Privacy Law and Policy Reporter
An update on private sector developments
During November 1997 there have been substantial new developments in relation to private sector privacy regulation in Australia, beyond those outlined in Commissioner Scollay’s article in this issue (see 4 PLPR 81).
In late November the Commissioner wrote to all those who had expressed interest in her consultation process stating that she had concluded ‘that while there was considerable debate about the mechanisms of my proposed scheme, there was very little debate about the principles themselves’. She said that there were a number of issues where there was a surprising level of agreement.
1. There are a number of independent federal and state privacy initiatives that are currently being developed which involve the drafting of a set of privacy principles. Concern is expressed that this will lead to a patchwork of industry or sector privacy codes.
2. There is only a very small window of opportunity (two or three months) in which an acceptable set of national privacy principles can be drafted, before one or more of the above initiatives proceeds with its own set of principles.
3. There is a very strong consensus that there must be only one set of privacy principles in use in Australia, so that we avoid a patchwork approach. At the same time, it is recognised that one set of principles may not meet the needs of every industry or sector, and there may be a need to modify the principles through the implementation of some industry specific codes, such as a Health Code. Such codes would need to be kept to a minimum as they tend to create boundary problems between codes which could result in a patchwork of differing principles.
4. Only a national approach can provide an adequate framework for the fast growing international electronic commerce sector which will have a significant impact on all Australian businesses.
5. There is a common concern about whether my scheme could control businesses that wished to remain outside of a national scheme. It is felt that whatever mechanisms are adopted they must ensure that all businesses in an industry are subject to the scheme.
As a result of these factors, the Commissioner has:
Decided to separate the process into two components, namely the development of a nationally consistent set of principles and the establishment of acceptable and workable compliance mechanisms. This will allow me to take advantage of the window of opportunity to develop a set of national privacy principles over the next month or so, while allowing a little extra time for the more problematic task of developing acceptable mechanisms.
The Commissioner identified ‘another advantage in separating the principles from the mechanisms’:
Many privacy advocates and consumer groups have stated publicly that they will not support my process because they wish to pursue their primary aim of national privacy legislation. Although I understand their position, I feel that it would be unfortunate if they were not part of the debate. Their expertise would greatly enhance the discussion of the various privacy issues, and may give a balance to the view provided by the business sector. Many business representatives have also supported the need for consumer involvement. I understand that some of the advocates may be prepared to assist with the development of national principles, whereas they are not prepared to assist with mechanisms that are not set in a legislative framework.
Most privacy and consumer organisations and advocates had boycotted the Commissioner’s consultation (as explained in her article in this issue), but some had indicated to her in October that, if the question of nationally consistent principles could be dealt with in a forum which was quite separate from that discussing voluntary self-regulation, then they would take part.
The Commissioner therefore enclosed a set of ‘Preliminary privacy principles for discussion’ (see accompanying box) which are to form the basis of these discussions. They are based on those contained in her consultation paper, and she says she believes they are ‘close to being finalised’. They will form the basis of discussions with invited representatives of business, governments (including the Victorian government) and consumer/privacy advocates in the first week of December, with the intention that they be finalised by 11 December. The Commissioner explains the new ‘two track’ process:
For the present, my aim is to produce a set of national privacy principles that would be acceptable to all the stakeholders. Once the principles have been finalised, there will need to be a second level of discussion as to how the principles could be implemented in a particular sector. Some issues for consideration at this second level include whether the principles should apply to employee records, whether existing personal information should be exempted from some of the principles and in what circumstances consumers should opt in or out of proposals for the use of their information outside of the original purpose of collection. It is not my intention to deal with these ‘second level implementation’ issues at present.
The development of these principles would also feed into the working party of the Online Council, which is also attempting to develop a consistent set of national principles (see the Commissioner’s article in this issue).
Meanwhile, industry groups seem to have been making some re-assessment of their opposition to legislation, in light of the difficulties with voluntary self-regulation and the likely emergence of a ‘patchwork quilt’ of privacy legislation. In an article in Business Review Weekly (20 October 1997) John Martin, Executive Director of the Australian Chamber of Commerce and Industry (ACCI) said it had four ‘non-negotiable’ criteria for privacy provisions:
As a result of this supposed more flexible approach, consumer and business advocates met with representatives of business organisations (including ACCI, ADMA, AFC, CRAA, the banks and the insurance industry) on 25 November to discuss future options in privacy protection and to see whether there was common ground for future discussion of ‘implementation issues’.
The Commissioner has produced a set of principles which are far closer to ‘plain English’ than the 11 IPPs in the Commonwealth Privacy Act. Although they are in most respects uncontentious, there are some areas which need further consideration. For example:
The new draft Principles also go beyond the scope of the Privacy Act IPPs in some respects, in the principles concerning destruction of records (4.2), multiple use of identifiers (7) and anonymity (8). While the anonymity principle is still novel in a regulatory instrument (although it is found in the Australian Privacy Charter), versions of the other principles are common in other privacy laws.
One principle which is not included, and probably should be, is that personal information should not be transferred to an organisation in a jurisdiction which does not provide a similar level of privacy protection unless there are sufficient guarantees of privacy protection given by the organisations concerned. This is not so much an issue of implementation as a separate principle in itself, certainly one which the European Union regards as an essential element of any adequate data protection law.
Graham Greenleaf, General Editor.