Privacy Law and Policy Reporter
On 26 May the Victorian Treasurer Alan Stockdale introduced his much anticipated Data Protection Bill into State Parliament, and it received its Second Reading on 28 May. It will now lie over until the Spring session, and the Minister has invited further comments in the meantime.
PLPR has previously analysed both the July 1998 Multimedia Victoria discussion paper ((1998) 5 PLPR 21 & 25) and the December 1998 draft Bill ((1999) 5 PLPR 136). While we gave the proposals a general welcome, we had some concerns. How does the final Bill measure up against the earlier criticisms?
One of the most pleasing features of the Bill is that it proceeds to implement a privacy regime for both the public and private sectors. Unless specifically exempted, the information handling practices of all people, companies, councils and government departments in Victoria will fall within its terms. Victoria’s commitment to see effective data protection across the board has not been ‘bought off’ by the mere announcement of a federal initiative. Instead, the Bill applies to all data users, subject only to a personal use exemption, and provides for the Victorian Privacy Commissioner to exercise all functions in respect of both the public and the private sectors, in the absence of national legislation. An arrangement with the Commonwealth for the Federal Commissioner to exercise functions in respect of the private sector is anticipated, but according to the Second Reading speech would only be made following the enactment of an acceptable national legislative regime.
The Bill will protect the privacy of personal information where it is contained in a document that is in the possession, or under the control, of an organisation in Victoria, regardless of where the document is situated. The effect of the law cannot therefore be defeated by holding documents outside Victoria, although there will inevitably be difficulties in due course in establishing ‘possession’ and ‘control’. ‘Document’ is not defined in the Bill, but is assumed to include electronic media.
A partial exemption is granted with respect to news activities, in order to provide a balance between supporting freedom of the press and personal information protection. The Bill sensibly limits the exemption to collection, use or disclosure ‘in connection with [its] news activities’ and makes a brave attempt to define news activity in a way which should further limit the exemption to ‘genuine’ news and current affairs — but attempts can be expected in due course to extend the benefit of the exemption to ‘infotainment’, where some of the most objectionable invasions of privacy occur.
The Bill also amends the Parliamentary Committees Act 1968 (Vic) to provide that the Scrutiny of Acts and Regulations Committee will assess legislative proposals for consistency with the data protection regime, in particular to consider whether legislation unduly requires or authorises acts or practices that may have an adverse impact on personal privacy. This is a very positive step that will bring Victoria into line with the Commonwealth and, more recently, Queensland, although these ‘scrutiny’ processes rely on the relevant Committees and their staff understanding privacy issues and taking their additional role seriously.
The IPPs will apply ‘so far as is practicable to regulate the use of personal information held on public registers’. The Bill will in most cases treat uses outside the legitimate purposes for which public register information was collected as interferences with personal privacy. This is a very helpful provision and an improvement on the rather clumsy public register principle in the New Zealand Act.
The Bill has added a well-intentioned clause to the Identifiers principle (Principle 7) to prevent government agencies assigning common identifiers ‘if to do so would lessen the protection afforded ... by these principles’. But it is difficult to believe that this will act as an effective brake against the growth of multi-function identifiers. Government would presumably give itself legislative authority for such identifiers. It might be more realistic, if less ambitious, to simply apply the general provisions of Principle 7 to government agencies as well as to the private sector.
The relationship between the data protection regime and freedom of information legislation, which appeared flawed in the December draft Bill, appears to have been resolved satisfactorily, although there may still be an issue in relation to inconsistent definitions of personal information in the two laws. There is also still a potentially dangerous exclusion from the definition of personal information of ‘information contained in a generally available publication’. It is surely not intended that an individual’s name, address or telephone number loses the protection of the law wherever it is held simply because it may appear in a telephone directory? The specific provision at cl 14 relating to publicly available information seems designed to avoid this outcome, but may be inadvertently undermined by the definition.
As well as the specific law enforcement exceptions to Principles 2 and 6, there is an additional and wider exception for law enforcement agencies at cl 18, which the Privacy Commissioner has not felt it necessary to include in the National Principles. The justification for this wider exception has not been explained and it runs the risk of allowing a wide range of agencies to avoid compliance with the notification, access and sensitive data principles on a relatively weak test: where ‘non-compliance is necessary for ...’ If the additional exceptions remain, they should at least be limited to ‘particular cases’ to avoid ‘blanket’ or ‘across the board’ non-compliance, even in cases where there would be no prejudice to law enforcement.
While the Bill is not retrospective, the IPPs will regulate the use and disclosure of any current stores of personal information, as well as prescribing rights to access, regardless of when it was collected.
However, the phase-in period prevents any obligations arising under the legislation, except under the security and access principles, until 12 months after the Bill comes into force. There is also a further year’s grace, and the possibility of further extensions, for acts and practices done pursuant to a contract made before commencement. These are arguably unnecessarily generous transition arrangements, particularly for principles such as data quality and for some restrictions on uses and disclosures. It would be better to have a period during which ‘all reasonable endeavours’ to comply would suffice and sanctions and remedies would not always apply, but during which poor practices could still be brought to notice and investigated. However, given the length of time we have waited for effective privacy legislation, another year will pass quickly.
The criticism made in January of the new principle (see (1998) 5 PLPR 137) remains — it provides too broad an exemption from the intention of Principle 9. Contract terms are widely acknowledged, including by the Federal Privacy Commissioner, to be very much a ‘second best’ way of providing privacy protection. Contract terms may amount to ‘reasonable steps in the circumstances’ for the purposes of 9.1(f) in some circumstances, but the effect of 9.2 would be to make the adoption of model contract terms automatically satisfy Principle 9 and allow an onward transfer. This is not appropriate — (f) should be left as a condition that may or may not be satisfied by contract terms depending on the circumstances, following the example of the EU Directive.
There is another general issue relating to this principle that consideration of the Victorian Bill brings to light. This is the lack of an express cross reference between Principle 9 and Principle 2. Principle 9 has clearly been designed as an additional limitation on disclosure, not an additional exception to those in Principle 2. This intention is perhaps clearer in the National Principles where it applies to all disclosures to third parties. But unless this is made explicit in legislation, there is a danger that Principle 9 could be read as an independent principle, particularly in the Victorian version where it applies only to ‘trans-border’ disclosures. It could be argued that it is the only principle limiting such disclosures, cutting out some of the carefully designed exceptions in Principle 2 that should apply.
While codes may create lesser as well as greater standards than those specified in the IPPs, they must meet two criteria, to be assessed by the Victorian Privacy Commissioner. First, a code must substantially achieve the objects of the Bill. Secondly, a code must not be contrary to the public interest. These criteria should ensure that the regime is not weakened through the development of second rate codes, but it would have been better if codes had been subject to disallowance by State Parliament, as a further safeguard against any unjustified weakening.
The Commissioner should not be left with the discretion as to whether to consult widely about a proposed code of practice before recommending its approval (cl 24(4)(b) and (c)). Given that a code may weaken the statutory regime, a period of public consultation should be mandatory.
Clause 23(4)(b) should make it clear that the charges referred to are only in relation to access as provided for in Principle 6.5.
Clause 27(2) provides for (free?) inspection of the register of approved codes, and for copying of an entry subject to a fee. Given that the codes will in effect be the law, it is essential that at least enquiry access to this register, and preferably obtaining an entry, is free of charge. No one should be required to pay to find out what the law requires. If the register is also made available on the internet free of charge, then the imposition of a modest fee for hard copies may be justifiable.
The Privacy Commissioner appears to be able to refer a complaint to the Tribunal only at the request of the complainant. This puts another unnecessary barrier in the way of swift and effective redress. The right to request a referral is important in case the Commissioner is unsympathetic, but the Commissioner should also have the discretion to refer a complaint to the Tribunal at any stage if she or he considers this desirable in the circumstances.
The Privacy Commissioner should be required to publish anonymous summaries of conciliation agreements which deal with significant issues of interpretation or are otherwise of general interest. This would help to build up a public data protection ‘jurisprudence’ which can guide others and assist in promoting compliance.
The Bill provides for the Commissioner to issue compliance notices, but only on limited grounds. There is no definition of ‘serious and flagrant’ breach and the other ground — that a breach has been repeated five or more times in two years — is too restrictive. Taken together, these grounds (in cl 47(1)(b)) run the risk of excluding many significant patterns of behaviour which should attract enforcement action. There will often be repeated breaches but with sufficient minor variations to allow a successful defence against the second ground, and yet with no one breach causing sufficient damage to be judged ‘serious and flagrant’. Commercially driven intrusive behaviour such as some forms of direct marketing could easily escape enforcement action, as could repeated minor security breaches.
Despite these criticisms, the Bill overall represents an effective model for a data protection law well suited to the new century. The Victorian Government has learnt from experience and has responded to views put from both sides of the privacy debate. It has crafted a good law, which can nevertheless be further improved by fine tuning as the Bill proceeds through the Victorian Parliament. It is to be complimented on recognising the need for effective privacy protection as part of the essential infrastructure for the information economy. It also deserves credit for standing firm in this view despite the Federal Government’s muddled approach over the last two years, and for keeping up the pressure which seems at last to be achieving the desirable aim of consistent national legislation for the private sector.
Nigel Waters, Associate Editor.