15.45 The APPs under the Privacy Act 1988 (Cth) regulate the handling of personal information by APP entities, ie government agencies and organisations. Notably, small businesses with an annual turnover of less than $3 million are exempt from the definition of ‘organisation’ and thus from the ambit of the APPs unless, for instance:
the small business trades in personal information;
the small business handles health information; or
the small business operator notifies the OAIC in writing of its desire to be treated as an organisation.
15.46 In its 2008 report For Your Information, the ALRC recommended that the small business exemption be removed from the Privacy Act. Several stakeholders, in submissions to the ALRC’s current Inquiry, noted that the exemption remains in the Privacy Act, and that the removal of the exemption would have benefits for privacy.
15.47 Ensuring that small businesses handle personal information in an appropriate way may be particularly important in the digital era. A small business in the digital era can readily collect personal information through, for example, software on mobile phones or websites. Removing the small business exemption may therefore provide for better information privacy protections in the digital era.
15.48 The ALRC acknowledges, however, that removing the small business exemption may have compliance costs for small businesses. The ALRC considers that the small business exemption should be given further consideration, particularly given the growth of digital communications and the digital economy since the 2008 recommendation. The Productivity Commission, for instance, may be well-placed to investigate the likely impacts on small businesses if the small business exemption were removed. Such an investigation could give detailed consideration to the application of limited data protection models to small businesses in other jurisdictions as well as other options for improving the protection of personal information held by small business.
An extended complaints process for the OAIC
15.49 In its submission to Issues Paper 43, the Office of the Australian Information Commissioner outlined a proposal for a new ‘complaints model’. The OAIC suggested that this model could provide an alternative to the statutory cause of action for serious invasions of privacy. A core element of the OAIC’s proposal would be a new power granted to the Australian Information Commissioner to receive complaints from individuals about intrusions into seclusion. This new power would extend the existing powers of the Commissioner to hear complaints about breaches of the APPs.
15.50 An intrusion into seclusion would, under the OAIC’s proposal, constitute an ‘interference with the privacy of an individual’. This would allow the individual to bring a complaint to the Commissioner, or for the Commissioner to undertake an own motion investigation. In the event that the Commissioner determined that an intrusion into seclusion had occurred, the existing powers of the Commissioner would allow for a range of declarations to be made. A determination of the Commissioner would then be enforceable through the Federal Court or Federal Circuit Court.
15.51 In the event that the intrusion into seclusion was serious or repeated, the intrusion would be a contravention of a civil penalty provision. The Commissioner would then be empowered to apply to the Federal Court or Federal Circuit Court for an order that the respondent pay a civil penalty.
15.52 The ALRC acknowledges that the OAIC’s proposed complaints model may offer several advantages over other methods of dealing with privacy disputes, in particular through litigation. Most significantly, the complaints model may be cheaper and faster than litigation, and may be less taxing on parties to a dispute. The complaints model would also take advantage of the OAIC’s existing powers and expertise in handling complaints about information privacy.
15.53 However, the OAIC’s proposed complaints model would face several challenges. First, as noted by the OAIC in its submission, the model would require substantial additional OAIC resourcing, particularly if the complaints process were to be readily available across the country. Second, also as noted by the OAIC, the respondents to complaints under the existing Privacy Act are typically government agencies and large businesses. Although it may be possible to extend the Privacy Act to include complaints against individuals more generally, such an extension may have significant consequences which would need detailed consideration. Third, the Privacy Act contains a range of exemptions, such as the small business exemption noted above. While these exemptions remain in place, a complaints process based on the Privacy Act would have significant limitations.
15.54 For these reasons, the ALRC has not proposed extending the Privacy Act or the powers of the Australian Information Commissioner in the way proposed in the OAIC submission. However, the ALRC notes that further consideration of the complaints model may be appropriate in the future.
Privacy Act 1988 (Cth) s 6(1) (definition of ‘APP entity’).
Ibid ss 6C, 6D.
Ibid ss 6D, 6E, 6EA.
ALRC, For Your Information: Australian Privacy Law and Practice, Report 108 (2008) Rec 39–1.
‘Mobile Apps’ (Occasional paper 1, Australian Communications and Media Authority, May 2013); ‘The Cloud—services, Computing and Digital Data’ (Occasional paper 3, Australian Communications and Media Authority, June 2013); ‘Mobile Privacy: A Better Practice Guide for Mobile App Developers’ (Office of the Australian Information Commissioner, September 2013).
Data Protection Act 1998 (UK).
For example, the small business exemption could be limited so that small businesses handling sensitive information would not be exempt. Sensitive information includes personal information about an individual’s racial or ethnic origin, political opinions, membership of political associations, religious beliefs or affiliations, philosophical beliefs, professional or union membership, sexual orientation or practices or criminal record, as well as health information, genetic information, and certain types of biometric information: Privacy Act 1988 (Cth) s 6(1) (definition of ‘sensitive information’).
Ibid s 6(1) (definition of ‘interference with the privacy of an individual’).
Ibid s 36.
Ibid s 40.
These declarations could include: that the complainant is entitled to an amount of compensation; that the respondent should perform specific actions to ensure that the intrusion does not occur again; or that the respondent should perform specific actions to redress any loss or damage suffered by the complainant: Ibid s 52.
Ibid s 55A.
Ibid ss 13G, 80U, 80W, 80X.