Privacy Law and Policy Reporter
PLPR’s editorial position for the last seven years has been to support stronger privacy laws in Australia, particularly a Federal private sector law. It is therefore very disappointing to have to conclude that the Privacy Amendment (Private Sector) Bill 2000 is not worth supporting. The proposed minimal Government amendments do not change this. In its current form, the Bill is essentially ‘business protection legislation’, and is not primarily designed to protect the privacy of consumers and citizens.
At the most general level, the formal structure of the Bill is supportable, including its co-regulatory structure. The NPPs could be improved, but they are not the main problem. The principal deficiencies of the Bill are its numerous unjustifiable exceptions and exclusions (many of which are detailed in (2000) 7(1) PLPR 1) which make it ‘more holes than cheese’, and the major deficiencies in the Bill’s enforcement regime that will prevent effective enforcement of such consumer rights as do exist (discussed below). These and other defects mean that the Bill is unlikely to even be effective in one of its main ‘business protection’ aims, the protection of imports of personal information from Europe (see lead article this issue).
Protection of individual privacy will be piecemeal, and will leave consumers unprotected against many of the worst privacy invasions (which will now have an aura of legitimacy of ‘complying with the Privacy Act’). Such rights as the Bill provides will be inadequately enforced and enforced in a way which is biased toward business.
The Australian public would be better served by the failure of this Bill, and another opportunity at a later date, than by the enactment of a Bill that presents an illusion of privacy protection and the legitimation of previously dubious practices. The Bill needs fundamental changes before it can bring Australia up to the standards of privacy protection now commonplace in Europe, New Zealand or Hong Kong and elsewhere — or even that proposed for the public sector in Victoria.
A major deficiency of the Bill not discussed elsewhere in PLPR is how the inadequacies of the enforcement procedures of the Bill mean that it is not genuine co-regulation, but closer to industry self-regulation. The enforcement powers of the Commissioner and industry bodies are quite insufficient.
The fundamental unfairness of the enforcement regime is that, as an indirect consequence of the Brandy decision, businesses have in effect a right of appeal to a court against decisions of an industry complaints bodies (or the Privacy Commissioner) but unsuccessful complainants (that is, consumers and citizens) have no such right of appeal on the merits. This is because a business against which an adverse determination has been made can just ‘sit on its hands’, and before the determination can be enforced against it the merits of the complaint must be heard de novo by a court. This defect has been known to the Government since the first meeting of the Core Consultative Committee in 1999, and is not remedied by allowing judicial review of decisions of industry complaints bodies, nor by making a determination prima facie evidence of the facts upon it is based.
Other important enforcement related deficiencies are related to this core problem:
These combined factors mean that the Bill’s enforcement regime is fundamentally deficient because it lacks both the capacity to do justice in individual cases and the capacity to generate a body of privacy law which will result in consistent and fair decisions by industry complaints bodies and the Commissioner.
Victoria’s Information Privacy Bill 2000 is a superior model for co-regulation to the Commonwealth Bill because it also gives dissatisfied complainants a full right of appeal to an independent administrative appeals tribunal (VCAT) (see ‘Victoria’s Privacy Bill still sets the standard’ (2000) 7(2) PLPR 21).
The Commonwealth Parliament should not enact such obviously deficient legislation just because a few business interests want to keep privacy rights tied up within some cosy industry self-regulatory bodies, when there is a clear alternative approach which is still genuinely co-regulatory.
Graham Greenleaf, General Editor.