Chapter 2 Australian Privacy Principles
The Australian Privacy Principles (APPs) are contained in Schedule 1 of
the Privacy Amendment Bill. The principles cover:
n transparent management
of personal information
n the collection, use
and disclosure of personal information
n identifiers, integrity,
quality and security of personal information, and
n access to and
correction of personal information.
Defences to contravention of APP 8
Proposed APP 8.1 requires an entity disclosing personal information to
an overseas recipient to take reasonable steps to ensure that the overseas
recipient does not breach the APPs in relation to that information.
Proposed section 16C outlines certain circumstances in which an act done
by the overseas recipient can be taken to be a breach of the APPs by the
disclosing Australian entity.
A number of exceptions to APP 8.1 exist:
n where the entity has
a reasonable belief that the overseas recipient is bound by legal or binding
obligations to protect information in a similar way to the protection provided
by the APPs
n where an individual
consents to the cross-border disclosure, after being informed that the
consequence of giving their consent is that the requirement in APP 8.1 will not
n where the disclosure
is required or authorised by law
n where limited
‘permitted general situations’ exist (in proposed section 16A(1))
n where the disclosure
is required or authorised by or under an international agreement relating to
information sharing, the entity is an agency and Australia is party to that
n where the entity is
an agency, and the agency reasonably believes that the disclosure is reasonably
necessary for enforcement related activities by an enforcement body and the
overseas recipient’s functions are similar to those of an enforcement body.
The Australian Law Reform Commission (ALRC) inquired in some depth into
ideal arrangements for the cross border disclosure of data flows
but did not closely consider the question of defences or how any such defences
should be framed. Consequently, the ALRC has not formed a view on this issue.
Many submissions express concern that holding the disclosing Australian
organisation responsible for a breach that occurs overseas places too great a
burden on organisations that regularly transfer data overseas.
Foxtel expressed concern that even where an organisation takes
reasonable steps, such as reviewing its security controls, it may still be
found liable for a data breach that occurred overseas, even where access to the
information is unauthorised, such as a hacking situation.
The Law Council of Australia (LCA) acknowledged that APP 8 attempts to
strike a balance between the protection of personal information and the
convenient flow of information. However it suggests that, in this era of global
trade, APP 8 errs too far on the side of cross border compliance at the expense
of convenient flow of information and this may deter the growing use of cloud
In this regard, some have suggested that there should be a defence to
APP 8 available if the disclosing organisation has ‘taken reasonable
steps’ to protect the information.
Proposing a counter view, the Committee received many submissions
suggesting APP 8 should include a much higher level of protection for personal
information that is sent overseas.
For example, the Australian Privacy Foundation (APF) is opposed to any
defence to contravention. Similarly, the Office of
the Privacy Commissioner, New South Wales (OPCNSW) suggests defences to
contravention are inappropriate. The Office of the
Australian Information Commissioner (OAIC) does not support defences to
contraventions but considers that matters such as systems in place to prevent
contraventions should be taken into account when determining the penalty.
Some suggest individuals should be given prior knowledge before their
personal information is sent overseas and consent should be
required before it can be sent. The APF and OAIC further
suggest that the exception in 8.2(e) should be removed.
The Explanatory Memorandum to the Bill notes the attempt to strike a
balance between data flow and privacy, stating that ‘the principle will aim to
permit cross-border disclosure of personal information and ensure that any
personal information disclosed is still treated in accordance with the Privacy
The Attorney-General’s Department confirms that it does not consider
that APP 8.1 should include a general exception as this ‘would undermine the
confidence of individuals in the protection of their personal information’
and that ‘the exceptions in APP 8.2 have been carefully considered and the
Government considers that they are justified’.
In relation to a defence for inadvertent disclosure, the
Attorney-General’s Department stated:
The Government does not consider that an exception is
necessary where the overseas recipient may have made an inadvertent disclosure
of personal information. An inadvertent disclosure of personal information may
have significant consequences for an individual. While a disclosure may be inadvertent,
the fact the disclosure has occurred may indicate failures in the security
systems or handling protocols of that personal information in the hands of the
The Department considers an explicit defence is not required, as:
These are matters that can be taken into account in an OAIC
determination or by a court if the matter was being considered in relation to a
possible civil penalty for the Australian entity.
It is not automatically the case that all possible or actual
breaches of APP 8.1 will result in the imposition of a civil penalty. The
decision to obtain a civil penalty order is at the discretion of the
Commissioner, while the decision on whether a civil penalty should be imposed
is at the discretion of the court.
In line with this, the Privacy Commissioner gave evidence that:
Where an organisation can demonstrate that it is taking these
steps to try and limit the impact of the [data breach], whether they can
demonstrate that, for example, they have put in the best standard or the
highest standard of systems protection such as those highlighted through
international standards organisations, I certainly take that into account.
There have also been suggestions that it would be helpful if a list of
countries that satisfy APP 8.2(a) was published.
At the Senate hearing, Mr Glenn, from the Attorney-General’s Department
gave evidence that:
Certainly the ALRC recommended that the government publish a
list of laws or binding schemes that would meet those criteria. The government
response – this recommendation 31-6 – was to accept that. If this Bill is
passed, the government will provide information about laws and binding schemes
that it would consider are substantially similar to the APPs.
He noted, however, that there would still be an obligation on the
disclosing party to ensure they were complying with the APPs in each set of
Compliance with overseas laws
Some submissions suggest that the APPs do not allow for the fact that
some Australian companies are required to comply with overseas laws as part of
their business activities. There is some concern
that obligations in such overseas laws may conflict with the requirements of
For example, the Australian Bankers Association notes that banks are subject
to compliance with foreign laws such as the United States Foreign Accounts Tax
Compliance Act 2010 (FACTA), which requires them to provide some personal
information about United States nationals that hold Australian bank accounts.
The Australian Bankers Association and the Australian Finance Conference
suggest that the definition of ‘Australian law’ should include any applicable
overseas law or government agreement binding on an organisation, which would
allow organisations to comply with these overseas obligations.
At the Senate hearing, the Attorney-General’s Department suggested that
the solution to this problem does not lie in reform of the Privacy Act 1988
(Cth). It was suggested that
FACTA requirements will not come into force until 2014, that they would also be
inconsistent with the current requirements of the Privacy Act 1988 (Cth)
and that there are no changes implemented through the Privacy Amendment Bill
that affect this.
The Department suggests that creating an exception similar to that
proposed above is very broad and is problematic for sovereignty reasons.
There may be other mechanisms to prevent this conflict arising and discussions
are being pursued between Australian Government agencies and the United States
Internal Revenue Service to resolve this issue.
It is anticipated that the outcome of these discussions will be a
negotiated solution to the issue before the FACTA obligations commence.
The APP 7 is entitled ‘prohibition on direct marketing’. APP 7.1 outlines
a prohibition on direct marketing, and APPs 7.2 – 7.5 detail a number of
exceptions to this prohibition.
In their submissions, the Australian Direct Marketing Association
(ADMA), Foxtel, the LCA and Salmat all suggest that labelling these provisions
as a ‘prohibition’ on direct marketing is misleading because, the provisions actually
permit direct marketing in many circumstances.
The ADMA suggests that this title will create confusion for consumers
and businesses and will result in marketing suppliers losing business when
businesses believe direct marketing is now prohibited.
At the Senate hearing, Ms Jodie Sangster (ADMA) noted that $15 billion is spent
on direct marketing each year.
Foxtel suggests that consumer confusion will result in complaints about
direct marketing where APP 7 is being complied with.
The LCA suggests APP 7 should be drafted in the style of APP 6,
suggesting permission in certain situations and prohibition in all other
Although the ALRC report suggested direct marketing be regulated in a
discrete principle, their recommendation was not framed as a prohibition.
The ADMA recommends that the language and structure in the exposure
draft be reinstated or alternatively, that similar drafting outlined by ADMA in
their submission, be implemented.
Foxtel suggests the section should be drafted to ensure clarity that
there is an entitlement to market directly, subject to conditions.
The Attorney-General’s Department suggests that this drafting approach
was used ‘to clearly identify the information-handling activity that breaches
The Department also notes that the drafting approach was implemented as
a result of comments and a recommendation made by the Senate Finance and Public
Administration Legislation Committee that APP 7 be re-drafted to simplify
terminology and clarify intent. The Department suggests
that the heading ‘prohibition’ was instated consistently with a clarity
approach taken elsewhere in the Bill.
‘Opt out’ provisions for direct marketing
The APP 7.3(d) requires organisations to provide a prominent statement
or to draw the individual’s attention to the option that an individual can
request not to receive direct marketing in ‘each direct marketing
Foxtel, ADMA and Salmat’s submissions outline concern that such a
requirement is not suited to all forms of direct marketing communication. In
particular, for direct marketing in media such as Facebook and Twitter, which
allow limited character space, they suggest it is highly
impractical to require that each communication include an opt out message.
The Attorney-General’s Department notes that these provisions will not
cover all forms of direct marketing:
APP 7 will not cover forms of direct marketing that are
received by individuals that do not involve the use or disclosure of their
personal information such as where they are randomly targeted for generic
advertising through a banner advertisement. Nor will APP 7 apply if it merely
targets a particular internet address on an anonymous basis for direct
marketing because of its web browsing history.
The Department notes that the ‘opt out’ requirements are designed to
operate flexibly so organisations can develop methods tailored to the specific
form of advertising. It suggests that shorter messages inviting consumers to
opt out through a link might be an option to consider.
Further, the Department notes that while these requirements will require
organisations to adapt to new direct marketing rules, the rules will enhance
the privacy protections of consumers.
Defences to contravention
The Committee acknowledges the concerns raised by industry in relation
to this matter. In addition, the Committee notes advice of the Attorney‑General’s
Department and the Privacy Commissioner that reasonable steps taken by
organisations will be taken into account in a determination at the OAIC and
when the Privacy Commissioner makes a decision as to whether to seek a civil
penalty order in relation to a breach. It notes that not all breaches will be
dealt with by civil penalty.
The Committee accepts the Attorney-General’s Department’s concern that
creating defences such as those proposed in some submissions may have a
detrimental effect on the overall security of personal information in some
Following due consideration, the Committee is of the view that the
manner in which the provisions will function in practice will perhaps only be
wholly understood once the regime is in operation. At this point, the Committee
considers the correct balance has been achieved to ensure protection while
permitting the flow of data required for effective business.
However, to safeguard the desired operation of the provisions, the
Committee recommends that the prospect of introducing such a defence or
exemption be re-evaluated in a review of the operation of the new privacy laws.
This review should be conducted twelve months after the Act commences.
Compliance with overseas laws
The Committee acknowledges industry’s concern regarding the conflict of certain
overseas laws and the APPs.
However, based on advice from the Attorney-General’s Department, the
Committee concludes that this is not an issue specific to changes implemented
through the Privacy Amendment Bill. Consequently, the Committee has not
considered this issue in detail.
The Committee is pleased to note the Attorney-General’s Department’s
intention to continue negotiations with stakeholders, with a view to
identifying a method to prevent this conflict from arising.
The Committee acknowledges industry’s concerns that the characterisation
of the direct marketing provision as a prohibition may have adverse effects for
the direct marketing industry.
The Committee has not formed a view as to the degree of any adverse
effect that may materialise but is satisfied this approach was taken following
consultation and as a result of comments to the exposure draft of this Bill.
At this stage, the Committee considers that amendments to the drafting
of these provisions are not required.
‘Opt out’ provisions for direct marketing
The Committee appreciates industry’s concern about the requirements of the
‘opt out’ provisions for direct marketing. However, the Committee notes that
APP 7 does not apply to all direct marketing, is intended to be flexible and
can be fulfilled in a variety of ways.
The Committee is satisfied with the provisions as they stand, but
suggests that their operation be evaluated in a review to be carried out twelve
months after commencement of the Act.