Privacy Law and Policy Reporter
Victoria’s Liberal government is to enact a comprehensive Data Protection Act 1998, which may deliver fair information practices enforceable against both the Victorian public sector and (to the extent of the reach of Victoria’s laws) the entire private sector. Although the Act will allow for the development of approved sectoral codes and enforcement mechanisms, the bottom line is that this is co-regulation, not self-regulation.
Alan Stockdale, Victoria’s Treasurer and Minister for Information Technology and Multimedia, announced Victoria’s plans in a speech to an IIR Conference on 15 June, and further details are provided in a Discussion Paper: Information Privacy in Victoria — Data Protection Bill released in July.
Among the reasons advanced in the Victorian Discussion Paper for introducing legislation are that threats to privacy are greater than ever before; that both business and consumers cite the absence of privacy laws as reasons for the slower growth of electronic commerce; that privacy protection would remain ‘ad hoc and random’ in the absence of legislation; that voluntary codes would never cover all those in an industry, particularly those uninterested in protecting privacy; that lines are increasingly blurred between the public and private sectors, and between formerly distinct ‘industries’; that technological protections for privacy need to be supported by a statutory framework; and that the proposed legislation will prevent restrictions on imports of personal data from overseas and reduce uncertainty among Victoria’s trading partners. The importance of privacy protection to Victoria’s strategies in fostering electronic commerce and electronic delivery of government services is stressed:
The absence of national data protection legislation placed an onus on the Victorian Government to either take action or accept that Victoria will make a slower and rockier transition to the information economy. The first option is the only choice ...
The reasons are no surprise to anyone familiar with privacy, but the fact that Australia’s second most populous State has announced it has no confidence in self-regulation is the end of the road for the federal government’s insistence on a national self-regulatory scheme. The issue now is whether State and Territory legislation and existing federal legislation, or just comprehensive federal legislation, regulates privacy in the private sector.
The essence of ‘the Stockdale Bill’, taking an optimistic interpretation, is that a set of Information Privacy Principles will be enforceable against all Victorian agencies (State and local government) and against the private sector with few exceptions. The new Victorian Privacy Commissioner will investigate complaints of breaches, and determine remedies (including monetary compensation), with provision for appeal (and perhaps enforceability actions) to the Victorian Civil and Administrative Appeals Tribunal (VCAT). Industry groupings (or agencies) may seek to have their own self-regulatory codes approved to replace the Act’s principles and initial enforcement aspects (but not to replace the right of appeal). The Privacy Commissioner will have a range of other powers as well.
Whether Victoria’s approach will provide privacy protection which matches ‘world’s best practice’ or even the requirements of the European Union (both of which Victoria claims), will remain uncertain until the full details of the Bill are available. On the limited information available, the Victorian approach could result in a Bill providing greater flexibility in privacy co-regulation, a further step down the co-regulatory road already taken by the NZ Privacy Act 1993 and the Commonwealth Attorney-General’s Discussion Paper of 1996. The Bill may allow a greater range of self-regulatory mechanisms, including various ‘privacy enhancing technologies’ to be taken into account as part of a satisfactory regime of privacy protection. It may also allow businesses and agencies coming within its provisions to import personal information from Europe unhindered by the European privacy Directive, or from other Asia-Pacific countries with similar laws.
However, whether the Bill will be worthwhile at all depends on whether it includes credible procedural safeguards and enforcement measures, such as are outlined in this article. If it does not include such elements, the ‘Stockdale bill’ will be worthless and counter-productive, as it will provide a smokescreen behind which organisations will justify and increase surveillance activities.
The Discussion Paper only provides an Outline of the Data Protection Bill (reproduced in full at (1998) 5 PLPR 25), so it is necessary to assess that Outline as the main document setting out Victoria’s intentions, supported by the Discussion Paper and the Minister’s speech. These documents are vague on key points, and sometimes appear contradictory. It will not be possible to make any certain assessments of the proposed legislation until a Bill is available.
References to ‘Outline’ are to the Outline of the Data Protection Bill, and to ‘DP’ are to page numbers of the Discussion Paper.
The data protection regime will apply to all personal information, in whatever form it is recorded (DP, p 11). Information held only for personal or household reasons is exempted, as is material collected or used by the media ‘for the purpose of informing the public’ (DP, p 11). Employee records are not exempted (DP, p 12). It won’t apply to legal persons or the dead (DP, p 12).
It will apply to ‘personal information handled in Victoria’ (DP, p 12), but none of the documentation gives any more clue than this as to how the nexus between the information and Victoria will be defined.
The access and correction Principles will be enforceable from the outset of the Act, and the rest from 12 months after it comes into effect (Outline, Pt 2). Voluntary codes will be in effect as soon as they are approved.
The Victorian regime will not apply to businesses that are otherwise required to comply with ‘data protection principles’ under ‘any other state or federal legislation’ (including Pt IIIA of the Privacy Act 1988 (Cth) concerning credit reporting), or the Telecommunications Act 1997 (Cth). This is undesirable as there needs to be a guarantee that other data protection principles are as comprehensive as the principles in the Victorian legislation (the ‘NPPs’). For example, the Telecommunications Act 1997 is not as comprehensive as the NPPs. The Victorian Act need only provide for the Commissioner to issue guidelines (or codes) concerning when compliance with other equivalent principles will constitute compliance (in part or full) with the Victorian principles.
The Bill will contain a version of the Commonwealth Privacy Commissioner’s ‘National Principles for the Fair Handling of Personal Information’ (the ‘NPPs’ — see (1998) 4 PLPR 163), adopted by Victoria expressly in the interests of encouraging national uniformity. The Bill calls them ‘Information Privacy Principles’ (IPPs) as does the Commonwealth Privacy Act 1988.
The Bill will not simply adopt the NPPs as they may exist at the time of enactment, or even as they may be modified from time to time by the Commissioner, but will instead enact a version of them in language ‘modified as appropriate for a legal instrument’ (Pt 2). If the Commissioner changes the ‘National Principles’ then consistency will depend on subsequent Victorian amending legislation. It would not be surprising if the Victorian version became the most significant version because it is backed up by legislative sanctions.
The ‘National Principles’, while covering many aspects of fair information practices reasonably well, have numerous deficiencies in their content and were only a product of consensus to a limited degree. The Discussion Paper notes that the Ministerial Online Council urged all parties in May 1998 to ‘endeavour to standardise on the National Principles — once further developed to set a benchmark’ (emphasis added).
An important purpose of the Bill’s IPPs, according to the Discussion Paper (DP, pp 15-16), is that they are intended to satisfy the six ‘core principles’ for ‘adequacy’ of content in the European Union’s (EU) privacy Directive. Some of the deficiencies in the National Principles may make this difficult, particularly the weakness of the Bill’s ‘finality’ principle in allowing unrelated internal uses of information on the basis of an opt-out right in customers, and various weaknesses in individuals’ rights of access to their own records. A comprehensive assessment of the ‘adequacy’ of the National Principles is needed, but some weaknesses have already been identified by the European Commission in a letter to the Privacy Commissioner.
The Commonwealth Privacy Commissioner is already holding consultations to address the deficiencies in the law enforcement and revenue protection exemptions in the NPPs (see (1998) 5 PLPR 20), and has scheduled a meeting on 18 August to address other weaknesses that have been identified by the European Commission. It is possible that the NPPs may be significantly improved within the time-frame of the Victorian legislation’s enactment.
If this does not occur, the Victorian government should recognise the limited consensus reflected in the NPPs. Although national uniformity in privacy principles has correctly been made a high priority by the Victorian government, the interest of proper protection of privacy of Victorians should come first, and it would be preferable if major deficiencies in the ‘National Principles’ could be remedied before they are enacted.
If the Victorian Bill does end up including a largely unrevised set of ‘NPPs’, then it should at least require that the Bill’s IPPs will be comprehensively reviewed after two years by the Privacy Commissioner in a report to Parliament.
A positive aspect of the Bill in EU terms is that the ‘National Principles’ include Principle 9 on ‘Transborder data flows’ (although it too has weaknesses in how it is expressed), since limits on onward data exports are one of the EU’s six ‘core principles’. Principle 9 only restricts data exports ‘outside Australia’, not to other States or Territories. Any broad restriction implemented in law would require careful consideration of s 92 of the Constitution. It is difficult to see the EU wanting to cause difficulties because of a constitutionally imposed limitation.
The ‘default legislative scheme’ is outlined in Pt 4. An individual may complain to the Privacy Commissioner only if the organisation complained about does not subscribe to a voluntary code (if it does, only the code applies) and only after the organisation has had the opportunity to resolve the complaint itself.
The Commissioner is only a mediator, with no power to issue decisions (‘determinations’) of complaints which bind the parties or anyone else (Div 4). The Commissioner will be able ‘to issue a determination either dismissing a complaint or finding it substantiated’ but it ‘will not be binding’. ‘Determinations’ might reflect agreed settlements between the parties, but even then will not become binding on the parties by virtue of the Commissioner’s determination.
The range of (non-binding) determinations that the Commissioner can make includes declarations that acts or practices be discontinued, monetary compensation paid or other actions taken to redress loss, records corrected, and reimbursement of expenses in pursuing a complaint.
Although the Commissioner’s determinations are not binding, the parties ‘affected by a determination, or the failure to make one, will be able to apply to the Victorian Civil and Administrative Tribunal for it to be reviewed’ (Div 5). The crucial question is therefore the ease with which the parties can appeal to the Victorian Civil and Administrative Tribunal, and whether it can make orders in all respects that the Commissioner can make determinations.
The Victorian Civil and Administrative Appeals Act 1998 provides for the Tribunal to exercise both original jurisdiction (s 44) and review jurisdiction (s 51). In exercising either type of jurisdiction the Tribunal can exercise functions ‘conferred on [it] by or under the enabling enactment’ or ‘conferred on [it] by or under this Act, the regulations and the rules’. In exercising review jurisdiction the Tribunal also ‘has all the functions of the decision-maker’ (s 51), but this in itself would seem inadequate given that the Commissioner has no power to make binding determinations. The ability of the Tribunal to make binding determinations therefore depends on appropriate powers being conferred on the Tribunal by the Data Protection Act or by regulations under the Civil and Administrative Appeals Act 1998.
Whether the Data Protection Act will itself contain the necessary powers for the Tribunal to make enforceable determinations wherever the Commissioner can make non-binding determinations, or whether the Tribunal’s powers will be treated as original or review jurisdiction, remains unknown.
Access to the Tribunal must also be guaranteed. The proposal that the exercise of a right of appeal to the Tribunal under the default scheme ‘might require the prior approval of the Commissioner’ (Div 5) is very undesirable, as it gives the appearance (and the reality) that the Commissioner can censor the right of appeal in order to cover up errors in the Commissioner’s own investigation and decision-making process. It should be sufficient to allow the Tribunal power to refuse to hear frivolous appeals, and to award costs against a party where appropriate.
The Discussion Paper states that a ‘punitive approach is unnecessary, undesirable and unacceptable’ and that ‘[p]enalties will be restricted to cases of serious, flagrant, or repeated breaches of the principles’ (DP, p 15). ‘Education rather than sanctions’ is stressed. Does this only refer to the fact that fines or criminal offences for breaches of the IPPs will not be a major element of enforcement, or does it imply that compensation or other remedies will not be available to complainants? The former is consistent with credible legislation, the latter not.
Unless the IPPs are enforceable and with an appropriate range of remedies, the Data Protection Act will have no worth or credibility whatsoever. The way in which the Bill creates the Tribunal’s powers is therefore fundamental and any judgment before this is clear will be premature. As this is a fundamental aspect of the Data Protection Act’s credibility, the only appropriate place for such powers is in the Act itself, not in regulations subject to executive alteration.
Power to make enforceable determinations could be given to a Victorian Commissioner, and this would be a more efficient and preferable approach, provided there was also an unimpeded right of appeal to the Tribunal. Allocating the power of investigation and mediation to the Commissioner and the power to adjudicate to the Tribunal, as proposed, is very undesirable because it means that a complainant will always have to initiate and pursue two proceedings (one before the Commissioner, one before the Tribunal) to get a satisfactory outcome against a recalcitrant company, whereas the company need do nothing even if the Commissioner finds against it. This is unfairly stacking the deck against the individual complainant.
Voluntary codes will enable alternative means of compliance with the data protection regime, and may apply to information, organisations, activities or industries. Codes that have been approved will replace the legislative scheme for subscribers for as long as they continue to comply with their code (Pt 3).
Codes will be voluntary in the sense that ‘[s]ubmission to the Commissioner of a voluntary code will not be mandatory’ (in which case the default legislative scheme applies), but once a code exists it will be mandatory in the sense that ‘approval of a code will create a legal requirement for compliance, and failure to comply will be deemed to be a breach of an information privacy principle’ (Pt 3).
It is this aspect of the proposed Bill which promises a high degree of flexibility in the way the scheme will operate, and which leads Minister Stockdale to claim that the Victorian scheme ‘will bridge the gap between voluntary codes and fully-regulated schemes’.
Codes can apply to public sector as well as private sector entities, as illustrated by the expectation that two of the earliest areas for which codes will be developed will be public registers and health information (DP, p 12).
The key questions concerning codes, discussed in the following sections, are:
‘To be approved, a code will be given to the Privacy Commissioner for certification that: it is effective in substantially achieving the privacy objectives of the legislation; and it is not contrary to the public interest’ (Pt 3).
As Roger Clarke points out:
There is a remarkable contrast between these weak formulations and the wording used in the Victorian Government’s Regulatory Efficiency Legislation, announced on 20 May 1998, whereby business will be able to obtain approval for alternative compliance mechanisms (ACMs). The government’s statement referred to ‘stringent safeguards’, such that ‘an ACM would have to meet the objectives at least as effectively of any regulation as it replaces’, and would not be approved if it compromised the objectives of the regulation it replaced.
The expression ‘effective in substantially achieving the privacy objectives of the legislation’ is very vague and gives few clues as to how a code can vary from the content of the ‘National Principles’ or the types of enforcement measures a code must provide. Codes should contain equivalents to all of the IPPs, and to the various elements of enforceability in the default statutory scheme. The Bill needs to require codes which ‘meet the [data protection] objectives at least as effectively of any regulation as it replaces’, as with other ACMs.
The Act’s IPPs are said to be ‘minimum standards that can be supplemented by additional measures or varied by approved codes’ (Outline, Pt 1), and such ‘modifications may increase or decrease the level of data protection’. The code-making procedure therefore incorporates some method by which the standards of the IPPs can be tightened or loosened (on the NZ model, it seems). This would seem to incorporate the only equivalent there is in the Bill for any exceptions or modifications of the IPPs on public interest grounds (ie the equivalent to ‘Public interest determinations’ in Pt VI of the Commonwealth Privacy Act 1988).
The standards to which the Privacy Commissioner must adhere when approving codes, both in terms of permitted variations from the content of the IPPs and in terms of enforcement mechanisms, should be better defined. For example, under s 72 of the Commonwealth Privacy Act 1988 the Commissioner must be satisfied that the public interest in a variation from the IPPs ‘outweighs to a substantial degree’ the public interest in adhering to the IPP. Such an approach should be adopted in the Victorian Act, with the Commissioner being required to report, as part of the process of approving any code, the extent to which he or she considers that it varies from the statutory standard (higher or lower).
Codes should at least be required to comply with the EU’s minimum requirements for content of IPPs and for meaningful enforcement, including an enforceable means of obtaining compensation, independent arbitration etc. If it is possible for codes to be approved in Victoria which fall below the EU’s minimum standards for content or enforceability, why should the EU regard the Victorian Act as satisfying the ‘adequacy’ requirement under Art 25 of the privacy Directive in relation to all data exports to Victoria?
The Commissioner will only be able to approve codes presented to him or her by the parties to a code (such as an industry association), and cannot initiate, draft or modify a proposed code. Approved codes will only be binding on the parties to the code, not to other members of the industry (whether they might wish to be bound by it or not). It is therefore likely that in some ‘industries’ where approved codes apply, some industry members will be bound by the Act, not the industry code.
It is this aspect of the scheme that makes it somewhat ‘self regulatory’: industries cannot have codes imposed on them — they can always choose to ‘live with the Act’ instead.
The flexibility which codes provide the Victorian scheme is very desirable in many respects, but it is essential that there be procedural protections to safeguard the basic privacy standards of the legislation. The Bill should contain the following features not yet found in the Outline:
(i) An open but fairly informal procedure for code-making is needed, where the public can be advised of proposed codes, hearings can be held etc.
(ii) Any interested party (within reason) should be able to request a modification to a code, not just the ‘record keeper’.
(iii) Codes or modifications of codes should be disallowable instruments, so that Parliament can protect the standards in the Act. As in the Commonwealth legislation (Pt VI) and the NZ legislation, it is of vital importance that the Commissioner’s decisions to ‘modify’ the statutory IPPs via approval of a code should be disallowable by Parliament. This provides protection to the public against the unjustifiable lowering of statutory standards, and to business against unjustifiable ‘tightening’ or extension. The proposal that codes be submitted to the Governor in Council for (in effect) Ministerial approval does not provide a sufficient safeguard.
(iv) There must be provision for codes to replace the legislative scheme only in part, so that some industries or agencies can have their own customised sets of IPPs, but retain all the enforcement measures in the Act so as not to have to invent (and fund) their own.
A somewhat more flexible version of Pt VI of the Privacy Act 1988 (Cth) is a suitable model.
As well as approving codes to replace the statutory principles, the Commissioner should also be able to issue (at his or her own initiative) industry-specific ‘guidelines’ on the interpretation and application of the statutory principles, as can be done under the Commonwealth Privacy Act 1988 (but this is missing from the Victorian Commissioner’s list of proposed powers in Pt 5). This would have two benefits. First, industry groups that were satisfied with the NPPs and the enforcement mechanisms of the Act, but wanted an industry-specific official interpretation of them, could obtain this without going through all the complexities and cost of setting up and administering their own code structure. Second, the Commissioner could issue such guidelines in ‘industries’ where there was no recognised or cohesive ‘peak body’ providing substantial membership coverage for an industry code. Where a code covered part of an industry, the Commissioner could issue industry guidelines to the statutory provisions which were as far as possible consistent with that code. Guidelines would not of course have the force of law: the requirement that industry members simply comply with the Act would remain unchanged. Such an approach would give the Victorian scheme far more flexibility than the mere provision for ‘replacement codes’, and would overcome the deficiencies of the code approach in many industries.
Each code must provide its own enforcement mechanism, unless (as should occur) a code can state that it may be enforced by the procedures set out in the Act (that is, under Pt 4 of the Act).
Will there be an appeals mechanism beyond whatever self-regulatory mechanisms are provided by a code? What can an individual do who is dissatisfied with any aspect of procedure or remedies in the handling of his or her complaint under a code, or even that the code was being ignored completely?
‘Approval of a code will create a legal requirement for compliance, and failure to comply will be deemed to be a breach of an information privacy principle’ according to the Outline (Pt 3), but this statement appears meaningless on its face because Pt 4 which provides the consequences of such breaches only applies ‘if the organisation does not subscribe to a voluntary code’. It seems therefore that it will be impossible for an individual who is dissatisfied with any aspect of procedure or remedies in the handling of his or her complaint under a code to either make any complaint to the Privacy Commissioner, or to appeal to the Victorian Civil and Administrative Tribunal.
However, the Minister’s speech announcing the scheme said that an ‘appeal mechanism will be available’ ‘where resolution cannot be reached by mediation’, as part of the oversight mechanism that will apply to both codes and the default legislative scheme. Whether the approach taken in the Minister’s speech will be taken instead of the manifestly deficient approach implied in the Outline is unknown.
‘Codes that have been approved will replace the legislative scheme for subscribers as long as they continue to comply with their code’ (Pt 3, emphasis added), which implies that there is some procedure by which Codes can be revoked. However, there is nothing in the Outline to indicate any of the following:
(i) a procedure whereby the Commissioner may revoke a code;
(ii) procedures whereby interested parties may seek revocation of a code;
(iii) a requirement that the onus of proof of compliance is on the industry;
(iv) disallowability of revocation (as with approval of codes).
It may be that the Commissioner would have an inherent power to revoke what he has previously approved, but this would be inadequate compared with a properly structured revocation procedure as it provides no procedural safeguards to ensure that ineffective codes are revoked.
This aspect of enforcement of codes (and of the statutory principles) is to be supported by power in the Commissioner to conduct random audits (DP, p 18), a necessary power if industry codes are to be credible. Of course, a well-run code will be able to avoid the need for this to occur, by running its own regular independent audits and providing the results to the Commissioner.
The Commissioner’s functions (Pt 5) other than investigation of complaints are extensive and similar to those in s 27 of the Commonwealth Privacy Act 1988. Most of the Commissioner’s proposed powers, such as to conduct investigations of practices, and to make reports, public statements and recommendations, can be exercised in relation to any matters affecting individual privacy, not just breaches of the IPPs.
The function of receiving complaints is limited to complaints concerning ‘interferences with privacy’ (that is, breaches of the IPPs), and so is not a general privacy ombudsman role such as that of the NSW Privacy Committee. The Commissioner’s complaint-handling and mediation powers should be so extended, as was proposed for the Commonwealth Privacy Commissioner in the Commonwealth Attorney-General’s 1996 Discussion Paper. This would mean that the Commissioner could then investigate and conciliate privacy complaints that do not fall within the scope of the NPPs, but there would be no provisions for enforcement or appeal. The NSW Privacy Committee has performed such a function for over 21 years, and it would give Victoria a privacy regime that was comprehensive in its coverage but with differentiated remedies.
Multimedia Victoria also released in July 1998 another Discussion Paper — Promoting Electronic Business: Electronic Commerce Framework Bill which proposes the introduction of new ‘computer crime’ offences in the Victorian Crimes Act 1958 to match those already found in the Crimes Acts of the Commonwealth and NSW. These Acts make it a more serious offence to obtain unauthorised access to, or make unauthorised alterations to, data contained in a computer if it contains information about a person’s personal affairs. Prosecutions under the Commonwealth provisions show that these provisions can result in serious penalties for major breaches of privacy which may be outside the scope of IPPs.
 Available on Multi-Media Victoria’s web site at http://www.mmv.vic.gov.au/
 Available on Multi-Media Victoria’s web site at http://www.mmv.vic.gov.au/
 See G Greenleaf ‘Commonwealth abandons privacy — for now’ (1997) 4 PLPR 1
 Privacy and the Private Sector; see (1996) 3 PLPR 80 and (1996) 3 PLPR 161-200 for discussion.
 See G Greenleaf ‘New orientations on the EU privacy Directive’ (1997) 4 PLPR 154.
 There may be an argument in the telecommunications area that the Commonwealth legislation is intended to cover the field.
 See G Greenleaf and N Waters ‘Putting the “National Principles” in context’ (1998) 4 PLPR 161 and Roger Clarke ‘Serious flaws in the National Privacy Principles’ (1998) 4 PLPR 176 (with footnotes at 5 PLPR 18).
See G Greenleaf ‘New orientations on the EU privacy Directive’ (1997) 4 PLPR 154 at 158 for discussion.
 See G Greenleaf and N Waters ‘Putting the “National Principles” in context’ (1998) 4 PLPR 161 at 162 for details.
 In the unlikely event that the Commonwealth Privacy Commissioner did exercise the functions of the Victorian Commissioner, the separation of powers in the Commonwealth Constitution would require consideration if the Commissioner was to make binding determinations, but HREOC Commissioners have exercised such State powers in some circumstances.
 Roger Clarke ‘Discussion Paper — Information Privacy in Victoria: Data Protection Bill: Public Submission to the Minister for IT & Multimedia’ at http://www.anu.edu.au/people/Roger.Clarke/DV/VicDPSub.html
Contra Commonwealth Privacy Act 1988 Pt VI.
 The only recourse that such a complainant could have (although it would not provide any remedy to the individual) would be to seek to have the code revoked on the grounds of its ineffectiveness. This would be unlikely on the basis of one complaint — even if the Bill did provide any procedure for revocation!
 Privacy and the Private Sector; see (1996) 3 PLPR 84 for discussion.
 See discussions of Raiser v Slodac and Gilmour v DPP in (1998) 5 PLPR 13.