Scope for co-regulation

Part IIIAA privacy codes

4.82 The ALRC’s approach to regulating privacy retains the ability of organisations and industries to flesh out the requirements of the privacy principles in privacy codes approved by the Privacy Commissioner under Part IIIAA.[63]

4.83 This scope for co-regulation is consistent with the overall hybrid approach adopted by the ALRC in its regulatory model. In this model, the legislation establishes the general principles, which then operate ‘as the minimum benchmarks or safeguards that must apply across the board’.[64] A code can then sit below the principles and set out the steps that an organisation should take in order to achieve the outcome set by the principles.

4.84 As noted above, within the model of responsive regulation supported by the ALRC, there is an important place for using regulatory tools which conceive non-state actors as ‘important regulators in their own right’.[65] While the ALRC understands that, to date, the code-making provisions have not proved popular with industry as a whole, the provisions provide for an important measure of co-regulation which may gain favour in the future as a means of addressing new and developing technologies, and other international concerns.

Codes in regulations

4.85 The ALRC’s recommended regulatory model also has the flexibility to accommodate industry-developed codes that derogate from the UPPs. These codes would not be approved under Part IIIAA, as privacy codes under the current and recommended Part IIIAA code provisions cannot derogate from the principles. Instead, such industry codes would need to obtain the approval of the relevant minister, who would then pass the requirements in the codes as regulations, using the ALRC’s recommended regulation-making power.

4.86 This is similar to the approach adopted in Part IVB of the Trade Practices Act 1974 (Cth). Under the Trade Practices Act, the Minister has the power to prescribe an industry code of conduct in the regulations.[66] The regulations declare the industry code to be a mandatory industry code or a voluntary industry code, with the former binding on all industry participants.[67] The Act makes the codes enforceable by prohibiting a corporation, in trade or commerce, from contravening an applicable industry code.[68] In the privacy regime, the codes would be enforceable because a breach of the code would constitute an interference with privacy of an individual.

4.87 In the Trade Practices Act regime, formal proposals for industry codes are initiated at the ministerial level, ‘following representations from industry participants, consumers or government authorities about problems in a particular industry’.[69] It is expected that a similar initiation would take place in the privacy regime, with industry participants lobbying the relevant minister to pass a code in the regulations.

4.88 Being a legislative instrument, the minister must undertake appropriate consultation before making the instrument, which would include ensuring that ‘persons likely to be affected by the proposed instrument had an adequate opportunity to comment on its proposed content’.[70] This obligation would ensure that industry views are sought in making the code, and that other bodies—such as the OPC and consumer groups—are also consulted.

Binding Corporate Rules

4.89 Binding Corporate Rules (BCRs) are part of a new framework for regulating privacy in the information age, proposed by the Privacy and Trust Partnership (PTP).[71]

4.90 Under the PTP’s proposed framework set out in the Working Paper A Possible Way Forward: Some Themes and an Initial Proposal for a Privacy and Trust Framework, the privacy principles would remain the benchmark but ‘organisations would be able to vary the principles for their own circumstances’[72] by drafting BCRs to replace the default privacy principles. The PTP explains that any variations in the principles incorporated in a BCR that ‘might be perceived as a weakening would need to be compensated for by the variations in other principles and by the surrounding compliance, accountability and enforcement framework’.[73] While the PTP suggests that this proposal is similar to Part IIIAA privacy codes, the ALRC notes that the current code provisions (as well as the ALRC’s recommended code provisions) do not permit a code to be approved if it weakens a privacy principle.

4.91 While the ALRC understands that this proposal is still being developed, it is useful to note that some aspects of BCRs potentially could be accommodated in the ALRC’s recommended regulatory approach. If the BCR derogated from the UPPs, such as by weakening a privacy principle, it would need to be put into regulations, using the ALRC’s recommended regulation-making power. The ALRC recognises that having to use the regulation-making power may significantly reduce the flexibility and ease with which BCRs can be changed, which is seen as one of the primary advantages of BCRs. A BCR, however, could not be approved as a code under Part IIIAA, as a code applies in addition to the principles and cannot derogate from them.

4.92 If a BCR was put into regulations, as part of the regulation-making process, the organisation would have to convince the relevant bodies, as well as the general public, that the BCRs were in the public interest and that the BCRs were consistent with the objects of the Privacy Act, if not with all the privacy principles.

Summary: Interaction of regulatory tools

4.93 In summary, the basic premise of the ALRC’s regulatory approach is that the privacy principles will provide the primary obligations in relation to privacy. The principles will be high-level, technology-neutral and generally non-prescriptive, thereby capable of application to all agencies and organisations subject to the Privacy Act. These obligations can, however, be modified or displaced in certain circumstances, including where regulations are passed, a public interest determination is made, or a rule is approved.

4.94 Therefore, the ‘privacy obligations’ that will apply to an agency or organisation will depend on the agency or organisation in question. Most entities will be regulated entirely by the privacy principles, with an option to refer to (voluntary) guidance issued by the OPC where the agency or organisation desires further detail or advice.

4.95 Agencies and organisations operating in industries where more prescriptive regulation has been deemed necessary—such as credit reporting and health—will be subject to the privacy principles and to any further rules specified in the regulations. In addition, they will have the option of referring to voluntary guidance where they want further assistance.

4.96 Industries that desire more certainty in how to comply with the principles may decide to embellish on the privacy principles by developing a privacy code to be approved by the Privacy Commissioner. Pursuant to the ALRC’s recommended model, such a privacy code would not derogate from the principles and would operate in addition to the principles to prescribe steps on how the organisation should apply or comply with one or more principles. The ALRC’s recommended regulatory model, however, will also have the flexibility to accommodate Binding Corporate Rules and codes that are incorporated into regulations.

[63] Part IIIAA privacy codes are discussed in Ch 48.

[64] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 17.

[65] J Braithwaite, ‘Responsive Regulation and Developing Economies’ (2006) 34(5) World Development 884, 888.

[66] Trade Practices Act 1974 (Cth) pt IVB.

[67] Ibid s 51AE.

[68] Ibid s 51AD.

[69] J Hockey, Prescribed Codes of Conduct: Policy Guidelines on Making Industry Codes of Conduct Enforceable under the Trade Practices Act 1974 (1999) Australian Government Treasury, 6.

[70] Legislative Instruments Act 2003 (Cth) s 17(2)(b).

[71] See Privacy and Trust Partnership, A Possible Way Forward: Some Themes and an Initial Proposal for a Privacy and Trust Framework (2007). The Privacy and Trust Partnership is a consortium of businesses, consisting of Veda Advantage Limited, Axciom, IBM, SAS, Suncorp and Microsoft.

[72] See Ibid, 11.

[73] See Ibid, 11. Emphasis in original.