Are two privacy regimes necessary?

71.32 A threshold question is whether two privacy regimes are necessary in the telecommunications industry, or whether the industry should be regulated under telecommunications-specific privacy laws or the Privacy Act.

Submissions and consultations

71.33 Some stakeholders argued that telecommunications-specific privacy laws are necessary. Stakeholders noted that Part 13 of the Telecommunications Act and the Privacy Act have different purposes. While the Privacy Act sets out individuals’ rights relating to the handling of their personal information, Part 13 is directed more towards deterrence and punishment.[32]

71.34 Stakeholders also noted that Part 13 deals with many aspects of the telecommunications industry that are not addressed by the Privacy Act. For example, the Department of Communications, Information Technology, and the Arts (DCITA)[33] submitted that the content and substance of communications and unlisted numbers require industry-specific privacy regulation because they will not always be protected under the Privacy Act.[34]

71.35 Some stakeholders noted that while the Privacy Act is largely premised on organisations collecting personal information from an individual, this is not the case in the telecommunications industry. It was noted that the very nature of telecommunications carriage services necessitates carriage service providers receiving, not necessarily ‘collecting’, and disclosing information relating to the affairs and personal particulars of customers and people who are not their customers.[35]

71.36 It also was noted that the telecommunications industry has access to vastly more information about individuals than most organisations, including information about their own customers and other members of the general public. Such information includes the content of their communications.[36]

71.37 The Office of the Victorian Privacy Commissioner (OVPC) submitted that telecommunications regulation is an area where fragmentation is a positive thing.

Care should be taken not to ask or expect all things from generic privacy laws or from a single regulator. Here, separate regulation with purpose-built protections is desirable as it covers intrusive activities (eg listening in to telephone conversations) that may not generate any records. Privacy legislation is essentially about protecting documents or records, not transmissions.[37]

71.38 It was submitted that the Telecommunications Act permits the use and disclosure of personal information where it is necessary for the efficient functioning of the telecommunications industry. For example, the telecommunications sector relies on the interconnection of different telecommunication networks in order to enable a consumer to communicate with any other user, regardless of the networks to which those end-users are connected. Accordingly, exceptions under Part 13 of the Telecommunications Act that go beyond those available under the Privacy Act are necessary to enable industry networking arrangements to work efficiently and effectively.[38]

71.39 Other stakeholders, however, argued that much of the information used and disclosed in the telecommunications industry could be regulated under the Privacy Act. It was submitted that, in most cases, the personal information collected by telecommunications service providers is no different to personal information collected in other sectors. This information often will be obtained in the course of business but will not be related directly to the carriage of telecommunications services.[39] For example, personal information held by a telecommunications company, a bank or an electricity supplier in relation to any given customer is likely to be broadly similar—it would include identifying information such as the individual’s name, address, telephone number and other contact information; as well as other information such as billing history, credit card details and likely income level.[40]

71.40 A number of stakeholders also noted that, due to technological and market ‘convergence’,[41] the boundaries between the telecommunications industry and other related industries are starting to blur.

Increasingly, communications and related services will rely on a range of intermediate services and databases. If differences in the treatment of personal information persist between ‘telecommunications’ services and other businesses, the potential for unintended outcomes and for difficulties in administration across regulatory boundaries will increase markedly. This will become increasingly problematic as communications becomes embedded in more and more services.[42]

71.41 The communications industry also is experiencing business diversification, specialisation and the entry of new niche industry participants. The lower cost of creating and distributing digitalised content and communications is lowering barriers to market entry and resulting in the emergence of new online services and environments.[43]

71.42 Stakeholders outlined a number of options for reform. It was suggested in one submission that the development of an instrument focused on telecommunications privacy would be appropriate.[44] The European Union has taken steps to regulate specifically the handling of data by the telecommunications industry. For example, the 2002 Directive on privacy and electronic communications requires Member States to enact legislation to ensure the confidentiality of telecommunications and telecommunications data,[45] and to ensure that subscribers to telecommunication services are given the opportunity to determine whether their personal data are included in a public directory.[46] The 2006 data retention Directive aims to ensure that telecommunications data are retained for a certain period in case they are required for law enforcement purposes.[47] It also requires Member States to ensure that data are stored securely, and destroyed at the end of the retention period.[48]

71.43 Another stakeholder argued that the deregistration of the ACIF Industry Code—Protection of Personal Information of Customers of Telecommunications Providers has resulted in regulatory gaps in the protection of personal information in the telecommunications industry. It also was noted that deregistration of the Code has resulted in a number of small telecommunications businesses not being regulated by any privacy rules, as they are not covered by the Privacy Act.[49] AAPT suggested that one option would be the development of an overarching document, whether a code, guide or separate piece of legislation, that provides a comprehensive overview of telecommunications privacy.[50] Others submitted, however, that the development of a telecommunications-specific industry privacy code is likely to result in additional compliance cost and a greater overlap with existing regulation.[51]

71.44 The OPC submitted that consideration should be given to removing the exceptions under Part 13 (while keeping the Part 13 offence provisions), and allowing the Privacy Act to regulate use and disclosure under that Part.[52]

71.45 It was also suggested that Part 13 could be moved into the Privacy Act, perhaps as an industry-specific section of the Act.[53] Optus submitted that telecommunications privacy provisions, if included in the Privacy Act, should:

  • cover both personal information, including the affairs or personal particulars of persons, as well as the content of communications and carriage services;

  • contain the same protections regarding the primary and secondary uses and disclosures contained within the Telecommunications Act; and

  • contain the exemptions from Part 13 of the Telecommunications Act that cover the permitted use and disclosure of content, carriage services and personal information.[54]

71.46 Stakeholders also suggested that privacy regulation applying to the telecommunications sector should be aligned with the general privacy provisions contained in the Privacy Act, particularly in the area of exemptions and penalties.[55] The OPC Review noted the possibility of amending the Telecommunications Act and the Privacy Act to ensure the highest of the two standards always operates.[56]

ALRC’s view

71.47 The ALRC sees merit in the promulgation of telecommunications privacy regulations under the Privacy Act to regulate the handling of personal information. The regulations could:

  • protect ‘personal information’ regardless of whether the information came into the knowledge or possession of a telecommunication services provider in the circumstances outlined in Part 13;

  • contain the same protections regarding the primary and secondary uses and disclosures contained within the Telecommunications Act; and

  • contain the exemptions from Part 13 of the Telecommunications Act that cover the permitted use and disclosure of content, carriage services and personal information.

71.48 Another option would be for the Privacy Commissioner to issue binding telecommunications privacy guidelines similar to the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs (Medicare Guidelines) issued under s 135AA of the National Health Act 1953 (Cth).[57] The advantage of both these options is that the telecommunications industry would have one set of rules to regulate the handling of ‘personal information’ and possibly other information.[58]

71.49 The ALRC has concluded, however, that both the Telecommunications Act and the Privacy Act should continue to regulate privacy in the telecommunications industry. The ALRC has reached this conclusion based on a number of considerations.

71.50 First, the telecommunications industry handles sensitive personal information. In addition to financial information, telephone numbers and other contact information, telecommunications service providers hold information about when, how and with whom individuals communicate, and the content of those communications. It is appropriate that the use and disclosure of this information is subject to more stringent rules than those in the Privacy Act.

71.51 The ALRC acknowledges that other organisations, such as banks, handle information that is just as sensitive as information handled by telecommunications service providers, and that these organisations are not regulated under stringent provisions such as Part 13 of the Telecommunications Act. The ALRC notes, however, that banks and other financial institutions are subject to a range of laws other than the Privacy Act that regulate the handling of sensitive financial information.[59] Further, organisations and agencies that handle particularly sensitive information are often subject to secrecy provisions that are more stringent than the Privacy Act provisions. These provisions are discussed in Chapter 15.

71.52 Secondly, as outlined above, the Telecommunications Act protects a broader category of information than the Privacy Act in the context of information that comes into the knowledge or possession of a person in the circumstances outlined in Part 13. For example, the Privacy Act regulates only personal information held or collected for inclusion in a ‘record’.[60] In contrast, Part 13 of the Telecommunications Act regulates information that may or may not be held in a record.[61] Further, Part 13 of the Telecommunications Act regulates information and documents about organisations, as well as individuals.[62]

71.53 The ALRC considered whether Part 13 should be transferred to the Privacy Act. The ALRC also considered whether the Privacy Act or the Telecommunications Act should regulate ‘personal information’ handled by telecommunications service providers regardless of whether it came into their knowledge or possession in the circumstances outlined in Part 13. Such an amendment, however, would create confusion and further fragment the regulation of the telecommunications industry. Further, as noted above, it is the ALRC’s view that the type and volume of information handled by telecommunications service providers warrants special protection.

71.54 Thirdly, Part 13 of the Telecommunications Act does not regulate all stages of the information-handling cycle. These matters are dealt with under the Privacy Act. The ALRC considered whether Part 13 of the Telecommunications Act should be amended to include rules relating to all stages of the information-handling cycle. The ALRC concluded, however, that because Part 13 regulates, in addition to personal information, the handling of non-personal information, such an amendment could create further complexity, may not be appropriate in the context of non-personal information, and may be beyond the ALRC’s Terms of Reference for this Inquiry.

71.55 Fourthly, the ALRC notes that specific exceptions to the offence provisions in Part 13, which go beyond those available under the Privacy Act, are necessary to enable industry networking arrangements to work efficiently and effectively. The ALRC considered whether telecommunications-specific exceptions under the Privacy Act could accommodate these uses and disclosures. In the ALRC’s view, however, this would add an undesirable layer of complexity to privacy regulation in the telecommunications industry. The exceptions to the use and disclosure offences are considered in Chapter 72.

71.56 Finally, determining whether a telecommunications service provider has complied with Part 13 requires technical knowledge and understanding of how the telecommunications industry operates. The Telecommunications Act is currently administered by ACMA. ACMA has expertise in the regulation of the telecommunications industry that the OPC does not have.

71.57 The interaction between the Telecommunications Act and the Privacy Act should be clarified. The ALRC’s approach to reform in this area involves:

  • clarification of the scope of the exceptions to the use and disclosure offences under the Telecommunications Act;

  • where appropriate, the alignment of the exceptions to the use and disclosure offences under the Telecommunications Act with the exceptions under the ‘Use and Disclosure’ principle in the model UPPs;

  • ensuring that all participants in the telecommunications industry are subject to privacy regulation;

  • the development and publication of guidance relating to privacy in the telecommunications industry that addresses the interaction between the Telecommunications Act and the Privacy Act; and

  • greater cooperation between the bodies with responsibility for privacy regulation in the telecommunications industry.

[32] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Australian Federal Police, Submission PR 186, 9 February 2007.

[33] Now the Department of Broadband, Communications and the Digital Economy.

[34] Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007.

[35] I Graham, Submission PR 427, 9 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[36] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[37] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007. See also Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007.

[38] Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007.

[39] Australian Communications and Media Authority, Submission PR 268, 26 March 2007.

[40] Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007.

[41] ‘Convergence’ refers to a range of different technologies performing similar tasks. An example of a ‘convergent device’ is the mobile phone and other mobile communications devices that can act as multimedia platforms and, in particular, deliver audiovisual content. See Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 21; Australian Government Department of Communications, Information Technology and the Arts, Review of the Regulation of Content Delivered Over Convergent Devices (2006).

[42] Australian Communications and Media Authority, Submission PR 268, 26 March 2007. See also Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[43] Australian Communications and Media Authority, ACMA Communications Report 2005–06 (2006), 22.

[44] K Pospisek, Submission PR 104, 15 January 2007.

[45] European Parliament, Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, Directive 2002/58/EC (2002), art 5.

[46] Ibid, art 12.

[47] European Parliament, Directive on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks, Directive 2006/24/EC (2006), art 1.

[48] Ibid, art 7.

[49] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[50] AAPT Ltd, Submission PR 87, 15 January 2007.

[51] Telstra, Submission PR 185, 9 February 2007.

[52] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[53] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Law Society of New South Wales, Submission PR 443, 10 December 2007.

[54] Optus, Submission PR 532, 21 December 2007.

[55] Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[56] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 60.

[57] Office of the Privacy Commissioner, Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs: Issued under Section 135AA of the National Health Act 1953 (2008).

[58] The ALRC notes that the Medicare Guidelines regulate ‘Medicare claims information’ and ‘Pharmaceutical Benefits claims information’. This information would include information other than ‘personal information’ as defined in the Privacy Act 1988 (Cth): Office of the Privacy Commissioner, Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs: Issued under Section 135AA of the National Health Act 1953 (2008).

[59] These laws include the common law duty of confidence owed by banks to their customers (see discussion in Ch 53) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (see discussion in Ch 16).

[60] Privacy Act 1988 (Cth) s 16B. ‘Record’ is defined under s 6 of the Privacy Act 1988 (Cth).

[61] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[62] For example, Part 13 regulates the use and disclosure of the affairs ‘of another person’. ‘Person’ is defined in s 7 of the Telecommunications Act as including a partnership.