Privacy Law and Policy Reporter
As previously discussed in this Bulletin, it remains to be seen whether private sector organisations find it worthwhile to develop and submit codes for approval.
Given that industry codes cannot provide less privacy protection than the National Privacy Principles (NPPs) and given that there is a right of appeal to the Privacy Commissioner from any independent complaints mechanism an organisation or industry has established, the question is why an organisation or industry would find it worthwhile to develop and submit codes for approval. It is a very real question facing the telecommunications industry.
The Government’s intention for its private sector privacy legislation was clear: establish a benchmark for privacy protection to apply throughout the private sector while encouraging organisations and industries to take primary responsibility for developing their own privacy codes, handling their own privacy complaints under those codes and establishing an enforcement mechanism to back up any findings made as a result of those complaints. The discussions now going on within the telecommunications industry suggest that predictions of little industry interest in code development need to be taken seriously.
At first blush, the telecommunications industry, with its code and enforcement mechanisms in place, should meet the Government’s intended goals of privacy protection.
The industry has its own privacy code on privacy protection which is almost a direct copy of the National Privacy Principles and which has been registered by the Australian Communications Authority (ACA).
It has its own complaints mechanism in the Telecommunications Industry Ombudsman (TIO), a private company backed up by legislation which requires all suppliers of a standard telephone service, a mobile service or a service that enables end users to access the internet to both join and comply with the TIO Scheme. The TIO’s Constitution already allows the TIO to deal with complaints about privacy ‘in terms of non-compliance with the Information Privacy Principles’ of the Privacy Act 1988 (Cth). And, as a result of an investigation made into a complaint, the TIO can resolve complaints by requiring TIO members to do (or not do) specified act(s) and/or pay the complainant up to $10,000.
The ACA has the power to ‘register’ codes and, once registered, a code can be enforced against those subject to the code — whether or not the relevant industry members have signed it.
Privacy complaints are reported both in the TIO’s annual reports and in the ACA’s annual reports to the Minister on carrier and carriage service provider compliance with codes and standards.
The requisite elements for Privacy Commissioner approval of a code are there: a code which would most likely meet NPP standards, effective complaints and enforcement mechanisms, and reporting of the complaints made. Indeed, the telecommunications industry’s expectation is that it could submit its privacy mechanisms already in place to the Privacy Commissioner for approval, making only minor changes to the rules and mechanisms to gain that approval.
A more detailed examination of the privacy legislation, however, suggests that the answer is not that simple.
Even if the current Australian Communications Industry Forum (ACIF) Code is submitted to the Commissioner without accompanying complaints procedures, the first issue is whether the Code would meet the test of voluntariness. Arguably, although the ACA can enforce registered codes by issuing a Direction for compliance to any industry member covered by the code, the code is voluntary until the Direction has been issued. That, however, raises a related issue: regulatory duplication.
Under the recent amendments to the Privacy Act, the ACA was given power to deregister codes. While the Act does not provide grounds upon which the ACA is likely to deregister a code, regulatory duplication would be one reason for doing so. In this case, the regulatory duplication would relate to the ACA and the Privacy Commissioner both having the power to enforce what is an almost identical set of rules — the NPPs.
In the case of the telecommunications industry, however, the ‘voluntariness’ requirement for approved codes means that the regulatory duplication may only be partial.
Arguably, private sector organisations will either be covered by the Privacy Act itself or by an approved code which provides equivalent protections. However, the exemption for small businesses in the privacy legislation means that the smaller suppliers in the telecommunications industry, particularly the smaller internet service providers, will not be covered either by the Privacy Act or an approved code unless they voluntarily sign the code. In those circumstances, if the telecommunications privacy code is deregistered, many smaller internet service providers may not be subject to any enforceable privacy rules.
If the telecommunications industry submits its privacy code together with its surrounding complaints/enforcement structure (the TIO as the code adjudicator, and ACA enforcement powers), another important issue is raised. Under the TIO Constitution, all TIO decisions to resolve a complaint are binding on industry members, although not on the complainant who has a choice of accepting the TIO decision or rejecting it, in which case the complainant can pursue other remedies. Under the privacy legislation, it appears that both the complainant and industry member can appeal to the Privacy Commissioner against a decision of the complaint adjudicator (the TIO). This represents a significant change from TIO decision-making powers and, for consumers, an important loss of protection.
There are other issues. The reporting requirements for a code adjudicator are far more onerous than what the TIO currently requires. Also, the ‘prescribed standards’ required to be set by the Attorney-General are likely to be based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes — which the TIO may not comply with in all respects.
The issues raised by the privacy legislation are complex — but not insurmountable. Clearly, there will need to be dialogue between the Commissioner and the telecommunications industry, and most likely some changes to the current arrangements. But Nigel Waters’ question remains not only for the telecommunications industry, but all industries with privacy protections in place: will it be worthwhile for industry members and consumers to submit a privacy code and surrounding complaints and enforcement mechanisms for approval?
Holly Raiche is a Project Manager at the Australian Communications Industry Forum (ACIF), responsible for the consumer codes relating to privacy, and for ACIF’s Privacy Advisory Board. She is also on the Editorial Board of PLPR.
 Waters N ‘Privacy codes — what are they? Where are they?’ (2001) 7(8) PLPR 162.
 Privacy Amendment (Private Sector) Act 2000.
 ACIF Protection of Personal Information of Customers of Telecommunications Providers Industry Code C523:1999 — available on the ACIF website at <www.acif.org.au>.
 Telecommunications (Consumer Protection and Service Standards) Act 1999 (Cth) Pt 6, s 128.
 Telecommunications Industry Ombudsman Constitution cl 4.1.
 Telecommunications Industry Ombudsman Constitution cl 6.1.
 The ACA can issue Formal Warnings or Directions for code compliance to an industry member or members under ss 121 or 122 Telecommunications Act 1997, with Directions enforceable through Federal Court proceedings under s 570. The ACA can also issue an industry standard, binding on all industry members, if a registered code is not operating to provide appropriate community safeguards, under s 125.
 Required to be published under s 105 Telecommunications Act 1997.
 See particularly s 18BB Privacy Act 1988, which sets out the elements about which the Commissioner must be satisfied before approving a code. Section 18BB(2) covers only those elements considered when a code is submitted for Commissioner approval. Section 18BB(3) sets out additional criteria to be considered by the Commissioner if the code includes procedures for making and dealing with complaints.
 Section 18BB(2)(c) Privacy Act 1988 requires that only organisations that ‘consent to be bound by the code are, or will be, bound by the code’.
 See the new s 122A Telecommunications Act 1997.
 Section 16A Privacy Act 1988.
 Under s 6C Privacy Act 1988, organisations are defined to exclude small business operators, which are further defined in s 6D to refer to businesses with an annual turnover of $3 million or less.
 See, for example, the draft Internet Industry Privacy Code of Practice which was released on 14 August 2001 — available on <www.iia.net.au>.
 This is assuming that the requirement for an approved code which ‘sets out procedures for making and dealing with complaints’ in s 18BB(3) Privacy Act 1988 permits this.
 Telecommunications Industry Ombudsman Constitution cl 6.1.
 Section 18BI Privacy Act 1988.
 Section 18BB(h)-(l).
 Section 18BB(3)(a)(i).
 Benchmarks for Industry-Based Customer Dispute Resolution Schemes, released by Chris Ellison, Minister for Customs and Consumer Affairs, August 1997.
 See Office of the Federal Privacy Commissioner Draft Code Development Guidelines April 2001 p 4.