Compliance burden and cost

14.2 The Terms of Reference for this Inquiry require the ALRC to consider ‘the desirability of minimising the regulatory burden on business’. Business has identified the pervasive nature of privacy requirements as an important contributor to the cumulative regulatory burden it faces.[1] The Australian Chamber of Commerce and Industry has reported that, in response to its 2004 Pre-Election Survey, 47.4% of Australian businesses polled considered that compliance with privacy requirements was a problem.[2]

14.3 The Taskforce on Reducing Regulatory Burdens on Business (the Regulatory Taskforce) heard that inconsistency in the areas of workplace surveillance, direct marketing and telemarketing laws, and having to supply information to multiple government agencies, contributed to compliance burdens and costs.[3] The Office of the Privacy Commissioner (OPC) review of the private sector provisions of the Privacy Act (OPC Review) was told that the lack of a single, national and comprehensive regime makes compliance more difficult and that the complexity of federal privacy laws (including the Privacy Act and the Telecommunications Act 1997 (Cth)) contributes to compliance costs.[4] The Senate Legal and Constitutional References Committee inquiry into the Privacy Act (the Senate Committee privacy inquiry) also heard about compliance burden and cost.[5]

14.4 The Regulatory Taskforce noted that nationally consistent privacy laws would reduce compliance costs for business,[6] and recommended that the Australian Government ask the Standing Committee of Attorneys-General (SCAG) to endorse national consistency in all privacy-related legislation.[7] In its response, the Australian Government stated that:

The Australian Government agrees to the recommendation and supports the goal of national consistency in privacy-related legislation. At the April 2006 meeting of the Standing Committee of Attorneys-General, Attorneys-General agreed to establish a working group to advise Ministers on options for improving consistency in privacy regulation, including workplace privacy.[8]

14.5 The Productivity Commission report, Performance Benchmarking of Australian Business Regulation, found that there was evidence that significant differences in compliance costs exist across jurisdictions. The Productivity Commission concluded that the benchmarking of regulatory burdens across jurisdictions could shed light on where and how such differences might be reduced and increase government accountability for the design, administration and enforcement of regulation.[9]

Do privacy laws cause an unjustified compliance burden?

14.6 The ALRC received a large number of submissions that claimed that the proliferation and fragmentation of privacy laws have increased compliance burden and cost for both agencies and organisations.[10] In particular, stakeholders noted that state health privacy legislation and workplace surveillance laws are creating complexity and unjustified compliance costs.[11] It also was noted that compliance burden is a particular issue for small businesses that are required to comply with the Privacy Act.[12]

14.7 In the Office of the Victorian Privacy Commissioner’s (OVPC) view, there is little evidence of the existence or extent of any compliance burden. It noted, however, that compliance burden is most likely to be a problem for organisations that do not have the resources to obtain advice and training about their privacy obligations, especially where they are working in an area that intersects with multiple privacy regimes. This often has an impact on service providers, especially where they receive joint Commonwealth-state funding.[13]

14.8 The OPC submitted that, in many areas, the compliance obligations are proportionate and appropriate to public expectations. It noted, for example, that the Privacy Act requires agencies and organisations to take actions that are ‘reasonable’ to fulfil obligations relating to notice requirements, data quality and data security. What is considered ‘reasonable’ is contextual, and may depend on the entity’s size and activities. The OPC stated, however, that it recognised that compliance costs escalate where entities must comply with multiple layers of privacy regulation, and suggested that

the solution may be to resolve questions of jurisdiction. For example, by clarifying that the Privacy Act ‘covers the field’ of the private sector to the exclusion of other jurisdictions’ privacy legislation. In other cases, governments and regulators may work together to promote greater consistency between regulations and administrative procedures, without disrupting existing regulatory frameworks.[14]

14.9 Inconsistency and fragmentation in privacy regulation are a problem for organisations that operate in more than one Australian jurisdiction. For example, the OPC Review was told by one organisation that operates nationally that

a single piece of personal information may be subject to two or more … legislative regimes at one time, creating conflicting obligations, different obligations or more onerous obligations in respect of the whole or parts of that same piece of information.[15]

14.10 The OPC Review also cited an instance where a national medication service operating via a call centre had to read different statements to obtain consent depending on the location of the individual (and the law that applied in that state or territory).[16] The Regulatory Taskforce also noted that this was an issue in the context of different laws relating to direct marketing.[17]

14.11 National organisations making submissions to this Inquiry noted that the main issue for them is compliance burden and cost.[18] In particular, differences in rules governing acceptable calling times for telemarketers, and state and territory laws dealing with the privacy of employee records, were highlighted as problematic.[19] State health privacy legislation also is creating problems for national organisations.[20] The OPC submitted that in some cases these problems are

an inevitable consequence of large-scale operations across a federal system, which national organisations are often better equipped to deal with due to their size. In particular sectors, including health, greater consistency in regulation would clarify obligations and may facilitate the implementation of interstate and national initiatives.[21]

14.12 Multi-layered regulation of personal information complicates the implementation of programs and services at a national level. This is an issue in the health sector, where multi-layered regulation creates a compliance burden and affects quality in the health care and health and medical research sectors.[22] The Australian Bureau of Statistics stated that complex and overlapping legal requirements across jurisdictions make it difficult to collect state and territory administrative data and use it for statistical purposes.[23]

14.13 The National Transport Commission, an independent body established under federal legislation to maintain uniformity in regulatory transport reforms, submitted that inconsistent privacy laws have made national reforms to transport unnecessarily complex. Inconsistent privacy laws have often required tailoring legislation and policy in order to maintain the effectiveness of legislative privacy requirements in each Australian state and territory.[24]

Quantifying the compliance burden

14.14 Stakeholders submitted that inconsistent privacy laws create a compliance burden in the following areas: monitoring changes to the law; staff training; changing internal policies and procedures; rewriting privacy policies and consumer information; and lost business due to a consumer perception of a lack of service.[25] The Australasian Compliance Institute noted that many of these costs are ongoing, due to continuous changes in federal, state and territory legislation.[26]

14.15 The Australasian Compliance Institute also noted that compliance costs often are passed on to the consumer.[27] These costs are not always financial. For example, the National Health and Medical Research Council (NHMRC) submitted that the multi-layered level of privacy laws sometimes will prevent information exchange for the purpose of medical research. This can compromise clinical care, quality assurance and related activities because: access to essential health information is impaired; significant research is not approved or submitted for approval; additional requirements are imposed on some research that reduce its scientific rigour; and excessive administrative effort and costs are incurred.[28]

ALRC’s view

14.16 Some of the compliance burden imposed by the Privacy Act is justified. The Privacy Act was enacted to implement Australia’s obligations relating to privacy under the International Covenant on Civil and Political Rights as well as the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[29] It was enacted, therefore, to protect a fundamental human right—the right of an individual to privacy.

14.17 The compliance requirements under the Privacy Act are minimal when compared to comparable schemes in Europe that often include an expensive registration requirement. The Act also does not have extensive reporting requirements such as under the Corporations Act 2001 (Cth). Further, as noted by the OPC, the Act can take account of an agency or organisation’s size and activities. The ALRC also notes that the OPC is available to provide guidance free of charge to agencies and organisations.

14.18 In the ALRC’s view, however, inconsistency and fragmentation in the regulation of personal information at the federal, state and territory level do create an unjustified compliance burden. Time and money can be spent identifying sources of privacy obligations and complying with disparate laws and inconsistent privacy standards in different jurisdictions. This problem is acute when agencies and organisations implement programs and services at a national level. The costs associated with this burden are both financial and social.

14.19 The ALRC makes a number of recommendations throughout this Report that are intended to minimise inconsistency and fragmentation, and streamline the regulation of personal information. For example, the ALRC recommends: the amendment of the Privacy Act to provide that it is intended to apply to the exclusion of state and territory laws dealing with the handling of personal information by organisations; the adoption of the model Unified Privacy Principles (UPPs) at the federal, state and territory level; and a redraft of the Privacy Act to minimise its complexity.[30] The ALRC also makes a number of recommendations to clarify the interaction of different laws that regulate the handling of personal information, particularly laws that regulate the health sector, credit reporting, and the telecommunications industry.[31]

14.20 The ALRC also recommends a greater emphasis on the OPC’s educative role. For example, the ALRC recommends that the OPC develop and publish guidance about the interaction of the Privacy Act with other federal, and state and territory laws that regulate the handling of personal information. Parts F and J also include a number of recommendations designed to promote greater cooperation between privacy regulators and other bodies with responsibility for privacy.

[1] See, eg, Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 54.

[2] Australian Chamber of Commerce and Industry, Submission to the Taskforce on Reducing Regulatory Burdens on Business, 1 November 2005, 5.

[3] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 53–57.

[4] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 36–37, 66.

[5] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.149]–[4.154].

[6] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), [4.151].

[7] Ibid, rec 4.47.

[8] Australian Government, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business—Australian Government’s Response (2006), 26.

[9] Australian Government Productivity Commission, Performance Benchmarking of Australian Business Regulation (2006), 156. The Productivity Commission has since announced that it will undertake a series of annual reviews of regulatory burdens on business under Australian Government regulation. It is not clear when privacy regulation will be reviewed: Productivity Commission, Annual Review of Regulatory Burdens on Business—Primary Sector, Productivity Commission Circular, 28 February 2007.

[10] See, eg, Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Telstra, Submission PR 185, 9 February 2007; Australian Health Insurance Association, Submission PR 161, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Australian Retailers Association, Submission PR 131, 18 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; NSW Commission for Children and Young People, Submission PR 120, 15 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007; Australian Bureau of Statistics, Submission PR 96, 15 January 2007; K Handscombe, Submission PR 89, 15 January 2007; D Antulov, Submission PR 14, 28 May 2006.

[11] See, eg, Investment and Financial Services Association, Submission PR 122, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007. A Standing Committee of Attorneys-General (SCAG) working party is currently considering workplace privacy: see Chs 1 and 2. SCAG recently agreed to the working group developing a minimum model for nationally consistent workplace privacy regulation: Standing Committee of Attorneys-General, Communiqué, 28 March 2008.

[12] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007. See also Ch 39.

[13] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[14] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[15] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 40.

[16] Ibid, 66.

[17] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 54.

[18] See, eg, AAMI, Submission PR 147, 29 January 2007; Australian Retailers Association, Submission PR 131, 18 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; AXA, Submission PR 119, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007; D Antulov, Submission PR 14, 28 May 2006.

[19] Telstra, Submission PR 185, 9 February 2007; AAMI, Submission PR 147, 29 January 2007.

[20] AAMI, Submission PR 147, 29 January 2007; AXA, Submission PR 119, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007.

[21] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[22] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[23] Australian Bureau of Statistics, Submission PR 96, 15 January 2007.

[24] National Transport Commission, Submission PR 416, 7 December 2007.

[25] See, eg, Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; AAMI, Submission PR 147, 29 January 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007.

[26] Australasian Compliance Institute, Submission PR 102, 15 January 2007.

[27] Ibid.

[28] National Health and Medical Research Council, Submission PR 114, 15 January 2007. See also CSIRO, Submission PR 176, 6 February 2007.

[29] See discussion in Chs 1, 3.

[30] See Chs 3, 5.

[31] See Parts G, H, J.