Privacy Law and Policy Reporter
In May 2001 the Privacy Commissioner released a set of guidelines to assist the interpretation of the private sector amendments made to the Privacy Act 1988 (Cth), which came into force on the 21 December 2001. Among other things, those guidelines contained a detailed discussion on the meaning of the term ‘consent’.
In September 2001 a new set of guidelines were presented by the Privacy Commissioner, containing fewer — not to say a lack of — explanations in relation to the use of the ambiguous term ‘consent’.
This article aims to examinine the differences, in relation to the term ‘consent’, between the September guidelines and the ones released only four months earlier.
Apart from the obvious fact that the May guidelines contain so much more assistance in the interpretation of the meaning of ‘consent’ than the September ones, it has to be said that they are still very similar at large. Only in a few instances do the newer guidelines contradict those released in May.
One possible difference is that the May guidelines deemed consent invalid if it was a result of ‘too much pressure or coercion’ while the September guidelines requires ‘extreme pressure or coercion’. Whether this represents a harder requirement or is simply a change of words is not entirely clear.
Furthermore, the September guidelines have left the doors wide open for so-called ‘implied consent’. The strict approach taken in the May guidelines, that ‘[g]enuine consent can only be implied in circumstances where it is clear that a person knows and understands what they are consenting to and clearly indicates from their behaviour that they have agreed’, has been replaced by the considerably softer approach, that ‘[i]mplied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation’.
The different view on implied consent becomes very obvious in relation to consent inferred from a failure to ‘opt out’. The May guidelines contain no less than nine conditions that had to be fulfilled for consent to be implied from a failure to opt out (and even if all those conditions were met, consent could not be implied in all circumstances). The September guidelines state that ‘it may be possible to infer consent from the individual’s failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up’.
The September guidelines also appear to take a different approach in relation to the question of impracticability to seek consent in relation to direct marketing. This question would, according to the September guidelines, ‘generally be considered at the time of the proposed use of the personal information for direct marketing — not the time the personal information was collected’. The May guidelines state that ‘[i]f the Commissioner receives a complaint about inappropriate use of information for direct marketing and the Commissioner concludes that the organisation could have gained the individual’s consent at the time of collection, it will not allow an organisation to succeed in an argument that it was impracticable to get consent’.
Finally, as mentioned above, the September guidelines take a stricter approach to the circumstances in which otherwise valid consent will be invalid due to external pressure. In the May guidelines ‘[consent] is ... invalid if there is too much pressure or coercion’, while the September guidelines state that ‘[c]onsent is invalid if there is extreme pressure or coercion’.
Naturally, it is impossible to assess how much difference the chosen wording will make in an actual case, but it seems fair to conclude that in general the September guidelines take a more business friendly approach than the May guidelines. The thought that consent can be gained by any means that does not constitute ‘extreme pressure or coercion’ must be alarming to any individual.
So how should the absence of an explanation of the term ‘consent’ in the September guidelines be perceived? I see at least two alternatives.
The fact that the September guidelines in general are considerably shorter than the May ones might be an indication of a desire to make the guidelines of a more manageable size. Taking that approach, the May guidelines might still be relevant as an indication of the opinion of the Privacy Commissioner, with the exception of the few but important parts that are contrary to the September guidelines. However, such a conclusion might seem rather far fetched.
The alternative view is that only what is mentioned in the September guidelines is relevant in the interpretation of the amended Privacy Act 1988. But it is hopefully just as far fetched to assume that the well thought through viewpoint expressed in the May guidelines only amounted to the very limited guidance of the September guidelines.
In my opinion it does seem possible that the May guidelines still represent the opinion of the Privacy Commissioner except where the September guidelines expresses a different opinion. The fact that, to an overwhelming extent, the newer guidelines do not express any opinions contradicting the May guidelines supports such a conclusion.
For example, although the issue is not directly addressed, there is nothing in the September guidelines that contradict the opinion that ‘[a]n organisation should not seek a broader consent than is necessary’, expressed in the May guidelines. Such fundamental concepts must still be seen as relevant.
The September guidelines simply fail to provide the same amount of information and guidance as the May guidelines do. Hopefully, it would be too big a generalisation to conclude that everything said in the May guidelines has been deemed wrong by the Privacy Commissioner simply because it is not restated in the newer September guidelines.
Dan Svantesson, SJD research student, University of NSW, Sydney.