Should there be any exemptions from the Privacy Act?

33.23 Before examining whether the existing exemptions from the operation of the Privacy Act are appropriate, the threshold question is whether the Act should contain any exemptions at all. Professor Roger Clarke has suggested that there should be no exemptions from the privacy principles. In his view, privacy principles should be universal statements that convey the idea that the principles are paramount. The manner in which they are formulated and applied in practice should involve careful balancing between privacy and other interests so that the principles are not infringed. He argues that powerful interests are protected through large numbers of ‘vague and extensible’ exemptions, and that privacy protection is lost entirely once a class of organisation or activity is exempted from the privacy principles.[41]

33.24 Blair Stewart, of the Office of the Privacy Commissioner, New Zealand, has taken a different view.[42] He concedes that well-drafted exceptions to specific privacy principles are preferable to excluding an entire class of entities or information. Stewart argues, however, that some types of entities and information should be excluded from the coverage of privacy principles so that the principles remain ‘workable, general and not overly complex’—for example, it might be better not to apply some principles to intelligence agencies than to have exceptions for national security provided throughout the principles.[43]

33.25 Privacy legislation in some overseas jurisdictions contains full or partial exemptions relating to, for example, personal information handled by: individuals for the purposes of their personal, family or household affairs;[44] intelligence agencies;[45] and news media in relation to journalism or news activities.[46]

33.26 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted stakeholder views that there should be few, if any, blanket exemptions from the Privacy Act.[47] For example, the Office of the Victorian Privacy Commissioner (OVPC) submitted that entities should not be completely exempt. It suggested that exemptions or exceptions should be targeted at particular practices, and that some principles should apply universally. The OVPC stated that privacy legislation ‘should only be subject to such reasonable limits … as can be demonstrably justified in a free and democratic society’.[48] Other stakeholders suggested that only a limited number of entities should be exempt. Exemptions that have been suggested as justifiable include individuals handling personal information solely for non-business purposes, entities that are subject to equivalent privacy laws (such as state and territory authorities),[49] and defence and intelligence agencies.[50]

33.27 In contrast, a few stakeholders specifically stated that it is appropriate to have exemptions from the Privacy Act.[51] For instance, while both the Australian Broadcasting Corporation (ABC) and the Special Broadcasting Service (SBS) submitted that there should be few blanket exemptions from the Privacy Act, they suggested that the EU Directive and other international instruments illustrate a number of clear policy reasons why certain exemptions should be maintained. The ABC submitted that many, if not all, of the exemptions under the Act are based on similar policy concerns to those reflected in international instruments.[52] SBS stated that the justification for exemptions that are common to all international instruments is the need to balance privacy rights against a public interest purpose, such as matters essential to law and governance and freedom of expression.[53]

33.28 The ABC and SBS also submitted that, in the interest of certainty, exemptions are preferable to exceptions to specific privacy principles.[54] The ABC stated that targeted exemptions could reflect a careful balancing of privacy and other interests.[55] SBS suggested that a universal statement of principles would be unworkable, as it would result in uncertainty and extensive litigation before the application of the principles could be understood.[56]

33.29 The Real Estate Institute of Australia (REIA) took the view that subjecting entities to overly rigorous privacy protection, regardless of the risk to individual privacy or the context in which the entity operates, may impinge on the ability of certain entities to carry out activities that are in the national interest. It submitted that such an approach also would result in an unnecessary and disproportionate compliance burden that would be passed on to consumers by way of increased prices.[57] The Fundraising Institute—Australia Ltd expressed a contrary view, submitting that the exemption for commercial entities, such as small business operators, undermines public confidence that the Privacy Act will protect personal information adequately.[58]

33.30 In DP 72, the ALRC expressed the preliminary view that exemptions from the Privacy Act may be necessary for those entities the principal function of which is in direct conflict with privacy principles, and for those entities that require specific information-handling standards in order to balance privacy interests with other public interests. The ALRC considered that exemptions for these entities would be appropriate, provided that there are other information-handling standards that apply to the exempted entity. In addition, the ALRC expressed the view that entities that are subject to obligations that are, overall, at least the equivalent of all the relevant obligations in the Privacy Act, should be exempt from the Act—as the need to comply with two equivalent regimes would add unnecessarily to the compliance burden for such entities.

Submissions and consultations

33.31 Submissions indicated support for limiting exemptions from the Privacy Act.[59] Liberty Victoria submitted that privacy principles should be applied uniformly and there should be no exemptions from the Privacy Act.[60]

33.32 The Law Society of New South Wales submitted that exemptions should be limited. It stated that ‘traditional areas benefiting from exemptions and exceptions should be re-examined and assessed against expressed criteria as detailed in the Act or regulations’, and those criteria should, in turn, be reviewed for their suitability. The Law Society also suggested that where an exemption or exception is justified, the exempted activity should be covered by other legislation that specifies a date for review and is subject to a privacy impact assessment, so that there would be some debate in both the community and the Parliament before an exemption or exception is granted.[61]

33.33 Privacy NSW considered that exemptions are ‘blunt instruments’, and that the balancing of privacy interests with other public interests ‘can best be achieved by the use of exemptions limited to the functions of the agency or organisations’. It supported the use of partial exemptions that are targeted at particular practices and provide some privacy protection for the personal information of employees, on the basis that:

the use of blanket exemptions presents a risk that employees of some agencies may have lesser rights than others and that the exemption will excise whole categories of dealings which do not relate to the purpose of exemption.[62]

ALRC’s view

33.34 Privacy interests in some cases may be outweighed by other public interests, such as national security, the administration of justice and the free flow of information to the public by the media. The purpose of having exemption provisions is to balance the need to protect privacy against these other interests, as is reflected in international instruments.

33.35 A blanket exemption from privacy legislation is a blunt instrument, in that it exempts all activities of a specified entity or class of entities, regardless of whether the particular activity relates to the conflicting public interest. There are some entities, however, such as intelligence agencies and specialist law enforcement agencies, the principal function of which is in direct conflict with a number of the privacy principles. In addition, due to the sensitive nature of the operation of these entities, oversight bodies—such as the Inspector-General of Intelligence and Security (IGIS) and parliamentary joint committees—have been established specifically to oversee their operations.[63] Other entities, such as royal commissions, inquire into matters of public interest and, therefore, should have their own information-handling standards tailored to their special role.[64] In these cases, the exemption of these entities from the operation of the Privacy Act is appropriate, provided that there are other information-handling standards, such as ministerial privacy guidelines, that apply to the exempted entity. These standards should reflect the model Unified Privacy Principles (UPPs) to the extent that this is possible.

33.36 In other instances, a partial exemption from the operation of the Privacy Act may be appropriate, where it would be possible to distinguish between the activities of an agency or organisation that conflict with privacy interests and those that do not. For example, federal courts require special information-handling rules that balance privacy interests with the principle of open justice. There is, however, no sound policy reason why their acts and practices in respect of non-administrative matters, such as their handling of the employment records of court staff, should be exempt from the Privacy Act.[65] In the case of media organisations, the public interest in the free flow of information to the public only relates to the journalistic activities of media organisations. Therefore, the exemption that applies to acts and practices in the course of journalism should not apply more broadly to information that does not constitute news, current affairs or documentaries, unless the public interest in the dissemination of that information outweighs privacy interests.[66]

[41] R Clarke, Exemptions from General Principles Versus Balanced Implementation of Universal Principles (1998) Australian National University <www.anu.edu.au/people/Roger.Clarke/DV/Except.html> at 31 March 2008.

[42] B Stewart, ‘The New Privacy Laws: Exemptions and Exceptions to Privacy’ (Paper presented at The New Privacy Laws: A Symposium on Preparing Privacy Laws for the 21st Century, Sydney, 19 February 1997).

[43] Ibid, 10.

[44] See, eg, Data Protection Act 1998 (UK) s 36; Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 4(2)(b); Personal Data Act 1998 (Sweden) s 6; Privacy Act 1993 (NZ) s 56; Personal Data (Privacy) Ordinance (Hong Kong) s 52.

[45] See, eg, Privacy Act 1974 5 USC § 552a (US) (j)(1); Privacy Act 1993 (NZ) s 57. See also Personal Data (Privacy) Ordinance (Hong Kong) s 57 (exemption of personal data held by or on behalf of the government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong).

[46] See, eg, Privacy Act 1993 (NZ) s 2(1) (definition of ‘agency’); Personal Data (Privacy) Ordinance (Hong Kong) s 61.

[47] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; SBS, Submission PR 112, 15 January 2007; K Pospisek, Submission PR 104, 15 January 2007; Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[48] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[49] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[50] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Confidential, Submission PR 143, 24 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; K Handscombe, Submission PR 89, 15 January 2007.

[51] SBS, Submission PR 112, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007; Australian Broadcasting Corporation, Submission PR 94, 15 January 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[52] Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[53] SBS, Submission PR 112, 15 January 2007.

[54] Ibid; Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[55] Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[56] SBS, Submission PR 112, 15 January 2007.

[57] Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[58] Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007.

[59] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[60] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[61] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[62] Privacy NSW, Submission PR 468, 14 December 2007.

[63] See Chs 34, 37.

[64] See Ch 38.

[65] See Ch 35.

[66] See Rec 42–1.