collections without the knowledge of its customers. Restrictionsstill apply to the use and disclosure of this information, but an organisationwhich was able to conduct direct marketing to customers apparently conductdirect marketing in respect of all of the operations of its related bodiescorporate.

The NPPs

The heart of the legislation is the National Privacy Principles. The NPPsare broadly similar to privacy principles embodied in privacy laws introducedthroughout the industrialised world in recent years, broadly based on the1980 OECD privacy principles. The principles impose restrictions on thecollection, use and disclosure of personal information. They impose requirementsrelating to the quality and security of personal information as well asrequiring openness about information practices and where practicable, givingindividuals the option to remain anonymous in transactions. Individualsare given rights to access personal information, subject to restrictions.There are controls on the transfer of personal information to someone ina foreign country which does not have similar privacy protection. A higherstandard of privacy protection is required for "sensitive information"- defined to include information about an individual's racial or ethnicorigin, political opinions, membership of a political association, religiousbeliefs or affiliations, philosophical beliefs, union membership, sexualpreference or practices, criminal records and health information.

Privacy Codes

By default, the NPPs apply to organisations - that is, unless the organisationis a signatory to a voluntary code which has been approved by the PrivacyCommissioner. However, the legislation leaves open the option of industrygroups or individual firms developing their own codes of conduct in placeof the NPPs. Codes can be developed by any organisation or group, but cannotimpose a lower standard or privacy protection than the NPPs. Codes mustbe approved by the Privacy Commissioner after a process of consultation.The codes are intended to give the legislation maximum flexibility whileretaining a consistent standard of privacy protection.

Enforcement

Once in place, an individual who believes that the code has been breachedmay make a complaint to the organisation concerned. If it is not resolvedsatisfactorily, they may make a complaint to the Privacy Commissioner,or if an independent adjudicator has been appointed to administer the code,they must make the complaint to that body.Breach of the NPPs can result in an order from either a code authorityor the Privacy Commissioner to restrain an action, undertake an action,or to give monetary compensation.

A decision to give an individual a remedy can be appealed in the FederalMagistrate's Court, and can be enforced through the Court if it is notgiven effect. A decision against an individual cannot be appealed althoughthe decision itself is subject to the process of administrative review.
One of the key weaknesses in the enforcement mechanism is that whileCode authorities will be required to submit an annual report on their complainthandling, there is no other mechanism for accountability in the decisionmaking process for handling complaints. There is, for example, no processfor the Privacy Commissioner to issue binding rulings or interpretations,which may be needed because of the generality of many provisions of thelegislation. This is especially a problem since individuals will have nogeneral appeal right or recourse (other than a formal review under theAdministrative Division Judicial Review Act 1977) if a code authority rulesagainst a complainant. Under the ADJR Act, the review of the decision isrestricted to review for errors of law and does not extend to review ofthe merits of a decision, such as the policy used in the decision makingby a code authority, and the weight given to primary evidence for the purposeof inferring factual conclusions. The ADJR Act will nevertheless allowindividuals to obtain an explanation as to why an unfavourable decisionwas reached.

Conclusions

While there are strengths in the general framework of the legislation -a set of overarching principles which can be applied with some flexibility- the Bill is flawed by exemptions which are, by international standards,quite extraordinary. These exemptions create significant problems:
  • Given the complexity of the legislation and its broad exemptions, the Governmentwill have a difficult time arguing that consumer confidence in ecommercewill be bolstered. For example, the overwhelming majority of Australianbusinesses have a general exemption from the legislation (subject to limitations)through the small business provision. Consumers will often not know whetherthe organisation they are dealing with is covered by the legislation ornot. The complexity of the legislation is likely to add to confusion ratherthan create clarity. This is especially the case in the online environmentwhen consumers have no pre-existing relationship or knowledge of companieswith whom they may be doing business. Forrester Research in the UnitedStates has estimated that a lack of consumer confidence about the protectionof personal information online resulted in a loss of $2.8 billion in potentialecommerce business last year. These concerns can be addressed directlywith a world-standard privacy regime; but a confusing, compromised proposalsuch as this one will not overcome the lack of consumer confidence whichcontinues to retard the growth of ecommerce in Australia.
  • The implications of this exemption are not entirely clear. For example,if a small business is involved in one transfer of information for somekind of benefit, does this mean that it is covered by the privacy legislationin respect of all of its holdings of personal information? Is it only coveredin respect of the handling of that particular record? If it makes availablea set of records for some kind of benefit to a third party at one pointin time, for how long is that set of information records covered by theprovisions of the Act? Likewise, does the fact that some information collectedby an organisation is made available to the public mean that the organisationis exempted from the operation of the Act in respect of all other processesof collecting, using, handling and disclosing this information? If politicalparties are exempted from the legislation in relation to practices associatedwith elections, referenda or the political process generally, does thisallow the political party to on-sell information to other organisationswithout the individual's consent? By creating so many broad exemptions,the legislation creates uncertainty in many
  • With such broad exemptions, Australia is unlikely to make it on to theanticipated European Union "White List" of countries whose privacy protectionis "adequate", and with whom European businesses can confidently exchangepersonal information. This undermines Australian efforts to position itselfas the leading data processing in the Asia Pacific centre, especially asHong Kong and New Zealand both have privacy legislation which is likelyto meet the EU standards.
  • The decentralised nature of the complaint handling process may result inthe development of different interpretations and privacy standards. Thiscould be especially difficult for some companies which may belong to anumber of industry organisations and whose activities may extend acrossseveral industry sectors.
  • These issues are likely to receive a hearing through the parliamentaryprocess as the legislation gives through the two House of Representatives.There is strong public support for legal protection for privacy - accordingto a 1999 Roy Morgan survey, 56% say that they are worried by invasionof privacy through new technology, and consistently surveys show more thanfour out of five people supporting privacy legislation for businesses.As yet, that public concern has not been fully reflected in the Government'slegislative plans.

    Tim Dixon is an associate at Baker & McKenzie in Sydney and isChairman of the Australian Privacy Foundation.


    WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
    URL: http://www.worldlii.org/int/other/PrivLRes/2000/4.html


    WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
    URL: http://www.worldlii.org/int/other/PrivLRes/2000/4.html