Chapter 8

Privacy in the Private Sector

Chapter 8

Co-Regulation – Costs and Constitutionality

Costs

8.1 The Committee has heard the concerns of a number of witnesses, arguing against federal privacy legislation on the grounds of increased regulatory burdens and associated compliance costs. Indeed, the desire to minimise such burdens on industry prompted the decision by the Prime Minister to abandon the model initially proposed by the Attorney-General's Department in favour of a purely self-regulatory system. [1]

8.2 However, as was noted in Chapter 7, the issue of costs is one about which much has been said but little has been studied. It requires further detailed examination by experts. Much of the information which has been provided to the Committee, therefore, is only approximate and much of it has to be treated with scepticism.

Types of costs incurred

8.3 The costs associated with a regulatory scheme can be broadly divided into two categories, administrative and compliance. Administrative costs are those incurred by a government agency responsible for supervising the legislation. Compliance costs are those incurred by industry in complying with the requirements of the legislation.

8.4 It is self evident that within the broader context of achieving a policy objective, any regulatory system should attempt to minimise both administrative and compliance costs. The NZ Privacy Commissioner suggested that excessive compliance costs can have the following negative effects:

    Discourage business growth and employment – they divert the energies and resources from more productive uses, deflecting firms' focus from core business;

    Erode international competitiveness – which will be the case if firms offshore face lower compliance costs; and

    Hinder compliance – if compliance costs are too burdensome, businesses are less likely to meet their obligations. [2]

The costs of compliance for business

8.5 Despite a certain amount of rhetoric from witnesses, the Committee finds it is impossible to generalise on the subject of the costs of a regulatory scheme. The exact nature and size of such costs will vary enormously depending upon the particular regime imposed; different types of business operations, and the extent of existing privacy protection systems already in place. As a Victorian discussion paper points out:

    The cost implications of the data protection regime will vary greatly from organisation to organisation. They will depend on the size and complexity of the organisation and its exposure to personal information. [3]

8.6 The New Zealand Privacy Commissioner found that costs can include appointment of privacy officers, review of forms, instituting complaints handling mechanisms, dealing with access requests, and initial education and training. Probably the highest additional costs are those imposed by registration and licensing systems include payment of annual fees, and reporting requirements. As Coles Myer stated:

    The costs of implementing any scheme would vary depending on the end requirements and the time frame for implementation. Some costs will be borne as part of planned efforts of business to modernise and improve databases, but other costs would be additional. For example, training and administrative costs, plus additional communications material regarding privacy and so on. [4]

8.7 The Committee also notes that these types of cost must be distinguished from costs associated with lost profits:

    because a privacy law declares that certain types of activities are no longer acceptable, it may be very profitable, for example, to have unrestrained sale of mailing lists, or to be allowed to use personal information generated by one aspect of a company to promote business activities by an unrelated part of the company, but the loss of those `windfall' profits because they are contrary to the limits on the use and disclosure of personal information. in some cases businesses seem to be complaining about the loss of profitable but socially undesirable activities. [5]

Cost benefits of privacy controls

8.8 Some evidence to the Committee has also indicated that there can be positive aspects arising from privacy controls. Foremost among such advantages are the significant cost advantages derived from a single national privacy law:

    The other major factor about not having a federal scheme, and possibly having many state schemes, is the cost of compliance. Under a federal scheme it would be one set of rules to follow. Under separate state schemes, one organisation operating nationally would be require to comply with seven different laws. [6]

8.9 The New Zealand Privacy Commissioner also points to the wider advantages of a simplified and consistent legislative approach:

    Seamless law has a variety of benefits by avoiding lacunae, loopholes and demarcation disputes, a further benefit is the transferability of people, experience and techniques between the public and private sectors having the same privacy requirements, it is also consistent with notions of “level playing field” and maximum choice in provision of services. [7]

8.10 Evidence has pointed to other advantages to business. Perhaps the greatest of these is the increased consumer confidence in emerging technology that will develop through legislative backing to privacy protection. Chapter 2 discussed the negative effects that a lack of consumer confidence in privacy protection can have on the adoption of emerging technology. A legislative baseline could do much to establish greater consumer confidence as the Credit Union Services Corporation states:

    If consumers become slow in their take up of such technology because of fears relating to protection of data, the loss will be across the community. CUSCAL advocates the establishment of legislation and regulation within which on-line commerce and many other new technologies can flourish. [8]

8.11 Businesses may also benefit from access and correction rights assisting businesses to maintain accurate records especially when data subjects may be charged an administrative charge to access their information. A New Zealand council also made the following observation:

    Cost have not been high … It gave us an opportunity to identify all information and reassess our need to gather it … [9]

8.12 Finally, a uniform system representing international best practice has the advantage, especially significant for small businesses, that there is no requirement to prove on a case by case basis that they comply with any particular privacy standards such as that for the EU:

    Even if some sectors or jurisdictions are able to pass the EU `adequate protection' test, this would still leave most Australian businesses, and governments, in the situation of having to demonstrate on a case by case basis that they ensured adequate protection for particular transfers or personal data from Europe. The cost, and cost of uncertainty, involved will potentially massively outweigh the modest compliance costs associated with a sensible, light handed statutory privacy scheme. [10]

8.13 For these reasons, the Committee concludes that cost factors do not always favour the argument against legislation to protect privacy, and that legislation can in some instances provide cost benefits. As Professor Greenleaf has pointed out, in many ways it is not a choice between no cost and cost, but rather of the cost of not bringing in a scheme compared to the cost of doing so. [11]

Costs of implementing the EU data protection directive

8.14 The Committee also received evidence that a UK source has estimated the cost of implementing the EU Data Protection Directive at £1,892 million. [12] Although not directly relevant to any proposed Australian response, the Committee notes materials provided by the Privacy Commissioner indicating that such an estimate is difficult to sustain; and, as noted above, the submissions to the Attorney-General's Department's discussion paper were also heavily supportive of a co-regulatory scheme and did not perceive that costs would be excessive. [13] The issue of costs can be exaggerated.

8.15 In rebutting this claim, the Registrar points to an 80% commonality between the existing legislation; the provision for a three year transitional period in which companies can achieve compliance, and an unrealistic approach to accounting, including assuming the need for manual verification of all information contained in each companies' files. [14]

8.16 These arguments cast doubt on the accuracy of such claims, and the Committee has received no further evidence on the point with which to contrast or verify the likely costs of complying with the EU directive.

Costs of implementing the New Zealand model

8.17 Given the similarity of the co-regulatory model proposed by the Committee to that of the system in place in New Zealand, it is of greater interest to examine the results of the review undertaken by the New Zealand Privacy Commissioner into the compliance costs associated with the New Zealand Privacy Act.

8.18 The review concludes that costs are not unreasonable, and employer, insurance, government and business groups have not reported any significant problems with the legislation: [15]

    With regard to the rest of the Privacy Act 1993, our members do not report any major difficulties and have found that compliance is largely a matter of good business practice. – Insurance Council of New Zealand

    Compliance costs seem to be reasonably efficient and minimal and the Act quite flexible in this respect. – NZ Association of Social Workers Aotearoa

    Although any “non-business” cost is an imposition on business, to date it does not appear that compliance costs are excessive. – NZ Employers Federation

The extent of added costs

8.19 It is clear that it is largely unproductive to speculate on the compliance costs of legislation, since such costs vary wildly according to the nature of the requirements imposed by the particular laws. What can be stated with confidence is that there are certainly legislative options available that do not impose unacceptable compliance costs.

    A survey conducted by Price Waterhouse in 1997 revealed that major Australian businesses estimate that costs might not be significant. Of the 130 companies that responded, 79 percent felt that only minor changes to their business practices would be necessary to comply with privacy legislation. Nearly two thirds of the companies, most with sales figures in the billions of dollars, believed it would cost them less than $100 000 to conform to any privacy legislation – less than 0.001 per cent of sales revenue. …

    The cost of the regime for small business is not expected to be onerous. A quantified guide might emerge as a result of a current review of the New Zealand Privacy Act by the New Zealand Privacy Commissioner, His clear impression is that the net compliance costs for most small businesses in New Zealand have been low. [16]

8.20 Two further points are worthy of consideration. The first is that any business that deals extensively with information must necessarily incur costs associated with the handling, storage, security, updating and general administration of their files. Equally, as has been discussed in Chapter 4, existing legislation or common law rules may impose various requirements or limitations on the handling of information, such as in the banking, insurance, medical, legal industries. It is therefore important to identify not so much the outright cost of complying with any proposed privacy legislation, but rather the extent of any additional costs.

8.21 Secondly, the Committee notes that there is an inherent problem with the arguments of those who oppose any form of legislation in favour of self-regulation. The Committee considers that to be effective, any form of regulation, be it legislative or self-regulatory, must involve the creation of some obligations. That being the case, the Committee has yet to see any argument demonstrating why legislatively imposed burdens necessarily cost more than self regulatory ones.

Conclusions

8.22 The Committee recognises that in developing a privacy protection system, it is important to minimise the regulatory burden and compliance costs to industry. Nevertheless, the Committee concludes that such costs will depend upon the exact nature of the system in question, and it cannot be assumed that a legislative system will necessarily entail high compliance costs. As the New Zealand Ministry of Justice concluded on the same point:

    The Ministry has in the past undertaken some work concerning compliance costs and the Privacy Act. Our conclusion drawn from these experiences is that while at an anecdotal level there are assertions of burdensome compliance costs, few organisations are able to substantiate these claims with concrete evidence that the Privacy Act imposes long term compliance costs, beyond that expected from appropriately targeted regulation. [17]

8.23 Given the evidence of low costs associated with the co-regulatory model adopted in New Zealand, developed with the minimisation of compliance costs as an explicit objective, the Committee considers that a similar system in Australia would not impose unacceptably high costs.

8.24 Recognising the importance of keeping costs to a minimum, the Committee recommends that any proposal for new legislation, once finalised, be subject to a specific costing analysis to ensure that costs are not unreasonable in the context of the social objectives of the legislation.

8.25 To that extent, the Committee endorses the comments of Coles Myer on this point:

    We are not convinced that the costs of any self-regulatory or co-regulatory approach have been properly evaluated. We submit that a comprehensive regulatory impact analysis of any proposed framework should be undertaken. This would ensure that the costs associated with the implementation of any proposed scheme do not outweigh any public benefit and that the most efficient and effective system is being utilised. [18]

Constitutionality of Commonwealth privacy legislation

8.26 The Committee recognises that a general question in considering the Commonwealth Government's role in creating privacy legislation for the private sector, is the extent of the Commonwealth's constitutional power to create such legislation. The Attorney-General's discussion paper does not really consider this issue, assuming that there is sufficient power to enact a co-regulatory scheme.

8.27 The Committee received limited evidence on this point. The Attorney-General's discussion paper [19] appears to share the assumption of most submissions that adequate Commonwealth power exists to legislate for privacy in the private sector. This, however, is not necessarily clear. The Australian Law Reform Commission in its submission stated that:

    … there are doubts as to the constitutional authority of the federal Parliament to exclusively legislate to introduce privacy legislation across the private sector. In ALRC 22, the Commission considered that while a national approach to privacy protection was desirable, the Commonwealth may not have the constitutional authority to enact such a comprehensive scheme … [20]

8.28 This issue has also been considered by the Senate Community Affairs References Committee in its inquiry into access to medical records. [21] That Committee acknowledged that insufficient thought had been given to the question of whether the Federal Parliament possessed the constitutional authority to establish nationally-based privacy protection laws across the private sector. The Committee considered that this uncertainty should not deter the Parliament from legislating, but that it should prompt an immediate consideration of the appropriate mechanism for introducing privacy legislation.

Constitutional principles

8.29 The Committee has not received sufficient detailed evidence on the constitutional question to arrive at any definitive conclusions. However a review of several basic constitutional principles is useful in allowing some general observations.

8.30 In assessing Commonwealth law making powers, a starting point is the enumerated powers doctrine of the constitution. [22] Under the Australian Constitution the Commonwealth is granted certain specific legislative powers, principally enumerated in Section 51, and the states are left with the unexpressed residue. Thus, the Commonwealth is a “government of enumerated or selected legislative powers”. [23] It is a polity of limited powers, a “body politic for certain specific purposes … These purposes must all be found within the four corners of the Constitution.” [24] Therefore, it can be assumed that in the absence of any express constitutional power, the states retain power in relation to a particular matter.

8.31 Historical practice has however, modified this simple presumption, which is now subject to a number of qualifications. This in part stems from the fact that with few exceptions, the Constitution creates no exclusive powers, either for the Commonwealth or the States.

8.32 Three basic principles of interpretation are now established. Firstly:

    subject to certain exceptions the heads of power in section 51 of the Constitution are to be interpreted separately and disjunctively, without any particular attempt being made to avoid overlap between them. The only consequence of overlap is that a law falling within more than one description of federal power is doubly valid.

    Secondly, the powers conferred by section 51 are to be construed liberally in accordance with their terms and without any assumption that particular matters were intended to be excluded from federal authority or `reserved' to the states. The alternative view, known as the `reserved powers' doctrine … was overthrown in the Engineers Case in 1920. … [N]ot only is each grant of power to be interpreted liberally, but the grant of power carries with it an implication that all powers necessary to carry the granted powers into effect are also granted. There is thus a wide “incidental” or “instrumental” power with respect to the granted subject matters.

    The third proposition flows from the other two. There is no requirement that Commonwealth legislation be exclusively about one of the granted heads of power. Indeed, there is no requirement that in terms of its intent or practical effect, the legislation be primarily predominantly or even substantially concerned with the granted head of power. [25]

8.33 This results in a broad basis for legislative power. An example of the operation of this position can be drawn from the use of the foreign affairs power, in an extract from the judgement of Mason J (with whom in substance the rest of the High Court agreed):

    The power to legislate with respect to trade and commerce with other countries … necessarily comprehends the power to select and identify the persons who engage in, and the goods which may become the subject of that activity … It is then for Parliament in its wisdom or for the person to whom Parliament delegates the power to decide who may export and what goods may be exported. The means and the criteria by which this choice is to be made are for Parliament to decide. There is nothing in the subject matter of the Constitutional power which justifies the implication in Parliament's power of selection. It does not follow, for example, that because the subject of the power is trade and commerce, selection of the exporter or of the goods to be exported must be made by reference to considerations of trading policy. [26]

Potential Constitutional heads of power

8.34 Directing this analysis to the issue of privacy, it is clear that, while the Constitution does not grant the Commonwealth any express `privacy power', there are other relevant heads of power in S.51:

  • trade and commerce [s. 51(i)];
  • postal, telegraphic and telephonic [s. 51(v)];
  • banking [s. 51(xiii)];
  • insurance [s. 51(xiv)];
  • foreign corporations and trading or financial corporations [s. 51(xx)];
  • marriage [s. 51(xxi)];
  • divorce and matrimonial causes [s. 51(xxii)];
  • invalid and old-age pensions [s. 51(xxiii)];
  • social security and other allowances [s. 51(xxiiiA)];
  • external affairs [s. 51(xxix)];
  • matters referred by States [s. 51(xxxvii)];
  • incidental matters [s. 51(xxxix)]; and
  • public service [s. 52(ii)]. [27]
  • financial assistance to the States [s. 96]

8.35 In combination, these powers provide the Commonwealth with the constitutional authority to legislate over most areas of privacy. Certain powers are of particular relevance. As the Australian Law Reform Commission report into privacy states, the power to regulate posts and telegraphs offers wide potential for the regulation of the content of information passing over telecommunications networks:

    Of all the heads of powers in s. 51 of the Constitution, this power appears the most suited to provide a wide, general source of federal regulation of information technology in Australia. [28]

8.36 International obligations, which were discussed in more detail in Chapter 3, also point to the relevance of the external affairs power. Officers of the Attorney-General's Department acknowledged:

    [I]f the Commonwealth government was so minded, there would be an array of constitutional powers that would be relevant, such as the corporations power and the trade and commerce power and the like, …

    It is possible that the foreign affairs power could be relevant, having regard to the EU directive, if it was necessary to take some action to preserve Australia's international trade and commerce. [29]

Conclusions

8.37 The Committee concludes that while some uncertainty exists as to the exact extent of the Commonwealth's legislative power over privacy in the private sector, given the broad spectrum of constitutional heads of power, it seems likely that the Federal Parliament has the legislative competence to enact privacy legislation over the private sector.

8.38 However, the wider question to be resolved is whether the Commonwealth has the constitutional authority to create legislation to comprehensively cover the field. The Committee notes the possibility that some areas may fall between heads of power, and therefore be susceptible to a constitutional challenge to their validity, as for example, with matters relating to local government, or unassociated partnerships.

8.39 For this reason, it has been suggested that it is preferable to adopt a cooperative approach to such regulation, between the federal and state parliaments:

    In Australia, if such a universal approach were considered desirable, it could only be achieved through the co-operation of the Commonwealth and State governments. [30]

This thinking was reflected in evidence presented to the Committee:

    Senator ABETZ - … you see the need for the Commonwealth and the states to cooperate because you do not believe that the Commonwealth necessarily has the complete capacity to legislate over the whole spectrum of privacy issues. Is that correct?

    Mr Rose – Yes, that is essentially right. We think that the Commonwealth has pretty broad power, … [31]

8.40 There are several methods that might be exploited to achieve such an approach. Possibly the most convenient is by means of Section 51(xxxvii) of the Australian Constitution, which gives the Commonwealth power over:

    Matters referred to the Parliament of the Commonwealth by the Parliament or Parliaments of any State or States, but so that the law shall extend only to States by whose parliaments the matter is referred, or which afterwards adopt the law.

8.41 An alternate approach is the creation of uniform model legislation that is simultaneously enacted by State/Territory and Federal parliaments.

8.42 These cooperative approaches have already been used with considerable success in other regulatory areas. As was noted by the Senate Community Affairs References Committee:

    The Commonwealth has achieved national uniformity in legislation in a number of key areas. Corporations law, trade practices law (specifically restrictive trade practices in connection with National Competition Policy) and occupational health and safety law provide working examples of Commonwealth/State cooperation resulting from … referral powers passed from the States to the Commonwealth under s. 51(37) of the Australian Constitution. [32]

8.43 The Committee concludes that although there is a wide constitutional basis for the Commonwealth Parliament to enact comprehensive privacy legislation, there may be some doubt as to the complete coverage of such legislation across all areas.

8.44 The Committee therefore recommends that the government investigate mechanisms to achieve a cooperative legislative approach with the State and Territory parliaments, that could ensure effective regulation.

Privacy and the Private Sector – Final Conclusions

8.45 The Committee believes the debate in the Commonwealth concerning privacy protection has gone on too long and, given the emerging technologies and international legal developments, it is in the national interest to resolve this matter. However, the Committee does not believe a hasty resolution is desirable if speed is given priority over a measured consideration of what is best for the community as well as for business and other groups.

8.46 As has been demonstrated in previous chapters, there is a strong case for the creation of uniform national privacy legislation that applies to all sectors of the community, including the private sector because:

  • The current legislative frameworks for the protection of privacy within the Commonwealth, at both the Federal and the State level do not adequately protect privacy or provide appropriate remedies.
  • International standards and obligations are not currently being complied with.
  • The current system mix of a patchwork of legislation combined with self-regulation is leading to incomplete coverage and ineffective privacy protection. As a result, the very evils that self-regulation was alleged to avoid are occurring:
    • an ad hoc approach to privacy protection;
    • a proliferation of privacy protection schemes;
    • a lack of co-ordination between schemes;
    • added costs to business;
    • harm to the competitiveness of Australian business in the international arena; and
    • uncertainty for the citizen.

8.47 For these reasons, the Committee concludes that the Privacy Amendment Bill 1998, although a useful response to the erosion of existing privacy protection caused by the outsourcing of government services, does not go far enough in extending privacy protection across the private and the not for profit/charitable sector.

8.48 The Committee strongly recommends therefore, the reconsideration of a co-regulatory scheme underpinned by national uniform privacy legislation applicable across all sectors. The scheme which was proposed by the Attorney-General's Department in their discussion paper provided what the Committee views as a practical and workable model, and one which received an overwhelmingly positive response from all sectors of the public.

8.49 The Committee commends the concept of a national scheme which promises to:

  • benefit the states, thus negating the need for separate privacy regimes;
  • benefit individuals; and
  • benefit commerce and industry by facilitating trade, producing certainty and reducing compliance costs.

8.50 Finally, the Committee urges the government to move both promptly and with a full understanding of the needs of the whole community to effect comprehensive privacy legislation in Australia. From the evidence, it is clear that an effective privacy protection regime is urgently required in Australia. It is equally obvious from the information set out in Chapter 7 that resistance by the business sector to legislation has been seriously exaggerated, to say the least.

Footnotes

[1] For a more detailed discussion of this decision, see Chapter 2.

[2] NZ Privacy Commissioner, Review of the Privacy Act 1993: Compliance costs submissions, May 1998, p. 6

[3] Discussion Paper – Information Privacy in Victoria: Data Protection Bill, July 1998, p. 20

[4] Submission No. 35, Coles Myer, p. 639K

[5] Submission No. 33A, Professor Greenleaf, p. 993

[6] Submission No. 43, Electronic Frontiers Australia, p. 727

[7] NZ Privacy Commissioner, Review of the Privacy Act 1993: Compliance costs submissions, May 1998, p. 9

[8] Submission No. 39, Credit Union Services Corporation, p. 685

[9] NZ Privacy Commissioner, Review of the Privacy Act 1993: Compliance costs submissions, May 1998, p. 9 – Franklin District Council, Submission WX2

[10] Submission No. 8, Mr Nigel Waters, p. 253

[11] Transcript of evidence, Professor Greenleaf, 28 July 1998, p. 102

[12] UK Government Document, Data Protection Bill – Cost of Implementing the EU Data Protection Directive, included in Submission No. 51, Human Rights and Equal Opportunity Commission , p. 1032

[13] See above Chapter 7, Paragraph 7.97.

[14] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 1032

[15] NZ Privacy Commissioner, Review of the Privacy Act 1993: Compliance costs submissions, May 1998, p. 3. Submission by the Insurance Council of NZ.

[16] Discussion Paper – Information Privacy in Victoria: Data Protection Bill, p. 20

[17] NZ Privacy Commissioner, Review of the Privacy Act 1993: Compliance costs submissions, May 1998, p. 3, Submission by the NZ Ministry of Justice.

[18] Submission No. 35, Coles Myer, p. 639K

[19] Attorney-General's Department, Privacy Protection in the Private Sector, Discussion Paper, p. 5.

[20] Submission No. 49, Australian Law Reform Commission, p. 835.

[21] Community Affairs References Committee, Report on access to medical records, June 1997, pp. 10-12.

[22] P. Lane, Commentary on the Australian Constitution, LBC, 1986, p. 128

[23] Amalgamated Society of Engineers v Adelaide Steamship Co Ltd (1920) 28 CLR 129 at 150

[24] A-G (Vic) v Commonwealth (1945) 71 CLR 237 at 282

[25] James Crawford, The Constitution and the Environment, (1991) 13 Sydney Law Review 11, p. 12 - 14

[26] Murphyores Incorporated Pty Ltd v The Commonwealth (1976) 136 CLR 1, p. 19

[27] For a wider discussion of these heads of power, see the Australian Law Reform Commission Report No. 22, Vol. 2, p. 189

[28] Australian Law Reform Commission Report No. 22, Vol. 2, p. 189

[29] Transcript of evidence, Attorney-General's Department, 5 August 1998, p. 211

[30] Australian Law Reform Commission Report No. 22, Vol. 2, p. 183

[31] Transcript of evidence, Attorney-General's Department, 5 August 1998, p. 227

[32] Community Affairs References Committee, Report on access to medical records, June 1997, p. 20