Problems With The Privacy Amendment (Enhancing Privacy Protection) Bill 2012

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 has been widely hailed as a major step forward in strengthening privacy laws in Australia.

However a closer inspection of the details of the legislation, which is over 240 pages long, and the submission prepared by the Australian Privacy Foundation, reveals what appear to be serious limitations and flaws.

As prominent privacy expert Nigel Waters points out, the reforms are desirable in that they have made provision for civil penalties, the obtaining of enforceable undertakings, the enforcement of own motion investigations by the Commissioner and Privacy Impact Assessments.

However the submission canvasses defects in the legislation which are meticulously analysed by the Australian Privacy Foundation.

Some of the problems noted will be mentioned only fleetingly here; however, any person concerned with privacy should read the submission by the Australian Privacy Foundation together with the new legislation to become acquainted with it in more detail.

There is a conspicuous absence in the legislation of a power to require the Privacy Commissioner to make determinations or enforceable decisions concerning complaints. Providing a ‘new’ right of appeal to complainants to appeal to the Administrative Appeals Tribunal against the Commissioner’s decisions is of dubious value if complainants cannot legally oblige the Privacy Commissioner to make formal decisions to dismiss complaints, or to appeal resolutions which they find unsatisfactory.

This omission is particularly disappointing when considered against the backdrop of a history of inaction in the use of enforcement powers which have been previously available to Commissioners. As privacy has had a low public profile, disappointing outcomes for complainants who have suffered a breach of their privacy have gone relatively unnoticed. The ‘entitlement’ to a right of appeal, without a requirement to make a formal decision, operates largely as a fiction, where there is no formal ‘decision’ to appeal.

The current Commissioner has only made one s52 determination and only nine determinations have ever been made over a period of 23 years.  Many complainants have been powerless to have their ‘determinations’ reviewed as their complaints have been dismissed or deemed to have been resolved (albeit unsatisfactorily to complainants) without a formal determination.

Other flaws emerge from a closer consideration of the new Australian Privacy Principles (APPs).  Whilst consolidation of the IPPs and NPPs does lead to simplification, eight of the thirteen APPs are in fact weaker in nature than the Unified Privacy Principles (UPPs) originally proposed by the Australian Law Reform Commission in their recommendations, and also weaker than the IPPs and NPPs.

Some worth mentioning are the principles which alter the anonymity provision, which enabled individuals to deal with organisations anonymously. The legislation now enables data collectors to insist on pseudonymity as a matter of what appears largely to be preference. The anonymity principle could be decimated given that entities have the option of offering pseudonymity or anonymity to individuals.

The amendments to the credit reporting provisions may seem appealing, however one of the major ways that privacy is protected is by not sharing information in the first place.  There are provisions of the Bill which enable the credit reporting industry to share information about Australians who have never had a credit default; a retrograde step for individual privacy. The submission gives detailed consideration to the credit industry reforms to highlight their problems.

As stated previously, the recommendations of the ALRC regarding the removal of exemptions such as the small business exemption, the employee records exemption and the political exemptions are awaiting further consideration. There have been many law reform enquiries in relation to privacy and, by past indicators, reforming privacy law does not seem to have rated highly on the political agenda. One would have to wonder whether these recommendations made by the ALRC will ever be addressed, given that the opportunity to legislate to cater for all of the ALRC’s recommendations was available. Indeed it took four years to respond to the ALRC’s recommendations, which were selectively implemented and in many cases ignored or altered, leading to erosions of privacy in many instances.

A major weakness of the privacy principles which has attracted international condemnation is the data export provisions. The European Union has yet to grant Australia an adequacy finding in relation to its privacy laws, when measured against the Council of Europe data protection Convention, which is envisaged to become something of a global convention. The cross-border disclosure principle in the legislation, which has great significance in the context of the adoption of cloud computing, is manifestly inadequate.

APP 8, in essence, abandons the ‘border protection’ orientation recommended by the ALRC in favour of an ‘accountability’ approach which will probably end up being notional in its present form. The existing NPP 9 allows personal data to be exported to any country irrespective of the strength of that country’s data protection laws, provided ‘reasonable steps’ are taken to ensure that the data is used consistently with the NPPs.

APP 8.1 enables an Australian company or agency to send personal information to any country in the world subject only to APP 6. Only if it is not completely exempt from any liability for what happens to the information, due to the application of existing exemptions, will it be liable under the Australian legislation for any acts by the overseas data recipient which would breach the APPs were the recipient held to the APPs (see s20).

This applies to acts of an overseas recipient, even one which would be exempt under Australian law in Australia. The Australian exporter will also breach APP 8 if it fails to take reasonable steps, before exporting data, to ensure that the overseas recipient does not breach the APPs (other than APP 1).

There is no definition of what ‘steps’ must be taken, nor is there any provision for the Commissioner to issue guidelines or to ensure that model contracts are used in this regard. It is critical that the Commissioner have established guidelines providing for standardised contractual clauses to protect transborder data flows.

The data exporter does not have to take any steps to ensure that the data recipient actually complies. It seems incomprehensible that an individual in Australia could possibly prove on the balance of probabilities that a breach of privacy has occurred in an overseas country, particularly where the recipient doesn’t even have privacy policies in place. There has been a major backlash in relation to the ‘accountability provision’; however, when examined carefully, it doesn’t appear to be any more than notional.

APP 1.4 also states that an entity has to include in its privacy policy information regarding ‘whether it is likely to disclose personal information to overseas recipients’ (f) and, if so, ‘the countries in which such recipients are likely to be located’, but only if it is practicable to specify those countries (g). APP 5.2(i) & (j) specify the same information in relation to collection, which is left to the subjective interpretation of entities. The APPs don’t require disclosure of where recipients of data might be located, or of the level of privacy protection available in the destination country. This discretion opens the door to abuses of privacy.

The failure to clarify the definition of an individual’s consent to information collection is another identified weakness. A failure to opt out should not be interpreted as meaning an individual has given clear and unambiguous consent to data collection. Consent should ideally be voluntary, informed and freely given. The failure of the legislation to address the issue of ‘bundled consent’ is also a flaw, so that individual consent still does not apply separately to the operation of each privacy principle.

The drafting of the Act leaves a lot to be desired in that exceptions to each of the privacy principles are not set out under each principle; rather, they have been put into a separate section of the Act, which reduces the ability of individuals to fully understand their privacy rights.

The collection principle has been significantly diluted, from entities being able to collect data necessary for the performance of their functions to the substituted phrase ‘reasonably necessary’, whilst the exceptions to the collection of information falling into the definition of ‘sensitive information’ have been expanded.

Finally, notwithstanding the level of enquiry, debate and discourse that has occurred regarding the enactment of a statutory tort of privacy, the issue didn’t rate a mention!

The legislation was overdue and, to the extent that it purports to modernise and strengthen Australia’s privacy regime, has proven to be inadequate. Whilst the legislation purports to be acting on the many recommendations of the ALRC report, which was critical of Australia’s Privacy Act, it isn’t in fact faithful to the ALRC recommendations.

Amongst other things, the ALRC Report reflected favourably on overseas developments, notably the ongoing strengthening in Europe of EU Directives covering public/private sector data collection and European case law on matters such as national security. It seems that Australia still falls short of expectations, unlike New Zealand and other countries.
