British novelist E M Forster famously offered two cheers for democracy. We might say the same about the national Privacy Amendment (Enhancing Privacy Protection) Bill introduced into Parliament last week. It is legislation that is a good start - but alas, overdue and inadequate.
The Bill begins the process of updating the Privacy Act 1988, the centrepiece of Australia’s national privacy regime. It is important to remember that privacy law in Australia is a complex and often contradictory mix of Commonwealth and state/territory statutes and judgements covering areas such as telecommunications, medical research and personal health data, national security, journalism and workplace surveillance.
The Bill reflects the Government’s acceptance in 2010 of 197 of 295 recommendations by the Australian Law Reform Commission (ALRC) in that body’s comprehensive For Your Information: Australian Privacy Law and Practice report. That report in turn reflected sustained criticism of the the 1988 Act. It also reflected overseas developments, notably the ongoing strengthening in Europe of EU Directives covering public/private sector data collection and European case law on matters such as national security and the protection of celebrities from egregious invasions of their privacy, given that respect for personal space is a fundamental human right.
What does the Bill do? It’s a beginning, rather than an ending, because it covers matters that are still contested and we may see significant changes before it becomes law.
The Bill eliminates the current anomalous differentiation between privacy principles covering the public sector.
It is a major step forward, because there will be a single set of principles – the Australian Privacy Principles - for the protection of all Australians. (Privacy is not an explicit power of the national government under the Australian Constitution and the Bill, when enacted, will therefore not supersede over 100 state/territory statutes that deal with the protection of personal data. It will also not enshrine privacy as a constitutionally-protected human right).
For many people the bleeding edge of privacy law has been their credit records. The Bill rationalises the current credit reporting regime, which has featured strong disagreement between competing industry bodies and examples of bad practice by particular enterprises. That rationalisation is to be strongly welcomed by consumers and business as providing greater transparency and certainty. Its success however will be dependent on action by the national Privacy Commissioner, an entity within the national Office of the Information Commissioner. Under the proposed law, credit providers will have access to additional personal information with the expectation that more data will facilitate “a more robust assessment” of credit risk and “responsible lending” that may also “result in reductions to the cost of credit for individuals”. As with much finance, we will trust that lenders will pass on their savings to consumers.
The Bill aims to give the Commissioner greater powers, for example scope for “own motion” investigations rather than in response to complaints by individuals who claim that there privacy has been disrespected. It is unclear whether the Commissioner will make effective use of those powers, given difficulties with resourcing and perceptions – fair or otherwise – that the office lacks both the will and expertise to take on particular interests. Historically it has endorsed industry practice that although commonplace, is below overseas benchmarks and is less than desired by many Australians.
The Commissioner will be able to recognise external dispute resolution mechanisms, something that is consistent with the trend to outsourcing and administration and presumably welcomed by business.
The Bill does not provide for a tort of serious invasion of privacy - that is, scope for an individual to seek compensation over an invasion of their privacy by an individual or an organisation. That tort has been recommended by the ALRC and by the law reform commissions of New South Wales and Victoria. It is thus hardly a radical or alarming notion, although it has been strongly opposed by the major media groups and some legal practitioners. The Government’s willingness to proceed with suggestions for establishment of the tort as we head towards an election is unclear.
Enactment of the Australian Privacy Principles is a step forward, deserving of two cheers even if we ask why has it taken so long and wonder how the APP will be interpreted by the Privacy Commissioner. Rationalisation of credit reporting law, in conjunction with the National Consumer Credit Protection Act 2009 (NCCPA) is also meritorious, although in one of the most messy areas of privacy practice we will need to see how business implements the revised arrangements and whether there is meaningful enforcement by the Privacy Commissioner.
Lawyers and managers across Australia are just starting to assimilate the 242-page Bill. In a month that’s seen another major data breach involving one of Australia’s leading corporations and further revelations about disregard of privacy by News Corp (not much contrition there) we might ask whether the big end of town has yet to get the message about privacy and whether people will simply get lost in the detail. It’s too early to cheer.