Australia must rewrite privacy laws for the Information Age

The Australian Law Reform Commission’s landmark report For Your Information: Australian Privacy Law and Practice (ALRC 108), was launched today in Sydney by the Cabinet Secretary, the Hon Senator John Faulkner, and the Attorney-General, the Hon Robert McClelland MP.The three-volume, 2700 page report is the culmination of a massive research and consultation exercise conducted over two years, and recommends 295 changes to privacy laws and practices.

ALRC President, Professor David Weisbrot, said that “Although the federal Privacy Act is only 20 years old, it was introduced before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge our capacity to safeguard our sensitive personal information. 

“The Privacy Act has worked pretty well to date, but it now needs a host of refinements to help us navigate the Information Superhighway. These days, information privacy touches almost every aspect of our daily lives, including our medical records and health status, our finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.”

Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, added that “During our extensive consultations around the country, the overwhelming message we heard was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections.

At the same time, people appreciate that other interests often come into the balance—such as freedom of speech, child protection, law enforcement and national security. Australians also want the considerable benefits of the Information Age, such as shopping and banking online, and communicating instantaneously with friends and family around the world. And, of course, businesses want to be able to market effectively to current and potential customers, and to process data efficiently—including offshore.

Professor Weisbrot noted that “the ALRC was given many examples of the Privacy Act being used inappropriately as a reason for failing to provide information or assistance. Privacy regulators refer to this as ‘the BOTPA’ excuse, for ‘Because of the Privacy Act’. This underlines the pressing need for simplification and harmonisation of law and practice, as well as more education about what the law does—and does not—require.

“In For Your Information, the ALRC provides a clear framework for establishing world’s best practice in privacy protection. The massive range of issues has resulted in a huge report—but really this report comprises eight or nine substantial inquiries in one.

“A one-size-fits-all approach could never work, so we have endeavoured to craft sensible solutions to the various particular problems. In many cases, this will involve the Privacy Commissioner providing education and guidance to individuals, businesses and government agencies, but in other circumstances, stronger action and sanctions may be required.” 

The key recommendations in the For Your Information report include:

  • Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.  
  • Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information. 
  • Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances. 
  • Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions only should be permitted where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.
  • Improved complaint handling and stronger penalties: the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act
  • More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that some additional categories of ‘positive’ information should be allowed to be added to an individual’s credit file, in order to facilitate better risk management practices by credit suppliers and lenders.
  • Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important field. Recommendations also are made to deal with electronic health records, and the greater facilitation of health and medical research. 
  • Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues. 
  • Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach. 
  • Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.  

The Privacy Final Report and detailed Briefing Notes on 10 key areas—including children, credit reporting, health, data breach notification (fraud and identity theft), emerging technologies and creating an action for serious invasion of privacy—can be found at www.alrc.gov.au.