The ALRC Report on Privacy

In a digital environment, approval of a data transfer makes about as much sense as approval of an ocean current.

In its preoccupation with a perceived threat to its independence arising out of the recommendation for a private right of action for invasion of privacy, the media commentary on the ALRC’s Privacy Report has missed its most significant aspects.

Among its many recommendations, the following deserve wide public discussion: regulating cross-border data flows; rationalisation of exemptions and exceptions; and uniform privacy principles and national consistency.

Regulating cross-border data flows

1. The existing law, which is based on the 1980 OECD Privacy Principles, regulates cross-border data flow by requiring an assessment of the level of privacy protection that will be provided to the data in the jurisdiction to which it is being transferred.  While some flexibility is built into the tests, the basic concept is that privacy protection in the receiving jurisdiction should be similar to that in Australia.  This approach was also taken, in a more bureaucratic form, in the European Union’s Privacy Directive of 1995.

2. Generally speaking, the EU Directive requires an assessment of the ‘adequacy’ of privacy protection in the receiving country if data is to be transferred without contractual privacy protection.  Australia’s law has been criticised by the European Commission (Article 29 Data Protection Working Party, Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2001) on a number of grounds and has not been assessed as ‘adequate’.   The Commission process has, in turn, been criticised by Australia and by some commentators (see, for example, keynote speech by Australian Attorney-General, Daryl Williams, QC at Data Protection and Privacy Commissioners’ Conference, Sydney, 10-12 September, 2003 )

3. While all EU member countries are bound by the Directive, practice differs across the EU in its application. National differences can be important in situations where transfer is to a country that, like Australia, is ‘outside the circle’. (Currently, the countries with ‘adequate’ privacy laws are Argentina, Canada, Guernsey, Isle of Man, Switzerland and the USA (‘Safe Harbor’ scheme). The list needs little comment.) Different approaches by national privacy authorities lead to differences in privacy practice across the EU.

4. While this approach may have been appropriate in the context of point to point data transfers, it is clearly unsuited to the information age where information flows constantly across the world.  Global information flows are integrated with production processes in ways that allow ‘around the clock’ service to be provided to customers.  Business in the twenty-first century is very different from business in the 1980’s and ‘90’s.  In a digital environment, approval of a data transfer makes about as much sense as approval of an ocean current.

5. The ALRC report eschews this approach altogether and instead adopts the formulation in the APEC Privacy Framework.  The basic principle is that, except in certain specified circumstances, the agency or organisation that transfers information outside the country remains accountable for it.

Rationalisation of exemptions and exceptions

6. The Privacy Act currently exempts small business, employees’ records and political parties from its application. The ALRC has recommended the removal of all these exemptions. There are also a number of complex exceptions that modify the operation of the exemptions.  Recommendations are made for the simplification of these provisions.

7.  In principle, the justification for these exemptions has always been tenuous.  When the Act was passed, the argument was that to apply it to small business would place too great a burden on a sector of the economy that needed relief and that, in any event, small business (businesses with a turnover of less than $3 million) involves less of a privacy threat than big business.  Of course it was recognised that some small businesses directly deal in personal information and provisions were made to include these in the coverage of the Act.  In relation to employment records, it was argued that sufficient regulation was already provided by the industrial relations regime.  In relation to political parties, there was general agreement within the Parliament that application of the Privacy Act would be inappropriate.

8. If these recommendations are accepted by the Government and the Parliament, small business will need a great deal of help to understand their statutory obligations.  Much of the burden would necessarily fall on the Privacy Commissioner but additional measures would also be required.  Some assistance may be derived from the OECD Privacy Statement Generator, but there may also be an increased demand for expert assistance from within the private sector.  Removal of the employee records exemption would also be likely to lead to increased demand for expert assistance.  The political parties exemption is in a different category but, having regard to previous experience in the Parliament and the fact that such an exemption is common in other countries, its adoption seems unlikely.

Uniform privacy principles and national consistency

9. Differences in the detail of the privacy regimes in the Commonwealth, New South Wales and Victoria, particularly in the health area, have given rise to difficulties in the resolution of particular complaints.  Privacy law is also unnecessarily complex and difficult to navigate.  To address these issues, the ALRC recommends that a single set of privacy principles apply to federal government agencies and the private sector and that the same principles also be applied to State and Territory agencies through an inter-governmental co-operative scheme.  The objective is that the same principles apply throughout Australia regardless of what kind of agency or organisation is handling the information.

10. To address the complexity of the law, the ALRC recommends a basic restructuring of the Privacy Act focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields such as health privacy and credit reporting.

Conclusion

11. In its media release of 11 August 2008,  the ALRC says that it ‘was given many examples of the Privacy Act being used inappropriately as a reason for failing to provide information or assistance.  Privacy regulators refer to this as the “BOTPA” excuse, for “Because of the Privacy Act”.  This underlines the pressing need for simplification and harmonisation of law and practice, as well as more education about what the law does – and does not – require.’

12. It is to be hoped that, in considering the report, the Government keeps this observation at the centre of its focus.

_________________________________

Peter Ford is a Visiting Fellow at the ANU College of Law with responsibility for coordinating the law internship program. He has also carried out a number of reviews relating to information sharing in security, law enforcement, privacy and immigration and has provided advice on identity issues.

Peter Ford was a member of the ALRC’s Advisory Committee on Privacy.