Complexity of the exemption provisions

33.54 Some commentators have argued that the exemption provisions in the Privacy Act are overly complex.[106] Such complexity sometimes makes it difficult to determine the extent to which individuals and entities are exempt from the Act.

33.55 Certain agencies are, in effect, completely exempt from the operation of the Privacy Act—but this may not always be readily apparent from the structure of the provisions. For example, while intelligence agencies fall within the definition of an ‘agency’, acts done, or practices engaged in, by them are not included in the acts or practices to which the Act generally applies.[107] In addition, s 7(2) of the Privacy Act provides that provisions in the Act except in respect of the IPPs, the NPPs, an approved privacy code and some of the Privacy Commissioner’s functions, do not apply to these agencies. This exemption could be simplified by stating clearly that intelligence agencies are completely exempt from the operation of the Act.

33.56 The acts and practices of a number of agencies and organisations initially fall outside the acts or practices to which the Act applies, but the extent of the exemption is then modified either within the same section or through another section. Further, the scope of some exemptions must be ascertained by reference to other legislation.

33.57 For example, one of the schedules to the FOI Act lists a number of agencies that are exempt from the FOI Act in respect of particular documents.[108] These agencies fall within the definition of an ‘agency’ in the Privacy Act and therefore appear to be covered by the Act. Section 7(1)(a)(i) of the Act, however, appears to exempt their acts and practices completely. Section 7(1)(c) then provides that these acts and practices fall within the acts or practices to which the Act applies except in relation to records for which the agencies are exempt from the operation of the FOI Act. Further, s 7(2) of the Privacy Act provides that the provisions of the Act—except in respect of the IPPs, the NPPs, an approved privacy code and some of the Privacy Commissioner’s functions—apply to these agencies. Finally, s 7A provides that, notwithstanding ss 7(1)(a)(i), 7(1)(c) and 7(2), acts and practices done in relation to documents in respect of these agencies’ commercial activities, or the commercial activities of another entity, are treated as acts and practices of an organisation.

33.58 The ambiguity of some of the exemption provisions also has given rise to criticism.[109] For example, small businesses are defined as businesses with an annual turnover of $3 million or less. It has been argued, however, that it is difficult for customers to know the turnover of a business and, therefore, whether the business is exempt.[110]

33.59 In DP 72, the ALRC noted the comments made by a number of stakeholders concerning the complexity of the exemption provisions in the Privacy Act,[111] and the need for a clear statement of the exemptions and their scope.[112] For example, the Legal Aid Commission of New South Wales submitted that that the complexity of the existing exemptions results in uncertainty for individuals seeking remedies under the Privacy Act, making it more difficult for legal aid organisations to provide advice.[113]

33.60 Stakeholders expressed particular concern about the complexity of the exemptions provided for in s 7 of the Privacy Act.[114] For example, the OPC suggested that s 7 be redrafted because ‘it is a very complex and difficult section to understand and apply’—making it difficult for many entities to understand which aspects of their activities are covered by the Act.[115] In contrast, while the ABC acknowledged that the ‘carving out and partial reapplication’ under s 7 is relatively complex, it suggested that the section does set out the relationship between these exemptions and those applying under the FOI Act.[116]

33.61 ASIO supported the simplification of the exemption provisions that apply to it and other intelligence agencies, provided that this would not alter the scope of the exemption.[117]

33.62 The ALRC agrees that the exemption provisions are overly complex. In particular, s 7 is very difficult to understand and apply. Simplifying the exemption provisions would assist individuals and entities to understand their rights and obligations under the Privacy Act.

33.63 In Chapter 5, the ALRC recommends that the Privacy Act be redraftedto achieve greater consistency, simplicity and clarity.[118] This would include the redrafting of the exemption provisions. Specific recommendations for reform also are contained in the following chapters of Part E.

[106] T Dixon, ‘Preparing for the New Privacy Legislation’ (Paper presented at Australia’s New Privacy Legislation, Baker & McKenzie Cyberspace Law and Policy Centre CLE Conference, Sydney, 24–25 May 2001); R Clarke, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) Australian National University <www.anu.edu.au/people/Roger.
Clarke/DV/PActOECD.html> at 14 April 2008.

[107]Privacy Act 1988 (Cth) ss 6(1), 7(1)(a)(i)(B).

[108]Freedom of Information Act 1982 (Cth) sch 2 pt II div 1.

[109] See, eg, Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional Legislation Committee’s Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, 3 September 2000; Australian Privacy Charter Council, Submission to the Senate Legal and Constitutional Affairs Committee Inquiry on the Privacy Amendment (Private Sector) Bill 2000, 20 August 2000.

[110] Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005. The small business exemption is discussed further in Ch 39.

[111] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Commonwealth Ombudsman, Submission PR 202, 21 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; SBS, Submission PR 112, 15 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007; Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[112] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[113] Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[114] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[115] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[116] Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[117] Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007.

[118] See Rec 5–2.