Principles-based regulation

18.24 The NPPs and IPPs—together referred to as the privacy principles—represent the main regulatory mechanism in the Privacy Act. Parliament deemed it preferable to regulate privacy using, for the most part, broad principles, as distinct from using a more conventional method of detailed, prescriptive regulation—sometimes referred to as ‘rules-based regulation’.[26]

18.25 In Chapter 4, the ALRC expresses the view that principles-based regulation should be the primary method used to regulate information privacy in Australia. Importantly, however, the ALRC does not recommend the adoption of a pure form of principles-based regulation, recognising the benefits of allowing principles to be supplemented by more specific rules in regulations or other legislative instruments, in order to accommodate different industries or policy considerations. In later chapters, this Report addresses detailed regulation in certain specific areas—namely health and research,[27] credit reporting[28] and telecommunications.[29]

18.26 In addition, a primarily principles-based framework can itself adopt varying degrees of detail and prescription within its principles. The IPPs and NPPs each contain detailed rules and high-level principles. For example, NPP 2 sets out relatively detailed rules related to the use and disclosure of personal information, whereas NPP 3 provides a broad, high-level principle relating to data quality.

18.27 Professor Julia Black suggests three broad categories of regulatory method: ‘bright line’ rules, ‘principles’ and ‘complex or detailed rules’.[30] Table 18.1 below provides hypothetical examples of each of these three types of regulatory method. The paragraphs immediately following it explain how these different forms of regulation operate.[31]

Table 18.1: Hypothetical examples of regulatory methods

Bright line rule: An organisation must not collect personal information relating to an individual’s sexuality.

Principle: An organisation must not collect personal information unless it is necessary for one of its functions or activities.

Complex/detailed rule: An organisation [defined] must not collect [defined] personal information [defined] unless all of the following conditions are met: [list of conditions].

18.28 As Table 18.1 illustrates, a ‘bright line’ rule contains a single criterion of applicability. Such rules are clear and straightforward to apply, but can fail to achieve their goal because there is considerable scope for manipulation or creative compliance. For instance, the rule may not be broad enough to capture all of the conduct that it is intended to proscribe, or an organisation may seek a loophole so as to comply with the letter, but not the spirit, of the rule.

18.29 A ‘principle’ articulates substantive objectives. Whether a principle is certain depends on whether there is general consensus about what is required to achieve compliance. While principles may appear simple to apply—in that they are concise and avoid arcane language—problems can arise in practice where, for instance, there is a dispute as to the meaning of the key terms. In the example from Table 18.1 above, reasonable minds may differ over what is necessary, in a particular context, for an organisation’s functions or activities.

18.30 A complex or detailed rule can provide a higher degree of certainty because it expressly lists the relevant conditions to be taken into account. Applying such a rule, however, is complex, and the creation of a list of conditions inevitably will leave gaps resulting in scope for manipulation or creative compliance.

18.31 The discussion below considers the level of detail and prescription that ought to be embodied within the privacy principles.

[26] Ch 4 provides an overview of regulatory theory and the different forms of regulation. In particular, it generally compares principles-based and rules-based regulation.

[27] See Part H.

[28] See Part G.

[29] See Part J.

[30] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 10. There are, of course, many other ways of differentiating between the various methods of regulation. See, eg, R Baldwin, Rules and Government (1995), 7–11.

[31] This part of the chapter is adapted from J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 10.