Privacy Law and Policy Reporter
The House of Representatives Standing Committee on Legal and Constitutional Affairs of the Australian Parliament has made 23 recommendations concerning amendments to the Privacy Amendment (Private Sector) Bill 2000 (see 6(10) PLPR 161 for the full text of the Bill). The Committee received 130 submissions and held public hearings. Many of the recommendations propose that exemptions from the Bill be tightened, but often in ways which do not satisfy those criticising the exemptions. Some recommendations merely identify problems with the Bill raised by submissions, and refer them to the Government without any recommendation.
The recommendations are unanimous on the part of the Committee’s 10 MPs, with no dissenting reports. This increases the weight of the Report. Lack of unanimity may also explain the lack of recommendations in some areas.
This article outlines the amendments recommended by the Committee, noting where they fall short of remedying deficiencies in the Bill. The Committee’s Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (June 2000) is available at <http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm>, and the full text of the 23 recommendations accompanies this article.
A fundamental flaw in the Bill, which the Committee’s Report perpetuates in its recommendations, is that it is based on blanket exemptions from all or most National Privacy Principles (NPPs) rather than on more targeted exemptions from specific NPPs, or other targeted ways to deal with identified problems.
An organisation that comes within one of the Bill’s blanket exemptions is then generally able (unless some law other than the Privacy Act prevents this) to do the following:
These exempted organisations can do this even with all the types of ‘sensitive’ information which would normally receive a higher level of protection under the Act (sometimes, except health information). There is, however, usually some limitation on disclosure of personal information to other organisations (for example, with the exemptions for politicians and ‘small’ businesses, but not for ‘employee information’).
This is what is meant by ‘the privacy-free zone’: dealing with hard issues (or more likely, politically powerful interests) by a blanket exemption from all or most of the NPPs.
The alternative approach — supported in many submissions received by the Committee and argued for in this article — is for exemptions, where they can be justified, to be limited to exemptions only from those aspects of the NPPs (or the Bill’s procedures) necessary to meet the justification for the exemption. Such targeted exemptions require more hard work and political courage than a blanket exemption, and neither the Government nor the Committee have shown themselves to be up to the task.
The Committee’s report makes many worthwhile recommendations, and is clearly the result of hard work in the short time allowed to it, but it only tinkers with the edges of the privacy-free zones instead of recommending their demolition.
The Bill exempts from all of the NPPs any ‘small business operator’ (SBO), which in essence is any business with an annual turnover of less than A$3 million, provided they do not sell, buy or trade personal information (to put it roughly) or fall into a couple of other narrow exceptions.
Businesses that come within the ‘privacy-free zone’ of the ‘small’ business exemption are then (unless some law other than the Privacy Act prevents this) able to:
SBOs can do this even with all the types of ‘sensitive’ information which would normally obtain a higher level of protection under the Act, except health information.
The Government estimated, when questioned by the Committee, that 94 per cent of Australian businesses would come within the $3 million threshold (see Report, para 2.20), so the proposed Bill will only apply to six per cent of all Australian businesses, plus a further unknown percentage that trade in personal information. What percentage of consumer transactions these 94 per cent of businesses are responsible for is not stated, as the Committee only gives irrelevant percentages for total business activity (including business-to-business activity).
The astonishing exemption of over 90 per cent of all Australian businesses from a supposedly comprehensive private sector privacy law drew numerous critical submissions. The only support for the exemption noted in the Report was from the Australian Chamber of Commerce and Industry (ACCI), and the Department of Employment, Workplace Relations and Small Business (DEWRSB), at the behest of whose Minister the proposed threshold has been raised from A$1 million to A$3 million turnover since December 1999. Various business, government, non-profit and consumer organisations opposed any small business exemption, including the Victorian Government and businesses such as AMP and the Australian Direct Marketing Association (partly on the basis of lack of a level playing field for businesses) and the Fundraising Institute of Australia (partly because exemptions for some charities would cause public confusion). The Committee did not receive any evidence to support the view that the Bill would impose high compliance costs on small businesses if they were required to come under it, but decided to continue to support ‘some form of small business exemption’ for reasons which are not clear from the Report.
The Committee’s key proposal to deal with this is that instead of the exemption being lost because a business discloses or collects personal information in exchange for a ‘service, benefit or advantage’, it would be lost wherever disclosure or collection is ‘without the consent’ of the individual concerned, and the NPPs would then apply. The Committee considers that the motive for disclosure or collection ‘is irrelevant’, so it is proposing lack of consent as a replacement requirement, not as an alternative.
Unfortunately, it is bad policy to say that the NPPs need not apply provided consent to disclosure has been given.
The proposed amendment also seems to imply (although the Committee is vague on this) that a business could be exempt from the Act in relation to some individuals but not to others, depending on whether it collected or disclosed their information without consent. This would be administratively impossible. The only obvious position is that once a business loses the exemption in relation to one individual it has lost it for all individuals forever, but this could easily lead to businesses inadvertently breaching the Act in relation to many individuals because they did not realise they had previously done so in relation to one.
The best answer to these dilemmas is to scrap the small business exemption.
The exemption will be abused to provide exemptions for big business. It will also operate unfairly to prejudice the interests of small businesses that wish to protect privacy, and will put at risk the privacy-protective efforts of industry associations.
This exemption will also harm the ‘smallish’ business that wishes to obtain a reputation for protecting the privacy of its customers. There is no provision for an organisation which comes within the definition of an SBO to ‘opt in’ to be bound by the Act.
A business that wishes to protect privacy therefore cannot even say that it complies with the Privacy Act without being in danger of engaging in false and misleading conduct through implying it is bound by the Act.
Many businesses with a turnover of less than $3 million are involved in international e-commerce via the internet. Successful internet businesses are not necessarily big businesses. They may make extensive use of personal information, particularly concerning their customers, without buying or selling personal information. It is likely that Australian ‘small’ businesses will be excluded from any finding of ‘adequacy’ by the European Union, and will therefore be excluded from receiving any personal information from EU countries. Similar exclusions are likely under laws of regional jurisdictions which have data export prohibitions, such as Hong Kong. More details are provided below.
Where a small business is in an industry which has a code under the Act, it cannot even participate fully in the industry code, because any complaints against it will not be able to be dealt with by use of procedures under the Act (including enforcement of determinations, referrals to the Commissioner, administrative review and so on).
Similarly, any industry associations which have as members any businesses within the definition of an SBO and an industry code will be at risk of engaging in false and misleading conduct unless all information and publicity about the code stresses that the legally significant aspects of the code only apply to those of their members with turnover of less than $3 million (and how will the public know who they are?).
This exemption therefore harms those ‘smallish’ businesses and industry associations that wish to protect privacy, by refusing them the reputational and trade benefits that compliance with the Act provides.
The Committee’s only additional response to these problems is to recommend that the Bill should allow an otherwise exempt small business to opt in to the coverage of the Bill or an industry code.
This does not address the underlying problem that the exemption is so broad that it undermines the credibility of the Bill. It is also likely to be very confusing for consumers, who will have little idea when dealing with a business whether they have any privacy protection or not.
Nor does an opt in option solve the problem that the Bill will not be ‘adequate’ for the purposes of the European Union (the subject of more detailed analysis in the next issue of PLPR) because of the small business exemption. Even if the EU did take the view that an ‘opt in’ allowed European businesses to identify with sufficient certainty those Australian small businesses which were bound by the legislation, there would need to be an additional ‘internal data export prohibition’ which prevented any business in Australia (small or otherwise) from disclosing personal information to any exempt Australian small business, even if the disclosure was otherwise in accordance with the Act, unless conditions equivalent to the NPP 9 ‘Transborder data flow’ conditions applied. Unless this was done, the EU could not achieve its objective of preventing personal information about EU citizens falling into the hands of businesses not covered by privacy laws.
It is possible to develop a flexible means of providing appropriate allowance for the interests of small businesses using other provisions in the Act without creating a dangerous ‘privacy-free zone’ for an undefined number of Australian businesses.
The small business exemption should be deleted from the Bill. Instead, the Privacy Commissioner should be required, before the Bill comes into force, to make a Public Interest Determination concerning small businesses, for the purpose of modifying the NPPs to the extent necessary to ensure that a simplified and less onerous set of privacy obligations applies to those small businesses, wherever lesser obligations are proportionate and appropriate to the lesser risk to privacy of their business operations. In particular, record keeping requirements should be reduced or eliminated for small businesses wherever possible. Such a Determination should be reviewed periodically by the Commissioner as the need arises.
The Commissioner should be required to take the modifications to the NPPs into account in the development of all industry codes to ensure that such codes have appropriate provisions for small businesses.
Such a requirement on the Commissioner would ensure that appropriate allowance is made for small businesses, based on the Commissioner’s expertise in the NPPs and how they will be administered, while at the same time preserving the benefits of privacy protection both for businesses and consumers. Parliament would have ultimate control over such an exemption through the disallowance process.
Another problem with the existing ‘small’ business exemption is a drafting deficiency which allows avoidance by business operations of any size. The Committee ignored this problem in its Report (although it was brought to its attention), probably because it considered that its recommended requirement of consent (argued above to be partly misconceived) dealt with the problem.
The so-called ‘small business exemption’ contains a major loophole which will allow a company or individual to run a large business (say, with annual turnover of $10 million) which is based around major use of customers’ personal information, but for that large business to engage in unrestricted swapping and use of that personal information within all units of the business and still completely escape the operation of the Act. Big businesses can use this loophole to avoid their obligations to protect privacy.
This potential for the rorting of the Act takes several steps to explain.
This means that any businesses run by the same operator, no matter how large and how privacy invasive in their use of information (provided it does not involve disclosures or collections for consideration), can completely avoid the operation of the Act by the expedient of splitting any of the constituent businesses into sub-businesses before they reach the $3 million threshold (cl 6D(4)(a)). Just have lots of ‘small’ privacy invading businesses, and your total business operation can be as big as you like and still remain a privacy-free zone.
The SBO rort is made even worse by the way in which it increases the sale value of small businesses that hold potentially valuable personal information by encouraging the use of this information for interferences with privacy which would otherwise be illegal.
This argument also takes a couple of steps.
This Act therefore increases the takeover value of small businesses with privacy-invasive potential. The Act should not operate to distort market mechanisms in this way.
If the Committee’s rec 4 is not adopted, this loophole remains and needs to be removed in some other way. If rec 4 is adopted, then its effect on the loophole depends on what it means.
The problem identified here could be even worse if the requirement of consent replaced (rather than added to) the requirement of motive.
If most small businesses were required to comply with the Act, it might make sense to give them somewhat longer than large businesses to adjust to complying with it. But since all small businesses are exempt except a very small percentage where (by supposed definition) there is a higher privacy risk, it is very hard to see any justification for delaying the Act’s operation to small businesses by an additional year.
The Committee in effect recognises this logic by recommending that there be no delayed implementation in the case of health service providers (rec 2) or tenancy databases (rec 19) but fails to recognise that these are just two instances.
The Committee provides a thorough demolition of the Government and ACCI’s view that there is sufficient protection for employee privacy in the Workplace Relations Act 1996 (Cth), describing existing protection as ‘in fact, minimal’. It notes that there are no Government plans to improve this protection, and expresses its ‘disappointment’ that the Department of Employment, Workplace Relations and Small Business ‘appeared not to have addressed’ and was ‘unable to enlighten’ it about employee privacy. The Committee then went on, drawing on the other submissions it received (the majority of which advocated the removal of the employee records exemption) to detail the potentially disastrous consequences that a blanket exemption for employee information can have. It concludes that it ‘has not been persuaded that there is any clear need for employees to be without privacy protection in relation to their workplace records’.
The Committee then recommends (recs 5-7) that the current exemption for ‘employee records’ be narrowed to cover only what it calls ‘exempt employee records’ (see accompanying Recommendations). This is no doubt useful, since the new exhaustive definition must be somewhat more narrow than the old open ended one. How useful it is remains to be seen, as there will need to be a great deal of interpretation by the Privacy Commissioner before it is clear what falls within ‘exempt employee record’.
The problem is that the Committee’s recommendation does not follow from its reasoning and the evidence before it. It gives no reasons why what it calls ‘information relating to career progression or disciplinary matters’ should be exempted from privacy protection, particularly when these matters are crucial to a person’s livelihood and future livelihood (because of references between employers). Why should these crucial records be able to be based on false information, obtained by unfair means, held in secret from the employee, disclosed to anyone the employer likes, and subject to all the other privileges of the ‘privacy-free zone’?
The Committee’s recommendations (recs 11-13) have cut back the exemption for politicians and political parties (new s 7C) so that they are now limited to ‘parliamentary and electoral matters’ rather than including ‘another aspect of the political process’. The uncertain boundaries of ‘parliamentary and electoral matters’ will need to be interpreted by the Privacy Commissioner if complaints are received. This illustrates the need for a right of appeal against the Commissioner’s decisions to a court or tribunal, so the Commissioner can be protected against suspicions of political pressure by the availability of an appeal to test his conclusions.
The Committee also recommends a new clause which would prevent disclosure of any personal information collected by politicians or political parties to anyone not covered by the exemption.
These are valuable recommendations, but they are only fine tuning of a fundamentally unsound exemption. Submissions to the Committee by me, the Privacy Foundation and the NSW Privacy Commissioner all argued that the only legitimate interest that politicians and political parties have in being ‘exempted’ from an obligation to respect people’s privacy is that there is some potential for the Privacy Act to be misused by one political party against another during the electoral process, with possible interference in the democratic process resulting.
The blanket exemption in the Bill is completely unnecessary to address that problem. All that is needed is to remove the Privacy Commissioner, and the Act, from the heat of the electoral process. A better approach would be to delete the current exemption for political parties. Instead, where a complaint under the Act is made against a political party (or an associated body) the following procedure should apply:
The Committee dismisses this approach as not addressing ‘the heart of the issue’ but fails to put forward any examples of how the NPPs would prevent politicians or political parties from participating in the democratic process, representing constituents or being involved in freedom of political communication (which it identifies as the justifications for the exemptions). It says it did not receive any evidence of abuse by politicians of personal information provided by constituents. This doesn’t explain why political parties need to be free to collect personal information without disclosing why, collect it by intrusive means, hold and use inaccurate information and refuse to let people see their own records. It is hard to see the Committee’s approach as much more than ‘trust us, we’re politicians’.
A final irony: the Bill defines information about a person’s ‘political opinions’ or ‘membership of a political association’ as ‘sensitive information’(cl 27), which therefore obtains a higher level of privacy protection. But if the same information — and any other sensitive information — is held by a political party, it receives very little protection at all.
Instead of recommending any narrowing of the media exemption, the Committee recommended that, ‘in order for a journalist or media organisation to obtain the benefit of the media exemption under this legislation, he, she or it must subscribe to a code developed by a media organisation or representative body or, in the absence of such a code, a model code prepared by the Privacy Commissioner’ (rec 9).
The Committee has tried to find a compromise on keeping health information in the Bill or recommending separate legislation to deal with it. Many submissions, particularly from health consumer organisations, consider the Bill’s provisions to be too weak (and inconsistent with the provisions concerning public sector health records), and prefer special legislation for health records providing higher standards. The exceptions for use and disclosure of health information without consent in NPP 2.1(d) are particularly weak.
The Committee ended up supporting the inclusion of health information on the basis that the Bill provides ‘an interim acceptable level of privacy and access rights’ (if its other recommendations are accepted) — but it wants the Government to immediately review the position and try to find a consensus position across the health sector.
The attempted compromise is that the Committee recommends that the rights of patients to access their medical records be strengthened so as to be made uniform with those in the Health Records (Privacy and Access) Act 1997 (ACT), which it considers would also make the rights the same as those which apply to Commonwealth public sector health records.
Victoria’s proposed Information Privacy Bill 2000 is going to leave health information to be covered in separate legislation.
So-called ‘existing information’, which actually means any information which is collected up to a year after the Bill is passed, is exempt from access and correction (NPP 6) or any limits on use or disclosure (NPP 2).
The Committee seems to have been in such confusion about what to do about this that its recs 17 and 18 don’t even state what it recommends. Paragraphs 8.22-8.28 of the Report seem to set out more comprehensive recommendations along these lines.
The Committee’s first two recommendations are confusing because they seem to be preoccupied with direct marketing uses of existing personal information, and ignore other possible uses.
The third (well hidden) recommendation is very important, as it would mean that NPP 6 would simply apply to all existing information from the time of commencement, probably one of the most important recommendations the Committee makes. The fourth (equally well hidden) recommendation is also extremely important, as it means that NPP 2 will apply from the time of commencement to all disclosure to third parties of existing information, but not to its use by the organisation holding it at the time of commencement.
These recommendations, if adopted in full, would largely remove the differences between ‘existing’ and new information.
The Committee recommends that all of the NPPs apply to existing information in tenancy databases from the commencement of the Bill (so they would have one year to get their records in order). It also wants the Government to ensure that tenancy databases are not able to enter the privacy-free zone by virtue of the small business exemption (rec 19).
These are worthwhile goals (and tenants’ organisations should be congratulated for an effective campaign), but they just serve to underline that the blanket exemptions for existing information and small businesses are not properly thought out. There will be other uses of personal information which are as potentially prejudicial as tenancy databases, where the need for access to existing information is just as important, and the potential for abuse of the consent approach to small businesses is just as real.
The Committee has recommended tightening the exception in favour of direct marketing for secondary purposes by a clarification that the opportunity to opt out of further direct marketing must be provided every time a marketing communication is sent, not just the first time. It also wants mandatory inclusions in the opt out offer, so that it will not be difficult for consumers to exercise it (rec 20).
The Committee’s approach to the provision allowing related corporations to disclose information between themselves is that it is not as dangerous as it looks, and they are right up to a point.
As they note (para 9.23), NPP 2.3 means that although the related corporations provision allows information to be disclosed by corporation A to related corporation B, it is the primary purpose of the collection by corporation A that determines what use corporation B can make of the information according to the ‘reasonable expectations’ test. This is generally true, but not (as was pointed out to the Committee) in relation to the direct marketing exception in NPP 2.3(c), which is why corporate groups are so keen on this provision. In our example, B can send direct marketing to A’s customers (with an opt out, of course) without worrying about why A collected the information.
However, the Committee’s recommendations may impose some checks on this intra-corporate spamming. They want the Privacy Commissioner to issue guidelines (under NPP 1.3(d)) as to what companies should tell consumers about potential disclosures to their related corporations (rec 21). It is a good point that, once a company has a disclosure practice for related corporations, NPP 1.3(d) requires it to be revealed during collection, but this cannot deal with the post-collection decision to disclose to a related corporation.
The Committee also recommends that where corporation A has received personal information from related corporation B, which was exempt from NPP 1 when it collected the information (it might be a small business, or the information might be exempt employee information), corporation B will have to comply with NPP 1 before it discloses the information to A. In doing so, it would presumably have to inform the person concerned that his or her information was being disclosed to A.
The Committee has made a serious attempt to deal with issues relating to exemptions, but in my view the approach was flawed. There are other important deficiencies in this Bill and the Committee has not dealt with them. Chapter 10 of the Report raises many issues relating to the inadequacy of the enforcement provisions of the Bill, and Chapter 8 notes the considerable uncertainty about whether the Bill is likely to be considered ‘adequate’ by the EU. In both cases the Committee recommends nothing (except the minor rec 23), but simply refers the issues to the Government.
Graham Greenleaf, General Editor.
Articles in following issues will deal with the enforcement aspects of the Bill, and with the question of its EU ‘adequacy’ (General Editor).