coherence
This page considers proposals for rationalisation of the
Australian privacy regimes, including establishment of
a tort of privacy and of a coherent national set of Unified
Privacy Principles (UPP).
introduction
The Australian Law Reform Commission's 2007 Review
of Australian Privacy Law discussion
paper (a three volume document of some 1,977 pages)
drew on community consultation and previous exploration
by federal and state/territory entities (notably the NSW
state Law Reform Commission) in proposing rationalisation
of the Australian privacy regimes.
That rationalisation would provide a substantially uniform
regime, reducing anomalies attributable to different laws
in the Australian jurisdictions, inconsistency in the
development and application of industry codes and government
guidelines, and anomalous exemptions.
As of late 2007 privacy in Australia is a confusing concatenation
of -
- state and national legislation (often with a sectoral basis),
- administrative arrangements (as noted in later pages of this profile,
  some states have relied on administrative orders rather
  than legislation to deal with privacy in relation to
  their public sector bodies)
- industry codes, conceived and administered in favour of consumers
  or otherwise
- a range of public and private sector regulatory bodies,
  some of which have been strongly criticised by past
  executives as supine or underresourced
- overlaps, exclusions and uncertainties (eg coverage of some state
  statutory bodies, quasi-statutory bodies and private
  sector contractors)
- judicial decisions moving unsteadily towards recognition
  of community expectations.
There is no national tort of privacy, ie a statutory cause of
action for breach of privacy. The European Commission
has criticised the Australian regimes as lacking parity
with international best practice. Other critics have noted
that principles and operational rules for the public and
private sectors are not the same, although both deal with
the same people and often cover the same information,
and commented that in practice the regimes are exception-
rather than principle-based.
The ALRC has thus suggested a national approach, founded
on a single set of Unified Privacy Principles (UPP) and
featuring a statutory cause of action for invasion of
privacy.
That suggestion has faced criticisms of varying significance,
with unsurprising opposition from the Direct Marketing
Association, comment by the Australian Bankers’
Association that adoption of UPP would be "premature"
and anxiety on the part of the Arts Law Centre that creativity
may be chilled.
unified principles
The paper proposes that
"The Privacy Act should be amended to consolidate the current
Information Privacy Principles and National Privacy
Principles into a single set of principles … that
will be generally applicable to agencies and organizations,
subject to such exceptions as required."
Those UPP would be based on the NPP in the current federal Privacy
Act.
They would reflect a new objects clause that articulates
seven national objectives in relation to privacy, including
promotion of the protection of individual privacy, establishment
of a cause of action, promotion of "responsible and
transparent" information handling, facilitation of
electronic commerce and provision of "the basis for
nationally consistent regulation of privacy".
Those objects and thus the new UPP revisit the 1980 OECD
Guidelines, bearing in mind technological development
over the past two decades and continuing disagreement
about conceptualisation of personal privacy and corporate
data protection. The ALRC considers that privacy is not
an unqualified ‘right to be left alone’,
whether online or offline.
Adoption of the UPP would not require amalgamation of
current federal information law, for example fusion of
the Privacy Act, Freedom of Information Act
1982, Archives Act 1983 and Spam
Act 2003.
The expectation is that national government agencies and
the private sector would be directly covered by a single
set of UPP -
1 Anonymity and Pseudonymity
2 Collection
3 Specific Notification
4 Openness
5 Use and Disclosure
6 Direct Marketing
7 Data Quality
8 Data Security
9 Access and Correction
10 Identifiers
11 Transborder Data Flows
State/Territory government agencies would be covered by the same UPP in
legislation in those jurisdictions.
The UPP do not feature a discrete principle regarding
consent, with the paper noting that "treating consent
as a separate privacy principle may inappropriately elevate
consent to being the overriding factor in permitting or
restricting the handling of personal information".
Questions about consent would instead be addressed through
the proposed UPP. Application of the Transborder Data
Flow principle, for example, assumes that data subjects
would be alerted in contracts and pre-contractual arrangements
that fulfilment of the contract may require overseas transfer
of an individual's personal information, with entities
being held accountable where there was transfer in breach
of consent.
At the national level the UPP would apply except where
primary legislation "imposes different or more specific
requirements in a particular context" or "subordinate
legislation under the Privacy Act imposes different or
more specific requirements in a particular context".
That would accommodate health-specific privacy regulations
(the draft National Health Privacy Code), with
health information being covered by the UPP rather than
quarantined in a discrete health 'silo' administered by
separate agencies and tied to separate privacy objectives.
The Act and UPP are expected to be resilient, with few
changes over time; treatment of health privacy through
the proposed Privacy (Health Information) Regulations
is seen as allowing a flexible response to changing circumstances.
More broadly the use of regulations derived from the UPP
is an attempt to reconcile conflicting advice to the ALRC
that the Act should
- identify technology-neutral broad principles
- offer rules for practical application
- provide certainty without being so narrowly restricted
  as to be superseded by commercial/technological developments
- foster attention to the letter rather than the spirit of the
  law.
A national approach
National comprehensiveness and consistency would be provided
through the expectation that any state/territory privacy
laws regulating the public sector should apply the proposed
UPPs, and contain uniform provisions relating to a number
of key issues - such as definitions, the making
of determinations by the regulator, and data breach notifications.
Reform of state/territory law (and the administrative
arrangements that in some states are a surrogate for a
privacy enactment) would see elimination of overlaps,
inappropriate exclusions and uncertainties on a jurisdiction
by jurisdiction basis. Articulation of the UPP can thus
be seen as a mechanism for harmonisation (facilitated
through an intergovernmental entity), not an attempt to
erode state power.
Exemptions
One driver for review of the privacy regime has been disquiet
about exemptions in federal and state/territory privacy
enactments. The ALRC proposes elimination of some exemptions
(eg the UPP would cover small business, employee records,
registered political parties and state incorporated bodies)
but retention of exemptions for some government agencies.
Exemptions for defence and intelligence agencies are retained,
with the paper essentially proposing formalisation of
ad hoc practice by the relevant federal ministers and
agencies. Harmonisation of court policies is recommended;
exemption of federal tribunals in relation to adjudicative
functions is left in the air. In contrast the ALRC suggests
that exemption of the ABC, SBS and other agencies -
derived from their FOI Act exemption - should be
removed, providing parity with private sector media organizations.
It asks whether the federal parliamentary departments
should be exempt, indicating that the rationale for exemption
is unclear.
It notes that a range of state/territory statutory authorities
and government business enterprises are currently not
covered by privacy legislation in those jurisdictions.
The paper accordingly suggests that - pending enactment
of state/territory legislation reflecting the UPP -
the national Act should be amended to apply to all state
incorporated bodies except where covered by state law
or exempted on public interest grounds (adverse effect
on the particular government) by the Minister.
Just as adventurously, the ALRC notes that no comparable
overseas jurisdictions have an exemption for small business,
commenting that it is “not convinced that exemption
for small business is either necessary or justifiable”.
Simplification of the Privacy Act should minimise the
compliance costs that have been claimed to prevent extension
of the Act to small business. The paper similarly notes
that there is no sound policy reason why privacy protection
for employee records is only available to public sector
employees and not private sector employees. Treating employees’
personal information differently from other personal information
is also unjustifiable.
It goes on to comment that maintaining the exemption may
result in further regulation by states/territories, thus
“contributing to fragmentation and inconsistency
in workplace privacy regulation”. National adoption
of the UPP would minimise proliferation of those silos
- with protection on the basis of principle rather
than where a person works - and facilitate recognition
by the EU of the Australian regime. Employee privacy should
be addressed through the overarching Privacy Act, not
through a fix quarantined in the Workplace Relations Act
1996.
From a principles perspective neither journalism nor politics
occur on a separate planet. The paper comments that
"In the interests of promoting public confidence in the
political process, those who exercise or seek power
in government should adhere to the principles and practices
that are required of the wider community."
Consistent with non-exemption in the UK, Canada and other jurisdictions
it accordingly recommends removal of exemption for registered
political parties and for political acts and practices.
It proposes tightening of the ‘journalism’
exemption, which would not override the statutory cause
of action for invasion of privacy, and inclusion of the
key word ‘adequately’ in dealing under s 7B(4)(b)(i)
of the Privacy Act, thereby ending a requirement that
the effectiveness of self-regulation is irrelevant.
A private investigation industry spokesperson complained
in 2006 that asking investigators not to use illicit surveillance
methods “is like asking a carpenter to put cupboards
up without using a hammer, nails, screws or a saw”.
Unsurprisingly, the ALRC rejected suggestions of a new
exemption for that industry, instead recommending that
governments consider regulation. It similarly found “no
compelling reason” for exemption of valuers or archivists.