Privacy Law and Policy Reporter
Graham Greenleaf and Nigel Waters
Australian Privacy Commissioner Moira Scollay has issued National Principles for the Fair Handling of Personal Information, a set of ten information privacy principles and an explanatory guide, which she says are intended as a benchmark to assist in the development of a national uniform approach to privacy protection. The National Principles were launched by Commonwealth Attorney-General Daryl Williams on 20 February 1998.
This special issue of PLPR includes the full text of the Principles and the Guidance Notes issued with the, and commentaries on the Principles and their significance from both business representatives and privacy/consumer perspectives. The purpose of this introduction is to place these ‘National Principles’ in the context in which they arose.
The ten new Principles are based on the OECD Guidelines and the Information Privacy Principles in the Commonwealth Privacy Act 1988. Their novel elements owe a debt to the Australian Privacy Charter (a version of the ‘anonymity’ principle), the European Union privacy Directive and the NZ and HK privacy laws (versions of the ‘transborder data flow’ and ‘sensitive information’ principles). However, they are to a large extent a reflection of the 1980s approach to information privacy principles, an attempt to bring Australia to an acceptance of principles that European and other countries reached a decade ago. They say little about the privacy challenges of a world based around electronic commerce and pervasive telecommunications. That would have been expecting too much, given the ‘consensus-seeking’ process out of which the Principles arose, and the resistance of some business organisations to basic privacy principles.
The Commissioner states that she is issuing the Principles as ‘my recommended national approach to fair information handling’. She notes that they are ‘the result of extensive consultations with key stakeholders’, but does not say that they represent a consensus of views of those consulted. However, the nature of the consultation process which she organised was one of seeking to find whatever degree of consensus could be found between business groups on the one hand, and consumer/privacy advocates on the other. The process was one of ‘consensus-seeking’.
The ‘National Principles’ that emerged from the process are in fact best regarded as ‘the Commissioner’s best shot’, her own compromise formulation that accommodates as best she could both the areas of consensus and the remaining conflicting views of the two sides of the negotiating process. During the two months of ‘pressure cooker’ discussions over summer, both sides agreed on some aspects of the Principles, but there were significant areas where no general agreement had been reached by the end of the discussions. Examples of areas where consensus was not reached are given below.
It is therefore very important to put the National Principles in their proper perspective. As they are the Commissioner’s ‘recommended’ Principles, we can assume that she thinks they provide a reasonable level of privacy protection, and one that contains many points of consensus. The various parties to the negotiations will now have to state how much of these Principles they accept, and how much they do not accept, before it is clear where any national consensus lies. Governments, and the Online Council, will also have to reach their own view, without assuming that all (or even most) of the National Principles represent some sort of national consensus.
The National Principles do not purport to represent any consensus whatsoever about the best means of implementation of privacy principles (see the Commissioner’s Foreword). Nor do they represent the Commissioner’s endorsement of voluntary guidelines as the best way to proceed. The only reason that the discussions took place at all was because the Commissioner explicitly separated any discussion of enforcement mechanisms from a discussion of privacy principles, because most privacy and consumer advocates refused to attend any discussions which were premised on an assumption of voluntary compliance. Whether Australian business does more than pay lip service to these Principles, and whether their voluntary implementation receives any acceptance or respect from consumer and privacy advocates, remains to be seen.
The most stark illustration of how these Principles are not a matter of consensus on all points is seen in exceptions (g) and (h) to Principle 2 which limits use and disclosure:
(g) the use or disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of the public revenue; or
(h) an intelligence or law enforcement agency asks the organisation to use or disclose the personal information on the basis that the use or disclosure is necessary to safeguard the national security of Australia.
This is an area where there was consensus between the business and consumer/privacy representatives around the table, but it was a consensus that the starting point should be that the police, tax and intelligence agencies should get warrants to obtain personal information from the private sector. After the discussions concluded, exceptions (g) and (h) simply appeared by the fiat of the Commissioner in the published version, after police and security interests intervened at the eleventh hour to protest. These exceptions would serve the interests of law enforcement, tax and intelligence bodies giving the holders if personal information any basis for resisting their demands. However, the Commissioner notes that these exceptions are contentious and merely included as a ‘stopgap’ pending further negotiations between the original participants and police/security interests, which discussions will commence shortly.
There are many other aspects of the National Principles, from broad principles to matters of detail, where business and consumer/privacy views simply did not end up in any final agreement by the time the process ended. From a privacy advocate’s perspective, the following are some of the areas of weakness:
There is no space in this introduction to expand these criticisms, or even to make them comprehensive — they merely illustrate the limits of the process. Reservations and criticisms by some business representatives and other privacy advocates are found within these pages, but there will be many other shades of opinion as well. The point is that any consensus is limited in scope.
Victoria has been the State most advanced with its proposals for data protection laws as a crucial part of its electronic commerce framework, and has its own legislation in draft. Minister for Multimedia, Alan Stockdale, has committed Victoria to support the development of a national approach based on the National Principles, through the Online Council, unless there is radical disagreement by Victoria (or, presumably, other jurisdictions such as NSW) with the content of the National Principles. The Online Council will meet to consider endorsement of the National Principles on 22 May 1998. After that date, the future of the Principles, and Victoria’s intentions, may become clearer.
Everyone would prefer national uniformity in privacy principles. The Commissioner’s National Principles indicate the extent to which such uniformity could be based on consensus — and where it can not. If governments are going to play a role in determining the shape of privacy protection, as they should, then they have to determine policy where consensus cannot be found.
Graham Greenleaf, General Editor and Nigel Waters, Associate Editor.
The National Principles are also available at http://www.hreoc.gov.au/privacy/natprinc.htm