Australia – House Of Representatives Committee Tables Privacy Report.

29 September, 2012

 

Legal News & Analysis – Asia Pacific – Australia – TMT

 

In brief

 

  • On 17 September 2012, the House of Representatives Standing Committee on Social Policy and Legal Affairs tabled the results of its enquiry into certain aspects of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
  • The Committee recommended that the House of Representatives pass the legislation which will radically amend the Privacy Act 1988 (Cth) but, given the nature of concerns expressed by industry groups, further recommended that the operation of certain aspects of the legislation be reviewed 12 months after its commencement.
  • The passage of the legislation is gathering pace. The next step is to await the Senate Committee's report. Although there will be a nine-month grace period before the legislation comes into force once it is passed, now is the time to start reviewing internal privacy compliance processes to ensure that the transition is as seamless as possible.

 

Background

 

The key milestones in the evolution of Australia's new privacy regime have been as follows:

 

  • in January 2006, the adequacy of Australia's existing privacy laws was referred to the Australian Law Reform Commission (ALRC);
  • the ALRC released an interim report in September 2007, followed by a final report in August 2008;
  • the Australian government released an exposure draft of new privacy principles in June 2010, to be known as the Australian Privacy Principles (APPs);
  • in January 2011, the government released an exposure draft of legislation containing provisions dealing with the collection, use and disclosure of information for credit reporting purposes;
  • both government responses were referred to the Senate Finance and Public Administration Committee for consideration;
  • in June 2011, the Senate Committee published 29 recommendations on the government's exposure draft of the Australian Privacy Principles;
  • in October 2011, the Senate Committee published 30 recommendations on the government's response to the draft credit reporting provisions;
  • in March 2012, the Australian government responded to the Senate Committee's recommendations;
  • in May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was tabled in the House of Representatives, and specific issues were simultaneously referred to the House Standing Committee on Social Policy and Legal Affairs;
  • in June 2012, the Senate referred the Bill to the Senate Standing Committee on Legal and Constitutional Affairs for enquiry and report;
  • in September 2012, the House of Representatives Standing Committee on Social Policy and Legal Affairs recommended that the legislation be passed by the House of Representatives.

 

Issues considered by the Committee

The House of Representatives Committee was asked to consider specific issues, namely:

 

  • the adequacy of the proposed Australian Privacy Principles;
  • the efficacy of the proposed measures relating to credit reporting;
  • whether defences to contraventions should extend to inadvertent disclosures where systems incorporate appropriate protections; and
  • whether provisions relating to use of depersonalised data are appropriate.

 

Review of Australian Privacy Principles

 

Schedule 1 of the Bill contains proposed new Australian Privacy Principles which merge the existing Information Privacy Principles (which apply to Commonwealth public sector agencies) and National Privacy Principles (which apply to the private sector).

 

The Committee focused largely on APP 7 which regulates direct marketing activity, and APP 8 which regulates cross-border data flows.

 

APP 7 – Direct marketing activity

 

In relation to direct marketing, the Committee considered concerns raised by the Australian Direct Marketing Association and other interested parties that the title "Prohibition on Direct Marketing" in the legislation sent a misleading and confusing message because the legislation in fact permits direct marketing in many circumstances. It also considered a submission that the requirement for an "opt-out" provision in "each direct marketing communication" was not suited to all forms of modern direct marketing techniques, particularly media such as Facebook and Twitter which allow only limited character space.

 

The Committee was unpersuaded by the concerns raised in relation to direct marketing. In relation to the adoption of opt-out notices, the Committee emphasised that the legislation was flexible and could be fulfilled in a variety of ways, noting a suggestion by the Attorney-General's Department that advertisers should consider adopting shorter messages inviting consumers to opt out through a link as a viable option.

 

APP 8 – Cross-border data flows

 

In relation to cross-border data flows, the Committee focused principally on the extent to which an Australian organisation could be held accountable for the actions of third parties overseas.

 

APP 8.1 requires the disclosing entity to take reasonable steps to ensure that an overseas recipient of personal information does not breach the APPs, and section 16C provides that a breach of the APPs by the overseas recipient will be deemed to be an act or omission by the disclosing entity in Australia. It was submitted to the Committee that this placed too great a burden on organisations which regularly transferred data overseas, and concern was expressed that the provision might deter the growing use of cloud computing. The Committee rejected this concern, noting that any extenuating circumstances would be taken into account by the Privacy Commissioner when determining whether a penalty should be imposed.

 

Conflicting overseas laws

 

On a related issue, the Committee considered a concern raised by the Australian Bankers Association, amongst others, that Australian companies could be compromised in their compliance with the legislation when a disclosure of data was required by overseas law. A specific example related to disclosure requirements under the United States Foreign Account Tax Compliance Act 2010. At present, an exemption only applies to disclosures required under an "Australian law", and one suggestion was that this expression should be deemed to include applicable overseas laws. The concern was rejected by the Committee, observing that the specific issue regarding the Foreign Account Tax Compliance Act might be addressed at inter-governmental level.

 

Credit reporting issues

 

The Committee considered a number of issues relating to the proposed new credit reporting provisions in the Bill.

 

One issue related to concerns over the fact that a credit provider would be prohibited from disclosing credit eligibility information to overseas recipients which did not have an "Australian link". It was thought that this restriction would inhibit legitimate business practices as information may not be able to be disclosed to an off-shore agent or related entity for legitimate business purposes, and could particularly affect companies which had off-shore call centres or data processing facilities. This concern was rejected by the Committee which upheld the principle that the requirement for an "Australian link" ensured that Australian credit information did not leave the Australian credit information system and that foreign credit information did not enter the Australian credit information system.

 

The Committee gave further consideration to the inclusion of repayment history data in the credit reporting system. It noted concerns that this had potential to justify the refusal of credit due to poor repayment history where the borrower otherwise had a capacity to pay. The Committee was not swayed by this argument, noting in particular that lenders are already subject to various responsible lending obligations under the National Consumer Credit Protection Act 2009.

 

The other credit reporting issue considered by the Committee related to concerns about the restriction on the number of addresses that can be held on a credit report. It was thought that the proposed limit of an individual's current address and two previous addresses increased the risk of those individuals becoming untraceable. One suggestion was that this restriction should be expanded to include any other addresses of an individual over the previous five years. The Committee was "not convinced" that this provision would operate so as to render a disproportionate number of individuals untraceable.

 

De-identified data

 

The Committee considered, in the context of the proposed credit reporting provisions, section 20M of the Bill which contains a prohibition on credit reporting bodies using or disclosing de-identified credit reporting information, subject to compliance with certain rules. It was contended that the legislation imposed a greater level of regulation of de-identified data than any other modern economy. The Committee considered, however, that the Commissioner's power to make rules relating to the use of de-identified credit information for specific research purposes represented an adequate and appropriate safeguard, noting a submission from the Australian Privacy Foundation that "re-identification technologies are growing rapidly".

 

Recommended review period

 

The Committee recommended that the Attorney-General conduct a review of the functioning of the new privacy regime within 12 months after the Bill commences. The review would specifically address the following issues:

  • defence to contravention of APP 8 (which regulates cross-border data flows);
  • conflicting overseas laws;
  • direct marketing and opt-out provisions for direct marketing;
  • de-identified data provisions;
  • the system regulating/preventing credit reporting information overseas (the Australian link requirement); and
  • the effect of the repayment history provisions on addresses stored on file.

 

 

For further information, please contact:

 

Gordon Hughes, Partner, Ashurst

gordon.hughes@ashurst.com 

  

Tim Brookes, Partner, Ashurst

tim.brookes@ashurst.com

 

 
