Monday, May 28, 2012

Privacy law reform stage 1 in parliament's safe hands

Attorney General Roxon introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 in Parliament last week, outlining some of the changes in a second reading speech and in this media release: Ensuring your right to privacy prevails (pdf).

Media headlines were mostly positive, although you wonder how many made it beyond the media release to the 236 pages of amendments that have to be read in conjunction with the act to make sense of it all. (Admission-I didn't get through to the end either.) (Addition: Canberra academic Bruce Arnold writing for The Conversation says "too early to cheer.")

The marketing industry doesn't like what it sees. Most other commentary, with the notable exception of the Australian Privacy Foundation, welcomes the bill as an (exceedingly slow) step forward on the issues the government carved out as "first stage" reforms from the ALRC report delivered four years ago.

While the Attorney General says the "bill will bring Australia's privacy protection framework into the modern era" and will tighten up the rules around how companies and organisations can collect, use and disclose personal information, the APF describes it as a backward step, and sets out why the 'Anti-Privacy Bill' Should be Scrapped (pdf). 

I doubt there will be many takers for that option. The bill is yet to pass the House and then face the Senate. Let's hope it's somewhat familiar territory there, although in Senate Estimates last week Shadow Attorney General Senator Brandis had a bee in his bonnet about the size of the ALRC report, regardless of its scope and the complexity of the issues:
It has seemed to me for quite a long time now that, although the Australian Law Reform Commission does wonderful work of the very highest standard, it does, if I may say so, somewhat overcapitalise its research. Let me give you an example of what I mean. The privacy report of a few years ago was nearly 2,700 pages long. I am not aware of anyone—academic, government body, think tank; any institution in the world—that has produced a 2,700-page document about privacy.
Provisions in the bill as passed won't come into effect until nine months after assent. E-health is being dealt with separately, and other major issues await stage 2 consideration, including exemptions for smaller business, media organisations in the conduct of journalism and political parties, serious data breach notifications, and a statutory cause of action for serious invasion of privacy. Privacy law reform still has a long way to go.

The bill proposes a single set of privacy principles to apply to both Commonwealth agencies and private sector organisations, new credit reporting provisions, privacy codes, and powers and functions for the Privacy Commissioner to assist in resolving complaints, conducting investigations and promoting privacy compliance. On this, the Attorney General said
"..the Privacy Commissioner will be able to make a determination to direct an organisation to take specific steps to stop certain conduct, or take reasonable action to redress any loss or damage suffered. The commissioner will also be able to obtain enforceable undertakings from an organisation. A court can then make appropriate orders, including orders for compensation. The commissioner will also be able to apply to the court for a civil penalty order against organisations. Penalties range from 200 penalty units—$22,000 for an individual and $110,000 for a company—to 2,000 penalty units, which is $220,000 for an individual and $1.1 million for a company. For serious and repeated breaches of privacy, the penalty will be 2,000 penalty units. This is another remedy for consumers and will encourage compliance with the Privacy Act. The Privacy Commissioner will also be able to direct agencies to perform a privacy impact assessment, and will be able to conduct privacy performance assessments to check that agencies and organisations are complying with the Australian Privacy Principles. This bill will make dispute resolution simpler, quicker and cheaper. The commissioner will have a new power to recognise and approve an external dispute resolution scheme for credit reporting disputes. There are new conciliation provisions, so that conciliation can be a dispute resolution option. In essence, the Australian Privacy Commissioner will have new powers, including the power to seek enforceable remedies for consumers who have had their privacy breached."
The APF says "the improvements concerning the Privacy Commissioner are of little use unless complainants can require that the Commissioner make formal decisions under s52 of the Act. The Commissioner has made one s52 decision in 6 years, and says complainants have no right to formal decisions. Government proposals to allow such complainants to go direct to the Federal Court have been dropped."

With regard to cross-border disclosures, an organisation will need to state in its privacy policy whether it is likely to disclose an individual's personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located. Freehills outlines other aspects of these changes:
"Under the new cross-border disclosure regime in the Bill, Australian entities that disclose personal information to overseas recipients will generally be liable for privacy breaches committed by those recipients—although the Australian entities may have recourse through their contracts. As the government acknowledges, this reflects a shift away from the ‘adequacy approach’ seen in NPP 9 and the EU to an ‘accountability approach’, as adopted by APEC and Canada. The government also comments that the ‘chain of accountability’ is not broken simply because an overseas recipient engages a subcontractor. There will be some exceptions to the ‘reasonable steps’ and accountability obligations. One of these is where the recipient is subject to a law or binding scheme similar to the APPs which gives appropriate enforcement rights to the individuals. Guidance from the OAIC is anticipated on this point. Notably, contractual provisions will no longer be sufficient alone to avoid accountability. Consent will also provide an exception, but must be more explicit than under NPP 9.
Some concerns have been raised in the media that the new APPs will significantly reduce the use of offshore cloud computing services. It is hard to see this being the case. While retaining data in Australia or a jurisdiction with similar laws will be more attractive in that it will overcome the accountability issue, we expect to see cloud computing customers seeking to use contractual measures to protect themselves in case they are held liable for a breach by the provider.
It should also be noted that APP 8 is not intended to apply ‘where personal information is routed through servers that may be outside Australia.’ Entities will however need to take reasonable steps to ensure that personal information routed outside Australia is not accessed by overseas recipients as this will be considered disclosure."
The APF says these changes mean "personal information of any Australians can now be sent to countries with no privacy laws at all, with victims required to prove breaches occurring there."

Other deficiencies in the Bill listed by the APF include:
• Not one of the 13 new Australian Privacy Principles (APPs) is an improvement on the existing NPPs and IPPs, and 8 of 13 are worse for privacy protection.
• For example, the existing right to anonymous transactions has been destroyed.
• The consumer’s right to ask ‘Where did you get my name?’ can be avoided wherever it is ‘impracticable’ for a business to provide an answer.
• Exemptions from some of the APPs can be created by the Privacy Commissioner without any public hearings, notice or opportunity for public scrutiny, unlike the existing Public Interest Determination procedures.
• The credit reporting industry is being given the right to share information about Australians who have never had a credit default, a backward step for the privacy of every person who has ever had a loan or a credit card.
• Codes of Conduct have completely failed for 12 years, yet the government is embarking on a futile effort to breathe more life into their corpse, instead of concentrating on genuine reforms.
• The Commissioner can refuse to investigate complaints wherever he thinks investigation ‘is not warranted’, an unwarranted and unappealable discretion.
• The Commissioner can recognise another dispute resolution scheme to substitute for the Privacy Act, even if it provides lesser remedies than the Act.
• The Commissioner’s powers to require Privacy Impact Assessments (PIAs) from agencies are defective in not requiring an independent or public PIA.