Other enforcement mechanisms following non-compliance

Enforcement pyramid

50.35 As discussed in Chapter 4, Professors Ian Ayres and John Braithwaite have suggested that the ideal regulatory approach to enforcing compliance with regulation is through the adoption of an explicit ‘enforcement pyramid’. Under such a model, regulators use coercive sanctions only when less interventionist measures have failed to produce compliance.^[59] Breaches of increasing seriousness are dealt with by sanctions of increasing severity, with the most serious or ‘ultimate sanctions’ generally held in reserve as a threat.

50.36 There is great value in adopting the enforcement pyramid structure in the Privacy Act, as discussed further in Chapter 45. In some respects, the Privacy Act already adopts a pyramid-type structure for enforcing compliance. The approach relies initially on encouraging compliance, with determinations (and enforcement in the courts) and injunctions held in reserve. While there is some degree of escalation involved in these remedies, there are currently no civil penalties for serious contraventions of the Act, and only some limited criminal penalties attached to credit reporting, and tax file number, offences.^[60]

Issues Paper 31

50.37 In IP 31, the ALRC asked whether the range of remedies available to enforce rights and obligations created by the Privacy Act required expansion. Further remedies suggested by the ALRC included administrative penalties, enforceable undertakings or other coercive orders, remedies in the nature of damages, infringement notices, civil penalties and criminal sanctions.^[61]

50.38 The ALRC received mixed responses from stakeholders about the need for further enforcement mechanisms. Some stakeholders suggested that harsher penalties under the Privacy Act are unnecessary as it has not been shown that the lack of ‘teeth’ in privacy legislation has reduced compliance with privacy laws.^[62] In contrast, the Australian Privacy Foundation submitted that a wider range of remedies and sanctions is desirable.^[63]

50.39 A number of stakeholders in the OPC Review submitted that there should be some level of civil penalty resulting from a contravention of the Privacy Act.^[64] One stakeholder stated that it is hard to convince some company boards to comply with privacy laws when no schedule of penalties is attached to non-compliance with the NPPs.^[65] While recognising the resource implications of additional remedies, the Consumer Credit Legal Centre observed in a submission to the Inquiry that:

stronger enforcement mechanisms, including through civil pecuniary penalties, present the OPC with a more long-term cost-effective way of functioning. Forcing businesses and industry to be accountable by imposing greater deterrents should result in less cases and investigations by the OPC.^[66]

50.40 There was no support for introducing further criminal penalties into the Privacy Act, such as for a reckless, intentionally dishonest or flagrant contravention. The OPC considered that a cautious approach should be taken to the inclusion of further criminal sanctions, and noted that ‘as privacy is unlikely to be a high policing priority, a significant increase in criminal sanctions may impede rather than facilitate better privacy protection and privacy complaint outcomes’.^[67]

Discussion Paper proposal

50.41 In DP 72, the ALRC canvassed whether the range of remedies available to enforce rights and obligations created by the Privacy Act required expansion. A number of suggestions were made by stakeholders, including enforceable undertakings, civil penalties and coercive orders. Having regard to the enforcement pyramid concept, the ALRC proposed that the Privacy Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.^[68]

Submissions and consultations

50.42 The ALRC received a number of submissions on this proposal. The OPC expressed its support for allowing the imposition of a civil penalty in the case of serious or repeated interferences with privacy. It argued that the definition of ‘serious’ should include explicitly cases where a respondent breaches a notice to comply arising from an own motion investigation, or where a respondent fails to report a data breach, contrary to the requirements of the Privacy Act.^[69]

50.43 The Law Council of Australia argued that a civil penalty was preferable to the introduction of administrative penalties^[70] or an infringement notice scheme and was consistent with the ‘light-touch’ approach of the Privacy Act.^[71] PIAC stated that a civil penalty regime was likely to provide a strong incentive to comply with the Act, provided that the amount of the penalty was commensurate with the seriousness of the breach.^[72] A number of other stakeholders also supported this proposal.^[73]

50.44 Some stakeholders also agreed with the proposal that the OPC should develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty will be made.^[74] The Law Council argued that:

A binding set of criteria would provide necessary certainty to the scheme and prevent organisations from incurring significant costs associated with determining what obligations exist.^[75]

50.45 One stakeholder expressed the view that the Privacy Act should include criminal sanctions for serious irresponsible handling of personal information. It argued that criminal sanctions should apply to the senior management and directors of agencies and organisations.^[76]

50.46 Other stakeholders took the view that the introduction of civil penalties was unnecessary.^[77] GE Money, for example, submitted that it was not aware of ‘the sorts of significant and ongoing breaches of privacy laws by organisations that might suggest that such a regime were necessary’.^[78] Another stakeholder argued that:

To the extent that there is a need to increase compliance with and enforcement of the Act, this can easily be met by using the existing powers of the Privacy Commissioner to a greater extent.^[79]

ALRC’s view

50.47 The framework of compliance-oriented regulation underpinning the Privacy Act should be considered when examining whether there should be further penalties added to the Act. As discussed in Chapter 45, a compliance-oriented approach to enforcement, which includes a focus on fostering compliance in the first instance, requires the presence of punitive sanctions to be effective. This is because ‘persuasive and compliance-oriented enforcement methods are more likely to work where they are backed up by the possibility of more severe methods’.^[80] The existence of a strong penalty, by itself, can act as an incentive for compliance, as long as the regulated entity knows that the regulator will impose the penalty where appropriate.

50.48 Determinations are regarded by some as a ‘strong’ penalty, because they can involve a public declaration of breach and thereby contain an element of informal, negative publicity.^[81] The ALRC notes, however, that according to the OPC’s determination policy, determinations are not necessarily going to be limited to the most serious cases, ‘nor will determinations issued by the Commissioner necessarily be punitive’.^[82] This approach by the OPC is consistent with the ALRC’s recommendation to increase the number of determinations issued, by giving complainants and respondents the right to require the Commissioner to issue a determination in certain circumstances.^[83]

50.49 The Attorney-General’s Department publication, A Guide to Framing Commonwealth Offences, Civil Penalties and Enforcement Powers (the Guide), states that it is important that civil penalties be used in appropriate and justifiable contexts.^[84] The Guide provides that the inclusion of civil penalty provisions is most likely to be appropriate and effective where:

• criminal punishment is not merited (for example, offences involving harm to a person or a serious danger to public safety should always result in a criminal punishment);

• the penalty is sufficient to justify court proceedings; and

• there is corporate wrongdoing.^[85]

50.50 The inclusion of civil penalties in the Privacy Act is appropriate and justifiable by reference to each of the circumstances outlined above.^[86] Criminal sanctions would be disproportionate to the level of harm caused by a serious or repeated interference with an individual’s privacy. Financial penalties are, however, likely to be effective against agencies and organisations by providing a strong incentive to comply with the Act.

50.51 Although the significance of determinations should not be underestimated, there is a need to strengthen the overall enforcement remedies available in the Privacy Act. Accordingly, the ALRC recommends that the Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.^[87] The Privacy Commissioner should be empowered to bring proceedings for pecuniary penalties in the Federal Court, similar to the approach taken with the Australian Competition and Consumer Commission (ACCC) under the TPA.^[88]

50.52 Consistently with the ALRC’s recommendation in Principled Regulation (ALRC 95), the ALRC recommends that the OPC develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty under the Privacy Act would be made.^[89] Examples of a serious or repeated interference with the privacy of an individual could include where the matter involves: an apparent blatant disregard of the law; a history of previous contraventions of the law; significant public detriment or significant number of complaints.^[90] Civil penalties may also be pursued where there is the potential for action to have a worthwhile educative or deterrent effect. The ALRC agrees with the OPC that a serious interference with privacy should include cases where a respondent breaches a notice to comply. Failure to notify the Commissioner of a data breach as required by the Act, also may attract a civil penalty.^[91]

50.53 Provision should also be made to allow for the Privacy Commissioner to accept an enforceable undertaking. An enforceable undertaking is essentially a promise enforceable in court. A breach of the undertaking is not contempt of court but, once the court has ordered the person to comply, a breach of that order is contempt.^[92] Undertakings under s 87B of the TPA were introduced as an enforcement tool in 1993. Research undertaken for the ACCC in 2001 showed that undertakings were frequently used instead of court action, and often encompassed assurances by the offender to undertake a comprehensive compliance program. Undertakings also were made as part of the settlement of court proceedings.^[93] Under the TPA provisions, undertakings may be published on the ACCC’s website. This approach both lends transparency to the process and serves an educative function.

50.54 Since 2005, the Australian Communications and Media Authority (ACMA) has accepted enforceable undertakings about matters concerning compliance with the Telecommunications Act 1997 (Cth). ACMA may accept undertakings

that a person will take specified action or refrain from taking specified action to comply with [the Act], or take action directed at avoiding contravention in the future.^[94]

50.55 In ALRC 95, it was noted that regulators viewed enforceable undertakings as a success in terms of achieving compliance following a breach.^[95] The Privacy Commissioner should be empowered, therefore, to accept an undertaking that an agency or organisation will take specified action to ensure compliance with the Privacy Act or other enactment under which the Commissioner has a power or function.