coherence
This page considers proposals for rationalisation of the
Australian privacy regimes, including establishment of
a tort of privacy and of a coherent national set of Unified
Privacy Principles (UPP).
introduction
The Australian Law Reform Commission's 2007 Review
of Australian Privacy Law discussion
paper (a three volume document of some 1,977 pages)
drew on community consultation and previous exploration
by federal and state/territory entities (notably the NSW
state Law Reform Commission) in proposing rationalisation
of the Australian privacy regimes.
That rationalisation would provide a substantially uniform
regime, reducing anomalies attributable to different laws
in the Australian jurisdictions, inconsistency in the
development and application of industry codes and government
guidelines, and anomalous exemptions.
As of late 2007 privacy in Australia is a confusing concatenation
of -
- state and national legislation (often with a sectoral basis),
- administrative arrangements (as noted in later pages of this profile,
  some states have relied on administrative orders rather
  than legislation to deal with privacy in relation to
  their public sector bodies)
- industry codes, conceived and administered in favour of consumers
  or otherwise
- a range of public and private sector regulatory bodies,
  some of which have been strongly criticised by past
  executives as supine or underresourced
- overlaps, exclusions and uncertainties (eg coverage of some state
  statutory bodies, quasi-statutory bodies and private
  sector contractors)
- judicial decisions moving unsteadily towards recognition
  of community expectations.
There is no national tort of privacy, ie a statutory cause of
action for breach of privacy. The European Commission
has criticised the Australian regimes as lacking parity
with international best practice. Other critics have noted
that principles and operational rules for the public and
private sectors are not the same, although both deal with
the same people and often cover the same information,
and commented that in practice the regimes are exception-
rather than principle-based.
The ALRC has thus suggested a national approach, founded
on a single set of Unified Privacy Principles (UPP) and
featuring a statutory cause of action for invasion of
privacy.
That suggestion has faced criticisms of varying significance,
with unsurprising opposition from the Direct Marketing
Association, comment by the Australian Bankers’
Association that adoption of UPP would be "premature"
and anxiety on the part of the Arts Law Centre that creativity
may be chilled.
unified principles
The paper proposes that
The Privacy Act should be amended to consolidate the current
Information Privacy Principles and National Privacy
Principles into a single set of principles … that
will be generally applicable to agencies and organizations,
subject to such exceptions as required.
Those UPP would be based on the NPP in the current federal Privacy
Act.
They would reflect a new objects clause that articulates
seven national objectives in relation to privacy, including
promotion of the protection of individual privacy, establishment
of a cause of action, promotion of "responsible and
transparent" information handling, facilitation of
electronic commerce and provision of "the basis for
nationally consistent regulation of privacy".
Those objects and thus the new UPP revisit the 1980 OECD
Guidelines, bearing in mind technological development
over the past two decades and continuing disagreement
about conceptualisation of personal privacy and corporate
data protection. The ALRC considers that privacy is not
an unqualified ‘right to be left alone’,
whether online or offline.
Adoption of the UPP would not require amalgamation of
current federal information law, for example fusion of
the Privacy Act, Freedom of Information Act
1982, Archives Act 1983 and Spam
Act 2003.
The expectation is that national government agencies and
the private sector would be directly covered by a single
set of UPP -
1 Anonymity and Pseudonymity
2 Collection
3 Specific Notification
4 Openness
5 Use and Disclosure
6 Direct Marketing
7 Data Quality
8 Data Security
9 Access and Correction
10 Identifiers
11 Transborder Data Flows
State/Territory government agencies would be covered by the same UPP in
legislation in those jurisdictions.
The UPP do not feature a discrete principle regarding
consent, with the paper noting that "treating consent
as a separate privacy principle may inappropriately elevate
consent to being the overriding factor in permitting or
restricting the handling of personal information".
Questions about consent would instead be addressed through
the proposed UPP. Application of the Transborder Data
Flow principle, for example, assumes that data subjects
would be alerted in contracts and pre-contractual arrangements
that fulfilment of the contract may require overseas transfer
of an individual's personal information, with entities
being held accountable where there was transfer in breach
of consent.
At the national level the UPP would apply except where
primary legislation "imposes different or more specific
requirements in a particular context" or "subordinate
legislation under the Privacy Act imposes different or
more specific requirements in a particular context".
That would accommodate health-specific privacy regulations
(the draft National Health Privacy Code), with
health information being covered by the UPP rather than
quarantined in a discrete health 'silo' administered by
separate agencies and tied to separate privacy objectives.
The Act and UPP are expected to be resilient, with few
changes over time; treatment of health privacy through
the proposed Privacy (Health Information) Regulations
is seen as allowing a flexible response to changing circumstances.
More broadly the use of regulations derived from the UPP
is an attempt to reconcile conflicting advice to the ALRC
that the Act should
- identify technology-neutral broad principles
- offer rules for practical application
- provide certainty without being so narrowly restricted
  as to be superseded by commercial/technological developments
- foster attention to the letter rather than the spirit of the
  law.