Greenleaf, Graham --- "Commonwealth abandons privacy - for now" [1997] PrivLawPRpr 19; (1997) 4(1) Privacy Law & Policy Reporter 1
Commonwealth abandons privacy — for now
Graham Greenleaf
The first two issues of Volume 4 of PLPR focus on the Commonwealth Government’s decision to abandon its plans for a comprehensive extension of the Privacy Act 1988 to cover the private sector, and its assertion that privacy is best protected by voluntary codes of conduct.
For a period following the release of the Commonwealth’s Discussion Paper Privacy Protection in the Private Sector in September 1996 (see (1996) 3 PLPR 81), it appeared that a consensual approach to the introduction of private sector privacy laws was emerging in Australia (see 3 PLPR 161) and that the Coalition Government intended to honour its election commitments to ‘best international practice’ in privacy protection (see (1996) 3 PLPR 1).
Australia’s approach to privacy protection is in disarray, following the Prime Minister’s announcement in March that the Government opposed any general privacy laws for the private sector. This article argues that it will be difficult for the Commonwealth to sustain this position. Developments such as the following are increasing pressure on the Government to change its position yet again.
- The claimed reason for abandonment, ‘compliance costs’, remains unsupported by evidence, particularly when compared against alternatives, is not borne out by business surveys, and is attracting critical attention in Parliament.
- Despite the Prime Minister’s request, State and Territory Governments have not abandoned their plans to legislate for privacy in the private sector, with such legislation likely in NSW, Victoria and the ACT, and under investigation in Queensland. The enactment of any such laws, and even the law reform processes that precede them, are likely to increase business fears of a patchwork of inconsistent State and Territory laws and the more significant compliance costs entailed by them.
- The Commonwealth’s decision to legislate for privacy protection in relation to outsourcing increases the range of private sector organisations that have to comply with the Privacy Act in relation to some of their activities, but not others. Here, as with employment case management services, health service providers, private health funds, and the telecommunications industry, privacy protection is not voluntary and not uniform.
- The approach of the Commonwealth Privacy Commissioner that voluntary codes of conduct must not provide lesser standards of privacy protection than best international practice, makes it less likely that acceptable voluntary codes will reduce compliance costs.
- The federal budget’s gutting of the Human Rights and Equal Opportunity Commission (HREOC), of which the Privacy Commissioner’s office is a part, makes the development of any consistent or concerted approach to voluntary codes even more problematic.
- An alliance of privacy and consumer advocates, and some business organisations, is committed to a long-term campaign to obtain ‘fair privacy laws’, and is not accepting that voluntary codes of conduct are the way ahead.
- International factors relating to the European Union, Hong Kong and Canada, are increasing the risks to Australia of a lack of comprehensive privacy laws and Australian businesses recognise this risk as significant.
- The Government’s breaking of its election promises in relation to privacy — or, technically speaking, their re-positioning as ‘non-core’ promises — may be the last factor taken into account, but will continue to embarrass the Government.
None of these factors are likely to change the Government’s position overnight, but they do mean that the pressures on the Government on this issue are unlikely to abate. Although Attorney-General Williams and his Department have at this stage proven to be ineffective as advocates for a positive approach to privacy protection within the Government, continuing negative pressures may be more effective. The Government’s position is also probably less absolute than it appears, and has already been described as ‘not now’ rather than ‘not ever’ by Finance Minister Fahey and Health Minister Wooldridge.
Comprehensive private sector privacy laws for Australia will remain a live issue which will not be exorcised by Prime Ministerial fiat.
Those elusive ‘compliance costs’
When Prime Minister John Howard announced on 21 March 1997, following a Premiers Conference, that the Coalition Government had decided against enacting information privacy laws for the private sector, his stated reasons (Prime Minister, Press Release ‘Privacy Legislation’, 21 March 1997) were:
The Commonwealth opposes such proposals which will further increase compliance costs for all Australian businesses, large and small. At a time when all heads of Government acknowledge the need to reduce the regulatory burden, proposals for new compulsory regimes would be counterproductive. On these grounds, the Commonwealth will not be implementing privacy legislation for the private sector.
Price Waterhouse’s 1997 Privacy Survey (see (1997) 4 PLPR 21) contradicts the Government’s position — major Australian businesses do not share this fear of compliance costs. Of the 130 major companies who responded, 79 per cent felt only minor changes would be required to their business practices in order to comply with legislation. Near two-thirds of the companies, most with sales figures in the billions of dollars, believed it would cost them less than $100,000 to conform to any privacy legislation, or less than 0.001 per cent of sales revenue.
The NZ Privacy Commissioner, as part of a comprehensive debunking of the virtues of voluntary codes compared with legislation (see (1997) 4 PLPR 6), argues that ‘the compliance costs for most small businesses in NZ have been almost nil’.
Why then, did the Government reverse its position? Mr Howard did not mention that the proposal that the Commonwealth was ‘opposing’ was principally that of his own Attorney-General, Daryl Williams, whose Discussion Paper Privacy Protection in the Private Sector had proposed such a regime. Just the week before, Attorney-General Williams presented an agenda paper outlining the Commonwealth’s position to the Standing Committee of Attorney’s-General (SCAG) (‘Development of a privacy regime for the private sector’ SCAG, Melbourne, 14 March 1997) which said, inter alia:
Over 100 submissions have been received on the discussion paper and further submissions are expected. The vast majority of submissions acknowledged the need for privacy law reform and support a national co-regulatory approach. A large number of submissions indicate that this is an area where a response by the Commonwealth Government would be preferred to a range of State privacy regulatory regimes.
There was no mention of concerns about compliance costs, though it did note that the NZ Privacy Act 1993, one of the models for the Australian proposals ‘had shown itself to be workable from a business perspective’. It seems that the parties that complained most about compliance costs did not do so principally through submissions to the Attorney, but went directly to the Prime Minister. These were the Australian Chamber of Commerce and Industry (ACCI), the Victorian Chamber of Commerce and Industry (VCCI) and some of the banks. The agenda paper noted that further consultations were underway, ‘with a view to developing legislation for introduction ... during 1997’, reinforcing the view that the abandonment had little to do with submissions received on the discussion paper. Two months later, in a speech on privacy to the Banking Law and Practice Conference (22 May), Attorney-General Williams had nothing to add on the question of compliance costs. A Parliamentary Committee is questioning the Attorney-General on the issue of which submissions caused the Government’s backflip.
One reason that the anti-privacy business groups had an opening to exploit was that Attorney-General Williams and his Department, in the Discussion Paper, had left the Privacy Act’s Information Privacy Principles (IPPs) unamended in their proposed application to the private sector. Since an unamended IPP 5(3) would impose unsupportable record-keeping and reporting costs on all businesses, and particularly small businesses, its inclusion was opposed by the Privacy Commissioner and most privacy advocates (see, for example, (1996) 3 PLPR 166, 191). Nevertheless, the damage was done, and the Discussion Paper’s failure to clearly signal that IPP 5 would need amendment seems to have been a tactical error.
States fail to salute
In his March press release the Prime Minister said:
I asked the premiers not to introduce legislation on this matter within their own jurisdictions. Both the NT and Queensland have agreed not to introduce such legislation. Other States have indicated that they will consider the Commonwealth’s request. I will be writing to the States on this matter.
Two months later, Attorney-General Williams had no more names to add to the list of compliant jurisdictions (speech to the Banking Law and Practice Conference, 22 May 1997).
A week earlier, Victor Perton MP, Chair of Victoria’s Data Protection Advisory Committee, informed the IIR Conference on Data Protection and Privacy that ‘the Victorian Government is still considering its position. It will make its decision in the light of its perception of the best interests of Victoria and the advancement of electronic commerce’ (see (1997) 4 PLPR 5 for the written speech). Victoria is pressing ahead with its plans to create the necessary legal infrastructure for electronic commerce, and sees urgency in the matter because of the need to compete with Malaysia and other regional jurisdictions. Victoria will introduce a package of measure later this year. It seems very likely the Victorian Government will deal with the key privacy issues in relation to computerised information (sometimes called ‘data protection’ in Europe), even if it does not address all aspects of private sector privacy, in such a context. The intention to legislate for privacy in relation to electronic commerce was confirmed by the Victorian Treasurer and Minister for Multimedia, Alan Stockdale, on ABC Radio on 30 May.
The ACT Chief Minister has announced that the federal advice will not be followed in relation to medical records (see (1997) 4 PLPR 12).
NSW Attorney-General Jeff Shaw stated in February that:
While I anticipate that most of the private sector will be governed by the new Commonwealth legislation, if that legislation is delayed and significant issues need to be addressed in NSW, then I will ask the Privacy Commissioner to consider codes of practice for the private sector.
These are compulsory codes issued by regulation, not voluntary codes. Privacy Commissioner designate, Chris Puplick, reiterated this approach in a speech on 13 May.
Even in Queensland, which is on the PM’s short list, a Parliamentary Committee has just launched a wide-ranging enquiry into the need for privacy laws in the private and public sectors, and has pointedly ignored the Prime Minister’s call in its issues paper (see (1997) 4 PLPR 15).
PM volunteers voluntary codes
The Prime Minister also announced in March that he had told the Premiers that the Commonwealth had offered ‘the services of the Federal Privacy Commissioner to assist business in the development of voluntary codes of conduct and to meet privacy standards’. Exactly how the Prime Minister volunteers the services of an independent statutory office holder remains unclear.
The Privacy Commissioner, Moira Scollay, has indicated that she will respond to the Prime Minister’s statement by taking a role in the development of such codes of conduct (see Commissioner Scollay’s articles in 4 PLPR Issue 2). However, she proposes that any codes that her office would be involved in developing would have to meet international best practice, including meeting the minimum standards of the EU privacy Directive; must include ‘a workable complaints mechanism’; and ‘could readily be converted into legislation’ if and when Australian Governments so decide. The Commissioner is also considering development of one single code which applies to the whole private sector, not sector by sector codes (partly for resources reasons).
The Privacy Commissioner has a function ‘to encourage corporations to develop programs for the handling of records of personal information that are consistent with’ the OECD Guidelines (A 27(1)(n)), and it will presumably be in the exercise of this function that the Commissioner becomes involved in the development of voluntary codes. It would seems that it is not consistent with the OECD Guidelines for the Commissioner to become involved in development of codes which do not provide ‘adequate sanctions and remedies’ (Guideline 19). It is worth noting that the Commissioner is also required to take into account other ‘developing general international guidelines.
Commissioner’s Office decimated
Since the Prime Minister announced that the Privacy Commissioner would become involved heavily in the development of voluntary codes for the private sector, the Government’s second budget has cut funding to the Human Rights and Equal Opportunity Commission (HREOC), including the Privacy Commissioner’s office, by cuts of five per cent in 1997–98 and 35 per cent in 1988–89, on top of a 3.56 per cent cut in 1996–97. These cuts of 43 per cent over three years will, according to HREOC’s estimate, require a one-third staff cut at HREOC. The staff cuts will have to take place very soon if they are to result in real savings by 1997–1998. The exact share of the burden which will fall on the Privacy Branch is not yet determined.
The Privacy Commissioner pointed out in a speech on 21 May (see the next issue) that, in light of the budget cuts, ‘the extra tasks which the Government has given me will now be even more problematic’. In the face of very significant staff cuts, the Commissioner is simultaneously expected to deal with the greater complexities of the application of privacy legislation to outsourced public functions (see below), and with convincing the whole of the private sector to adopt consistent voluntary codes which meet international best practice. The Commissioner cannot just cut her statutory obligations in order to give more time to voluntary code encouragement.
The prospect of any concerted development of voluntary codes by the Commissioner, under these circumstances, is remote. The Government cannot expect this process to be taken seriously if no resources are allocated to it, and existing resources decimated so that reallocation of priorities to new tasks is not even an option.
Compliance costs of voluntary codes
The NZ Privacy Commissioner has commented (see (1997) 4 PLPR 6) that:
As to the compliance costs it is difficult to see how a voluntary regime, is going to be less costly for business. First of all, if it is going to be meaningful the compliance costs will be roughly the same. There would have to be a complaint mechanism that delivers remedies or the voluntary system would be laughable. Secondly, the cost of maintaining the complaint mechanism will fall on business.
The Australian Privacy Commissioner has also expressed scepticism that voluntary codes will be less costly to business if they embody best practices.
Outsourcing contradictions
While rejecting any comprehensive private sector legislation, the Government is being forced in Act after Act to extend the Privacy Act in various ways, or enact ad hoc privacy laws, so that increasing parts of the private sector are in fact covered by such laws.
The best known example is the Government’s announcement in April that most Commonwealth Government information technology infrastructure would be outsourced to the private sector, including the processing of personal information held by many Commonwealth agencies. The announcement by the Minister for Finance, John Fahey, only stated that the companies doing the outsourcing would be required to enter contractual guarantees of privacy with the Government. Following considerable press criticism, including on the grounds that the individuals concerned would have no rights of action under such contracts, Mr Fahey ‘clarified’ early the next week that the Government in fact intended to extend the Privacy Act to apply to such outsourcers.
At this stage it is unknown whether the Act will apply to all outsourced Government functions, or only to IT outsourcing. However, any attempt to extend other outsourcing without privacy protections will re-ignite media and talkback hostility.
Even the application to IT outsourcing will be a complex and widespread extension of the Privacy Act into the private sector, as the contractors affected will range from data processing bureau, to computing waste disposal, perhaps to those collecting data through surveys. The data will include some of the most sensitive the Government holds, including social security, tax and medical records.
This raises problems for Government policy. There will be a lot more private sector organisations that have to comply with the Privacy Act in relation to some of their activities, but not others. In order to comply with the Act, organisations will have to constantly distinguish between those records to which the IPPs apply, and those where other standards apply. Some physical premises, and some networks, will need to comply with the security requirements of IPP 4, but others will not. ‘Privacy zone’ signs may be needed to warn employees of what is expected. If the Act is extended in full to these parties, particularly if this can be done without extensive compliance costs, then it starts to beg the question of why a similar set of standards should not be applied to the whole of the private sector.
Private sector codes — not voluntary and not uniform
Privatisation and outsourcing of Government functions has already led the Commonwealth Government to extend privacy laws to a wide range of other private sector bodies in the last two years. These include (see the Privacy Commissioner’s article in the next issue for details):
- private employment services and community organisations providing case management services to the long term unemployed (to be replaced by competitive market provision) — extension of the Privacy Act, plus contractual requirements and other statutory rules;
- accredited hearing services providers — extension of the Privacy Act;
- private health insurers — privacy principles issued by the Health Minister in relation to the incentive scheme; and
- telecommunications carriers and carriage service providers — criminal penalties and other rules expanded from the old legislation, plus mandatory codes which can be issued by the Australian Communications Authority.
In all these private sector areas, privacy protection is not voluntary and not uniform.
International dimension
International pressures on Australia in this area are unlikely to reduce, and are very important to Australian business. The Price Waterhouse survey of 130 of Australia’s largest companies found that businesses perceived that the single most significant privacy issue facing them was the need to comply with international privacy standards (see 4 PLPR 21).
The extent of enforcement of the data export prohibitions in the European Union’s privacy Directive are unlikely to be very clear until after the Directive takes effect in October 1998, but cannot easily be dismissed. European experts who have followed the development of the Directive stress that European authorities regard it as an important element of the protection of human rights and its enforcement as a serious matter. The collapse in April 1997 of the proposed treaty between Europe and Australia, and its replacement by a lower-level joint declaration, because of European insistence on a clause requiring observance of human rights underlines the extent to which Europe is willing to place human rights considerations before other important economic policy goals.
In this region, Hong Kong’s data export prohibitions may come into force earlier than October 1998 (see (1997) 4 PLPR 13).
In both cases, uncertainty among Australian businesses about compliance requirements, and the costs of providing evidence of either an exception to the prohibitions, or the existence of ‘sufficient protection’ in the particular case (not to mention the costs of providing the safeguards), may lead to significant business pressures for Australia to eliminate these problems by having adequate laws. Businesses involved in international transactions using personal information cannot avoid privacy compliance costs: they either face them at home in the form of adequate laws, or they face much higher costs in trying to comply ad hoc with international requirements.
In September 1996, a week after Australia’s ill-fated Discussion Paper was launched, the Canadian Minister of Justice, Alan Rock, announced to the annual gathering of Privacy Commissioners that by the year 2000 Canada aims to have ‘federal legislation ... providing effective, enforceable protection of privacy rights in the private sector’. He said Canada’s previous approach of legislation for Government but self-regulation for the private sector had been reconsidered because ‘it is obsolete’. ‘The protection of personal information can no longer depend on whether the data is held by a public or private institution’. With Canada now planning to legislate, Australia’s international position is more isolated than before.
Campaign for fair privacy laws
Last, but not least, in the factors which may lead the Federal Government to change its position is that an alliance of privacy and consumer advocates and some business organisations, is committed to a long-term campaign to obtain ‘fair privacy laws’. They are not accepting that voluntary codes of conduct are the way ahead, and are continuing to push for legislation. The extent of ‘consumer participation’ in the development of any voluntary codes is still an open question. Privacy advocates intend to use their international contacts through Privacy International and otherwise to ensure that European and other overseas organisations are well-informed on the state of Australia’s privacy laws, and their limitations. The Government has been kept on the defensive in the media since the Prime Minister’s announcement, but it remains to be seen whether the Campaign for Fair Privacy Laws can succeed in the most significant reversal of Australian privacy policy since the defeat of the Australia Card ten years ago.
Graham Greenleaf, General Editor.