Privacy Law and Policy Reporter
In December 1999 the Board of the Australian Communications Industry Forum (ACIF) approved the industry code ACIF C523:1999 — Protection of Personal Information of Customers of Telecommunications Providers (CPI Code). It was registered by the Australian Communications Authority (ACA) this May.
The Privacy Amendment (Private Sector) Bill 2000 (the Bill) received its Second Reading in April this year. The thrust of the Bill is to extend regulation of privacy to the private sector either through industry codes on privacy protection which are approved by the Privacy Commissioner or, in the absence of approved codes, direct regulation by the Privacy Commissioner. In either case, the basis of privacy regulation is the National Privacy Principles (NPPs), originally issued as the National Principles for the Fair Handling of Personal Information developed by the Privacy Commissioner, and now contained in Sch 3 of the Bill.
The questions for both the telecommunications industry forum ACIF and the Privacy Commissioner’s Office are whether the CPI Code would meet the tests for approval under the Bill; if so, whether to seek code approval; and whether industry and/or consumers are better served by submitting the CPI Code for approval or not.
A note of caution: this article is based on the Bill as introduced into the House. It may well be altered by the Senate before final passage into law.
The CPI Code provides telecommunications-specific rules on privacy protection. The Code was quite deliberately based on the NPPs, and in consultation with the Privacy Commissioner’s office. It is therefore unlikely that there would be significant difference between privacy protection afforded by the CPI Code and the NPPs. Any significant difference in privacy protection will more likely be in relation to the complaints and enforcement mechanisms provided under telecommunications codes and structures, as against mechanisms set out in the Bill.
The CPI Code itself does not include mechanisms either for complaints handling or for enforcement of Code rules. Those mechanisms are provided by the ACIF Complaints Handling Code, the Telecommunications Industry Ombudsman Scheme and the ACA.
The ACIF Complaint Handling Code is currently in draft form, but likely to be passed by the ACIF Board in June, and registered with the ACA by September, well before the Bill takes effect. The Code was based on the Australian Standard for complaint handling, and imposes requirements on service providers covering the supply of information on complaint handling processes, timelines for handling complaints, an appeal process and the collection of complaints data.
The Telecommunications Industry Ombudsman (TIO) handles complaints not satisfactorily handled by industry members. All carriers and carriage service providers who provide standard telephony, public mobile services or internet access services must enter into the TIO scheme (ss 127-8, Telecommunications (Consumer Protection and Service Standards) Act 1999 (Cth)). While TIO Ltd is a private company established and funded by industry, its corporate documents require Scheme members to abide by TIO determinations, including payment of up to $10,000 in compensation to complainants. TIO Ltd corporate documentation also gives the TIO jurisdiction to hear and determine complaints on breaches of ACIF codes.
The ACA is the final link in the complaints and enforcement structure. Once a code is registered, the ACA can issue formal warnings and directions on code compliance to industry members covered by the code (ss 121-122 Telecommunications Act 1997 (the Act)) and enforce non-compliance with a direction in the Federal Court (s 570). If the ACA believes it necessary or convenient to determine a standard (because a code is not in place, or because it has proved deficient), it can do so (s 125(3)), and compliance with standards is a requirement of the Act (s 128). The ACA must also issue a report on carrier and carriage service provider compliance with registered codes annually (s 105(3)(d)).
Assuming the CPI Code (and possibly surrounding complaint and enforcement mechanisms) meets Privacy Commissioner tests for code approval, there are three options for privacy protection in telecommunications. The first is submission of the CPI Code and surrounding complaints and enforcement structures as a package to the Privacy Commissioner for approval as a Privacy Code containing complaints mechanisms. The second is submission of the CPI Code as a stand alone document to the Privacy Commissioner for approval. The final option is not submitting the CPI Code to the Privacy Commissioner. In the first two options, a related issue is whether and how the CPI Code would be deregistered by the ACA.
The Bill’s prohibition, in relation to approved codes, is against an organisation doing ‘an act’ or engaging ‘in a practice that breaches an approved privacy code that binds an organisation’ (cl 16A).
Once an organisation has applied to have a code approved by the Commissioner, the Commissioner must be satisfied of a number of criteria before approving the code (cl 18BB(2)). The criteria include:
There are additional criteria if the code also includes procedures for handling complaints in relation to code provisions on privacy.
If the code contains procedures for handling complaints, the additional criteria that the Commissioner must be satisfied about, for code approval, include:
The major implication of an approved code including complaint handling procedures is that complaints about an interference with privacy are handled according to approved code procedures and cannot, under cl 36(1A) of the Bill, be handled by the Privacy Commissioner. (An interference with privacy is defined in cl 13A to be, inter alia, an act or practice which breaches an approved privacy code, or an act or practice which breaches one of the NPPs and the offending organisation is not bound by an approved code.)
The relevant exception is if the code itself appoints the Privacy Commissioner as the independent adjudicator (cl 36(1B)). There is also provision for an independent adjudicator, acting under an approved code, to refer a complaint to the Privacy Commissioner, which the Commissioner can then handle (cl 40(1B)).
The telecommunications industry could, therefore, submit the CPI Code to the Privacy Commissioner for approval, arguing that the Code itself, plus surrounding complaint and enforcement mechanisms, constitutes a code with enforcement mechanisms. If approved on that basis, the CPI Code and surrounding mechanisms would effectively stop consumers complaining directly to the Privacy Commissioner about an interference with privacy unless the CPI Code were amended to give the Privacy Commissioner powers in relation to the Code. Presumably the TIO would be considered as the ‘independent adjudicator’, on the argument that its powers under TIO corporate documentation give the TIO powers equivalent to those which can be exercised by the Privacy Commissioner under s 52 of the Privacy Act 1988. If TIO powers are not equivalent to those in s 52, an amended CPI Code could appoint the Privacy Commissioner as the independent adjudicator.
In either case, a determination made by an independent adjudicator (that is, the TIO) under an approved code would have the same effect as a Privacy Commissioner determination; that is, as if it were an order made by the Federal Court under s 55 Privacy Act 1988.
An additional issue is the removal of the CPI Code from the ACA’s register, effectively removing ACA powers to issue formal warnings and directions, and the power to determine standards if necessary. The Bill will amend the Act, making such deregistration possible (cl 122A). A difficulty with the amendment, however, is that it does not suggest a process or consultation mechanisms which the ACA should follow in deregistering a code.
Another option for the telecommunications industry is to seek Privacy Commissioner approval for the CPI Code as a stand alone code, without importing the surrounding complaints and enforcement mechanisms of the industry into the Code.
Under this option, complainants could raise an interference with privacy either with the TIO or the Privacy Commissioner. If the TIO handles the complaint, it would be under its general jurisdiction and not as a breach of a registered code (if the code is deregistered). Clearly the TIO would not be the ‘independent adjudicator’ for complaints, but could nevertheless handle and enforce decisions under his current powers. Alternatively, a complainant could go directly to the Privacy Commissioner.
The telecommunications industry may also make a very different choice: not to seek Privacy Commissioner approval for the CPI Code.
The Bill is clear: Commissioner approval is contingent on a code being submitted by an organisation (cl 18BA). If organisations do not submit codes for Commissioner approval, they are bound by the NPPs (cl 16A(2)).
The effect of this option would be to leave the current privacy regulation of the telecommunications industry in place: a registered CPI Code, the TIO handling complaints on privacy under CPI Code rules, with ACA enforceability mechanisms sitting behind a registered code. Consumers could also complain directly to the Privacy Commissioner about an interference with their privacy under the Bill.
Repeating the earlier point: the actual CPI Code rules and the NPPs will be similar in the privacy protection they afford. The issue — the choice to be made — is between the complaints and enforcement mechanisms surrounding the privacy rules.
The telecommunications industry view is generally that the CPI Code fits comfortably with the Bill’s self-regulatory structure and the more general government preference for ‘light touch’ regulation of the business sector.
The clear advantage of submitting the CPI Code and surrounding complaints and enforcement mechanisms for approval is that there would be one place for complainants to go on interferences with privacy: the industry itself. It would be the industry Code that sets the rules, with an independent adjudicator having the power of the Privacy Commissioner to enforce determinations made as a result of code complaints. It would remove the possibility (unless otherwise provided) of two separate and enforceable avenues for consumer redress on privacy.
The likelihood is that once the CPI Code, with or without its complaints and enforcement mechanisms, is approved, the ACA would move to deregister the CPI Code, with consequences for both TIO and ACA powers.
The TIO handles complaints about registered codes as potential breaches of rules that bind industry, and reports on those breaches to the ACA. If the Code is deregistered, the TIO will still have the power to handle and determine complaints on telecommunications privacy. Presumably that will still include handling those complaints as breaches of rules binding on the industry (under the approved Code) and reported to the Privacy Commissioner, although that is not clear. If the TIO is also considered as the ‘independent adjudicator’ under the Code, TIO determinations will be enforceable against offending organisations in the same way the Privacy Commissioner’s determinations are binding.
Another consequence of deregistration will be that the ACA’s power to issue formal warnings and directions will lapse, along with its power to set standards if the Code is seen not to be providing adequate community safeguards or otherwise not to be regulating the industry adequately (s 125(7) of the Act).
The options are there: CPI Code approval with or without an accompanying complaints and enforcement structure, or not. There is a further choice as to whether to deregister the CPI Code, although who makes that decision, and how, is not clear. In all the options, the actual privacy rules afford similar protection. The choice for industry and consumers is which option provides the most appropriate complaints and enforcement mechanisms to support those rules.
Holly Raiche is the Project Manager, Consumer Codes, Australian Communications Industry Forum, and Adjunct Lecturer in Information Technology Law, Faculty of Law, UNSW. The views expressed in the article are personal, and should not be attributed either to ACIF or to any other organisation.