Greenleaf, Graham --- "Submission on the Privacy Amendment (Private Sector) Bill 2000" [2000] PrivLRes 3; [2000] CyberLRes 5 (14 May 2000)
Working Notes used in preparation of a
Submission to the House of Representatives Standing
Committee on Legal and Constitutional Affairs
Privacy Amendment (Private Sector) Bill 2000
Graham Greenleaf
Professor of Law, University of New South Wales
14 May 2000
Contents of submission
1. Introduction
1.1. Structure of submission
I have read the submission proposed by the Australian Privacy Charter Council and I wish to endorse that submission. I have not covered many of the matters in that submission but have concentrated on a few aspects of the Bill. References to sections ('s5B') are to sections of the Privacy Act 1988, as proposed to be amended by this Bill. References to clauses ('cl 3') are to clauses of the Bill.
I have attached brief biographical details indicating my qualifications and experience in relation to privacy matters.
1.2. Overall assessment of the Bill
In its current form, the Privacy Amendment (Private Sector) Bill 2000 is essentially 'business protection legislation', and not primarily legislation to protect the privacy of consumers and citizens.
At the most general level, the formal structure of the Bill is supportable, including its co-regulatory structure. The principal deficiencies of the Bill are its numerous exceptions and exclusions, and the omission of a number of basic protective mechanisms, which prevents effective enforcement of such consumer rights as do exist. As noted by the Charter Council, the Bill also contains many well-drafted provisions.
Before this Bill deserves any support from a consumer perspective, it requires many major improvements. With such major improvements, the structure of the Bill is capable of providing a useful (though still inadequate) form of privacy protection. Well-controlled and enforceable co-regulatory schemes can provide a useful advance in the world-wide development of privacy laws - but this Bill lacks both the necessary public interest controls and fair enforcement mechanisms.
As the Bill stands, I do not support its enactment. Due to its numerous weaknesses, it will legitimate previously questionable privacy-invasive business practices more than it will protect privacy. Large areas of privacy-invasive business (and political) practices will be completely exempt from the Bill. Protection of individual privacy will be piecemeal, and will leave consumers unprotected against many of the worst privacy invasions (which will now have an aura of legitimacy from 'complying with the Privacy Act'). Such rights as the Bill provides will be inadequately enforced, and enforced in a way which is biased toward business.
This Bill is capable of amendment so that it could at least bring Australia up to the standards of privacy protection now commonplace in Europe, New Zealand, Hong Kong and elsewhere. Such legislation will not be sufficient to provide adequate privacy protection in the 21st century, but would at least bring Australia up to last century's standards.
In this submission I have detailed some major deficiencies of the Bill, and suggest how some of them can be remedied by simple amendments. Many other deficiencies, and suggestions for improvement, are covered in submissions by the Privacy Charter Council. These constructive suggestions for improvement of the Bill should not be misinterpreted as support for a Bill which is fundamentally anti-consumer. It will take major surgery for this Bill to be of substantial value to consumers.
1.3. Biased purposes (cl 3)
The new objects clause of the Act (s3) indicates a pro-business bias which may affect the interpretation of the Act by the Commissioner, Code bodies and Courts. The objects refer only to individual 'interests' in protecting their privacy, but refer to 'the right of business to achieve its objectives efficiently'.
Recommendation: Two changes would make the objects more evenly balanced, without bias toward either business or consumers:
(i) a change to 'individuals' rights in protecting their privacy'; and
(ii) a change to 'the right of business to achieve its legitimate objectives efficiently'.
2. Deficiencies in the enforcement procedures
Co-regulation involving a range of different industry Code authorities will not operate in a way which is fair and effective unless:
- The procedures are not biased against either businesses or consumers.
- The Code authorities have sufficient powers to properly investigate complaints.
- There is a process by which the potential differences in interpretation of the Act by different Code authorities can be overcome, with uniform and legally correct interpretations of the Act resulting and applied by all Code authorities and the Commissioner.
The proposed complaints procedures will not deliver any of these necessary outcomes, and are unfair and biased against complainants, for the reasons following.
2.1. The lack of an appeals structure is biased toward businesses
Businesses complained about will in effect have a right of appeal to the Federal Court on the merits of their case, whereas unsuccessful individual complainants will have no such right. This is unfair and biased.
As is currently the case under s55 of the Privacy Act, under the new ss55 and 55A, a determination of a complaint by a Code authority or by the Commissioner can only be enforced by proceedings in the Federal Court (or the new Federal Magistrates Court), and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been conduct constituting an interference with privacy (s55A(5)).
As a result, all that a business has to do if it is aggrieved by the way in which a Code Complaints Body or the Privacy Commissioner has dealt with a complaint against it is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. The complainant must then take the matter to the Federal Court, and the business can have the matter heard in full again. In effect, it obtains a right of appeal to a Court.
The problem is that an unsuccessful complainant, whether the complaint is heard by a Code Complaints Body or by the Privacy Commissioner, has no such right of appeal - no right to have the matter heard de novo by any higher authority. They have no redress against a wrong interpretation of an Industry Code or the National Privacy Principles (or of other provisions of a Code or the Act), or against the wrong application of the law to the facts of the complainant's case. This is unfair and biases the whole enforcement structure of the Act against consumers.
A determination will now be prima facie evidence of the facts upon which the determination is based (s55A(6)). It will be possible, however, for those facts to be challenged. This does not address the fundamental problem of unsuccessful complainants having no right of appeal, but is an improvement since the successful complainant is at least not put to proof of those facts all over again.
2.2. Judicial review will not deliver justice, nor develop consistent privacy law
Nor does the proposal to make decisions of code complaint bodies subject to judicial review address the problem sufficiently. This will help ensure that code complaint bodies observe procedural fairness, but will do little to ensure the development of consistent and legally correct interpretations of the National Privacy Principles, or of code provisions based on them, across the wide range of factual situations which will arise in complaints. It will also fail to provide justice to complainants where a code complaints body has misinterpreted its own code, or applied the code to the facts of the complaint in a dubious fashion, or (as mentioned below) been frustrated in its investigation through lack of powers.
As a result of these continuing deficiencies of the proposals, there will be little likelihood of the development of a significant or consistent body of law concerning the meaning and application of the Principles. The Privacy Commissioner will not oversee the interpretation of codes by industry bodies in individual cases, being limited to some vague obligation to report on their general operation in his or her annual report. The Courts will only do so rarely, and only in cases where the code has been interpreted in favour of complainants and is therefore under attack by businesses.
2.3. Lack of powers to investigate
Industry complaint bodies will not have any statutory powers to investigate or obtain information, in contrast with the very strong powers held by the Privacy Commissioner. The Information Paper admitted:
It is intended that privacy codes should require participants to co-operate with and provide requested information to code complaint bodies. However, this will not fully substitute for the Privacy Commissioner's statutory powers, particularly in relation to obtaining information from third parties.
This deficiency in investigative powers greatly exacerbates the complainant's lack of a right of appeal. If investigations are frustrated, a complainant's case will remain unproven. Where an industry complaint body's investigation is frustrated by its lack of investigative powers (particularly where a third party not a party to the industry scheme has failed to cooperate), it is unlikely that it could be criticised in a process of judicial review, and the fact that it can make no enforceable determination denies the complainant the avenue of taking the matter to a tribunal where legal powers of compulsion are available (the Federal Court). In contrast, in the rare event that a business could not provide evidence of its defence because some third party refused to provide evidence, the business can use the avenues of Federal Court process to obtain the evidence, once the complainant starts an enforcement action.
The ability of a Code authority to refer complaints to the Commissioner (s40(1B)) is useful, but is out of the control of the complainant and at the discretion of the Code authority, and is no substitute for a right of appeal against bad decisions based on inadequate investigations.
All of these remedial processes are biased against complainants in favour of businesses, and should not be. These weaknesses bring the bona fides of the proposed legislation as genuine co-regulation into question.
2.4. The need for consistent and accessible privacy law
The Australian Consumers Association, in its submission, refers to the danger of 'privacy silos', inconsistent versions of privacy law emerging in different industries with Codes. This is my concern as well, but I differ from ACA in that I do not think that appeals to the Privacy Commissioner (who is not a lawyer) are a complete answer. I have no objection to appeals to the Privacy Commissioner as an intermediate stage - a first tier administrative review. This would assist in providing greater consistency of interpretation, and the Commissioner's investigative powers would assist in better resolution of some complaints.
However, the Privacy Act needs the benefit of occasional interpretation by the Courts on serious issues, and the Privacy Commissioner's decisions should also be subject to appeal where the issue is important enough. A right of appeal is unlikely to lead to a flood of cases.
3. Publication of Code decisions - avoiding secret justice
3.1. Formal determinations
New s18BB(3)(d) requires determinations (ie decisions on complaints) by Code authorities to be 'the same' as the Commissioner makes under s52, but it is not clear that this would require Code authorities to follow the Commissioner's practice of publishing such determinations. It does not even specifically require determinations to be in writing. These matters should be explicit in the terms of a Code.
It is of vital importance that the way in which Code authorities handle complaints, and particularly how they decide the most important complaints - those that go to a full formal determination - is open to public scrutiny. This information needs to be available to potential complainants, to their advisers, and to those generally interested in the way in which the law is being interpreted by Code bodies.
If there is not full access to determinations, then there is no transparency in the Code process and no guarantee of its integrity.
Recommendations
(i) s18BB should require Code authorities to make written determinations specifying the reasons for the determination, and to provide a public register of such determinations, and copies of determinations to anyone who asks for one.
(ii) s18BB should require determinations by Code authorities to be provided to the Privacy Commissioner when made, and for the Commissioner to publish them. Complainants should be anonymised where necessary.
3.2. Informal mediation
Most complaints will not be settled by formal determinations, but by informal mediation by the Code authority. However, even when complaints are settled by mediation, they are settled on the basis of an interpretation of the law (ie of the Code and of other aspects of the Act). For the same reasons as set out above, it is very important that this process has some transparency that will aid others to understand how the law is being interpreted. New s18BB(k) is unclear as to whether anything more than statistical recording of these complaints by Code authorities is necessary, and this is insufficient.
Recommendations
(i) s18BB(k) should require Code authorities to keep a brief summary of each complaint resolved without a determination, sufficient to identify the nature of the complaint, the Code provisions applied in resolving it, the nature of the settlement, and any issues of law which were raised in the complaint. Where necessary, both complainant and respondent may be anonymised.
(ii) The Code authority should provide a copy of these summaries to the Commissioner at least annually, for publication by the Commissioner. Publication via the Internet, and a copy available on request from the Commissioner's office, will be sufficient.
4. Unjustified exemptions
I have only been able to deal with some of the Act's unjustified exemptions in this submission.
4.1. Flaws in the 'small' business exemption
Other submissions will explain how the demographics of Australian businesses mean that the $3M turnover definition of a 'small' business means most Australian businesses will have virtually no obligations to protect their customers' (or anyone else's) privacy. I will concentrate on how the exemption will be abused to provide exemptions to big businesses, and how it will also operate unfairly to prejudice the interests of small businesses that wish to protect privacy, and will put at risk the privacy-protective efforts of industry associations.
How big businesses can rort the 'small' business exemption
The so-called 'small business exemption' contains a major loophole which will allow a company or individual to run a large business (say of annual turnover $10M) which is based around major use of customer personal information, but for that large business to have unrestricted swapping and use of that personal information within all units of the business, and still to escape completely from the operation of the Act. Big businesses can use this loophole to escape from their obligations to protect privacy.
This potential for the rorting of the Act takes several steps to explain:
- A 'small business operator' (not a 'small business') is the entity exempted from the operation of the Act, because 'organisation' does not include a 'small business operator' (s6C). Since only 'organisations' (in the private sector) are obliged to comply with the Act, small business operators ('SBOs') are therefore exempt from complying with the Act.
- The definition of a 'small business operator' says a SBO 'carries on one or more small businesses' (s6D(3)(a)). A SBO could therefore carry on a number of businesses, let's call them 'YourInfo (Marketing)', 'YourInfo (Sales)' and 'YourInfo (Collections)'.
- The exemption as a 'small business operator' is lost if any of the businesses of a SBO 'discloses personal information ... to anyone else for a benefit, service or advantage' (s6D(4)(c)). The loophole is that disclosure of personal information between any of the businesses run by the SBO is not disclosure 'to anyone else', it is just disclosure to the same SBO (the fact that it is between different businesses is irrelevant). Similarly, the collection of information from the other business does not cause the exemption to be lost because it is not collection 'from anyone else' (s6D(4)(d)).
- The different businesses run by the SBO can use the personal information received from the other businesses for any purpose they like, because only disclosure, not use, can cause loss of the exemption.
- This is so even if the use is completely unrelated to the purpose of collection, and if the information used is inaccurate, irrelevant, incomplete etc. The individuals concerned have no rights of access or correction.
This means that any businesses run by the same operator, no matter how large and how privacy invasive in their use of information (provided it does not involve disclosures or collections for consideration), can completely avoid the operation of the Act by the expedient of splitting any of the constituent businesses into sub-businesses before they reach the $3M threshold (s6D(4)(a)). Just have lots of 'small' privacy invading businesses, and your total business operation can be as big as you like, and still remain a privacy-free zone.
How to increase the sale value of a small business by privacy-invasion
The SBO rort is made even worse by the way in which it increases the sale value of small businesses that hold potentially valuable personal information, by encouraging the use of this information for interferences with privacy which would otherwise be illegal. This argument also takes a couple of steps:
- Many small businesses will hold personal information (often about their customers) which could be misused for purposes for which it was not provided by combining it with other personal information held by other businesses. However, the small business cannot do this, because it would involve disclosure of the information to someone else, which would cause loss of SBO status for both the disclosing business (s6D(4)(c)) and the collecting business (s6D(4)(d)).
- At face value, the value of the small business will therefore not include any component based on the commercially valuable disclosure and use of this personal information, because such disclosure is illegal.
- However, any SBO who buys the small business in question that has the valuable personal information (as opposed to buying the information) can immediately share all of this personal information with its other small businesses. The combining of the information held by all the businesses is now within the privacy-free zone.
- Because of the so-called small business exemption, the sale value of a business that holds personal information can therefore be higher than its value as a stand-alone business, because what would be an illegal invasion of privacy by a stand-alone business (even a small business) becomes perfectly legal when one 'small' business buys another.
This Act therefore increases the takeover value of small businesses with privacy-invasive potential. The Act should not operate to distort market mechanisms in this way.
The 'small' business exemption will hurt small businesses and industry associations
This exemption will also harm the small-ish business that wishes to obtain a reputation for protecting the privacy of its customers. There is no provision for an organisation which comes within the definition of 'small business operator' to 'opt in' to be bound by the Act. A business that wishes to protect privacy therefore cannot even say that it complies with the Privacy Act without being in danger of false and misleading conduct through implying it is bound by the Act.
Many businesses with a turnover of less than $3M are involved in international e-commerce via the Internet. Successful Internet businesses are not necessarily big businesses. They may make extensive use of personal information, particularly concerning their customers, without buying or selling personal information. It is likely that Australian 'small' businesses will be excluded from any finding of 'adequacy' by the European Union, and will therefore be excluded from receiving any personal information from EU countries. Similar exclusions are likely under laws of regional jurisdictions which have data export prohibitions, such as Hong Kong. More details are provided below.
Where a business is in an industry which has a Code under the Act, it cannot even participate fully in the industry Code, because any complaints against it will not be able to be dealt with by use of procedures under the Act (including enforcement of determinations, referrals to the Commissioner, administrative review etc).
Similarly, any industry associations which have as members any businesses within the definition of 'small business operator' and have an industry Code will be at risk of false and misleading conduct unless all information and publicity about the Code stresses that the legally significant aspects of the Code only apply to those of their members with turnover of more than $3M (and how will the public know who they are?).
This exemption therefore harms those small-ish businesses, and industry associations, that wish to protect privacy by refusing them the reputational and trade benefits that compliance with the Act provides.
Appropriate measures to safeguard small business interests
It should be possible to develop a flexible means of providing appropriate allowance for the interests of small businesses using other provisions in the Act without creating a dangerous 'privacy free zone'.
Recommendation
The small business exemption should be deleted from the Bill. The Privacy Commissioner should be required, before the Bill comes into force, to make a Public Interest Determination concerning small businesses, for the purpose of modifying the NPPs to the extent necessary to ensure that a simplified and less onerous set of privacy obligations applies to those small businesses where lesser obligations are proportionate and appropriate to the lesser risk to privacy of their business operations. Such a Determination should be reviewed periodically by the Commissioner as the need arises.
The Commissioner should be required to take the modifications to the NPPs into account in the development of all industry Codes, to ensure that such Codes have appropriate provisions for small businesses.
Such a requirement on the Commissioner would ensure that appropriate allowance is made for small businesses, based on the Commissioner's expertise in the NPPs and how they will be administered, while at the same time preserving the benefits of privacy protection both for businesses and consumers.
4.2. A better political parties 'exemption'
The only legitimate interest that politicians and political parties have in being 'exempted' in any way from an obligation to respect people's privacy is that there is some potential for the Privacy Act to be mis-used by one political party against another during the electoral process, with possible interference in the democratic process resulting.
The blanket exemption in the Bill is completely unnecessary to address that problem. All that is needed is to remove the Privacy Commissioner, and the Act, from the heat of the electoral process.
Recommendation
The current exemption for political parties (new s7C) should be deleted. Where a complaint under the Act is made against a political party (or an associated body), the following procedure should apply:
- Once writs have been issued for any election in which that political party has candidates, the Privacy Commissioner shall immediately cease to investigate any such complaint.
- Once the poll is declared for all seats in which the political party has candidates, the Privacy Commissioner will resume investigation of any such complaint.
4.3. The employment exemption
Others will deal with this exemption at more length, but I wish to add a number of further reasons why the exemption is unjustified:
- Public sector employment information is already covered by the Privacy Act (and this has not caused problems), so the exemption of private sector employees is discriminatory.
- The workplace relations legislation does not cover many of the privacy protections provided by the NPPs.
- If such an exemption is included, it is unlikely that Australian employers will be able to obtain employment information from European employers.
5. Will the Privacy Act be 'adequate' for EU purposes?
One of the objectives of the Bill (cl 3) is to meet 'international concerns ... relating to privacy', which it is clear from the Explanatory Memorandum principally includes meeting the requirements of the European Union's privacy Directive so that Australia can receive a Declaration of 'adequacy' of its laws by the Committee of Ministers of Member States (the 'A31 Committee').
5.1. Uncertainty about the meaning of 'adequacy'
At the time of writing, exactly what the EU will require for a Declaration of adequacy has to be regarded as unknown. The first 'benchmark' is likely to be a Declaration concerning the 'Safe Harbor' proposals put forward by the US government. The EU Commission has proposed to the A31 Committee a draft Declaration that accepts a modified 'Safe Harbor' proposal as 'adequate'. However, the previous draft was vehemently opposed by the Working Party of National Data Protection Commissioners (the 'A29 Committee'), and the A31 Committee will take into account the views of the A29 Committee on the new draft (when available) and of the European Parliament. The result is unlikely to be known until near the end of this year, and it is possible that the A31 Committee might require further negotiation of modifications of the Safe Harbor proposals with the US.
A realistic assessment of the likely 'adequacy' of the Australian Bill must therefore await the outcome of the A31 Committee's deliberations on the Safe Harbor proposal, and this is unlikely to be possible during the Parliamentary passage of this Bill. The safest course, given the importance of satisfying the EU standard, is to address deficiencies in the Bill which are likely to cause problems with an EU finding of 'adequacy'.
5.2. Problems with the Bill's 'adequacy'
Even with as weak a benchmark as the current Safe Harbor proposal, there are a number of aspects of the 2000 Bill which are likely to limit the scope of any EU finding of adequacy for Australia, and will therefore constitute problems for all or some sectors of Australian businesses:
- Lack of extra-territorial protection for EU citizens - Section 5B only extends the protection of the Act concerning extra-territorial practices of Australian businesses to benefit Australians, and therefore cannot be used to protect citizens of EU countries. NPP 9 dealing with transborder data flows does not operate to prevent the transfer of the information by an Australian business to its own branch operating overseas, because this is only a transfer to itself (and s5B would normally apply to extend the protection of the Australian Act). There is therefore a loophole in the Bill whereby an Australian company could import personal information on EU citizens, but could then export it outside Australia to a country with no privacy law, without the Australian Act applying.
- Lack of correction rights for EU citizens - The existing approach in s41(4), which prevents anyone other than Australian citizens and permanent residents from exercising correction rights (IPP 7), is extended to the private sector (NPP 6 and equivalent provisions in Codes). As with the previous example, this provision prevents EU citizens from obtaining the same benefits as Australians from our privacy law, and is contrary to the EU objective in the notion of 'adequacy' that their citizens should be protected by (adequate) local laws wherever their information is used, in the same way that the privacy of local citizens is protected.
New Zealand's Privacy Commissioner recently proposed that the NZ Privacy Act 1993 be amended to ensure that non-citizens have all rights under the Act, in order to ensure adequacy under EU law and that of other jurisdictions such as Hong Kong. The Australian Bill is failing to do this.
- Generally available publications - The broad exemption in the Act for information in a "generally available publication"[1], irrespective of whether the information came to be included in the publication in breach of the Act, may cause problems, as the A29 Committee noted a similar deficiency in the Safe Harbor principles.
- 'Small' businesses - There is no equivalent in the EU Directive for an exemption for 'small' businesses (or in the Safe Harbor proposals). At best, this is likely to result in an A31 Declaration that expressly excludes exempt Australian 'small' businesses from its coverage. However, the resulting difficulties involved in an EU business knowing whether any Australian business was covered by the Act could lead to the type of procedural complexities that legislation was supposed to avoid. There is no provision for 'small' businesses that wish to be bound by privacy law so as to be able to import personal information from Europe to opt in to being covered by the Act. They would have to resort to some artificial device such as buying or selling personal information so as to lose their exempt status under the Act. But how would the EU exporter be satisfied of this?
- Employment information - There is no equivalent general exemption in the EU Directive, and this is likely to lead to any A31 Declaration excluding any transfer of employment-related information. The A29 Committee wanted such an exclusion of employment information made explicit in the Safe Harbor proposal because the US Commerce Department did not have jurisdiction over such information. If there is such an exclusion, a European company would not be able to export employee data to a branch of its own company in Australia because the Australian company cannot 'opt in' to be covered by the Act in relation to its employment information.
- Weak control over onward transfers - As discussed later, two of the conditions under which personal information can be exported from Australia under NPP 9 are much weaker than anything found in the Directive. The A29 Committee has consistently identified controls over onward transfers as one of the key elements of 'adequacy', so this may also cause difficulties.
6. Other recommendations
It has not been possible in the time available for me to complete my submissionon the following matter, but I indicate some of my
concerns below.6.1. Related corporations
The effect of new s13B is to allow related corporations to exchange informationabout individuals where this disclosure is unrelated
to the primary purposefor which the information was collected, or where the individual wouldnot reasonably expect this to happen
(otherwise, s13B would be unnecessary). Normally this exchange of information between related corporationswill not matter so much, because the recipient corporation will
still haveto satisfy one of the conditions of NPP 2 before it can use theinformation (see NPP 2.3 which clarifies this). The use would have to bewith the consent of the individual, or as authorised by
law, or with similarlyserious justification.
However, there is two exceptions to this:
- NPP 2.1(c) allows the information to be used for direct marketing purposes by the related corporation even though such use is contrary to the individual's reasonable expectations at the time of collection of the information, provided the individual is given the opportunity to opt out.
- Where information is used in a non-identified form, NPP 2 may be irrelevant. The extent to which the related corporation may be able to use a de-identified form of the information, merged with other information it holds, to create profiles of Internet usage and to customise user interactions in a way that falls outside the Act's definition of 'personal information' is uncertain.
It is far preferable for the corporation which collected the information to obtain the consent of the individual to disclose it to the related corporation, as this will be within the consumer's expectations in dealing with a corporation with which it has had previous dealings, rather than a corporation which may be related but with which it has never dealt.
Recommendation
The exemption from parts of the NPPs for related bodies corporate in new s13B should be deleted as unnecessary. Alternatively, s13B should state that it has no application to NPP 2.1(c) (direct marketing contrary to the individual's reasonable expectations at the time of collection).
6.2. Inadequate definition of 'personal information' for cyberspace
In a published article 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114 (available at <http://www2.austlii.edu.au/itlaw/articles/IPPs.html>) I have identified deficiencies with the Privacy Act's definition of 'personal information' in relation to cyberspace transactions. In the article I concluded:
The approach of this definition misses the point to some extent. Information about, say, the interests, understanding or consumption habits of a particular person can be aggregated by an internet service provider (or providers), by use of e-mail or machine addresses, for purposes such as e-mailing customised direct marketing materials to that address, or to customise the appearance of a web page so as to appeal most to requests which come from a particular machine address. It makes no difference whether the ISP can 'reasonably ascertain' the identity of the person who is associated with either the e-mail address or the http request, because the information about their consumption habits has been aggregated and used to market back to them, without them necessarily being aware of this or having consented to it. More serious consequences may also follow from such aggregation, such as decisions to limit access, or to deny some goods or services. If the definition of 'personal information' excludes such activity, IPPs will be very weak in cyberspace.
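The aggregation described in the quoted passage can be made concrete. The following is an added illustration, not part of the submission or of any real provider's system: it takes constructed access-log lines that carry nothing but a machine address and a requested path, builds an interest profile per address, and then tailors what that address is served. No name, account or e-mail address is needed at any step, which is exactly why profiles of this kind can fall outside a definition of 'personal information' that turns on whether identity is 'reasonably ascertainable'. All addresses, paths and banner names are constructed sample values.

```python
"""Added illustration: profiling and personalising by machine address alone."""
from collections import Counter, defaultdict

# Constructed sample of access-log lines (client address, method, path).
# The addresses are documentation ranges; no identity appears anywhere.
SAMPLE_LOG = """\
203.0.113.7 GET /sports/cricket/scores
203.0.113.7 GET /sports/cricket/fixtures
203.0.113.7 GET /sports/rugby
198.51.100.22 GET /finance/loans/personal
198.51.100.22 GET /finance/loans/compare
198.51.100.22 GET /finance/insurance
203.0.113.7 GET /finance/loans/personal
"""


def parse_log(text):
    """Yield (client_address, path) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, _method, path = parts
        yield addr, path


def build_profiles(text):
    """Aggregate requests per machine address into a count of topics.

    The topic is the first path segment ('sports', 'finance', ...). The
    result is keyed by address only: this is the 'de-identified' record the
    submission argues may escape the Act's definition.
    """
    profiles = defaultdict(Counter)
    for addr, path in parse_log(text):
        topic = path.strip("/").split("/")[0]
        profiles[addr][topic] += 1
    return profiles


def dominant_interest(profiles, addr):
    """Return the most requested topic for this address, or None if unseen."""
    counter = profiles.get(addr)
    if not counter:
        return None
    return counter.most_common(1)[0][0]


def personalise(profiles, addr):
    """Choose the promotional banner served to a request from this address.

    The choice is driven purely by the address-keyed profile; whoever is
    behind the address receives an interaction tailored to them.
    """
    banners = {"sports": "cricket-season-offer", "finance": "loan-comparison-offer"}
    return banners.get(dominant_interest(profiles, addr), "generic-banner")


def enables_personalised_interaction(profiles, addr):
    """True when enough is held about this address to tailor dealings with it.

    This is the test the proposed wording ('any information which enables
    interactions with an individual on a personalised basis') would apply,
    regardless of whether the person's identity can be ascertained.
    """
    return dominant_interest(profiles, addr) is not None


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_LOG)
    for addr in sorted(profiles):
        print(addr, dict(profiles[addr]), "->", personalise(profiles, addr))
```

Run stand-alone, the script prints each address, its topic counts and the banner it would be served. The point it demonstrates is the one the article makes: the organisation never learns who 203.0.113.7 is, yet it markets back to that person on the basis of their aggregated behaviour, and `enables_personalised_interaction` returns true for every address it has profiled.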
Recommendation
The definition of 'personal information' in the Act should be amended to include wording such as 'any information which enables interactions with an individual on a personalised basis'.
6.3. Transborder data flows (NPP 9)
NPP 9 prohibits 'transfers' of personal information by an organisation to someone (other than the organisation) in a foreign country unless one of six conditions (a) - (f) is satisfied. If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.
All of the publications by the A29 Committee of the EU have interpreted the 'adequacy' requirement of the Directive as requiring some such 'onward transfer' restriction, so this will be an aspect of the Bill that the EU looks at carefully.
Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.
Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act. Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious.
Condition (f), however, is much weaker than anything found in the Directive:
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate. The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), mean that there is a real danger that personal information will be exported from Australia under conditions which give little protection to privacy.
The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.
Recommendation
Conditions (a) and (f) should be tightened.
[1] 'generally available publication' means 'a magazine, book, newspaper or other publication that is or will be generally available to members of the public (however published)' (s6, as amended by the Bill, Schedule 1, Item 14).
URL: http://www.worldlii.org/int/other/PrivLRes/2000/3.html