Privacy Law and Policy Reporter
Despite the Federal Government’s wishful thinking, the question of the adequacy of Australia’s privacy regulation is not going away. This issue includes several different perspectives on this vexed matter.
At the Communications Law Centre’s excellent privacy conference in Melbourne in June, EU delegation head Aneurin Hughes gave an unusually frank appraisal of the private sector amendments to the Privacy Act 1988 (Cth) (the Act). He not only reiterated the views of the EU Commission’s art 29 Advisory Committee that the regime was deficient in eight specific respects, but he also contrasted the regime unfavourably with the Safe Harbor agreement between the US and the EU. He suggested that the Attorney General Daryl Williams’ assertion that the EU criticisms were based on a misunderstanding of the Australian law indicated a ‘head in the sand’ attitude to a continuing point of friction.
In this issue, Barbara Wellbery, one of the architects of Safe Harbor, brings the story up to date in the context of US privacy initiatives. Elizabeth Longworth discusses the role of contracts, which Mr Hughes highlighted as a necessary alternative to an EU adequacy assessment to allow the continued transfer of personal data from Europe. The second part of Nigel Waters’ analysis of the Australian regime against the EU Directive standards deals specifically with the telecommunications industry and the remainder of the private sector under the new regime to commence in December.
In issuing three sets of draft Guidelines on this new regime for consultation, the Federal Privacy Commissioner had an opportunity to address some of the EU criticisms.
The Guidelines cover: Code Development — the content of Codes of Practice under Pt IIIAA of the Act and the processes involved in obtaining the Commissioner’s approval for and registration of a Code; the National Privacy Principles (NPPs) — the way in which the Commissioner proposes to interpret the National Privacy Principles; and health privacy — the way in which the Act, as amended, applies to the handling of health information within the private health sector. The Commissioner intends to finalise all three sets of Guidelines before the commencement of the new private sector regime, after taking into account submissions received.
It would be unwise to assume that the final Guidelines will necessarily remain unchanged — there could be significant revisions, not least in relation to some key issues such as the standard of consent and the meaning in practice of what is ‘reasonably practicable’.
The other important proviso is that the Guidelines, even when finalised, have no formal status in law — they will be purely advisory, and the actual meaning of the NPPs and the way the Act applies to health information will ultimately be determined by the courts in judgments on individual cases, which may or may not take account of the Commissioner’s interpretation.
Has the Commissioner taken the opportunity to address ‘EU adequacy’ issues? Even bearing in mind that most of the EU criticisms concern provisions in the Act itself, over which the Commissioner has no control, the disappointing answer is: not really.
One of the art 29 Committee criticisms is that the exception for use/disclosure ‘required or authorised by or under law’ is a wider exception than the equivalent criteria in art 7 of the Directive that disclosure is ‘necessary for compliance with a legal obligation’. Under the heading ‘Authorised by law’, the Guidelines say that this ‘refers to circumstances where the law permits but does not require use or disclosure’. This can be read as presuming that there is a specific law (although the Committee correctly points out that the 1999 version of the NPPs used the term ‘specifically authorised’). While there is reason to believe that the NPP exception is not as broad as the Committee thinks, the Guidelines do little to assist this argument, as no examples are given that would help to alleviate the Committee’s concern that this effectively allows anything that is not expressly prohibited.
Another criticism is that NPP 9 does not expressly set out a role for the Commissioner in assessing other jurisdictions’ ‘adequacy’ and publicising these assessments (effectively a ‘white list’). The NPP Guidelines would be the obvious place for the Commissioner to ‘volunteer’ for such a role, but he has conspicuously declined to do so, instead suggesting in the Guidelines that this will remain a matter for each organisation to decide for itself, preferably with external legal advice.
The NSW Commissioner could assist in this respect by determining laws in other jurisdictions that are of an equivalent standard (to the Privacy and Personal Information Protection Act 1998 (NSW)) and gazetting them. However, the draft Code of Practice on interjurisdictional transfers issued by Privacy NSW for comment in April 2001 seems to suggest that the Commissioner sees the Code as an ‘easier’ alternative to determining other laws. Moreover, the draft Code appears not to even aspire to meet the EU Directive standards for transborder data flows. It remains to be seen if the newly appointed Victorian Privacy Commissioner is any more courageous than his or her interstate counterparts in giving effect to the data export principle — IPP 9 in the Information Privacy Act 2000 (VIC) is effectively the same as NPP 9. This seems unlikely, as while the Victorian Commissioner is given the express function of issuing model terms for data export contracts or arrangements, there is no reference to a role for the Commissioner in determining adequacy.
The only ‘EU adequacy’ criticism that appears to be addressed directly in the federal Commissioner’s Guidelines is the limitation of the ‘miscellaneous’ basis for overseas transfer — NPP 9(f) — to standards alone, with no reference to enforcement of rights. The Commissioner’s NPP Guidelines suggest that he will apply the same benchmarks as in NPP 9(a) to (f). These include a requirement to be satisfied that the standards are ‘effectively upheld’, and the Guideline on (a) sets a criterion of ‘an appropriate complaint mechanism and enforcement scheme’. If this interpretation of (f) is confirmed in the final Guidelines and upheld, then it would substantially address the criticism. But it is difficult to see what basis the Commissioner has for importing ‘enforcement’ criteria into (f) when it clearly only deals with standards; if it also requires enforcement machinery, then how does it differ from (a)? There must be a real prospect that the Commissioner’s current interpretation will be challenged and may not survive, in which case the criticism remains.
It should be said that some of the EU committee’s criticisms of the federal law do seem unfair. Its criticisms of both the direct marketing ‘opt out’ provisions and the requirements for notice do not stand up well to close examination, particularly in comparison with the equivalent articles in the EU Directive. But enough of the other criticisms are valid to suggest that further discussions and explanations, apparently in progress, are unlikely to change the EU’s collective mind about the overall weakness of the private sector amendments.
The reluctance of Australian Privacy Commissioners to ‘bite the bullet’ on adequacy assessment is understandable — the stakes are high, and it would be a brave Commissioner who took an initiative which could result in interruption of significant data transfers affecting business and commerce. Australia is not alone in this: even the EU has only issued formal decisions in relation to three jurisdictions — Hungary, Switzerland and the US — and all of them were favourable, and no jurisdiction has yet ‘blacklisted’ another. However, the matter will eventually be forced by complaints and/or court challenges. If Australia wants to avoid the dubious distinction of being the first country to be judged ‘inadequate’, the Federal Government would do well to address the EU’s valid criticisms.
Nigel Waters, Associate Editor.
1. Expressed in Opinion 3/2001 — see <europa.eu.int/comm/internal_market/en/dataprot/wpdocs/index.htm>.
2. The first part, dealing with the public sector and credit reporting, appeared in Issue 8.1.
3. See <www.privacy.gov.au>.
4. NPP 2.1(g).
5. Page 136.
6. Contrast the Hong Kong Personal Information (Privacy) Ordinance, which gives the Commissioner the express role of issuing a ‘white list’ of jurisdictions with adequate laws (although this section, s 33, has not yet been commenced).