Regulatory theory

4.4 Principles-based regulation is the primary method that should be used to regulate information privacy in Australia.^[2] By principles-based regulation, the ALRC is referring to both the tools of regulation—that is, the principles—and adopting a more outcomes-based approach to regulating privacy.^[3] This section will examine in turn the theory of principles-based regulation and the notion of an outcomes-based—or ‘compliance-oriented’—approach to regulation.

Principles-based regulation

4.5 Principles-based legislation relies on principles to articulate the outcomes to be achieved by the regulated entities. According to Professor Julia Black, principles are ‘general rules … [that] are implicitly higher in the implicit or explicit hierarchy of norms than more detailed rules: they express the fundamental obligations that all should observe.’ Black states that principles-based regulation avoids ‘reliance on detailed, prescriptive rules and rel[ies] more on high-level, broadly stated rules or principles’.^[4]

4.6 Part of the guiding purpose of a principles-based approach is to shift the regulatory focus from process to outcomes. The rationale for this is described as follows:

Regulators, instead of focussing on prescribing the processes or actions that firms must take, should step back and define the outcomes that they require firms to achieve. Firms and their management will then be free to find the most efficient way of achieving the outcome required.^[5]

4.7 Principles-based regulation can be distinguished from rules-based regulation in that it does not necessarily prescribe detailed steps that must be complied with, but rather sets an overall objective that must be achieved. In this way, principles-based regulation seeks to provide an overarching framework that guides and assists regulated entities to develop an appreciation of the core goals of the regulatory scheme. A key advantage of principles-based regulation is its facilitation of regulatory flexibility through the statement of general principles that can be applied to new and changing situations. It has been said that such a regulatory framework is exhortatory in that it emphasises a ‘do the right thing’ approach and promotes compliance with the spirit of the law.^[6]

4.8 According to Black, all forms of regulation are subject, to varying degrees, to the following problems:

• Rules are just a ‘best guess’ as to the future: The rule maker has to anticipate how the rule will be applied in the future. New situations may arise that were not expected/known about when the rule was written, and the rule may be interpreted and applied in ways that were not intended or anticipated by the writer.

• Rules are never perfectly congruent with their purpose … : Rules are inevitably either under-inclusive, failing to catch things that the rule maker might want to catch, and/or over-inclusive, catching things that the rule maker might not want to catch when applied to particular sets of circumstances …

• Whether a rule is clear or certain depends on shared understandings: Just looking at a rule does not tell us whether it is certain. … Whether or not a rule is ‘certain’ depends not so much on whether it is detailed or general, but whether all those applying the rule (regulator, regulated firm, court/tribunal) agree on what the rule means.

• How a rule affects behaviour does not depend solely on the rule: … whether a rule has the desired effect on behaviour depends only partly on whether it is a precise, detailed rule or whether it is a principle. The firm’s own attitude to regulation, the incentive structures for compliance and non-compliance, and the approach taken to enforcement, are also critical.^[7]

4.9 Principles-based regulation attempts to solve these problems, largely by providing greater ‘flexibility’, thereby allowing for ‘a greater degree of “future-proofing”, enabling the regime to respond to new issues as they arise without having to create new rules’.^[8] Future-proofing can be achieved by drafting purposive principles that both express the rationale for the rule and provide ‘overarching requirements that can be applied flexibly to a rapidly changing industry’. Principles-based regulation also makes use of qualitative and often evaluative terms such as fair, reasonable and suitable.^[9] This regulatory approach can facilitate compliance as it allows entities to honour the spirit of the law by developing policies or other mechanisms that simultaneously comply with the rule and meet the entity’s needs.

4.10 By contrast, rules-based regulation is comparatively rigid. Detailed rules impose requirements that are not always appropriate for all entities regulated by the relevant scheme and, further, they do not always cover all of the entities or activities that are intended to be regulated.^[10] Black states:

Detailed rules, it is often claimed, provide certainty, a clear standard of behaviour and are easier to apply consistently and without retrospectivity. However, they can lead to gaps, inconsistencies, rigidity and are prone to ‘creative compliance’, to the need for constant adjustment to new situations and to the ratchet syndrome, as more rules are created to address new problems or close new gaps, creating more gaps and so on.^[11]

4.11 On the other hand, a regulatory approach that is based on using prescriptive rules can provide greater clarity in the regulation, as it is easier for a regulated entity to determine what rules it must comply with and the minimum standards of compliance expected.^[12] This, in turn, can direct responsibility for the regulatory system away from the entities being regulated.^[13]

4.12 Proponents of principles-based regulation argue that, contrary to the assertions of clarity and certainty, rules-based regulation ‘can be a dead hand on technology and product innovation’.^[14] For example, the former Parliamentary Secretary to the Treasurer, the Hon Chris Pearce MP, has argued that rules-based regulation introduces ‘unnecessary legal complexity’ and encourages ‘box-ticking’ exercises, rather than complying with the spirit and intent of the law.^[15]

4.13 The disadvantages of a principles-based system centre on problems of ambiguity, which can undermine the system’s intended protections and accountability:

Principles are criticised for not providing certainty; for creating an unpredictable regulatory regime in which regulators can act retrospectively; for allowing firms to ‘backslide’, and get away with the minimum level of conduct possible; and thus for providing inadequate protection to consumers or others.^[16]

4.14 Principles-based regulation often deals with this lack of clarity and certainty by integrating principles with other forms of regulation. For instance, detailed rules can be used to supplement principles; official guidance can be issued to explain the principles; and dialogue can be facilitated between the regulator and regulated entities.^[17]

4.15 Further, depending on the features of the regulatory scheme, principles-based regulation may also provide greater clarity through the interpretation of the principles by a regulatory body and the enforcement of those interpretations across the regulated industry or group.^[18] This leads to the development of a body of precedent that clarifies the principles and provides entities with further guidance.

4.16 The emphasis on outcomes in principles-based regulation allows regulated entities to work towards the effective implementation of the principles within their own organisational context without dwelling on the ‘expensive legislative focus’.^[19] Thus, in the privacy law context, the Privacy Commissioner, Karen Curtis, stated:

By encouraging organisations to recognise the business advantages of good personal information handling practices and regulating their behaviour accordingly, government regulators can minimise regulatory intervention and red tape. This has been a common theme of our regulatory approach where a legislative framework is balanced by an emphasis on business privacy awareness and self-regulation. The idea is to inculcate the values and objectives of privacy law in business rather than just the superficial rules. When this happens organisations will be better equipped to deal with technological change because they will understand the ideas behind the laws—the principles—and will not become as confused by detailed technology-specific regulations. ^[20]

4.17 In this way, principles-based regulation aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly; not because they might get caught out by a regulator, but because they understand why the law is there and what its objectives are’.^[21] This has been described as ‘nurturing a culture of voluntary compliance with the law’.^[22] Nevertheless, Black and others emphasise that breach of a principle should involve an element of fault and public sanction.^[23]

4.18 Although rules-based and principles-based regulation are very different in their approach, in many instances they can operate as a hybrid system, providing regulated entities with the benefits of both systems. In many established systems of regulation, high-level principles that can be applied flexibly to new situations and promote a best practice approach to regulation are complemented by detailed rules providing clarity.

Compliance-oriented regulation

4.19 As noted above, the concept of principles-based regulation embraces both the tools of regulation and the approach to administering those tools.^[24] Compliance-oriented regulation adopts ‘an outcomes-based approach to total regulatory design’,^[25] in which ‘all the factors of regulatory rule making, monitoring, and enforcement are designed to elicit a particular regulatory objective’.^[26]

4.20 Dr Christine Parker has identified a number of elements of compliance-oriented regulation, which the ALRC has grouped for convenience into: securing voluntary compliance with the regulatory objectives; undertaking informed monitoring for non-compliance; and engaging in enforcement actions where voluntary compliance fails.^[27]

4.21 Parker explains that the first step of compliance-oriented regulation is ‘providing incentives and encouragement to voluntary compliance and nurturing the ability for private actors to secure compliance through self-regulation, internal management systems, and market mechanisms where possible’.^[28] A key way a regulator can help foster an agency’s or organisation’s capacity to comply is through education, guidance and other assistance.^[29]

4.22 The second element of compliance-oriented regulation is ‘informed monitoring for non-compliance’.^[30] Monitoring must be used ‘to determine whether regulatory design is having its desired effect on the target population’.^[31] As regulators cannot enforce every rule or cover every problem, they should use information collected about the regulatory problem to develop a ‘risk-based approach to targeting inspections’.^[32]

4.23 A compliance-oriented regulatory design also must provide for enforcement in the event of non-compliance; this is the third element. A regulator’s response to non-compliance in a principles-based regime can be likened to rehabilitative, rather than punitive, justice. As Parker explains, when organisations fail to comply in the first instance, the preferred approach in compliance-oriented regulation would be to ‘attempt to restore or nurture compliance rather than reverting immediately to a purely punishment-oriented approach’.^[33]

4.24 It is critical, however, that these attempts to nurture and restore compliance operate in the presence of more punitive sanctions, as the evidence shows that ‘persuasive and compliance-oriented enforcement methods are more likely to work where they are backed up by the possibility of more severe methods’.^[34]

The idea is that regulators should engage tit for tat in restorative or persuasive enforcement strategies depending on the responses of the regulated entity. A regulator can start with persuasive or restorative strategies and then move to more punitive strategies if voluntary compliance fails. If the application of punitive sanctions succeeds in bringing about compliance, then the regulator can revert to a trusting demeanour. If it does not bring about compliance, then the regulator must invoke harsher sanctions. The wider the range of strategies (from restorative to punitive) available to the regulator, the more successful tit-for-tat enforcement is likely to be.^[35]

4.25 This principle is encapsulated in Professors Ian Ayres and John Braithwaite’s enforcement pyramid.^[36] Braithwaite contends that compliance is ‘most likely’ when a regulator displays an explicit enforcement pyramid:

Most regulatory action occurs at the base of the pyramid where initially attempts are made to coax compliance by persuasion. The next phase of enforcement escalation is a warning letter; if this fails to secure compliance, civil monetary penalties are imposed; if this fails, criminal prosecution ensues; if this fails, the plant is shut down or a licence to operate is suspended; if this fails, the licence to do business is revoked. The form of the enforcement pyramid is the subject of the theory, not the content of the particular pyramid.^[37]

4.26 Self-regulation and co-regulation also form part of the enforcement pyramid model. It has been argued that regulatory responses should not be confined to escalations up the enforcement pyramid, but should also consider industry responses or allowing instruments to be implemented by trade associations and professions as well as regulators.

Seeing regulation in terms of these dimensions allows creative mixes, or networks, of regulatory enforcement instruments and of influencing actors or institutions to be adopted. It also encompasses the use of control instruments that, in certain contexts, may be easier to apply, less costly and more influential than state controls.^[38]