17.08.2010
73.196 Several bodies are involved in the regulation of the telecommunications industry. ACMA is a statutory authority[255] with specific regulatory powers conferred on it by a number of Acts, including the Telecommunications Act, Telecommunications (Consumer Protection and Service Standards) Act 1999 (Cth), Spam Act and the Do Not Call Register Act.
73.197 The TIO is an external dispute resolution scheme that investigates and determines complaints by users of carriage services,[256] including complaints about breaches of the NPPs.[257] The OPC also deals with complaints of interference with privacy in the telecommunications industry.
73.198 The Commonwealth Ombudsman inspects, and reports on, actions taken under the Telecommunications (Interception and Access) Act by Commonwealth law enforcement agencies.[258] The IGIS also has various oversight powers under the Telecommunications (Interception and Access) Act.[259]
73.199 Each of these regulatory bodies receives privacy-related complaints from consumers. ACMA noted that concern about privacy was a theme in a number of the complaints it received in 2006–07.[260]In this same period, the TIO received 2,343 complaints relating to privacy of consumers with a landline, mobile telephone or internet connection. Many of these complaints related to telemarketing.[261] In 2006–07, the OPC received 81 complaints about privacy in the telecommunications sector (approximately 10% of all complaints) and 756 telephone enquires about privacy in the telecommunications sector (approximately 10% of all NPP telephone enquiries).[262]
73.200 These regulatory bodies have different powers to resolve complaints. For example, the TIO has the power to order service providers to provide complainants with compensation of up to $10,000.[263] There is no statutory limit on the amount of compensation that the Privacy Commissioner can award to a complainant.[264]
73.201 Stakeholders making submissions to the OPC Review noted that the existence of multiple regulators in the telecommunications industry had the potential to: confuse consumers wishing to complain about telecommunications privacy issues; delay or complicate the resolution of complaints;[265] and waste agency resources.[266] Telstra suggested that industry complaint-handling bodies be given responsibility for considering privacy-related complaints at first instance. It submitted that this would ensure the efficient and timely investigation of complaints and enable the OPC to focus on broader privacy issues.[267] The OPC noted that it could work closely with other privacy regulators to ‘ensure that privacy complaints are handled efficiently and to minimise confusion and costs for both individuals and organisations’.[268]
73.202 Although it is not a regulator, the Communications Alliance plays a key role in the regulation of the telecommunications sector. Membership of the Alliance is drawn from a cross-section of the communications industry, including service providers, vendors, consultants and suppliers as well as business and consumer groups. The Alliance develops and promotes compliance with industry codes. It has put in place a scheme that allows a carrier or carriage service provider to commit formally to comply with Communications Alliance Industry Codes. Part 6 of the Telecommunications Act provides that organisations such as Communications Alliance can create industry codes in relation to privacy for the telecommunications sector.
73.203 In DP 72, the ALRC noted that stakeholders had raised a range of issues concerning multiple bodies with responsibility for privacy in the telecommunications industry. Stakeholders noted that the overlapping complaints regime results in confusion and a loss of confidence by consumers in the ability of the telecommunications industry to handle their complaint; delay in the resolution of complaints; increased compliance costs for telecommunications providers; duplication of effort by regulators; and forum shopping. It was submitted that the regulatory roles of ACMA, the TIO and the OPC, as well as the Communications Alliance, should be clarified and relationships strengthened. Some stakeholders suggested that the OPC should be responsible for all telecommunications privacy matters, while others noted that the OPC does not have the resources or the expertise to deal with telecommunication privacy matters.[269]
73.204 The ALRC has concluded that there are advantages in having multiple bodies with responsibility for telecommunications privacy. Industry-specific regulators, such as ACMA and the TIO, play an important role as they provide industry expertise. Industry-specific regulators also reduce the volume of privacy complaints that would otherwise be made to the OPC, freeing the OPC’s resources for other functions. Another potential benefit is peer review and the promotion of high standards of performance.
73.205 In the ALRC’s view, however, the relationship between the various bodies with responsibility for telecommunications privacy needs to be clarified and strengthened. The ALRC has considered only the role of each of these bodies in relation to the regulation of privacy. The role and function of each of these bodies in the regulation of the telecommunication industry more broadly should be considered as part of the review recommended in Chapter 71.[270]
Memorandums of understanding
73.206 The Privacy Commissioner has entered into agreements with the New Zealand Privacy Commissioner and the Commonwealth Ombudsman that allow for greater cooperation between their respective offices when dealing with privacy-related complaints. In DP 72, the ALRC proposed that the OPC, TIO and ACMA should develop memorandums of understanding, addressing: the roles and functions of each of the bodies under the Telecommunications Act, Spam Act, Do Not Call Register Act and the Privacy Act; the exchange of relevant information and expertise between the bodies; and when a matter should be referred to, or received from, the bodies.[271]
Submissions and consultations
73.207 A large number of stakeholders supported this proposal.[272] Some stakeholders submitted that the arrangements outlined in the memorandums of understanding should be publicly available.[273] The Communications Alliance submitted that it should be a party to the memorandums of understanding.[274] Optus submitted that the OPC should have full responsibility for privacy regulation.[275]
ALRC’s view
73.208 The OPC, TIO and ACMA should develop memorandums of understanding that address the roles and functions of each of the bodies relating to complaint handling under the Telecommunications Act, Spam Act, Do Not Call Register Act and the Privacy Act. Such agreements also should address the exchange of relevant information and expertise between the bodies.
73.209 As the regulator with expertise in privacy, the OPC should provide advice to the TIO in relation to the interpretation of the model UPPs, and to ACMA on whether a privacy issue is dealt with better under the Privacy Act or the Telecommunications Act. Conversely, given that the TIO and ACMA have expertise in telecommunications issues, they should assist the OPC when it is investigating a telecommunications-related privacy matter.
73.210 The ALRC does not recommend that the Communications Alliance should be a party to the memorandums of understanding because it is not a regulator and does not handle complaints. The Communications Alliance, however, should have a role in the development of guidance and educational material on privacy in the telecommunications industry.[276]
Recommendation 73-8 The Office of the Privacy Commissioner, the Telecommunications Industry Ombudsman and the Australian Communications and Media Authority should develop memorandums of understanding, addressing:
(a) the roles and functions of each of the bodies under the Telecommunications Act 1997 (Cth), Spam Act 2003 (Cth), Do Not Call Register Act 2006 (Cth) and Privacy Act;
(b) the exchange of relevant information and expertise between the bodies; and
(c) when a matter should be referred to, or received from, the bodies.
Complaint-handling policies
73.211 In DP 72, the ALRC proposed that the OPC prepare and publish a document setting out its complaint-handling policies and procedures,[277] and develop and publish enforcement guidelines.[278] The ALRC also proposed that these documents should set out the roles and functions of the OPC, TIO and ACMA under the Telecommunications Act, Spam Act, Do Not Call Register Act and Privacy Act; including when a matter will be referred to, or received from, the TIO and ACMA.[279] All stakeholders that addressed this issue supported the proposal.[280]
73.212 In Part F, the ALRC recommends that the OPC should develop and publish a document setting out its complaint-handling policies and procedures.[281] Consolidating this information into one document should increase the accessibility and transparency of the complaint-handling process, and provide a useful resource for agencies, organisations and individuals. The ALRC also recommends that the OPC should develop and publish enforcement guidelines.[282]
73.213 Both these documents should set out the roles and functions of the OPC, TIO and ACMA under the Telecommunications Act, Spam Act, Do Not Call Register Act and Privacy Act; including when a matter will be referred to, or received from, the TIO and ACMA. The TIO and ACMA also should develop and publish a complaint-handling policy and enforcement guidelines.
Recommendation 73-9 The document setting out the Office of the Privacy Commissioner’s complaint-handling policies and procedures (see Recommendation 49–8), and its enforcement guidelines (see Recommendation 50–3) should address:
(a) the roles and functions of the Office of the Privacy Commissioner, Telecommunications Industry Ombudsman and the Australian Communications and Media Authority under the Telecommunications Act 1997 (Cth), Spam Act 2003 (Cth), Do Not Call Register Act 2006 (Cth) and Privacy Act; and
(b) when a matter will be referred to, or received from, the Telecommunications Industry Ombudsman and the Australian Communications and Media Authority.
Guidance
73.214 In DP 72, the ALRC proposed that the OPC, in consultation with ACMA, Communications Alliance and the TIO, should develop and publish guidance relating to privacy in the telecommunications industry. The guidance should:
outline the interaction between the Privacy Act, Telecommunications Act, Spam Act and the Do Not Call Register Act;
provide advice on the exceptions under Part 13 of the Telecommunications Act, Spam Act and the Do Not Call Register Act; and
outline what is required to obtain an individual’s consent for the purposes of the Privacy Act, Telecommunications Act, Spam Act and the Do Not Call Register Act. This guidance should cover consent as it applies in various contexts, and include advice on when it is, and is not, appropriate to use the mechanism of ‘bundled consent’.[283]
Submissions and consultations
73.215 A number of stakeholders supported this proposal.[284] The DBCDE submitted that there appears to be considerable merit in providing greater guidance on the interaction between the relevant Acts, particularly the exemption and consent arrangements. The Department noted, however, that it may be more appropriate for ACMA to have primary carriage of this responsibility, in consultation with the DBCDE. The Department’s view was based on ACMA’s expertise in regulation of the telecommunications industry and the Department’s responsibility for telecommunications policy.[285]
73.216 One stakeholder noted, however, that she had concerns about ‘consent as it applies in various contexts’ being covered in guidance and not legislation, and that the ALRC’s proposal mentioned the involvement of Communications Alliance, but not privacy advocates or consumer organisations.[286]
ALRC’s view
73.217 Since the deregistration of the Australian Communications Industry Forum Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, there is little published guidance on information privacy in the telecommunications industry.
73.218 Submissions to the OPC Review and the current Inquiry indicate that telecommunications providers, regulators and individuals would benefit from the development of such a document, particularly in relation to the interaction between the Privacy Act and other legislation that deals with telecommunications privacy issues.
73.219 The guidance should outline the interaction between the Privacy Act, Telecommunications Act, Spam Act,and Do Not Call Register Act and include advice on the operation of the exceptions, and on what is required to obtain an individual’s consent under each Act. Issues related to exceptions and consent under telecommunications legislation are discussed in more detail above and in Chapter 72.
73.220 All bodies with responsibility for telecommunications privacy should be involved in the development of this guidance. The ALRC has concluded, however, that ACMA should have primary responsibility for the development of this advice, as the regulatory body with expertise in the regulation of the telecommunications industry. The guidance should be developed in consultation with relevant stakeholders, including the OPC, TIO, DBCDE, Communications Alliance, privacy advocates and consumer groups, and bodies that represent the direct marketing industry.
Recommendation 73-10 The Australian Communications and Media Authority, in consultation with relevant stakeholders, should develop and publish guidance relating to privacy in the telecommunications industry. The guidance should:
(a) outline the interaction between the Privacy Act, Telecommunications Act 1997 (Cth), Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth);
(b) provide advice on the exceptions under Part 13 of the Telecommunications Act, Spam Act and the Do Not Call Register Act; and
(c) outline what is required to obtain an individual’s consent for the purposes of the Privacy Act, Telecommunications Act, Spam Act and Do Not Call Register Act. This guidance should cover consent as it applies in various contexts, and include advice on when it is, and is not, appropriate to use the mechanism of ‘bundled consent’.
Educational material
73.221 In DP 72, the ALRC proposed that the OPC, in consultation with the AGD, ACMA, the Office of the Commonwealth Ombudsman, the IGIS and the TIO, should develop and publish educational material that addresses: the rules regulating privacy in the telecommunications industry; the various bodies that are able to deal with a complaint in relation to privacy in the telecommunications industry; and how to make a complaint to those bodies.[287]
Submissions and consultations
73.222 All stakeholders that addressed this issue supported the proposal.[288] The DBCDE supported the proposal but noted that it may be more appropriate for ACMA to have primary carriage of this responsibility, in consultation with the DBCDE. In the DBCDE’s view, ACMA may be better suited to this role as it has expertise in regard to regulation of the telecommunications industry.[289]
ALRC’s view
73.223 The ALRC notes that the TIO publishes a number of ‘Position Statements’ designed to inform the public about a range of telecommunications issues, including privacy. ACMA also publishes on its website some material on Part 13 of the Telecommunications Act. There is little information about the operation of the Telecommunications (Interception and Access) Act on the website of the AGD.
73.224 It is important that individuals are aware of the obligations of agencies and organisations under telecommunications privacy laws, and know how to seek redress for a breach of those obligations. The ALRC recommends that ACMA, in consultation with relevant stakeholders, should develop and publish educational material that addresses: the rules regulating privacy in the telecommunications industry; the various bodies that are able to deal with a telecommunications privacy complaint; and how to make a complaint to those bodies. These stakeholders would include the OPC, TIO, DBCDE, Communications Alliance, privacy advocates and consumer groups.
73.225 These educational materials also should address agencies’ and organisations’ obligations under the Telecommunications (Interception and Access) Act. ACMA should consult with the bodies with responsibility for the administration and oversight of that legislation—namely, the AGD, the IGIS, and the Commonwealth Ombudsman.
Recommendation 73-11 The Australian Communications and Media Authority, in consultation with relevant stakeholders, should develop and publish educational material that addresses the:
(a) rules regulating privacy in the telecommunications industry; and
(b) various bodies that are able to deal with a telecommunications privacy complaint, and how to make a complaint to those bodies.
[255]Australian Communications and Media Authority Act 2005 (Cth) s 8(1).
[256]Telecommunications (Consumer Protection and Service Standards) Act 1999 (Cth) s 128(4).
[257]Telecommunications Industry Ombudsman Constitution, 20 May 2006, cl 4.1.
[258]Commonwealth Ombudsman, Submission PR 202, 21 February 2007.
[259] See discussion of the IGIS above.
[260] Australian Communications and Media Authority, Annual Report 2006–07 (2007), 60.
[261] Telecommunications Industry Ombudsman, Annual Report 2006–07 (2007), 54–55. Communications Alliance noted that it has conducted an analysis of the privacy-related complaints data generated by the TIO as a result of Communications Alliance’s review of the Australian Communications Industry Forum, Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, ACIF C523 (1999). This research suggests that the TIO is classifying what actually are telemarketing related complaints as privacy complaints. Further, some of these complaints may be attributed incorrectly to the telemarketing activities of a supplier, when the unsolicited telemarketing activity is the action of an independent telemarketing agency. Communications Alliance submitted that, although the TIO recorded 2,718 complaints relating to privacy in 2004–05, it may be that reported privacy breaches in the telecommunications sector are not as prevalent as the TIO’s statistics would suggest: Communications Alliance Ltd, Submission PR 198, 16 February 2007.
[262] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 44, 48.
[263]Telecommunications Industry Ombudsman Constitution, 20 May 2006, [6.1]. It can also recommend the provision of compensation for amounts between $10,000 and $50,000: see Telecommunications Industry Ombudsman Constitution, 20 May 2006, [6.2].
[264] The powers of the Privacy Commissioner to make determinations are discussed in Ch 49.
[265] Australian Communications Authority, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004, [1.3]; Telstra Corporation Limited, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004, 9.
[266] Australian Communications Authority, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004, [1.3].
[267] Telstra Corporation Limited, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004, [1.7].
[268] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 159.
[269]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [64.119]–[64.126].
[270] Rec 71–2.
[271]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 64–5.
[272]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; I Graham, Submission PR 427, 9 December 2007; AAPT Ltd, Submission PR 338, 7 November 2007.
[273]Communications Alliance Ltd, Submission PR 439, 10 December 2007; I Graham, Submission PR 427, 9 December 2007.
[274]Communications Alliance Ltd, Submission PR 439, 10 December 2007.
[275]Optus, Submission PR 532, 21 December 2007.
[276] See Recs 73–10, 73–11.
[277]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–8.
[278]Ibid, Proposal 46–2.
[279]Ibid, Proposal 64–6.
[280]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; I Graham, Submission PR 427, 9 December 2007.
[281] Rec 49–8.
[282] Rec 50–4.
[283]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 64–7.
[284]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Communications Alliance Ltd, Submission PR 439, 10 December 2007.
[285]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
[286]I Graham, Submission PR 427, 9 December 2007.
[287]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 64–8.
[288]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; I Graham, Submission PR 427, 9 December 2007.
[289]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.