A separate privacy principle dealing with consent?


19.69 As noted above, consent is not a discrete privacy principle, although it plays a key role in the application of other privacy principles—namely those regulating the collection of sensitive information, use and disclosure, and cross-border data flows. While many jurisdictions do not deal separately with the concept of consent, some, like Canada and Germany,[96] elevate consent to a separate principle or provision. The Canadian Model Code for the Protection of Personal Information, for example, contains a principle, which provides:

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.[97]

19.70 In Canada, the PIPED Act specifies a number of circumstances in which personal information can be collected, used and disclosed without a person’s consent or knowledge.[98] The Model Code covers the form of the consent sought by the organisation, the manner in which an organisation can seek consent and in which an individual can give consent, and the withdrawal of consent by an individual.[99]

19.71 The draft Asia-Pacific Privacy Charter also contains a separate consent principle, which states:

For some Principles, individual consent justifies actions that would otherwise not comply with the Principle. Where consent is relied upon, it must be freely-given, informed, variable and revocable. Consent is meaningless if people are not given full information, or have no option but to consent in order to obtain a benefit or service.

For Principles where consent normally applies, there are exceptional situations where consent may be insufficient justification.[100]

Submissions and consultations

19.72 In response to IP 31, there was general opposition to the creation of a discrete privacy principle dealing with consent.[101] There was concern that this could be too onerous if it imposed additional obligations to obtain consent.[102]

19.73 AAMI submitted that, while there is not currently a discrete consent principle, it already ‘exists by the very nature of what an organisation needs to do to collect and manage personal information’. A separate consent principle would therefore ‘add no value’.[103] Moreover, a number of stakeholders submitted that it would be preferable to rely on the consent provisions in the existing privacy principles and to modify those provisions as necessary.[104]

19.74 In DP 72, the ALRC expressed the preliminary view that it would be inappropriate to create a discrete privacy principle dealing with consent.[105] This approach was supported by stakeholders, on the basis that such a creation was inappropriate, unnecessary, or would introduce greater complexity into privacy regulation.[106] No contrary views were expressed in this regard.

ALRC’s view

19.75 It would be inappropriate to deal with consent as a discrete privacy principle. The concept of consent is built into the architecture of those privacy principles to which it is relevant. Such an approach emphasises that consent may have a role to play in various parts of the information cycle.

19.76 As noted above, consent is either framed as an exception to a general prohibition against personal information being treated in a particular way or as a basis to authorise the treatment of personal information in a particular way. Significantly, in each case, consent is not the only exception to a stated prohibition, or the only basis for permitting the treatment of personal information in a particular way. Treating consent as a separate privacy principle, therefore, may elevate consent to being the overriding factor in permitting or restricting the handling of personal information. In the ALRC’s view this would not be appropriate. As Professor Fred Cate has stated:

Requiring choice may be contrary to other activities important to society, such as national security or law enforcement, or to other values, such as freedom of communication. This explains why so many laws that purport to invest individuals with control over information about them exempt so many activities: it simply is not feasible or desirable to provide for individual control …[107]

19.77 Moreover, stakeholders have not identified any problems or issues arising from the location of consent within the privacy principles. Any radical change in this regard is not warranted.

[96]Federal Data Protection Act 1990 (Germany) s 4a.

[97]Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, Principle 4.3. Significantly, under the Canadian approach, consent is relevant to the collection of all personal information, not just sensitive information.

[98] Ibid s 7.

[99] See Ibid sch 1, Principles 4.34, 4.36–4.38.

[100] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008, Principle 2.

[101] Australian Federal Police, Submission PR 186, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; AAMI, Submission PR 147, 29 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[102] Law Council of Australia, Submission PR 177, 8 February 2007.

[103] AAMI, Submission PR 147, 29 January 2007.

[104] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; AAMI, Submission PR 147, 29 January 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007.

[105] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [16.43].

[106] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[107] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 342.