Consumer and commercial credit

54.160 Part IIIA distinguishes between consumer and commercial credit reporting. Part IIIA regulates consumer credit reporting activities, but does not cover personal information about commercial loans (that is, loans not intended to be used wholly or primarily for domestic, family or household purposes).[198] The handling of personal information relating to commercial loans (referred to below as ‘commercial credit reporting information’) is regulated primarily by the NPPs.

54.161 Part IIIA, however, touches on some aspects of commercial credit reporting. For example, s 18E(1)(b) permits credit reports to contain information about commercial credit and there are complex provisions to the effect that information about consumer credit can be used in commercial credit transactions, and vice versa, provided that agreement of the individual concerned is obtained.[199] Further, the fact that an individual is the guarantor of a commercial loan is currently permitted content of a credit information file.[200]

54.162 The ALRC asked whether the distinction in the credit reporting provisions of the Privacy Act between consumer and commercial credit is necessary or whether personal information about consumer and commercial credit should be regulated by the same statutory provisions.[201]

54.163 Most stakeholders who addressed the issue favoured retaining the distinction between consumer and commercial credit reporting.[202] This view was influenced, at least in part, by the fact that the Consumer Credit Code makes a similar distinction between credit ‘provided or intended to be provided wholly or predominantly for personal, domestic or household purposes’, which is regulated by the Code, and other credit, which is not.[203]

54.164 On the other hand, the OPC noted that credit reporting agencies currently make an individual’s commercial credit transactions available to credit providers to assess an individual’s credit eligibility and that some provisions of Part IIIA already regulate aspects of commercial credit granted to individuals. This ‘fragmented approach adds to the complexity of the provisions’.[204]

Discussion Paper proposal

54.165 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations should apply to personal information relating to credit advanced to an individual for any purpose and should not be limited to ‘domestic, family or household’ purposes, as is currently the case under the definition of ‘credit’ in the Privacy Act.[205]

54.166 In making this proposal, the ALRC noted that the current distinction between consumer and commercial credit may create needless complexity and appears inconsistent with the general approach of the Privacy Act. The Act does not distinguish in any other respect between personal information about an individual’s personal and commercial activities. The distinction is not made in the NZ Code, which simply covers personal information that is credit information.

54.167 This proposal was opposed strongly by industry stakeholders.[206] ARCA and others[207] submitted that there are good reasons to continue to exclude commercial credit reporting information from credit reporting privacy regulation. First, commercial credit reporting information is adequately protected as personal information by privacy principles—where it is ‘about’ an individual.[208] Secondly, if commercial credit reporting information (for example, about sole traders and unincorporated partners) were covered by the new Privacy (Credit Reporting Information) Regulations, then commercial credit reporting would be subject to new requirements, beyond those imposed by the UPPs, in relation to the collection, use and disclosure of information and complaint handling. The undesirable consequences of this were said to include:

(i) Significant additional compliance costs for the commercial credit reporting sector (access and correction; re-tooled business processes)

(ii) Significant additional compliance costs for commercial credit providers (EDR, additional statutory notice requirements)

(iii) Different treatment of commercial debtors who are superficially similar: a sole trader’s record would have additional protection; if the same or similar business were incorporated as an association or a company, even if it were smaller, it would not have the protection

(iv) Departure from the general consumer protection principle (FSR and UCCC) that people in business have less need of higher standards of protection (including disclosure)

(v) The consumer credit market is very different from the trade and commercial credit markets, and the primary purpose is likely to unreasonably constrain credit reporting in commercial contexts.[209]

54.168 Other industry stakeholders made similar points. The National Australia Bank stated that the ALRC’s proposal ‘has the potential to extend requirements into the small business segment which could make the regulation unworkable’.[210] Telstra submitted that the proposal

appears out of step with the ‘consumer protection’ purpose of the provisions dealing specifically with consumer credit information. Unlike consumer credit, an individual’s commercial credit activities do not receive the protection of the Consumer Credit Code. Given their nature, these commercial activities are generally subject to less onerous legislation on credit providers.[211]

54.169 The OPC’s position remained that the new Privacy (Credit Reporting Information) Regulations should apply to personal information relating to credit sought or obtained by an individual for any purpose and not limited to ‘domestic, family or household’ purposes as is currently the case under the definition of ‘credit’ in the Privacy Act.[212]

54.170 A number of other stakeholders agreed.[213] In relation to the consistency of credit reporting regulation and the Consumer Credit Code, Legal Aid Queensland noted that the Code is presumed to apply unless the borrower has signed a ‘business purposes declaration’:

This has resulted in many small lenders requiring all borrowers to sign a business purposes declaration and only lending for ‘commercial purposes’ to avoid the application of the legislation. This has resulted in some very unconscionable loans and unfair lending and enforcement practices. In our view to discourage lenders from avoiding the application of the Privacy Act, credit reporting ought to be regulated by reference to whether the person borrowing the funds is an individual or a business not the ‘disclosed use of the credit’ … If the definition is not broad enough to encompass loans to individuals for commercial purposes it may provide an incentive for some credit providers to list defaults as commercial in nature to avoid the requirement to belong to an EDR scheme.[214]

ALRC’s view

54.171 On one view, where credit-related personal information is maintained by a credit reporting agency and is, for example, inaccurate or misleading, an individual should have the same rights of recourse regardless of whether the credit advanced was for a consumer or commercial purpose.

54.172 The fact that the Consumer Credit Code makes a distinction between consumer and commercial credit does not dictate the retention of a similar distinction in credit reporting regulation. While credit reporting regulation under the Privacy Act can be seen as serving a consumer protection purpose, the focus of the Act is on the protection of the information privacy of individuals—regardless of the precise content of personal information.[215]

54.173 The coverage of the regimes already diverges significantly—notably, in relation to which organisations constitute credit providers (discussed above). In any case, the distinction contained in the Code is breaking down. The Uniform Consumer Credit Code Management Committee observed:

The forthcoming national finance broker laws … includes protection for both consumers and small business, while it is probably only a matter of time before the Code itself will extend to cover consumer investment and small business credit.[216]

54.174 There is strong opposition from the credit reporting industry and industry stakeholders to an extension of the coverage of credit reporting regulation, especially in view of the possible additional compliance costs. There are justifiable concerns that the provisions of the new Privacy (Credit Reporting Information) Regulations may not be appropriate for commercial credit reporting.

54.175 The restrictions on the permitted content of credit reporting information is an example of one such concern. Part IIIA of the Act sets out an exhaustive list of the categories of personal information that may be included in credit information files; a credit reporting agency must not disclose personal information that does not fall within the permitted categories.[217] A similar approach is recommended, with some changes, in the new Privacy (Credit Reporting Information) Regulations. It is questionable whether this approach is suitable in the context of commercial lending. The collection and disclosure of a broader set of personal information may be justifiable, with the consent of the individual concerned.

54.176 In any case, commercial credit reporting information receives significant protection under the NPPs, and would continue to do so under the model UPPs. In this context, while the Privacy Act extends additional privacy protection to credit reporting information, the regime also authorises some information-handling practices that would not be permitted under the NPPs without the consent of the individual concerned.[218] Bringing commercial credit reporting information into the regime would loosen some aspects of privacy protection, while strengthening others. For example, the credit reporting provisions operate to authorise some secondary use and disclosure of personal information that would not be permitted without consent under the NPPs.[219] Conversely, the credit reporting provisions provide for the deletion of information after the end of maximum permissible periods, whereas the NPPs only oblige organisations to take reasonable steps to ensure that personal information is ‘up-to-date’.[220]

54.177 On balance, the ALRC does not recommend any change to the coverage of credit reporting regulation in relation to commercial credit reporting. The new Privacy (Credit Reporting Information) Regulations should apply to personal information relating to credit intended to be used wholly or primarily for ‘domestic, family or household’ purposes, as provided by the current definition of ‘credit’ in the Privacy Act.

[198]Privacy Act 1988 (Cth) s 6(1) definition of ‘credit’.

[199] Ibid ss 18K(1)(b), 18L(4).

[200] Under s 18E(1)(b)(iv), permitted content includes information in connection with an individual having offered to act as a guarantor in respect of a ‘loan’. A ‘loan’, unlike ‘credit’, is not defined as being for ‘domestic, family or household’ purposes: Ibid s 6(1).

[201] Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006), Question 5–25.

[202] Australian Finance Conference, Submission PR 294, 18 May 2007; Institute of Mercantile Agents, Submission PR 270, 28 March 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Min-it Software, Submission PR 236, 13 March 2007; EnergyAustralia, Submission PR 229, 9 March 2007; Australian Institute of Credit Management, Submission PR 224, 9 March 2007. Some of these comments were premised on a misapprehension that regulation of credit reporting in respect of corporate entities was being contemplated.

[203] Consumer Credit Code s 6(1)(b).

[204] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[205] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–10.

[206] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[207] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[208] See, Privacy Act 1988 (Cth) s 6(1) definition of ‘personal information’.

[209] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[210] National Australia Bank, Submission PR 408, 7 December 2007.

[211] Telstra Corporation Limited, Submission PR 459, 11 December 2007. Other stakeholders also focused on the desirability of maintaining a distinction between commercial and consumer credit, consistent with the Consumer Credit Code: Australian Credit Forum, Submission PR 492, 19 December 2007; HBOS Australia, Submission PR 475, 14 December 2007.

[212] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[213] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[214] Legal Aid Queensland, Submission PR 489, 19 December 2007.

[215] Credit-related information concerning an individual, however, may not constitute personal information if it is, for example, not ‘about’ an individual but about a company (of which the individual happens to be a director): See, eg, Durant v Financial Services Authority [2003] EWCA Civ 1746.

[216] Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007, referring to the Finance Broking Bill 2007 (Cth).

[217] Privacy Act 1988 (Cth) s 18E(1).

[218] For example, s 18N expressly authorises the disclosure by credit providers of personal information to a credit reporting agency; a mortgage insurer; and the assignee of a debt to the credit provider. Under NPP 2.1, such disclosure may require the consent of the individual concerned, depending primarily on whether the specific circumstances authorised by Part IIIA are related secondary purposes within the reasonable expectations of the individual: see also Ch 57.

[219] For example, credit reports may be used by mortgage insurers and those considering entering securitisation arrangements, without the individual’s consent: Privacy Act 1988 (Cth) s 18K(1)(ab), (ac), and (d), as compared to NPP 2.1.

[220] Ibid s 18F, as compared to NPP 3.