17.08.2010
54.138 There has been some concern about the: (a) listing on credit information files of information about foreign credit; and (b) disclosure of credit reports to foreign credit providers.[170] For example, as some credit reporting agencies operate in both New Zealand and Australia, individuals applying for credit in Australia may have default listings relating to loans from New Zealand credit providers.
54.139 Under the Privacy Act, a credit provider is defined to include a corporation if a substantial part of its business or undertaking is the provision of loans.[171] In turn, a corporation includes a foreign corporation within the meaning of s 51(xx) of the Australian Constitution.[172]
54.140 The provisions of s 5B of the Privacy Act dealing with its application to acts and practices outside Australia do not apply to the credit reporting provisions.[173] In particular, the Privacy Commissioner is not empowered to take action outside Australia to investigate credit reporting complaints.[174] The OPC faces difficulties in investigating complaints about information from foreign credit providers, given limitations on the extraterritorial operation of Part IIIA. In response to these concerns, Veda Advantage does not include information about foreign loans in its credit reports.
54.141 More generally, there may be no means to ensure that a foreign credit provider complies with any of the obligations of credit providers under Part IIIA—for example, in relation to notifying individuals that information may be disclosed to a credit reporting agency.
54.142 The OPC, based on the statutory construction of Part IIIA, has taken the view that
the listing of overseas incurred loans (and any information relating to those loans) on an individual’s credit information file and the disclosure of personal information in credit information files … to a party overseas is not permitted by Part IIIA.[175]
Discussion Paper proposals
54.143 In DP 72, the ALRC proposed that the:
new Privacy (Credit Reporting Information) Regulations should exclude the reporting of personal information about foreign credit and foreign credit providers, and the disclosure of credit reporting information to foreign credit providers;[176] and
Australian Government should consider including credit reporting regulation in the list of areas identified as possible issues for coordination pursuant to the Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000).[177]
54.144 With some qualifications, mostly involving the desirability of harmonisation of trans-Tasman rules, stakeholders supported excluding foreign credit providers from access to the Australian consumer credit reporting system.[178]
54.145 The OPC expressed the view that practical and jurisdictional difficulties dictate that foreign credit providers and foreign loans should continue to be excluded from regulation under the Privacy Act. The OPC supported the express exclusion in the new Privacy (Credit Reporting Information) Regulations of:
(a) information about credit incurred in foreign countries;
(b) access to the Australian credit reporting system by credit providers based overseas; and
(c) the disclosure of credit reporting information to credit providers or credit reporting agencies based overseas.[179]
54.146 Other stakeholders also expressed concern that about the privacy risks and enforcement difficulties involved with access by foreign credit providers.[180] Some supported access by foreign credit providers[181] or considered that, if foreign credit providers can demonstrate compliance with data security and complaint-handling procedures, they should be permitted to access credit reporting information in Australia.[182]
54.147 ARCA and a number of other industry stakeholders agreed that, for the time being, foreign credit providers should be excluded, but that this position should be subject to review in light of the potential future benefit of extending the credit reporting system.[183] New Zealand was seen as a special case,[184] given
the geographic location of NZ to Australia, the frequency of migration of residents between the two countries, and the Australian Government’s commitment to greater harmonisation between Australia and NZ’s laws particularly in the banking and consumer protection regulatory framework … evidenced in cross-border company recognition and insolvency provisions.[185]
54.148 The desirability of trans-Tasman flows of credit reporting information was emphasised.[186] Veda Advantage stated that it sought ‘urgent measures’ to ‘permit trans-Tasman access to credit reporting for business and consumers’.[187]
54.149 The AFC and the Australian Credit Forum[188] considered that, at the very least, a New Zealand credit provider should be able to obtain a copy of an Australian citizen’s credit report from an Australian credit reporting agency while that individual is resident in New Zealand—as ‘to prevent such access may operate to disadvantage the customer in relation to their access to appropriate and effectively-priced credit while in NZ’.[189]
54.150 Stakeholders agreed that, if greater consistency between Australian and New Zealand credit reporting regulation can be achieved, credit reporting information from both countries should be available from Australian credit reporting agencies. The ALRC’s proposal to identify credit reporting regulation as an issue for the business law coordination agenda met with broad approval.[190] Concerns were expressed, however, that any harmonisation process should not adopt the NZ Code as the template for future legislation or lead to less stringent regulation of credit reporting.[191]
ALRC’s view
54.151 Issues concerning the participation of foreign credit providers are linked to the regulation of cross-border data flows, which is discussed in Chapter 31. The draft ‘Cross-border Data Flow’ principle is designed to regulate the transfer of Australian credit reporting information overseas, but has nothing to say about inward data flows—for example, a default report from a foreign credit provider that is transferred to an Australian credit reporting agency.
54.152 Such a provision could be built into the new Privacy (Credit Reporting Information) Regulations so that, for example, foreign credit providers may report credit reporting information if they are subject to a law, binding scheme or contract which effectively upholds principles for fair handling of credit reporting information that are substantially similar to those in the new regulations.[192]
54.153 As discussed above, however, the primary concern about the reporting of personal information by overseas credit providers relates to the availability of effective enforcement and complaint handling. On this basis, the ALRC recommends that the Privacy (Credit Reporting Information) Regulations should generally exclude the reporting of personal information about foreign credit and foreign credit providers; and the disclosure of credit reporting information to foreign credit providers.
54.154 There should, however, be some mechanism by which credit reporting across jurisdictional boundaries may be permitted—in particular, between Australia and New Zealand. The Australian and New Zealand banking and financial services markets are highly integrated and many credit providers (and both major credit reporting agencies) operate on both sides of the Tasman. The New Zealand Privacy Commissioner observed, in this context, that ‘consumer credit reporting is an activity in which the same major companies dominate business on both sides of the Tasman’ and urged the ALRC to consider ‘the trans-Tasman angle’.[193]
54.155 There are important benefits in promoting harmonisation in the area of credit reporting, and harmonisation may ultimately permit integration of regulatory systems. Starting from their similar legal and commercial backgrounds, New Zealand and Australia have already achieved a significant degree of coordination and cooperation in a number of areas of business law (including in fair trading and other consumer protection law).
54.156 The countries are committed to further development of business law coordination under the Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000).[194] Recent progress in this regard has involved cross-border company recognition, cross-border insolvency provisions, mutual bans on disqualified company directors and information sharing between trans-Tasman competition and consumer regulators.[195] Coordination of credit reporting regulation would be a subject consistent with this overall agenda.
54.157 Trans-Tasman transfer of credit reporting information, however, need not necessarily await the outcome of a business law coordination process. In the ALRC’s view, the new Privacy (Credit Reporting Information) Regulations should empower the Privacy Commissioner to approve the reporting of personal information about foreign credit; and the disclosure of credit reporting information to foreign credit providers, in defined circumstances.
54.158 The criteria for approval should include the availability of effective enforcement and complaint handling in the other jurisdiction. In this context, the OPC and the Office of the New Zealand Privacy Commissioner are well placed to build upon existing relationships, reflected in their 2006 Memorandum of Understanding.[196] This memorandum, among other things, records the intention of the respective offices to ‘cooperate in relation to complaints or investigations that may affect the other participant or have a cross-border element’; and ‘explore the usefulness of developing more detailed protocols for handling complaints that may affect the other participant or that have a cross-border element’.[197]
54.159 Given the existing similarities between credit reporting regulation in Australia and New Zealand—and links between New Zealand and Australian credit providers, credit reporting agencies, and privacy regulators—appropriate mechanisms may be able to be developed to allow trans-Tasman transfer of credit reporting information to be approved. There is, for example, nothing to prevent a New Zealand credit provider agreeing to be bound by the terms of an Australian-based EDR scheme, as a condition of access to Australian credit reporting information.
Recommendation 54-5 The new Privacy (Credit Reporting Information) Regulations should, subject to Recommendation 54–7, exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers.
Recommendation 54-6 The Australian Government should include credit reporting regulation in the list of areas identified as possible issues for coordination pursuant to the Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000).
Recommendation 54-7 The new Privacy (Credit Reporting Information) Regulations should empower the Privacy Commissioner to approve the reporting of personal information about foreign credit, and the disclosure of credit reporting information to foreign credit providers, in defined circumstances. The regulations should set out criteria for approval, including the availability of effective enforcement and complaint handling in the foreign jurisdiction.
[170] Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006), [5.163].
[171] See Privacy Act 1988 (Cth) s 11B.
[172] Ibid s 6(1) definitions of ‘corporation’ and ‘foreign corporation’.
[173] Ibid s 5B(1).
[174] Ibid s 5B(4).
[175] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.
[176] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–8.
[177] Ibid, Proposal 50–9.
[178] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007. The Law Society of New South Wales, in contrast, stated that foreign credit providers should be encouraged to make reports to Australian credit reporting agencies: Law Society of New South Wales, Submission PR 443, 10 December 2007.
[179] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[180] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007.
[181] Institute of Mercantile Agents, Submission PR 270, 28 March 2007.
[182] Queensland Law Society, Submission PR 286, 20 April 2007.
[183] GE Money Australia, Submission PR 537, 21 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[184] For example, Australian Credit Forum, Submission PR 492, 19 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.
[185] Australian Finance Conference, Submission PR 398, 7 December 2007.
[186] Australian Finance Conference, Submission PR 294, 18 May 2007; Veda Advantage, Submission PR 272, 29 March 2007; MasterCard Worldwide, Submission PR 237, 13 March 2007; Min-it Software, Submission PR 236, 13 March 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 232, 9 March 2007; Australian Institute of Credit Management, Submission PR 224, 9 March 2007.
[187] Veda Advantage, Submission PR 272, 29 March 2007.
[188] Australian Credit Forum, Submission PR 492, 19 December 2007.
[189] Australian Finance Conference, Submission PR 398, 7 December 2007.
[190] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[191] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[192] See Ch 31.
[193] New Zealand Privacy Commissioner, Submission PR 128, 17 January 2007.
[194] Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000) Department of Foreign Affairs and Trade <www.dfat.
gov.au/geo/new_zealand/anz_cer/memorandum_of_understanding_business_law.html> at 5 May 2008.
[195] P Costello (Australian Government Treasurer) and M Cullen (New Zealand Minister for Finance), ‘Bilateral Progresses Single Economic Market Agenda’ (Press Release, 29 January 2007).
[196] Office of the Australian Privacy Commissioner and Office of the New Zealand Privacy Commissioner, Memorandum of Understanding Between the Office of the Australian Privacy Commissioner and the Office of the New Zealand Privacy Commissioner, 4 September 2006.
[197] Ibid, [8.1], [8.4].