Privacy Law and Policy Reporter
The announcement late last year that the federal government will now legislate for privacy protection in the private sector clearly deserves the welcome it received from most quarters. It re-starts the process of achieving comprehensive protection that was unfortunately interrupted by nearly two years of stubborn denial by the Howard government. While we wait for further detail of the proposal to emerge, this article looks both back at the recent history and forward to the challenges that remain to be met before we can be satisfied that we have a decent law in place.
Credit for the change of heart should probably be shared by many different parties. There can be no doubting the influence of the Victorian government’s determination to proceed with statutory protection, culminating in the release of a draft Data Protection Bill in December, and this may have been the ‘final straw’. Some industry associations, particularly those in the technology area, were resolute throughout, while others were clearly eventually persuaded to lobby for Commonwealth action despite earlier flirtation with the government’s preferred strategy of self-regulation. Letters from the Internet Industry Association and the Australian Chamber of Commerce and Industry may have been particularly influential.
The European Data Protection Directive was an ever-present consideration. While it remains unclear exactly what restrictions and difficulties will be faced by jurisdictions which do not have a clearly equivalent law to those in Europe, the uncertainty alone provided a strong argument for decisive action, and was certainly taken very seriously by the Victorian government. Data protection officials from other countries, both on visits to Australia and in comments in papers and speeches, also helped to convey the message that privacy had to be taken seriously. The stand-off between the US and the EU continues after many months of high level negotiations, with no immediate prospect of the EU accepting the Americans’ ‘safe harbour’ proposal unless it seriously addresses the issues of enforcement and access rights.
Several Parliamentary Committees can also probably claim some of the credit. While it was only the joint Public Accounts Committee which published a report (in June 1998) calling for legislation before the government’s change of mind, other committees, including the Senate Legal and Constitutional References Committee and the Senate Select Committee on Information Technologies, took copious evidence and seemed to be persuaded of the need for legislation. While their reports are still awaited, the views of committee members, and weight of submissions favouring Commonwealth action would have been filtering through to the government throughout 1998.
The Privacy Commissioner, Moira Scollay, and senior officials in several government departments should also be congratulated for steering a difficult course. Many privacy advocates would have liked to have seen more robust criticism by the Commissioner of the government’s 1997 decision, and felt that her development of the National Principles ran the risk of legitimising the self-regulatory alternative. But it should be recognised that Ms Scollay always emphasised that she was developing the Principles for implementation either in law or in voluntary schemes. While she clearly felt constrained from publicly criticising the government, there is no doubt that behind the scenes her advice to Ministers was that legislation was preferable and ultimately necessary. And it can be argued that her engagement with industry representatives over the National Principles helped to re-assure them that they had nothing to fear from a statutory regime. Officials in the Attorney-General’s and Senator Alston’s departments, while even less inclined to hint publicly at dissent with the government’s decision, were also likely to be giving more pro-regulatory advice in private.
At risk of self-congratulation, privacy and consumer advocates can of course be proud of their central contribution. It must be doubted whether the government would have changed its mind, at least in 1998, without the relentless lobbying by groups such as the Privacy Foundation, Campaign for Fair Privacy Laws, Electronic Frontiers, Consumers Association and Privacy Charter Council, amongst many others.
The controversial decision by these groups to ‘boycott’ any discussions about implementing the Privacy Commissioner’s National Principles as an alternative to legislation seems to have paid off, effectively preventing the government from claiming that self-regulatory implementation would ‘deal with’ the issue.
In common with most ‘new generation’ privacy laws, the federal proposal envisages a major role for sectoral or activity based codes of practice. It remains to be seen how these codes will fit into a statutory framework. The media statement says that it is proposed to ‘apply a legislative framework only where industry codes are not adopted’. But it is widely assumed that the Commonwealth legislation will follow the lead of the New South Wales Privacy Protection and Personal Information Act and the Victorian draft Bill in ensuring that there is a right of appeal from the decisions of any code complaints process to a truly independent review body. In NSW it will be the Administrative Decisions Tribunal, conveniently headed by former federal Privacy Commissioner Judge Kevin O’Connor. In Victoria the proposal is for the Civil and Administrative Tribunal to hear appeals from decisions by Code complaints bodies, after the Privacy Commissioner has attempted conciliation.
Providing similar appeal rights under the Commonwealth scheme is complicated by constitutional constraints — the High Court’s 1995 decision in Brandy meant that Commonwealth Tribunals, including the Privacy Commissioner, could no longer make binding determinations, which have to remain a judicial function. A new division of the Federal Court has been set up to hear afresh human rights, anti-discrimination and privacy complaints where private sector respondents are unwilling to comply with the recommendations of the relevant Commissioners. Unfortunately this means more expensive, time consuming and legalistic processes before some complainants will receive appropriate redress for breaches of laws including the Privacy Act. It will be interesting to see how the Attorney-General’s Department addresses this issue, but some form of appeal right to a genuinely independent body, capable of making and enforcing determinations, is an essential component of any credible privacy regime.
The government’s intention to exclude employment records is a major disappointment. It is clearly nonsense to suggest, as the government does, that equivalent protection is already provided by employment law. This is a purely ideological position, quite understandable in the context of the coalition’s overall approach to de-regulation of labour markets, but equally clearly unacceptable other than as a short term ‘phased’ implementation of privacy principles. Employment records are amongst the most critical in terms of their effect on people’s social and economic circumstances and clearly deserving of the standards of fair handling which the privacy principles would require. While it is unlikely that the government will be prepared to consider application to employment records during the preparation of the Bill, Opposition or Democrat amendments are possible in the Senate.
The proposed media exemption is also likely to be contentious. At least there is some justification for a cautious approach to any restrictions on freedom of speech, given the important role that the media plays in public affairs. But exempting any personal information collected and used for journalistic purposes, as is suggested in the government’s press release, is arguably much too generous. ‘Journalistic purpose’ would need to be defined, preferably to distinguish between serious news and current affairs reporting and ‘infotainment’ (not an easy task). There is also no good reason to exempt the media from many of the principles, such as the requirements to take reasonable security measures, and to ensure good data quality. The exceptions within the use and disclosure principle would seem to accommodate any reasonable journalistic purpose. It is really only the collection principle which journalists may not reasonably be expected to comply with in some circumstances, with some restriction also appropriate on the right of access prior to publication.
But the principled arguments against a broad exemption for the media may be outweighed by a pragmatic acknowledgement of the media’s power to oppose the legislation in general. One has only to look across the Tasman to the troubled relationship between the media and the Privacy Commissioner to see the damage that can be done to the image and credibility of privacy laws by ill-informed media comment, even when they have a broad exemption. New Zealand academic Tim McBride reviewed this relationship in the last issue ((1998) 5 PLPR 116). Any attempt to narrow the exemption and subject the media to the privacy principles would be likely to result in a concerted media campaign against the very concept of a private sector law, as happened in South Australia in the mid-90s.
Many privacy advocates may conclude, without abandoning their desire for some limits to apply to the media, that this is a battle better fought on separate ground and at another time.
Currently, the private sector is bound by the existing Privacy Act in relation to consumer credit reporting (Part IIIA) and tax file numbers. Given the history of the tax file number and its symbolic importance in the privacy debate for the last fifteen years, the government is unlikely to seek to tamper with the current TFN regime (even though there are some widely acknowledged anomalies and problems). A key issue will be whether the same can be said for Part IIIA. The finance industry has already made it clear, in the context of the Wallis Committee Inquiry, that it would like to re-open the issue of ‘positive reporting’, which the Privacy Act currently prohibits. The government has not yet acted on the Wallis recommendation to set up a separate review of that issue. It can be expected that business interests will argue for at least some relaxation of Part IIIA, perhaps by allowing it to be replaced in due course by a credit reporting code of conduct — broader than the existing Code issued by the Privacy Commissioner which complements Part IIIA. It is equally predictable that this will be strongly resisted by privacy and consumer advocates on the grounds that there is no strong evidence of the credit reporting regime not working satisfactorily, and that there is a steady stream of individual complaints being resolved under the current law.
One of the biggest issues facing the government is whether to leave the Commonwealth public sector subject to the existing Information Privacy Principles (IPPs), or to amend the Privacy Act to substitute the same new set of principles, based on the Privacy Commissioner’s National Principles, as will apply to the private sector.
There will no doubt be strong pressure from within the bureaucracy, and an obvious temptation, to leave the IPPs alone, on the basis that they are familiar and well embedded in agency systems and culture (although the extent to which this is true is debatable). But the position is complicated by the increasingly blurred boundaries between the public and private sectors, with more and more government functions being performed by private contractors, and most support services also now ‘outsourced’. The government is already committed to extending the existing Privacy Act to apply to contractors. The Privacy Amendment Bill 1998 provided for this extension, but was referred to a Senate Committee and lapsed when Parliament broke up for the federal election. The government had intended to re-introduce the Bill in the autumn session of the new Parliament, along with a companion Bill to extend the Freedom of Information Act to contractors. If it proceeds with this, many private sector organisations will be faced with complying with the IPPs in the short term for any federal government contract work, but with the new Principles under private sector legislation not long after.
It is precisely this sort of inconsistency that has provided much of the stimulus for federal action on the private sector. The only sensible way of resolving this issue in the long term is to amend the Privacy Act so that the same set of principles applies to Commonwealth agencies, contractors, and the general private sector. But the National Principles have been developed without the involvement of government agencies, and there would probably be major resistance from the bureaucracy to any attempt to impose the new principles on them in place of the IPPs, without extensive consultation.
The temptation will be to defer the ‘outsourcing’ amendments, relying on the general private sector legislation to provide the safeguards that are needed. But the timing then becomes critical — the amendments in the 1998 Bill, extending the IPPs, are intended to clear the way for major outsourcing contracts due to be let in 1999, and unless these amendments are passed soon there will be renewed opposition to these contracts. On the other hand, the government’s preference would seem to be for a fairly relaxed timetable for introduction of the general national scheme, with further discussion even of the Commissioner’s National Principles. It is not at all clear how these conflicting pressures will be reconciled.
Taking all these factors together, the preferable course of action is for the federal government to proceed with the current Privacy Amendment Bill, which after all only adds an enforcement regime to the standards which are already required from contractors by client agencies.
The passage of the outsourcing amendments should not, however, be used as an excuse for delaying action on the general private sector law. The government should give this issue a high priority, and announce a timetable that will lead to the laws being in place as soon as possible. Realistically, given the lead times for drafting and introducing legislation, we are unlikely to see a law in place before mid 2000. But the private sector will have had a long period of notice about the standards that will be required, and there is no good reason why the law should not largely take effect almost immediately. After all, we have had eighteen months of detailed consultation on the content of the National Principles, and these have already been translated into draft legislative form in Victoria. The outstanding points of difference between consumer and industry groups will not be resolved by further consultation, and are best left now to the parliament.
One of the motives for the law is of course to satisfy European and other jurisdictions about the adequacy of data protection in Australia, and thereby avert any potential interruption to data transfers. Whatever the outcome of the current US and EU discussions, referred to above, it is unlikely that overseas regulators will accept merely an intention to legislate as providing adequate protection, without obligations, rights and compliance mechanisms actually being put in place. We are now faced, unavoidably, with a period of between 12 and 18 months before this is achieved.
Immediate commencement of the new law as soon as possible in 2000 would minimise the period during which Australia is vulnerable to restrictions on data transfers from overseas. Any practical and logistical difficulties for data users can be met with appropriate phasing in periods, which overseas regulators would probably accept provided the basic framework of binding standards and enforcement mechanisms is in place.
The machinery aspects of the new legislation should not prove too contentious. There is over 10 years’ experience of the complaints handling and enforcement machinery in the existing Privacy Act, applying already to the private sector in the case of credit reporting, spent convictions and tax file numbers. Subject to resolution of the constitutional difficulties over enforcement referred to above, there is no reason why the current regime could not be readily extended to apply to the new ‘general’ private sector regime. Similarly the powers and functions of the Commissioner should be applicable. However, it may be sensible to take the opportunity to review some of the machinery issues, not least in light of the useful recent review of the New Zealand Act (see (1998) 5 PLPR 100).
It is clear that there are a lot of issues still to be resolved in drafting the legislation. But hopefully the broad parameters are clear, and there will be no attempt by vested interests to weaken the objective, which is apparently now shared by the government, of enacting ‘world’s best practice’ privacy law as soon as possible. It will be an interesting year!
Nigel Waters, Associate Editor.