ADDITIONAL COMMENTS BY COALITION SENATORS
1.1
Coalition Senators are supportive of the need to reform Australia's
privacy laws, to provide clarity and certainty and to enhance the privacy of
citizens in many forms and media. But they are dismayed by the inept,
ham-fisted way in which these reforms have been attempted in this bill.
1.2
Many of the submissions to this inquiry, and much of the evidence before
the committee, were critical of the approach the government has taken to
produce this legislation. Witnesses reported that the legislation had taken an
inordinately long time to bring forward, that they and other stakeholders were
substantially in the dark on the consultation process, that the provisions of
the Bill were difficult to understand and that many provisions were so broadly
or vaguely couched that much behaviour, which is currently considered
acceptable in the marketplace, would be made unlawful in future. Some witnesses
suggested the Bill was so bad it should be rejected outright by the Senate.[1]
1.3
The depth of the dismay obviously felt by many stakeholders stood in
sharp contrast to the effusive, self-congratulatory language used by the
Attorney-General in introducing the Bill.
1.4
Dr Anthony Bendall, the Acting Victorian Privacy Commissioner, said:
Not only does this completely remove the presumption of
innocence which all persons are afforded, it goes against one of the essential
dimensions of human rights and privacy law: freedom from surveillance and
arbitrary intrusions into a person's life.[2]
1.5
Ms Katherine Lane, Principal Solicitor with the Consumer Credit Legal
Centre (NSW) Inc, said of the Bill's readability and how well people were being
prepared for their new rights and obligations:
No, there has not been anything. Nothing at all. It is
alarming...[E]very time I mention it to a client, they go white. They have no
idea that any of this is coming. It will have a profound impact on the way they
manage their household budget and their lives and their loans. Australia spends
a huge amount of money on financial literacy, but we have not got anything
happening on this.[3]
1.6
The Law Council of Australia noted:
[A] number of large penalties contained in the legislation
are out of proportion to the gravity of the contraventions involved...[We
regret] the availability of such significant penalties for events that may be
trivial and may happen very quickly if an error arises.[4]
1.7
Mr Simon Remington, Managing Director of Remington Direct, said:
[T]he inclusion of a 'prohibition on direct marketing' will
cause considerable confusion with our clients as to whether direct marketing is
permitted or not. This will have a direct, financial and reputation effect on
our business...This decision would unquestionably cost many jobs within our
industry plus within companies who use direct marketing to grow their business.[5]
1.8
The Australian Bankers' Association noted:
[A]s far as the general privacy provisions are concerned, the
proposed implementation timeframe in the Bill will be insufficient for our
members to implement those reforms effectively.[6]
1.9
Faced with this avalanche of criticism, Coalition senators considered
recommending that the Senate reject this legislation; however, we also note the
predominant tone of stakeholder criticism, which is to the effect that: the Bill
is deeply flawed, but privacy reform is urgent, so passing this package and
fixing the problems later is the lesser of two evils.
1.10
Coalition Senators are broadly supportive of the committee majority's recommendations
attempting to fix some of these problems. In other respects, we feel the report
could go further at this time.
Direct marketing principle (APP 7)
1.11
APP 7.1 prohibits a private sector organisation which holds personal
information about an individual from using or disclosing the information for
the purpose of direct marketing. APP 7.2 and APP 7.3 provide
exceptions to the general prohibition and are contingent upon an organisation
providing a simple means by which an individual may easily request not to
receive direct marketing communications from the organisation (APP 7.2(c) and
APP 7.3(c)).
Breadth of the principle
1.12
Facebook, Google, IAB Australia and Yahoo!7 submitted that the proposed definition
and application of 'direct marketing' would allow for an extremely broad
application of the prohibition in APP 7.1. The joint submission stated that, in
practice, this would prevent businesses providing any promotional
communications to consumers and would potentially undermine ad-supported
business models:
This is so broad as to potentially cover all forms of
communications between businesses and consumers that include any promotional
material, including, for example, free-to-air television advertisements and
free online, ad-supported services such as those offered by [us].[7]
1.13
Instead, Facebook, Google, IAB Australia and Yahoo!7 suggested an
alternative definition of 'direct marketing' and 'direct marketing
communication', which would allow consumers to continue to receive direct
marketing in certain circumstances:[8]
[T]he Proposed Law should not be read to (and we believe it
is not intended to) permit a consumer to opt out of all direct marketing, if
receiving direct marketing is part of the value exchange of the service that
the consumer is choosing to receive. To avoid this ambiguity, APP 7.2 and APP 7.3
should be rephrased. APP7.2 and APP7.3 each require that an opt-out of direct
marketing be provided. However it is not clear that the opt-out be from receipt
of direct marketing that relies on personal information. Rather it is
written as an opt-out of direct marketing altogether. In the event that 'direct
marketing' were interpreted to include advertisements, this would undermine
advertising based business models, which is surely not the intention of the [Bill].[9]
1.14
Coalition Senators note the Attorney-General's Department's (Department)
response to this concern:
APP 7 will not cover forms of direct marketing that are
received by individuals that do not involve the use or disclosure of their
personal information, such as where they are randomly targeted for generic
advertising through a banner advertisement. Nor will APP 7 apply if it merely
targets a particular internet address on an anonymous basis for direct
marketing because of its web browsing history. These are current online direct
marketing activities that will not be affected by the amendments.[10]
1.15
Coalition senators are not convinced, however, that the operational scope
of APP 7, as drafted and explained in the Explanatory Memorandum, would be
limited in this way. They note that the current business practice of these
organisations, and presumably thousands like them, does entail harvesting
personal information about, say, a subscriber's internet usage to direct
incidental advertising to that subscriber's web account. Making such practices
unlawful seems to repudiate widely used and well accepted marketing techniques,
but the extent to which the Bill does so is far from clear.
1.16
Accordingly, Coalition Senators consider that either APP 7 or the
Explanatory Memorandum should provide further clarification on this point to
provide greater certainty for relevant private sector organisations.
Opt-out requirement
1.17
In evidence at the second public hearing, an officer of the Department
elaborated on the application of APP 7, including the circumstances in which
direct marketing using personal information is permitted:
APP 7...sets up two situations for when people can use personal
information for direct marketing. The first is essentially where there is an
existing relationship with the customer, so the information has been collected
from the customer and that customer has been provided with an opportunity to
opt out of receiving direct marketing—essentially the point of collection. That
is APP 7.2.
The second situation is where information is being collected
from somewhere other the person—from other information or from whatever
source—and in that situation direct marketing can occur if, in relation to each
instance of marketing, the individual is provided with the facility to opt out
of receiving further direct marketing material. [That is APP 7.3]. [11]
1.18
The departmental officer advised that the 'real intention' of APP 7.2
and APP 7.3 is to give consumers control over the use of their personal
information in direct marketing.[12]
However, Coalition Senators observe that there may be implementation
difficulties, not just with the provision of a simple opt-out mechanism but
also the requirement in APP 7.3(d), allowing for direct marketing if:
(d) in each direct marketing communication with the
individual:
(i) the organisation includes a
prominent statement that the individual may make such a request; or
(ii) the organisation otherwise
draws the individual's attention to the fact that the individual may make such
a request[.][13]
1.19
Coalition Senators are of the view that, in a Bill intended to modernise
a legislative framework, the proposed provisions should be not only practicable
but should also, as far as possible, be 'future proofed' so that they can apply
to current and future technologies in an international operating environment. The
present provisions do appear to suffer from a lack of relevance to contemporary
online practice.
1.20
Coalition Senators are concerned that APP 7.2 and APP 7.3 will be
rendered meaningless if those provisions impose conditions which cannot be met
for technical or logistical reasons. It is no answer to simply assert that
private sector organisations must comply with what may be a practically impossible
requirement.[14]
'Repayment history information' and lenders mortgage insurers
1.21
Proposed new subsection 20E(1) (item 72 of Schedule 2) of the Privacy
Act prohibits a 'credit reporting body' which holds 'credit reporting
information' about an individual from using or disclosing that information. There
are a number of exceptions to this general prohibition (proposed new
subsections 20E(2)-(3)); however, under proposed new subsection 20E(4) a 'credit reporting
body' cannot disclose 'credit reporting information' derived from 'repayment
history information' to recipients who are not 'licensees' under the National
Consumer Credit Protection Act 2009, including, for example, lenders
mortgage insurers (LMIs),[15]
which are regulated by the Australian Prudential Regulation Authority.
1.22
The Insurance Council of Australia highlighted that LMIs assume the same
risk as lenders:
[I]mpeding their ability to assess this risk by denying
direct access to the full range of credit information is likely to
significantly affect the LMI providers' ability to actually provide LMI. This
will impact on the availability and accessibility of borrowers (particularly
first home buyers).[16]
1.23
Coalition Senators note that such an outcome would be contrary to some
of the benefits of privacy reform identified by the Attorney-General in her
second reading speech and, in particular, the enhanced ability of the finance
and credit industry to make more accurate risk assessments.[17]
Consistent with the introduction of more comprehensive credit reporting,
Coalition Senators consider that, with the appropriate safeguards, there is no
sound justification for disallowing LMIs from receiving 'credit reporting
information' from a 'credit reporting body'.
Cross-border disclosures of personal information – 'Australian link'
1.24
Items 4 to 7 of Schedule 4 of the Bill amend the definition of
'Australian link' in subsections 5B(2) and 5B(3) of the Privacy Act. Coalition
Senators note the intention of this amendment, as stated in the Explanatory
Memorandum:
The credit reporting system will not contain foreign credit
information or information from foreign credit providers (even if they have
provided credit to an individual who is in Australia), nor will information
from the credit reporting system be available to foreign credit reporting
bodies or foreign credit providers.[18]
1.25
The Explanatory Memorandum further indicates that the use of the term
'Australian link' throughout the credit reporting provisions in proposed new
Part IIIA (item 72 of Schedule 2) of the Privacy Act was considered to be a simple,
clear and effective approach to implementing the government's policy proposal.[19]
1.26
However, industry stakeholders gave evidence to the committee indicating
that the use of the term 'Australian link' in proposed new section 21G (item 72
of Schedule 2)[20]
of the Privacy Act will have an inadvertent and significant adverse effect on
business operations. For example, Mrs Sue Jeffrey from the ANZ Banking Group
Limited (ANZ) stated her company's position as follows:
[T]he Australian link requirement will have a major effect on
the way ANZ structures its businesses. For example, ANZ from time to time use
credit assessment teams in New Zealand to assist with processing home loan
applications during periods of high volume. We would like to retain this
ability to move work across our geographies in order to best meet the needs of
our customers. [The Bill] would represent a much more significant impact than
we expect was intended. It would be a backward step in ANZ's ability to structure
its operations in a way that supports our regional footprint and delivers our
customers efficient, high quality service. At the same time it would offer no
additional privacy protection to our customers.[21]
1.27
Mr Steven Münchenberg,
representing the Australian Bankers' Association, told the committee that there
was no reason why the 'Australian link' requirement should be so restrictive:
ANZ have modelled their business in a particular way and
other banks would have modelled theirs in different ways. Certainly [the
Australian Bankers' Association] cannot see any reason why a wholly owned
subsidiary in New Zealand should be banned from processing Australian data, nor
can we see a reason why a company that has been set up in New Zealand to
service New Zealand banks should not also be able to provide that service to
Australian-based banks – as an example – provided, of course, they comply with
either Australian standards or comparable standards in New Zealand...[W]e would
certainly want to see this extended to agents.[22]
1.28
The Communications Alliance representative, Mr John Stanton, similarly
referred to the application of the 'Australian link' requirement to service
providers contracted by telecommunications providers:
The implication for telecommunications companies that use
contractors offshore for service activation and sales activities, activities
which do require access to credit eligibility information, is that the
Australian link requirement would make it very difficult for them to continue
their work.[23]
1.29
The Department acknowledged that implementation of proposed new section 21G
has caused unforeseen difficulties, which the Department is endeavouring to
address.[24]
In other words, this provision is anything but simple, clear and effective, and
the Australian Government is asking the Senate to debate and pass the Bill
without a solution in sight.
1.30
Coalition Senators can scarcely credit that an issue as serious as this
was not identified and addressed much earlier than in the current inquiry. It
also raises the question of what other oversights the Senate might be asked to scrutinise
in the future, for example, conflict of laws arrangements necessitated by the
Bill.
1.31
In the circumstances, therefore, Coalition Senators reserve the right to
revisit their comments on the appropriateness and efficacy of the term
'Australian link' in the credit reporting provisions of Part IIIA of the Bill.
Use of de-identified
credit reporting information
1.32
Witnesses argued that proposed section 20M was unnecessary, in that de‑identified
information cannot, by definition, be a breach of privacy. Coalition Senators
agree. The regulation in the Bill of this kind of data seems a particularly
pointless exercise in creating red tape. Coalition Senators note that the
committee majority considers
that 'it is appropriate for secondary uses of 'credit reporting information' to
be regulated, particularly when it might be possible to re‑identify the
information', but no circumstances were brought to the committee's attention
where such a situation could arise.
1.33
Coalition Senators believe this provision should be reconsidered.
Senator Gary Humphries
Deputy Chair |
Senator
Sue Boyce |
Navigation: Previous Page | Contents | Next Page