University of New South Wales Faculty of Law Research Series
Last Updated: 23 August 2012
A Critique of Australia’s Proposed Privacy Amendment (Enhancing Privacy Protection) Bill 2012
Nigel Waters, Pacific Privacy Consulting
Graham Greenleaf, University of New South Wales
This paper is available for download at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2134838
This paper may be referenced as  UNSWLRS 35.
The Privacy Amendment (Enhancing Privacy
Protection) Bill 2012 is claimed by the Australian government to be a major
‘pro-privacy’ reform of Australia’s Privacy Act 1988.
This submission to the relevant Parliamentary Committees (prepared by the
authors for the Australian Privacy Foundation) explains
the many reasons why
this is not so.
The Bill strengthens the powers of the Privacy Commissioner in a number of desirable ways, including civil penalty provisions, enforceable undertakings, enforcement of own-motion investigations, and limited requirements for Privacy Impact Assessments. But these reforms are undermined by inadequate reform of the Commissioner’s most important power, the making of determinations (enforceable decisions concerning complaints) under s52. Unless the Commissioner can be required by complainants to make decisions (only 9 have been made in 23 years), the new right of appeal against the Commissioner’s decisions will be meaningless. Appeal rights are no use if there are no decisions against which to appeal.
The proposed Australian Privacy Principles (APPs), while supposedly a welcome consolidation of disparate sets of principles, are in eight of the thirteen principles generally weaker than the UPPs proposed by the Australian Law Reform Commission (ALRC) or the current Act’s IPPs and NPPs. Particularly weak principles are those dealing with data exports, which abandons any idea of ‘border protection’ in favour of an unenforceable and largely valueless version of ‘accountability’, and the changes to the anonymity principle, which allow pseudonymity to be substituted for anonymity at the whim of a data collector.
The Bill gives the credit reporting industry the right to share information about Australians who have never had a credit default, a backward step for the privacy of every Australian who has ever had a loan or a credit card. Even though these changes to a form of ‘positive reporting’ are not as extensive or undesirable as in some countries, and may have some benefits in removing over-commitment, they have been brought in without sufficient responsible lending reforms. Some additional safeguards for credit reporting have been included and are welcome, but the overall effect of this part of the reforms is a major loss of financial privacy for all Australians.
The Bill does not remove the unjustifiable exemptions from the Act for ‘small’ businesses, employment records and political matters (reforms proposed by the ALRC). Australians will wait forever for a second reform Bill – there should be one comprehensive Bill including all reforms.
The Bill therefore does little overall to advance Australia’s case for an ‘adequacy’ finding by the European Union concerning Australia’s privacy protections. Whether the stronger enforcement powers can compensate for the negative aspects is questionable. Internationally, this seems like a missed opportunity for Australia.