Chapter 3
Evaluating a privacy system
Introduction
3.1 Before examining the nature of Australia's privacy protection system
and its relationship with the privacy sector, the Committee considers
it important to first establish the benchmark criteria or characteristics
of an adequate privacy protection scheme. Any such benchmark criteria
must comprise two elements. The first is the contents of the privacy rights
and the second is the degree to which those rights are enforceable.
3.1 In establishing the `model' of a privacy protection system, the Committee
also considers it important to identify the key stakeholders who will
be affected by the creation of such a system, and the nature of their
requirements and expectations. In this respect, the Committee is aware
that any solution to the privacy protection issues must to the greatest
extent possible, balance the interests of these various groups.
General characteristics of a privacy protection scheme
3.2 Whether the coverage of the privacy legislation should be extended
to the private sector will depend upon the adequacy of the present arrangements.
In order to assess the present arrangements, criteria of adequacy must
be developed and applied. Protection of privacy involves two elements:
appropriate privacy principles that govern the behaviour of people who
collect information and an effective mechanism to apply them and to ensure
that the principles are observed. Drawing on evidence presented to the
Committee from a number of expert witnesses [1],
adequate privacy protection schemes must:
- Have core principles that if observed will protect privacy. This criterion
is the content of the privacy protection scheme.
- Guarantee to a level acceptable to the community, and internationally,
a level of compliance with accepted privacy principles; [2]
- Guarantee to provide a means for people to exercise and protect their
right to privacy, that is, provide an accessible enforcement mechanism;
- Guarantee to provide redress when a privacy right is breached, by
way of specific remedies, sanctions or compensation. [3]
3.3 The last three criteria constitute the enforcement of the principles.
Aspects of this approach are generally accepted within Australia, although
to varying degrees, and internationally. [4]
The Committee will use these criteria to assess the current privacy arrangements.
[5]
3.4 The Committee notes that as a general proposition, a scheme for the
protection of privacy should incorporate a list of central principles
that enable the rights contained to be accessible and identifiable and
which allow people to be aware of their rights. This point has two implications.
3.5 The first is that there should be a single source document enumerating
privacy rights. The National Principles for the fair handling of information
are an example of this. The second is that the principles should be
readily understood. This principle was noted by Telstra:
A principle function of any privacy regime has to be the education
of both the people who give up their personal information and the people
who collect that information and subsequently use and/or disclose it.
This can most readily be achieved by expressing the Information Privacy
Principles in plain English. [6]
3.6 However, it could also be argued that the issue of privacy is so
important that `plain English' may not be the only way of making information
available to the community. Plain English is often a euphemism for more
technical language, and colloquial English may be more comprehensible.
[7]
3.7 In addition, the Committee believes it is important that any information
about human rights must be couched in terms which are meaningful to particular
groups of people, both within the English-speaking community, and in communities
where other languages are spoken.
Content of the principles of privacy
3.8 The rights contained in a privacy protection scheme should, as a
minimum, include the following: [8]
- Limits to the collection and use of personal information – ensuring
that an organisation collects personal information only where doing
so serves a legitimate purpose and that an organisation uses the information
only for that purpose.
- Personal information should only be collected using fair, lawful and
non-intrusive means.
- Individuals should be aware that information is being collected; the
purpose of the collection; whether the collection of the information
is authorised or required by or under law; and any person body or agency
to whom the information is usually disclosed.
- Personal information held by an organisation should be protected against
unauthorised access.
- Personal information should not be retained unless it is reasonable
to do so, and other personal information should be destroyed.
- Organisations holding personal information should take reasonable
measures to ensure the quality of the information held.
- Individuals should have access to their personal information, and
to have it corrected.
Enforcement of privacy rights
3.9 A further fundamental principle is that privacy rights must be capable
of being enforced. In other words, the scheme must result in a system
of legally enforceable rights and obligations.
3.10 The Committee recognises that notwithstanding the existence of powerful
and complete principles of privacy protection, ultimately there must be
legal mechanisms that can compel parties to enforce those principles,
and to impose, where necessary, remedies and compensation.
Stakeholders in privacy protection
3.11 In achieving a workable and equitable privacy protection regime,
there are a number of stakeholders whose interests must be taken into
consideration, although it should not be assumed that these interests
are necessarily conflicting or mutually exclusive. One of the factors
that has led to an apparent polarisation between those advocating self-regulation
and those supporting legislation is a lack of clarity about the benefits
available to various stakeholders through the different systems. It is
possible that apparent advantages to industry from self-regulation, for
example, may prove illusory; and it is also likely that rigorous legislation
may not meet the needs of all parties, including those who advocate it.
3.12 The key stakeholder groups include members of the public, industry
and industry associations and the governments of the Commonwealth and
the states and territories. Recent developments of international legal
standards, and in particular the EU Data Protection Directive, will also
have significant impact on Australian regulators.
Members of the public
3.13 In considering the extent of the stakeholder community, the Committee
sought to determine the coverage of the term ` members of the public',
and the extent to which this group has needs and responsibilities.
All persons
3.14 The term `members of the public' is preferred to that used in the
terms of reference 1(f) which considers only `consumers'. It was felt
that use of the term `consumers' might not include all those affected
by privacy systems. [9]
Employees
3.15 The Committee was also concerned at the attempt to exclude employee
data from consideration on the grounds that it was quite different to
`personal information' about consumers, and that it was already subject
to other legislation. The Australian Chamber of Commerce and Industry
(ACCI), for example, argued that principles which applied to employee
data would create an additional and unnecessary burden for employers,
[10] and succeeded in having this category
of information excluded from the National Principles:
ACCI's firm position is that workplace-related issues must not be included
under Privacy Principles, but should continue to be covered, to the
extent required, under workplace relations legislation, awards, agreements
and best practice (rather than a general privacy regime). [11]
3.16 The ACCI also challenged the approach by the Australian Law Reform
Commission (ALRC) on this matter, seeing it as `subjective', and leading
to duplication. [12] Should the extension of
the National Privacy Principles include employee records, the ACCI argued,
there would be `confusion and uncertainty' if they were similar, and a
`compliance nightmare' if they were dissimilar. [13]
The ALRC was of the belief that even small companies could effectively
keep an appropriate records system which would not duplicate processes
and which would be much fairer to all parties:
The legal obligation is really no more than best human resources practice
and best management practice. [14]
3.17 While there may be costs to establish such a system, it was likely
that similar processes were already in place; further, such costs were
part of business operations and would be amortised over a period of time.
Thus, the `cost' factor should not mislead people into thinking that dealing
with employee records was too complex and imposed an additional burden
on business. [15]
3.18 From another angle, the European Commission advised the Committee,
and had apparently also advised the Privacy Commissioner, that the draft
of the National Principles was deficient in that it did not deal
with employee data. The Commission noted that employee data was `an important
area for international data flows.'
3.19 The Committee notes the concerns of ACCI and similar groups, but
does not believe that this type of information should automatically be
excluded from coverage of a common privacy system which applies to all
forms of personal information. If current legislation allows for practices
which are quite dissimilar from the precepts in the National Principles,
consideration should be given to the development of ways in which to standardise
the use of information. Otherwise an individual has certain rights as
a consumer or purchaser of services that are denied to him or her as an
employee. To some extent, ACCI acknowledged this discrepancy by stating
that a solution would be `to consider possibilities for improving the
existing arrangements':
To this end ACCI has commenced developmental work on appropriate guidelines
for employers, that will constitute a guide to the principal “do's
and don'ts”. [16]
3.20 In its submission to the Attorney General's department on the discussion
paper Privacy and the Private Sector, [17]
and its other submissions to this Committee, the ACCI noted that employee
(employment) records contained information on financial and other matters
which were of limited interest and/or were collected primarily in the
interests of the employee. [18] This in itself
suggests that if the National Principles or a similar code applied
to the use of such documents, there would be no conflict or duplication.
3.21 It is apparent that there is little objection per se by industry
groups to appropriate protection of employee data. It is more that employer
groups believe existing legislation provides this protection adequately,
and that the introduction of another level would lead to confusion.
3.22 The Committee therefore recommends that in the development
of more effective privacy legislation, as is recommended later in this
report, consideration be given to the relationship between existing laws
regulating employer records and proposed legislation which would seek
to cover employee data.
The vulnerable and disadvantaged
3.23 Members of the public generally have an interest in seeing appropriate
controls on the use of their private information. The interests of the
public are principally served by the introduction of a system that reflects
principles of content and enforceability detailed above.
3.24 In particular, a privacy system must also address the availability
of a privacy protection system to the disadvantaged in society. In terms
of the content, privacy protection principles must be wide enough to consider
where necessary, the needs of particular groups, while the enforcement
provisions must recognise the very real barriers to justice that can work
to shut some members of the community out of the legal system.
3.25 In this regard, the Committee recognises that reliance on a system
of private legal action to enforce rights is frequently prohibitively
expensive for most members of the public, and well out of reach for the
most disadvantaged, except in instances where legal aid may be available.
As Ms Sophie Delaney of the Victorian Mental Health Legal Centre told
the Committee:
In relation to privacy, the previous speaker talked about the fact
that people can take civil action in relation to breaches of confidentiality
whether it be for a breach of contract or equitable actions for a breach
of confidence. That is all very well in theory but, particularly when
you are talking about people who are socially disadvantaged, those sorts
of remedies are not accessible when they have to be pursued through
the courts. [19]
3.26 In some instances arrangements may be made so that consumers do
not have to take legal action at great expense. The Australian Bankers'
Association, for example, saw the National Principles as providing
a means by which a legal right could be exercise at minimal cost:
The ABA model does not require the customer to litigate that right
in a court. There will be internal processes to deal with customer complaints
about bank groups' compliance with the National Principles. [20]
3.27 However, although this may suit some people, it may well be that
many consumers would rather have another party dealing with their complaint,
one which has no apparent relationship with the party complained of.
3.28 In this context, the Committee also notes the implications of the
High Court's decision in Brandy v Human Rights and Equal Opportunity
Commission, [21] which held that the mechanism
for registration and enforcement of HREOC determinations through the Federal
Court breached the doctrine of the separation of powers implicit in Chapter
III of the Australian Constitution. This means that any system developed
to protect privacy will not be able to rely on binding determinations
by the Privacy Commissioner, and that even after investigation by the
Privacy Commissioner, an enforceable judgement can only be given after
a complete re-hearing by the Federal Court.
3.29 Within the Australian community there are many groups and communities
which may have particular needs concerning information and access. These
needs may arise from language and cultural factors; age; disability; refugee
status, and other grounds. The education and information process must
be such as to meet these needs, so that all members of the community understand
the issues involved in privacy protection and the most effective means
of gaining access to such protection.
The public interest
3.30 At the same time, Parliament must consider the wider public interest
of developing a system that provides privacy protection but also retains
sufficient flexibility to be able to meet the demands of evolving technology
and the particular demands, structures and issues that arise across various
industry sectors, service providers etc.
3.31 The Committee recognises that an unduly prescriptive system will
lack this inherent flexibility and is likely to be become unwieldy and
anachronistic. However, evidence presented did not demonstrate that legislation
must always be 'unduly' prescriptive, and there appeared to be considerable
support for the idea of `light' legislation. [22]
3.32 Governments are also, as always, under pressure to minimise cost.
Regulatory systems instituted by Parliament must also therefore, seek
to minimise the costs of implementing, enforcing and administering programs.
However, the Committee, in acknowledging justifiable concerns by industry
about duplication and overlap, also notes that the issue of cost and duplication
can be raised to obscure. There is limited evidence available to demonstrate
that the costs of ensuring some privacy rights will be too great to be
borne by society. [23]
The rights and responsibilities of the private sector
3.33 Term of reference 1(e) relates to the needs and responsibilities
of the private sector. In submissions and other evidence to this inquiry,
there were several different views as to the needs of the private sector,
including the view that industry's needs would have to be seen in a much
wider context:
The needs of the private sector are not a material consideration
… other than their legitimate desire to see any regulatory burden
minimised. Privacy and consumer advocates reject the proposition that
private sector businesses have `rights' which compete with individuals'
rights. They do not dispute that there is a public interest (ultimately
the interests of a majority of individuals) in as free a marketplace
as is consistent with other values and interests which need to be protected.
The responsibilities of the private sector, which need to be
enshrined in law, are to respect fundamental rights and freedoms in
the pursuit of commercial objectives. In the privacy context, those
responsibilities must include compliance with international best practice
standards of fair information handling. [24]
3.34 For other witnesses, the issue of responsibility meant that an industry
sector would need to balance the rights of all relevant parties:
If the Private sector need tenancy databases to be able to conduct
their business, they cannot be allowed to abrogate their responsibility
in [en]suring that only correct, documented, and verified information
is entered into those databases. [25]
3.35 From the industry sector, the most often stated needs were:
- consistency and uniformity regarding privacy standards; [26]
- the need to trial current self-regulation principles, that is, the
National Principles for the Fair Handling of Personal Information,
[27]and existing codes of practice;
- limited regulation and red tape; [28]and
- industry specific needs.
-
Consistency and uniformity regarding privacy standards
It remains critical to avoid the enactment of separate and divergent
regimes by individual States and Territories. A series of overlapping
and inconsistent schemes can only add to business confusion and compliance
costs. [29]
3.36 Submissions to the Committee suggest that the key focus for industry
is minimising the costs of doing business and increasing competitiveness:
The private sector recognises that protection of privacy, particularly
for personal data has become an increasingly significant social issue
… However, it is crucial that this objective be balanced with ensuring
a conducive business operating environment if Australia's broader economic
goals are to be achieved. [30]
3.37 To achieve this goal, industry priorities are on minimising the
regulatory burden and compliance costs, and creating a system that is
nationally consistent. This is reflected in the comments of the Australian
Bankers' Association:
At a philosophical level, we advocate less regulation rather than more
as the most effective way of achieving economic and social objectives.
[31]
[T]he worst possible model would be individual states coming up with
their own legislation because, by definition, they are going to be inconsistent,
and it will lead to tremendous confusion and cost. [32]
3.38 These comments were further reflected by the Australian Chamber
of Commerce and Industry, [33] and Telstra
which emphasised that duplication and overlap inevitably led to expense
and red tape :
While Telstra considers it desirable that there should be national
privacy standards within legislative framework it is also import[ant]
to avoid a prescriptive, rigid and costly framework which ultimately
would be counter productive. [34]
The need to trial current self-regulation principles
3.39 Industry groups which emphasised this approach did not generally
believe that current self-regulatory approaches could be combined with
legislation. [35] This subset of stakeholders
argued that significant time and resources have been invested in the development
of the Principles and that these arrangements should be given an opportunity
to prove themselves and to return the investment.
3.40 One major representative body suggested that the Principles should
be given time to settle in and, that if at the end of this period, it
was seen that the process was not leading to `coverage and enforcement',
then legislation might be appropriate:
It is the ACCI's stated and continued view that the Privacy Principles
should be implemented and evaluated before further action is undertaken.
This means allowing an appropriate period for the various industry sectors
to develop and institute their codes Given that the banking, insurance
and direct marketing sectors are well advanced in this respect, it would
not be unreasonable to expect this to be done by year's end.
At that stage it would be appropriate to consider the extent to which
the self regulatory approach is resulting in gaps in terms of coverage
and enforcement to evaluate the system in operation …
The strength of adopting a co-regulatory model, post a self-regulatory
evaluation phase is that it represents evolution not revolution. [36]
3.41 While the Committee appreciates this view, it does not believe that
the investment will be wasted. The process of devising the National
Principles may not have been as useful as desired, but it has achieved
a standard series of principles that many industry sectors apparently
accept. [37]
3.42 It could also be argued that the phased in process simply buys further
time for organisations which have already had a considerable period to
determine and finalise codes of practice. Arguably, given the mounting
urgency of threats to privacy and international pressure to develop privacy
protection, Australia cannot afford to spend too long on a “wait
and see” approach. [38] On the other hand,
many of those organisations which agreed with a co-regulatory approach
also wanted a gradual phase-in of up to three years. [39]
Limited regulation and red tape
3.43 To a degree, those opposed to red tape and extensive regulation
were those who approved self-regulation:
The principles in the Privacy Act … require specific written consent
for each disclosure across a financial organisation, which most consumers
would condemn as bureaucratic. [40]
3.44 However, there are some notable differences between supporters of
the minimalist approach. The opposition to what is perceived as complexity
is espoused by those who are in favour of legislation, particularly national,
consistent legislation, as well as by those who correlate simplicity with
non-legislative codes of conduct. Similarly, those who emphasise the value
of codes of conduct may often see benefit in having those codes enforced
through law, in order to limit the advantages gained by those who work
outside any system. [41]
3.45 A major and, to the Committee, quite valid, concern about red tape
and extensive regulation was the development of complex principles and
processes for which there was no observable requirement:
… which are the sectors or types of transactions where privacy
invasion could warrant regulatory intervention?
… the idea of detailed statutory codes negotiated with and issued
by the Privacy Commissioner would seem to be appropriate only for those
sectors or transactions with a clear need and a positive cost-benefit
for the community. [42]
3.46 The Committee notes, however, that the issue of need for a process
may be somewhat different to that of a discernible `cost benefit'. Many
representatives of the community strongly believed in a right to privacy
and in the security of personal information. There may be no immediate
financial benefit to the community (or financial loss, either) from the
development of rights, but this is not a factor that should dominate discussion
of access to rights.
Industry-specific needs.
3.47 Many industry groups did express a concern about inappropriate services
or legislation and the need for legislation which recognised the specific
needs of industry sectors. Thus, although many industries found the existing
privacy legislation inappropriate (as too inflexible, or not designed
for business) [43] many suggested ways in which
acceptable controls could be developed:
While privacy protection issues eg the confidentiality of personal
information have a high priority with the public, the implementation
of strategies to ensure that protection needs to focus on exactly what
is the problem or perceived problem and what are the costs and business
operational requirements that need to be considered in solving the problem.
An extension of the Commonwealth privacy legislation will fail that
test and consequently impose costly and difficult to implement generic
provisions on eg. the retail industry which needs a self regulatory
approach underpinned by some general principles. [44]
3.48 Some of the examples provided of specific industry requirements
included :
- the importance of recognising the range of databases in use, and the
range of purposes for which these were used; [45]
- the fact that some businesses only collect information, and thus cannot
guarantee that others won't misuse it; [46]
- the importance to retailers and suppliers of having appropriate systems
in place to deal with fraud, theft and possible product tampering; [47]
and
- cognisance of business standards and practices (although this relates
more to the role of a privacy commissioner). [48]
The shared interests of industry and the community
3.49 In the discussion on the rights and responsibilities of industry,
the Committee was concerned that the needs or interests of industry and
those of the community be clearly identified in order to determine the
extent of overlap. While there are many areas of considerable difference,
there are some issues where the needs of the different stakeholders are
similar.
3.50 The Committee considers, for example, that a consideration for the
business community is the adoption of standards and levels of protection
that maintain the community's faith in emerging technology. Referring
to some of the evidence raised in relation to electronic commerce [49]
the Committee notes the suggestion that there is a serious lack of confidence
in the emerging technology:
There is an emerging international consensus in relation to the information
economy in general, that government needs to foster a policy of management
framework, and promote markets for consumer control, confidence and
choice. A recent report to the Clinton administration … suggests,
as a principle for international discussion and agreement, that, `where
governmental involvement is needed, its aims should be to support and
enforce a predictable, minimalist, consistent and simple legal environment
for commerce. [50]
3.51 The view was supported by a major service provider group which recognised
that the needs of consumers will be shaped by their attitudes and experiences:
If such product development is put on hold because of a lack of consumer
faith in their legal protection then all parties will suffer.
Not extending a privacy regime to the private sector may negate many
of the benefits that such a regime could bring to the wider community.
Consumers have also indicated that while Codes of Conduct do make a
difference to their confidence levels concerning privacy, consumers
are only truly satisfied when they know that such Codes are backed up
by legislation. [51]
3.52 While the Committee has not received enough evidence to make any
definitive conclusions on this point, it does note it is important that
at a national level Australians continue to adopt and embrace the technology
of electronic commerce. A failure to do so could have damaging consequences
for Australia's wider competitiveness in international markets, in which
we profit from our expertise as a highly `technology literate' society.
3.53 This point was recognised by many industry representatives. At the
same time, some of these had difficulty in perceiving that confidence
in technology might only occur with greater protection, and that this
did not mean adopting the lowest common denominator – `Australian
business needs to ensure that its privacy controls are no stricter than
those of its global competitors.' [52] The
issue of the protection of personal data must not be subsumed by `business'
concerns that have not been substantiated.
International standards and obligations
3.54 Emerging international standards and obligations are increasingly
having an influence on the requirements and expectations on national privacy
protection schemes. Reflecting this, the first term of reference for the
inquiry refers to:
The need for Commonwealth privacy legislation to be extended to be
extended to the private sector, with particular reference to:
3.55 There are five sources of international law and standards relevant
to Australia in considering the need to extend privacy legislation to
the private sector. These are:
- the International Covenant on Civil and Political Rights;
- the Universal Declaration of Human Rights;
- the Organisation for Economic Cooperation and Development (OECD) Guidelines
Governing the Protection of Privacy and Transborder flows of Personal
Data;
- the Council of Europe Convention on data protection; and
- the European Union Data Protection Directive.
3.56 The sections below consider each of these in turn, and evaluate
the nature of the obligations they create, and the extent to which they
are binding.
International Covenant of Civil and Political Rights (ICCPR) and the
Universal Declaration of Human Rights
3.57 The ICCPR recognises the right to privacy in Article 17, which states:
(1) No one shall be subjected to arbitrary or unlawful interference
with his privacy, family, home or correspondence, nor to unlawful attacks
on his honour and reputation.
3.58 This provision is matched by the virtually identical Article 12
of the Universal Declaration of Human Rights:
No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to unlawful attacks on his honour
and reputation. Everyone has the right to the protection of the law
against such interference or attacks.
3.59 As a signatory to the ICCPR, including the Optional First Protocol
(permitting individuals to take complaints to the United Nations Human
Rights Committee), Australia is bound under international law by Article
17, which should be read in association with Articles 2 and 3:
Article 2
Where not already provided for by existing legislative or other measures,
each State Party to the present Covenant undertakes to take the necessary
steps, in accordance with its constitutional processes and with the
provisions of the present Covenant, to adopt such legislative or other
processes and with the provisions of the present Covenant, to adopt
such legislative or other measures as may be necessary to give effect
to the rights recognised in the present Covenant.
Article 3
(a) to ensure that any person whose rights or freedoms as herein recognised
are violated shall have an effective remedy, …
3.60 While it is clear, therefore, that Australia is bound to provide
legal protection for the rights of privacy, as well as effective remedies
for breaches of those rights, it is less clear what exactly is encompassed
by such a right to privacy. As the Privacy Commissioner commented:
These provisions, of course, are couched in very general terms and
give little guidance as to the boundaries of `arbitrary interference'.
[53]
3.61 The ICCPR gives little general indication as to whether the content
of Australia's current privacy laws is adequate, nor does it offer any
solution to the question of whether Australia is bound to provide legislative
guarantees of those rights in either the public or private sectors. Officers
of the Attorney-General's Department suggest that Australia has no such
obligation:
[Article 17 of the ICCPR] sets a general standard does it does not
impose an obligation on member countries to legislate for privacy protection.
[54]
3.62 The Committee notes however that in the Toonen Case, the United
Nations Human Rights Committee declared Australia's law to be in breach
of the provisions of the ICCPR, demonstrating an increasing likelihood
that Australia will be actively held to account for its compliance with
its international obligations. [55]
OECD Guidelines Governing the Protection of Privacy and Transborder
flows of Personal Data
3.63 The OECD Guidelines Governing the Protection of Privacy and Transborder
Flows of Personal Data were issued in 1980, and the core of the guidelines
consist of eight `Basic Principles of National Application' in Part II
(Guidelines 7 to 14). These guidelines provide the basis for the Information
Privacy Principles contained in the Privacy Act. [56]
3.64 Unlike Decisions of the Council, OECD Recommendations are not legally
binding. [57] However, in 1984 Australia announced
its intention to adhere to the Guidelines, subsequently incorporating
the following statement into the Preamble to the Privacy Act 1988:
WHEREAS Australia is a party to the International Covenant on Civil
and Political Rights, …
AND WHEREAS, by that Covenant, Australia has undertaken to adopt such
legislative measures as may be necessary to give effect to the right
of persons not to be subjected to arbitrary or unlawful interference
with their privacy, family, home or correspondence;
AND WHEREAS the Council of that Organisation has recommended that member
countries take into account in their domestic legislation the principles
concerning the protection of privacy and individual liberties set forth
in Guidelines annexed to the recommendation;
AND WHEREAS Australia has informed that Organisation that it will participate
in the recommendation concerning those Guidelines:
3.65 Submissions to the Committee have argued that Australia has failed
to comply with the OECD guidelines. Although the Privacy Act 1988
gives protection to information held by public sector agencies, it is
claimed that this is not sufficient:
Insofar as the private sector is concerned, it would be difficult to
argue that the Guidelines have been implemented in any sector except
that relating to credit reporting (Privacy Act 1988, Pt IIIA
(Cth)). So Australia has still failed to comply with the Guidelines
for thirteen years after announcing its adherence. [58]
Council of Europe Convention on data protection
3.66 A further source of international standards relating to privacy
is the Council of Europe Convention on Data Protection, which has
been in force since 1985 and has been signed and ratified by 18 European
countries. Chapter II of the Convention, which is binding on signatory
states under international law, addresses both private and public sectors,
and contains eight Articles which constitute `Basic Principles for Data
Protection' and are in many respects similar to those of the OECD Guidelines.
3.67 Although Australia is not a signatory to this convention, the convention
is still playing a significant role in European privacy developments,
and thus represents a significant international benchmark and standard.
To the extent that it reflects the OECD guidelines, it also strengthens
the general acceptance of the OECD guidelines.
European Union Data Protection Directive [59]
3.68 The Committee has also heard considerable evidence relating to the
effect of Directive 95/46/EC of the European Parliament and the Council
of the European Union, on `the protection of individuals with regard to
the processing of personal data and on the free movement of such data':
This requires the 15 EU member countries to harmonise their privacy
laws and to include provisions for prohibiting the transfer of personal
data to `third' (ie non EU) countries where adequate privacy protection
is not assured. [60]
3.69 The emergence of this Directive has been described as:
[T]he most significant international statement of information privacy
principles since the early 1980s. [61]
3.70 Professor Greenleaf argues that the nature of the privacy protections
required by the EU Directive is in many respects similar to the OECD Guidelines
and the Convention but goes further by including:
- Where information is obtained from third parties, rights to be informed
of matters such as the purposes of collection, obligatory nature thereof,
intended recipients, and subject rights [A11];
- Rights to have such corrections, erasures, or blocking (suppression)
of data communicated to third parties to whom the data has been disclosed
[A12];
- Rights to object to processing on `compelling legitimate grounds'
[A14(1)], and an opportunity to object to data being used for direct
marketing (by various forms of `opting out') [A14(2)];
- The subject's rights not to be subject to decisions significantly
affecting him or her which are based solely on automated processing
intended to evaluate personal aspects relating to an individual, except
where pursuant to a contract or legislative authority, and where there
are suitable measures to safeguard the data subject's legitimate interests
[A15]. The subject's right of access must also include a right to know
the `logic involved' in any such automated decisions [A12(1)].
- National laws are to specify `processing operations likely to present
specific risks `so that `prior checking' of such systems by the supervisory
authority can occur [A20].
- A general prohibition on the processing of personal data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership' and health or sex life [A8(1)] and
even stricter provisions concerning data on offences or `security measures'.
The implications for Australia
3.71 The opinions of witnesses to the Committee have been divided on
the significance that these provisions have for Australia, and in particular,
the effect that the Article 25 requirement for adequate privacy controls
in countries to which information about EU citizens is transferred might
have on Australian trade with the EU in the event that Australia's privacy
controls are found to be inadequate. The basis of the opposing points
of view lies with the question of whether a legislative response is necessary
to meet the EU privacy requirements, or alternatively, that the EU would
accept a sufficiently comprehensive self regulatory scheme.
3.72 The Attorney General's Department argues that the directive has
few implications for Australia:
[T]he directive will have no necessary immediate or comprehensive effect
on trade with countries outside the EU. This is the case for a number
of reasons. First, the Directive applies to only those commercial transactions
that involve the transfer of personal information. …
[R]estrictions would only come into effect if a concern was raised
about a particular transfer or set of transfers and the country in question
was found not to provide an adequate level of protection in relation
to the particular transfer.
The Directive provides that adequacy is to be assessed in light of
all the circumstances surrounding the transfer or set of transfers.
… The Directive does not specify that legislation is necessary
to establish adequacy.
The Directive does not define adequacy nor does it specify what may
be required for protection to be regarded as adequate for a particular
transfer or set of transfers. The EC is still considering the criteria
to be applied in making decisions about adequacy. [62]
3.73 Similarly, the Committee has heard from the Australian Chamber of
Commerce and Industry that the EU Directive does not require that Australia
legislate to protect privacy in order to safeguard Australia's trade with
Europe:
EU requirements are far from being settled and likely to be sufficiently
flexible to accommodate effective self regulatory regimes in trading
partners like Australia. [63]
3.74 These views were mirrored by the Australian Bankers Association.
[64]
3.75 In supporting this view, the ACCI point to the comments of the Head
of the EU Delegation to Australian, Aneurin Hughes, who stated in a then
recent article:
[W]e do not have any objection to the use of self-regulation but we
must be sure that it will create enforceable rules and meaningful rights
for individuals.
Sectors where data flows with the EU are more common, such as direct
marketing, financial services, travel and the electronic commerce services
sector more generally, should look at ideas on how to introduce effective
industry codes where audit and enforcement can be adapted to fit their
sector.
Australia can also expect from us what I think we have already shown
so far: an attentive ear; a readiness to look at results rather than
the form and above all, a desire to make the protection of privacy part
of the strong foundations for the further development of electronic
and traditional commerce. [65]
3.76 Proponents of this view therefore suggest that the EU is demonstrably
willing to accept a self regulatory approach, and there is no presumption
of a legislative response.
3.77 Others however, argue that although a legislative response may not
be a requirement, it is certainly the preference of the EU, as the EU's
delegate to Australia made clear in the article referred to above:
[W]e continue to prefer legally binding rules in the area of protection
of human rights and in particular the privacy of individuals because
of the legal security they provide, namely in terms of enforcement and
redress … [66]
3.78 Mr Hughes also clarifies that even though the EU is prepared to
consider self regulatory schemes, they must be effective ones. The EU
will look beyond the form of a regulatory scheme to address the substance
of the protections afforded:
Any code must have genuine `teeth' – dissuasive sanctions for
non-compliance or regular audits certifying compliance, together with
a means by which an individual can obtain a remedy where it is clear
that the code has been broken. [67]
3.79 The more rigorous interpretation of the EU position was also made
by the Privacy Commissioner:
[T]he EU will require a very robust self regulatory scheme before it
is prepared to assess an industry sector as adequate. … While it
appears that a sector could meet the EU adequacy criterion with an entirely
self-regulatory scheme, it is clear that the EU will require much more
than a well intentioned statement of principles. [68]
3.80 This being the case, it seems doubtful that Australia's current
privacy protections, or voluntary self-regulatory codes, would meet the
standards required by the EU. Only limited sectors such as the credit
reporting sector and ACT and Federal government agencies would qualify,
as would Victoria if the proposed legislation is passed. [69]
Mr Nigel Waters, a former EU Data Protection Commissioner who has provided
advice to the EU on privacy issues, states:
While I in no way speak for the EU Commission, my work for them puts
me in a good position to assess the likely impact on Australia. It seems
very clear that even if there was widespread adoption of the Commissioner's
National Principles, it would be extremely unlikely for Australia
to be assessed as having `adequate protection' in its entirety, in the
absence of effective compliance mechanisms. [70]
3.81 This view is reflected by the Privacy Commissioner:
the available indications of EU thinking on the question suggest that
Australia's existing mixture of statute law, common law, voluntary guidelines
and unwritten rules may not be enough to ensure that, as a country,
Australia would be assessed as having an adequate standard of protection
in place. [71]
3.82 According to the Australian Law Reform Commission, the EU Directive:
arguably is now the statement of international best practice. At present
Australia law and practice (at Federal, State and Territory level) does
not meet the minimum standards. [72]
3.83 These arguments also reject the view that individual or sectoral
privacy protections can be used where necessary, via Article 26 which
allows for case by case transfers if guarantees are secured by contract.
Submissions to the Committee have argued that although potentially expeditious
in the short term, especially for large corporations with high data flows,
in the longer term, this approach would be counter-productive. Mr Nigel
Waters suggests:
Even if some sectors or jurisdictions are able to pass the EU `adequate
protection' test, this would still leave most Australian businesses,
and governments, in the situation of having to demonstrate on a case
by case basis that they ensured adequate protection for particular transfers
of personal data from Europe. The cost, and cost of uncertainty, involved
will potentially massively outweigh the modest compliance costs associated
with a sensible, light handed statutory privacy scheme. [73]
3.84 Other submissions agree. The Privacy Commissioner argued that it:
[W]ould be far easier – and almost certainly less costly in aggregate
– if Australia or entire sectors within Australia were assessed
under Article 25 as having adequate privacy standards in place, …
[74]
3.85 Professor Greenleaf also argues:
I came to the conclusion that any self-regulatory measures that attempt
to address the European Union's requirements are unlikely to do so except
at very considerable cost and uncertainty to the Australian businesses
concerned. [75]
It seems pretty clear that although there are some very serious initiatives
taking place to develop standard contracts that can be used between
European data exporters and processors in other countries, that is not
going to provide a comprehensive solution to the problem. [76]
Australia's international obligations – conclusions
3.86 Having examined the sources of international laws and standards
relating to privacy, the Committee arrives at several conclusions.
3.87 First, under the terms of the ICCPR and the OECD guidelines, Australia
is obliged to provide effective and enforceable privacy protection measures
for its citizens. In this respect, as Professor Greenleaf states:
Australia's current privacy laws mean that Australia has not honoured
its international commitments to protect privacy. [77]
3.88 Second, the practical effect of international standards such as
the Council of Europe convention and the EU Data Protection Directive
is to create an international benchmark of best practice for the protection
of privacy. The evidence to the Committee strongly suggests that Australia
is now behind such international best practice:
Australia now lags behind all fifteen European Union states, New Zealand,
Hong Kong, Taiwan and South Korea in its response to concerns about
privacy protection. [78]
3.89 According to Allan Rose of the Australian Law Reform Commission,
this has the following implications:
… I think the European directive … is best international
practice. ... inevitably, best international practice is going to prevail…
… looking through European eyes, we are setting ourselves apart
in a category of countries which has to be scrutinised, which has to
be looked at closely. We believe that will rebound to Australia's loss
in the short term and will amount to additional cost on Australian government
and business in the longer term. [79]
3.90 The Committee further concludes that although none of these international
standards necessarily require the adoption of a legislative approach to
privacy protection, there remain strong practical incentives to do so.
The Committee therefore considers that action should be taken to introduce
a privacy protection regime that complies with Australia's international
law obligations, and meets international best practice.
Conclusions
3.91 The Committee concludes that an adequate privacy protection scheme
to cover the private sector must have several key characteristics, which
must include certain core information protection principles, as well as
an enforcement system. Together, these must have the effect of creating
a system of enforceable rights and obligations that can private minimum
guarantees of an individual's privacy rights.
3.92 The detail and content of the privacy protection principles should
be guided by existing international benchmarks such as the EU Directive
on Data protection. Any Australian privacy regime should conform to such
standards, since they represent international best practice, to which
Australia should always aspire. Secondly, there is a considerable risk
that a failure to ensure sufficiently high standards could damage Australia's
trade interests by inhibiting the ability of trade partners to exchange
information and by limiting the confidence of the Australian public in
emerging technologies. These issues were raised by the Privacy Commissioner:
Apart from the formal legal obstacles to trade that lack of privacy
protections may pose for Australian businesses, there is a risk that
neglect of the issue may give Australia a reputation as an unreliable
destination for personal information, making foreign organisations wary
about including Australia in information networks where personal information
is involved. Other information intensive businesses could be deterred
from investing or locating in Australia. [80]
3.93 The Committee also considers that while industry has legitimate
concerns over regulation, it is important to clearly establish that the
needs of industry must not be permitted to override the duties that business
owes to the community and individuals to safeguard privacy rights.
3.94 On this point the Committee notes that the government may have placed
itself in a difficult position, potentially stuck between the conflicting
policies of the EU and the US. Australia's trade interests may be substantially
disadvantaged by a failure to meet the EU Directive but at the same time
Australia has signed a bi-lateral agreement with the US committing Australia
to the US laissez-faire approach to Internet regulation. [81]
The US position on privacy protection is already promising to cause problems
in respect of the EU Directive, with the US considering lodging a complaint
against the Directive with the World Trade Organisation. [82]
3.95 The Committee therefore recommends that the criteria outlined
in this chapter be used as a baseline for the development and evaluation
of a privacy regime applying to the private sector.
Footnotes
[1] Submission No. 33, Professor Greenleaf,
p. 27; Submission No. 51, Human Rights and Equal Opportunity Commission,
pp. 1-2; 11; 35-36.
[2] A good level of compliance will be characterised
by a high level of awareness amongst information holders of their obligations
in respect of that information, awareness of the rights of people who
have provided information. This criterion includes having the necessary
auditing and compliance monitoring authorities and measuring the level
of awareness that data-subjects have of their rights and the remedies
open to them. Importantly, this criterion requires the measurement of
actual compliance with the rules that guide the collection, storage and
use of information and consistency and coverage across jurisdictions,
industries and sectors of the community. See, Submission No. 33,
Professor Greenleaf, p. 27; Submission No. 51,
Human Rights and Equal Opportunity Commission, pp. 1-2; 11; 35-36.
[3] This must include an appropriate system
of independent arbitration, compensation to those who have had their privacy
rights breached and in appropriate cases, punitive sanctions for information
holders who breach privacy protection principles, in order to deter other
breaches.
[4] See European Commission, Working Party
on the Protection of Individuals with regard to the Processing of Personal
Data, Working Document: Transfers of personal data to third countries:
Applying Articles 25 and 25 of the EU data protection directive, available
at: dg15/en/media/dataprot/wpdocs/wp12en.pdf.
[5] It is noted that these criteria also are
the criteria endorsed by the EU and will be those against which that organisation
will assess the adequacy of privacy protection schemes.
[6] Attorney General's Department, discussion
paper Privacy Protection in the Private Sector, quoted in Submission
No. 51, Human Rights and Equal Opportunity Commission, p. 970.
[7] See also below, Chapter 7, Paragraphs 7.88-7.89.
[8] This analysis is taken from Submission
No. 51, Human Rights and Equal Opportunity Commission, p. 940.
[9] See Submission No. 16, Vonaldy Pty
Ltd, pp. 373-374. "The real need is to look to the rights of citizens
and residents. I believe that a visitor on a tourist visa should be considered
as protected by privacy legislation, even if not a resident or citizen,
and that all of these people might or might not fall under the term of
consumers."
[10] Submission No. 41, Australian
Chamber of Commerce and Industry, p. 713.
[11] Submission No. 41, Australian
Chamber of Commerce and Industry, pp. 714-715.
[12] Submission No. 41A, Australian
Chamber of Commerce and Industry, p. 1368.
[13] Submission No. 41A, Australian
Chamber of Commerce and Industry, pp.1368-1369.
[14] Transcript of Evidence, Australian
Law Reform Commission, p. 230.
[15] Transcript of Evidence, Australian
Law Reform Commission, p. 231.
[16] Submission No. 41A, Australian
Chamber of Commerce and Industry, p. 1369.
[17] This is attached to Submission No 41A,
Australian Chamber of Commerce and Industry, pp 1371-1375.
[18] Submission No. 41A, Australian
Chamber of Commerce and Industry, p. 1372.
[19] Submission No. 50, Mental Health
Legal Centre, p. 166. See also below Chapter 6, Paragraph 6.26.
[20] Submission No 43A, Australian
Bankers Association, p. 1379.
[21] 183 CLR 245. See also below, Chapter 4,
Paragraph 4.28.
[22] See below, especially Chapters 5 and 7.
[23] See below, Chapters 7 and 8.
[24] Submission No. 7, Australian
Privacy Charter Council, p. 241.
[25] Submission No. 31, Central
Queensland Resource Service, pp. 509-510.
[26] See especially Chapter 7.
[27] See Chapter 5.
[28] See Chapter 5.
[29] Submission No. 41, Australian Chamber
of Commerce and Industry, p. 715.
[30] Submission No 41A, Australian Chamber
of Commerce and Industry, p. 1369.
[31] Transcript of Evidence, Australian
Bankers Association, p. 268.
[32] Transcript of Evidence, Australian
Bankers Association, p. 274.
[33] Submission No. 41, Australian Chamber
of Commerce and Industry, p. 715.
[34] Submission No. 38, Telstra, p.
675.
[35] See below, Chapter 5 and also Chapter
7.
[36] Submission No. 41A, Australian
Chamber of Commerce and Industry, p. 1369.
[37] See below Chapter 5, Paragraphs 5.78-5.144.
[38] Chapter 5 covers this point in more detail.
[39] See below, Chapter 7, Paragraphs 7.45-7.48.
[40] Submission No 43, Australian Bankers
Association, pp. 735-736.
[41] See below, Chapter 5. See also Submission
No. 39, Credit Union Services Corporation, pp. 680-681.
[42] See Submission 41A, Australian
Chamber of Commerce and Industry, p. 1371.
[43] See below, Chapter 5; see also Submission
No 43, Australian Bankers Association, p. 735:`the principles in the
Privacy Act do not recognise the post-Wallis environment in the financial
system characterised by:
the formation of financial conglomerates where products and services
are not necessarily identified with their traditionally recognised suppliers,
and
a broadening range of financial products and services and the packaging
or bundling of them.'
[44] Submission No. 10, Australian Retailers
Association, p. 314.
[45] Submission No. 10, Australian Retailers
Association, p. 315.
[46] Submission No. 9, Australian
Credit Forum, p. 307.
[47] Submission No. 10, Australian Retailers
Association, p. 319.
[48] Submission No. 39, Credit
Union Services Corporation, p. 681.
[49] See above, Chapter 2.
[50] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 885.
[51] Submission No. 39, Credit Union
Services Corporation, p. 681.
[52] Submission No. 43,
Australian Bankers Association, p.736.
[53] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 869.
[54] Transcript of Evidence, Attorney
General's Department, p. 212.
[55] United Nations Human Rights Committee,
Communication No. 488/1992.
[56] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 870.
[57] Submission No. 33, Professor Greenleaf,
p. 553.
[58] Submission No. 33, Professor Greenleaf,
pp. 553-554.
[59] The Directive is discussed in further
detail, relative to the National Privacy Principles, at Chapter 5, Paragraphs
5.87-5.121.
[60] Submission No. 7, Australia Privacy
Charter Council, p. 241. Article 25 contains the adequacy requirement
and Article 26 the derogations. The Directive came into force on 25 October
1998.
[61] Submission No. 33, Professor Greenleaf,
p. 556.
[62] Submission No. 52, Attorney
General's Department, p. 1036.
[63] Submission No. 41, Australian
Chamber of Commerce and Industry, p. 720.
[64] Submission No. 43, Australian
Bankers' Association, p. 736.
[65] European Union News, Vol. 16 No.
4, May/June 1998, pp. 1-2. Quoted in Submission No. 41, Australian
Chamber of Commerce and Industry, p. 720.
[66] Submission No. 41,
Australian Chamber of Commerce and Industry, p. 719.
[67] European Union News, Vol. 16 No.
4, May/June 1998, pp. 1-2.
[68] Submission No. 51,
Human Rights and Equal Opportunity Commission, p. 871. See also Transcript
of Evidence, Australian Law Reform Commission, p. 225.
[69] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 871.
[70] Submission No. 8, Mr Nigel
Waters, p. 253.
[71] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 870.
[72] Submission No. 49,
Australian Law Reform Commission, p. 833.
[73] Submission No. 8,
Mr Nigel Waters, p. 253.
[74] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 871.
[75] Transcript of evidence, Profesor
Greenleaf, p.103.
[76] Transcript of evidence, Professor
Greenleaf, p.104.
[77] Submission No. 33, Professor
Greenleaf, p. 548.
[78] Submission No. 7, Australia Privacy
Charter Council, p. 240.
[79] Transcript of evidence, Australian
Law Reform Commission, p. 224.
[80] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 968.
[81] Agreement on Co-operation on Electronic
Commerce; see Financial Review, 1 December 1998, p 1 and p.2.
[82] The Age, 28 October 1998, p. A14.