CHAPTER 2
Australian Privacy Principles 
2.1       
One of the major reforms in the Bill is the creation of the Australian
Privacy Principles (APP). The APPs replace the Information Privacy Principles
(IPPs) – which apply to Commonwealth government agencies – and the National
Privacy Principles (NPPs) – which apply to some private sector organisations.
The APPs will apply to Commonwealth government agencies and private sector
organisations (to be referred to jointly as 'APP entities' in this report); however,
the APPs do not necessarily apply uniformly to Commonwealth government agencies
and private sector organisations.[1]
2.2       
There are thirteen proposed APPs, covering the following matters:
  - APP 1 – open and transparent management of personal information;
  - APP 2 – anonymity and pseudonymity;
  - APP 3 – collection of solicited personal information;
  - APP 4 – dealing with unsolicited personal information;
  - APP 5 – notification of the collection of personal information;
  - APP 6 – use or disclosure of personal information;
  - APP 7 – direct marketing;
  - APP 8 – cross-border disclosure of personal information;
  - APP 9 – adoption, use or disclosure of government-related identifiers;
  - APP 10 – quality of personal information;
  - APP 11 – security of personal information;
  - APP 12 – access to personal information; and
  - APP 13 – correction of personal information.[2]
2.3       
During the inquiry, a representative from the Attorney-General's
Department (Department) informed the committee that the APPs are 'broadly
based' on the NPPs, but there are several new features included in the APPs:
  Firstly, there are
    new, discrete privacy principles about maintaining privacy policies [APP
    1]...That is an enhanced obligation for agencies and organisations to say
    publicly to their customers and to citizens: 'This is how we collect, use and
    disclose information and these are the things that you could anticipate we
    would do once we have your information.'
  There is also a new
    principle to deal with the unsolicited collection of personal information –
    that is, when personal information is provided to an organisation in an unsolicited
    way, so the organisation has not asked for it but they have received it...
  There is also a new
    separate principle dealing with direct marketing. The [NPPs] did deal with
    direct marketing previously, [however in the APPs the key issue] is around choice—the
    capacity of individuals to be able to opt out of receiving direct marketing
    information in different circumstances...
  Then there is a new
    principle, Australian Privacy Principle 8, which deals with the cross-border
    disclosure of personal information...What the principle says is that it is open
    to an organisation to transfer data overseas. It has to take some steps to make
    sure that the recipient of the data will not deal with it in a manner that
    would be inconsistent with the Australian Privacy Principles, and that is
    typically dealt with through contract. But then it says: if you do that, absent
    a number of other features, you, the disclosing entity, will remain accountable
    for anything that might happen to that data in the future.[3]
2.4       
  Although many submitters and witnesses expressed support for the
  proposed APPs, concerns were raised in relation to the complexity of the
  principles, issues relating to the practical operation of specific APPs (or aspects
  of specific APPs), and certain definitions and terms contained in the APPs.
  This chapter examines some of those issues and concerns.
Complexity of the APPs 
2.5       
In 2010-2011, the Senate Finance and Public Administration Legislation
Committee (F&PA committee) inquired into an Exposure Draft of the Bill
(F&PA inquiry).[4]
One issue commented on by the F&PA committee was the complexity of the
proposed privacy principles. The F&PA committee supported the need for
clarity, simplicity and accessibility, and concluded that the proposed APPs
could be improved:
  The committee recommends that the Department of the Prime
    Minister and Cabinet [which then had portfolio responsibility for privacy
    legislation] re‑assess the draft Australian Privacy Principles with a
    view to improving clarity through the use of simpler and more concise terms and
    to avoid the repetition of requirements that are substantially similar.[5]
2.6       
  The Australian Government accepted this recommendation in principle,
  advising that it would consider options to improve overall clarity and, in
  particular, to avoid repetition throughout the principles.[6]
  In additional information provided to this committee during the current inquiry,
  the Department confirmed that the APPs have been restructured:
  The APPs generally have been restructured to shorten the
    length of the principles. This has been achieved by use of a table in [proposed
    new section] 16A of the Bill which captures the common permitted situations for
    the collection, use and disclosure of personal information.  The use of the
    table has reduced repetition within the APPs.[7]
Australian Privacy Principle 2 
2.7       
Australian Privacy Principle 2 (APP 2) deals with anonymity and
pseudonymity. This principle gives an individual the right not to identify him
or herself, or to use a pseudonym, when dealing with an APP entity in relation
to a particular matter. The right does not apply in certain circumstances –
namely, where an APP entity is required or authorised by law to deal with
individuals who have identified themselves, or where it is impracticable for
the APP entity to deal with individuals who have not identified themselves.[8]
'Impracticable' to deal with unidentified individuals
2.8       
Facebook, Google, IAB and Yahoo!7 argued that the wording of APP 2.2(b)
– which provides an exemption for APP entities where 'it is impracticable for
the APP entity to deal with individuals who have not identified themselves' –
does not address the issue of pseudonymity. The joint submission suggested that
APP 2.2(b) should refer to 'individuals who have not identified themselves or
who use a pseudonym' to ensure that this scenario is specifically covered in
the exemption.[9]
2.9       
Further, Facebook, Google, IAB and Yahoo!7 submitted that the EM to the
Bill should outline further examples of when APP entities may find it 'impracticable'
to deal with individuals on an anonymous or pseudonymous basis, such as:
  - opt-in services that rely on a real name culture to help people
find and connect with each other, and to promote user safety and security (for
example, Facebook); and
- organisations operating e-commerce websites where there is a need
for users to authenticate their identity through the use of credit cards.[10]
Departmental response
2.10     
The Department noted that the right contained in APP 2 is not absolute.
For example, under APP 2.2(b) – if it is impracticable for an entity to offer
the option of a pseudonym unless the entity obtains identification details from
the individual – the entity is not required to provide that option. Further:  
  The suggestion put forward by some submitters is that clarity
    could be enhanced in this exception if it specifically referred to the
    impracticality of providing a pseudonym. The Government is considering options
    to enhance clarity around the application of this exception.[11]
Australian Privacy Principle 3
2.11     
Australian Privacy Principle 3 (APP 3) deals with the collection of
solicited personal information. The principle prohibits an APP entity from
collecting personal information (other than sensitive information) unless the
information is 'reasonably necessary' for one or more of the entity's
functions or activities (APP 3.1). In the case of a Commonwealth agency, the
information can also be 'directly related to' one or more of the entity's
functions or activities. The principle allows for the collection of sensitive
information in certain circumstances.[12]
2.12     
Several submitters raised concerns regarding APP 3 with views expressed
on a range of issues, including the breadth of the principle; 'consent' for the
collection of sensitive personal information; and the means of collecting
personal information.
Breadth of APP 3
2.13     
The Law Institute of Victoria (LIV) argued that the phrase 'reasonably
necessary for, or directly related to, one or more of the entity's functions or
activities' is too broad:
  [T]he construction of APP [3.1] allows multi-function
    entities to request personal information that is not directly related to the
    goods or services actually requested by an individual, so long as the
    information is reasonably necessary for one or more of the entity's functions.
    The LIV is concerned that APP [3.1] might enable entities to make the provision
    of goods and services conditional upon irrelevant and potentially unnecessary
    personal information being provided by an individual.[13]
  
2.14     
  The LIV argued further that APP 3.1 contains a unilateral test, which
  focuses on the entity and not on the individual:
  The test permits the collection of personal information for
    any of the entity's purposes, even if the individual has transacted in respect
    of a confined, limited function or activity. The LIV recommends that this test,
    wherever appearing, should be amended to 'reasonably necessary for the function
    or activity in which the individual is engaging' or similar.[14]
2.15     
  The NSW Department of Attorney General and Justice similarly referred to
  the broad ability of Commonwealth agencies to collect information in accordance
  with the 'directly related to' test:
  Under APP 3.1 the only nexus required for collection is that
    the information is directly related to an activity of the agency, not that the
    collection would be necessary for (or even assist) that activity. If it is not
    necessary for an entity to collect information in order to perform its
    activities it is questionable why it should be entitled to do so.[15]
2.16     
  More broadly, the Law Council and the NSW Privacy Commissioner considered
  that Commonwealth agencies and private sector organisations should be subject
  to the same obligations regarding the collection of personal information. In their
  view, APP 3 should be amended to remove the exception for a government agency
  to collect information that is 'directly related to' one or more of its
  functions.[16]
Evidence to the F&PA committee's inquiry and government response
2.17     
During its 2010-2011 inquiry, the F&PA committee heard arguments
regarding use of the term 'reasonably necessary for, or directly related to' in
APP 3 and made a recommendation based on its findings:
  The committee recommends that in relation to the collection
    of solicited information principle (APP 3), further consideration be given to:
  - whether the addition of the word 'reasonably' in the
    'necessary' test weakens the principle; and
  - excluding organisations from the application of the
    'directly related to' test to ensure that privacy protections are not
    compromised.[17]
2.18     
  In response to the F&PA inquiry, the Australian Government reiterated
  its support for use of the 'reasonably necessary' test in APP 3: 
  The requirement on entities to collect only personal
    information that is reasonably necessary to their functions, requires the
    collection of personal information to be justifiable on objective grounds,
    rather than on the subjective views of the entity itself. This is intended to
    expressly clarify that the test is objective (rather than implied) and to
    enhance privacy protection. Making it clear that the necessity of the
    collection must be reasonable is intended to reduce instances of inappropriate
    collection of personal information by entities.[18]
2.19     
  In relation to the 'directly related to' test, the government agreed to
  reconsider the application of the test to private sector organisations[19]
  and the test has now been removed from the Bill in relation to APP entities
  which are organisations. 
2.20     
The Department informed the committee:
  There has been careful consideration given to the inclusion
    and breadth of agency specific provisions in the proposed APPs. While the
    general approach has been to apply the single set of principles to all
    entities, in some cases there is a clear rationale for applying separate rules.[20]
2.21     
  In relation to the 'directly related to' test in APP 3, the Department
  appears to have accepted the F&PA committee's view that the 'reasonably
  necessary' test 'provides organisations with sufficient flexibility, and is, in
  fact substantially similar to what is now provided in NPP 1'.[21]
Departmental response in the current inquiry
2.22     
In the current inquiry, the Department again responded to broad concerns
regarding the use of the term 'reasonably necessary' in the Bill. The
Department affirmed its support for the inclusion of a 'reasonably necessary'
standard in each circumstance in which that standard appears in the Bill. Two
reasons were given in support of this position:
  - the concepts of 'reasonably necessary' and 'necessary' coexist in
the Privacy Act without any confusion or compromise on privacy protection;
and
- the Privacy Act recognises that there are instances where an
objective element applies to an activity where the 'necessary' formulation
appears.[22]
2.23     
The Department informed the committee:
  The general approach taken in the Bill reinforces this
    current approach from the Act. First, the 'reasonably necessary' formulation is
    used in APPs 3, 6, 7 and 8, and exceptions listed in [proposed new section]
    16A, to provide clarity that an objective test applies in relation to each of
    those activities. Secondly, where the 'necessary' formulation is used on its
    own, the addition of 'reasonably' is not required because it [is] preceded by a
    'reasonably believes' test (see, for example, items 1, 2, 3, 6, and 7 in table
    in [proposed new section] 16A).[23] 
  
2.24     
  The 'directly related to' test is a current feature of IPP 1.1[24]
  in relation to Commonwealth agencies. The Department stated that this feature
  is being retained in APP 3, not only to ensure flexibility in the requirements
  of APP entities but also:
  ...because there may be agencies (less so for organisations)
    that need to collect personal information to effectively carry out defined
    functions or activities but who may not meet an objective 'reasonably necessary'
    test.[25]
'Consent' for the collection of sensitive personal information
2.25     
APP 3.3 prohibits an agency from collecting sensitive information about
an individual without the individual's 'consent', unless one of the exceptions
in APP 3.4 applies.[26]
Current subsection 6(1) of the Privacy Act defines 'consent' to mean 'express
consent or implied consent', and the EM notes that this meaning is being retained
in the Bill.[27]
2.26     
The NSW Privacy Commissioner submitted that it is not appropriate to rely
on implied consent in relation to the collection of sensitive information, and that
APP 3.3 should be amended to require express consent only.[28]
Consideration of the meaning of consent and government response
2.27     
In its 2008 report, the Australian Law Reform Commission (ALRC) considered
the meaning of 'consent' as it applies to the privacy principles. The ALRC
concluded that the most appropriate way to clarify the meaning of this term
would be for the Office of the Privacy Commissioner (now the Office of the
Australian Information Commissioner (OAIC)) to provide guidance in this regard:
  Recommendation 19-1 The Office of the Privacy
    Commissioner should develop and publish further guidance about what is required
    of agencies and organisations to obtain an individual's consent for the
    purposes of the Privacy Act. This guidance should: 
  (a) address the factors to be taken into account by agencies
    and organisations in assessing whether consent has been obtained; 
  (b) cover express and implied consent as it applies in
    various contexts; and
  (c) include advice on when it is and is not appropriate to
    use the mechanism of 'bundled consent'. [29]
2.28     
  The Australian Government accepted this recommendation, noting that the
  decision to provide guidance is a matter for the Australian Privacy Commissioner.[30]
  The F&PA committee also supported ALRC Recommendation 19-1 and called on
  the OAIC to prioritise consideration of the matter to ensure that appropriate
  guidance is available concurrently with the implementation of the new
  legislation.[31]
  The Australian Government's position has not changed since its response to
  the ALRC's recommendation.[32]
Australian Privacy Principle 5 
2.29     
Australian Privacy Principle 5 (APP 5) deals with notification of the
collection of personal information. At or before the time of collection or, if
that is not practicable, as soon as practicable afterward, an APP entity must
take such steps (if any) as are reasonable in the circumstances to notify an
individual of certain matters set out in APP 5.2: for example, whether the
entity is likely to disclose the personal information to overseas recipients
(APP 5.2(i)); and, if so, the countries in which such recipients are likely to
be located, if it is practicable to specify those countries in the notification
or to otherwise make the individual aware of them (APP 5.2(j)).
Notification requirements
2.30     
Some submitters expressed concerns about the clarity of the principle
and implementation of the notification requirement. For example, the Australian Broadcasting
Corporation (ABC) submitted that there is insufficient guidance on the meaning
of what is reasonable in any given set of circumstances.[33]
The Australian Bankers' Association (ABA) commented that the notification
requirement is impractical because banks collect personal information from agencies
'on a regular basis about the hundreds of thousands of individuals on behalf of
whom they execute international transfer payments'.[34]
2.31     
One of the notification matters listed in APP 5.2 is:
  (c) if the collection of the personal information is required
    or authorised by or under an Australian law or a court/tribunal  order—the fact
    that the collection is so required or authorised (including the name of the
    Australian law, or details of the court/tribunal order, that requires or
    authorises the collection).
2.32     
  The Australian Finance Conference (AFC) submitted that the obligation in
  APP 5.2(c) to notify an individual of the name of the Australian law on which
  the collection is based creates a potentially unnecessary compliance
  obligation, particularly for organisations in the financial services sector
  operating under a 'significant range of laws which may provide a permitted
  basis for collection of personal information'.[35]
  The AFC recommended eliminating the statutory obligation and allowing entities to
  specify the relevant law where doing so is reasonable in the circumstances.[36]
Australian Privacy Principle 6
2.33     
Australian Privacy Principle 6 (APP 6) deals with the use or disclosure
of personal information. If an APP entity holds personal information about an
individual that was collected for a particular purpose (the 'primary purpose'),
the entity must not use or disclose the information for another purpose (the 'secondary
purpose') unless they have the individual's consent, or the circumstances set
out in APP 6.2 or APP 6.3 apply (APP 6.1).
General exception  
2.34     
APP 6.2 creates an exception to the general rule in APP 6.1, allowing an
APP entity to disclose personal information in certain circumstances. The
EM summarises these circumstances:
  [T]here are a number of exceptions enabling the use or
    disclosure of personal and sensitive information where required or authorised
    by or under Australian law or a court/tribunal order; in permitted general
    situations ([proposed new] section 16A); in permitted health situations ([proposed new]
    section 16B); and where an 'APP entity reasonably believes that the use of
    disclosure of the information is reasonably necessary for one or more
    enforcement related activities conducted by, or on behalf of, an enforcement
    body'. The final exception is aimed at enabling any APP entity to cooperate
    with an enforcement body where it may have personal information relevant to an
    enforcement related activity of that enforcement body.[37]
2.35     
  The Office of the Victorian Privacy Commissioner expressed concern at
  the complexity of APP 6 and considered the division between APP 6.1 and APP 6.2
  to be unnecessary.[38]
  The Australian Privacy Foundation (Privacy Foundation) similarly argued that
  splitting the provisions across APP 6.1 to APP 6.3 is misleading:
  It is not clear why this has been done and it is potentially
    confusing and misleading. Sub-section (1) is not only meaningless without an
    understanding that 6.2 and 6.3 contain 'exceptions' to consent, but is actively
    misleading in that it implies that consent has a much more prominent role than it
    does in reality...APP 6 needs to be rewritten so as not to be confusing and
    misleading. Consent should be only one of a number of conditions for use and
    disclosure, with all exceptions in a single clause, so as to give a much more
    realistic impression of the effect of the law.[39]
Biometric information and biometric templates exception
2.36     
APP 6.3 also creates an exception to the general rule in APP 6.1,
allowing a Commonwealth agency to disclose personal information if:
  (a) the agency is not an enforcement body; and
  (b) the information is biometric information or biometric
    templates; and
  (c) the recipient of the information is an enforcement body;
    and
  (d) the disclosure is conducted in accordance with the
    guidelines made by the [Australian Information] Commissioner for the purposes
    of this paragraph.
2.37     
  The OAIC considered APP 6.3 to be unnecessary. Its submission noted
  APP 6.2(e), which provides an exception where an APP entity reasonably
  believes that the use or disclosure of information is reasonably necessary for
  one or more enforcement‑related activities conducted by, or on behalf of,
  an enforcement body.[40]
2.38     
Liberty Victoria also did not support APP 6.3, arguing that the ability
of an enforcement body to collect information without an individual's permission
from a non-enforcement agency is disproportionate and has the potential for serious
abuse:
  It would damage the community's trust in non-enforcement
    agencies because they would be perceived as being, and would become, the agents
    of enforcement agencies. In relation to the provision of medical services and
    biometric data, the invasive consequences will be grave. Liberty Victoria
    submits that the proposed provision should be removed.[41]
Departmental response 
2.39     
In relation to the comments of the OAIC, the Department advised that APP 6.3
is intended to allow non-law enforcement agencies to disclose biometric
information and templates for a secondary purpose to enforcement bodies where
an APP 6 exception, including the enforcement related activity exception in APP
6.2(e), is not applicable:
  This may occur where the disclosure is for purposes such as
    identity/nationality verification or general traveller risk assessment, in
    circumstances where there is a legitimate basis for the disclosure but no
    criminal enforcement action is on foot...The policy rationale in APP 6.3
    recognises that non-law enforcement agencies have current, and will have
    future, legitimate reasons to disclose biometric information and templates to
    enforcement bodies, but that this should occur within a framework that protects
    against improper disclosure.[42]  
  
Australian Privacy Principle 7
2.40     
Australian Privacy Principle 7 (APP 7) deals with direct marketing. The
principle prohibits a private sector organisation which holds personal
information about an individual from using or disclosing the information for
the purpose of direct marketing (direct marketing prohibition) (APP 7.1). There
are some exceptions to this prohibition, relating to: personal information
other than sensitive information; sensitive information; and organisations
which are contracted service providers.[43]
2.41     
Some submissions did not support APP 7 at all. For example:
  - the Australian Direct Marketing Association (ADMA) argued that
    principles‑based legislation should not include a specific marketing
    provision such as APP 7;[44]
  - the Australian Industry Group considered that APP 7 would seriously
    impede the ability of businesses to market and sell their products and services;[45]
    and
  - the Privacy Foundation recommended that APP 7 should also apply
    to Commonwealth agencies as 'the boundaries between private and public sectors
    are becoming increasingly blurred, and government agencies are now commonly
    undertaking direct marketing activities'.[46]
2.42     
Some stakeholders expressed concern in relation to particular aspects of
APP 7, including: the subheading to APP 7.1 and general structure of APP 7;
exceptions to the general prohibition in APP 7.1; and the opt-out mechanisms in
APP 7.
Subheading to APP 7.1 and general structure of APP 7
2.43     
Several stakeholders commented on the heading to APP 7.1, that is, 'Prohibition
on direct marketing'. ADMA, for example, argued that this is confusing for
consumers, businesses and marketing suppliers as:
  [APP 7] is not, in effect, a prohibition. Instead the provision
    permits direct marketing under certain defined conditions. Therefore, the term "prohibition"
    should be removed.[47]
2.44     
  The Fundraising Institute of Australia (FIA) submitted that charitable
  fundraising depends on direct marketing techniques and the way in which the
  subheading is drafted will cause confusion and distress in the fundraising
  community, particularly among smaller charities:
  FIA is already receiving calls from members worried about
    their ability to continue their normal fundraising activities utilising direct
    marketing methods.[48]
2.45     
  ADMA supported the 'more practical, clear, positive drafting' in the
  Exposure Draft of the Bill (which contained the subheading 'Direct
  marketing'),[49]
  whereas the Law Council submitted that APP 7, if it is to be retained, should
  be restructured along the same lines as APP 6:
  The structure of APP 7 is a blanket prohibition on direct
    marketing, followed by a list of exceptions under which direct marketing is
    permitted. The structure of APP 6 is to prohibit use and disclosure of personal
    information unless certain circumstances apply...[T]he structure of APP 7
    suggests that direct marketing is generally prohibited unless an exception
    applies, whereas the structure of APP 6 is such that use and disclosure in
    certain situations is permitted and in all other cases it is prohibited.[50]
Departmental response
2.46     
In 2011, the F&PA committee recommended that the drafting of APP 7 should
be reconsidered with the aim of improving its structure and clarity. The intent
of this recommendation was to ensure that the principle is not undermined.[51]
The Australian Government accepted this recommendation in principle,
advising that it would consider options to improve clarity and structure.[52]
2.47     
During the current inquiry, the Department informed the committee that
it had adopted the approach evident in the Bill following the recommendation of
the F&PA committee.[53]
Further:
  The approach in [APP 7] of casting the principle as a 'prohibition'
    against certain activity followed by exceptions is a drafting approach used in
    principles-based privacy regulation to clearly identify the
    information-handling activity that breaches privacy, followed by any exceptions
    to this general rule that would permit an entity to undertake the activity.
    This is consistent with the practical effect of the current [IPPs] and the [NPPs].
    For example, both IPP 1 and NPP 1 begin by expressly stating that the
    collection of personal information is not permitted unless certain exceptions
    apply.[54] 
  
Exceptions to the general prohibition in APP 7.1
2.48     
APP 7.2 allows the use or disclosure of personal information (other than
sensitive information) for the purpose of direct marketing in certain
circumstances. For example, one condition is that an individual 'would
reasonably expect the organisation to use or disclose the information for that
purpose' (APP 7.2(b)). Foxtel submitted that very little guidance is given
regarding the assessment of a reasonable expectation and called for further
clarification on this issue.[55]
2.49     
APP 7.3(a) also allows for the use or disclosure of personal information
(other than sensitive information) for the purpose of direct marketing in
certain circumstances, including where the information is collected from
someone other than the individual (APP 7.3(a)(ii)). The Queensland Law Society argued
that APP 7.1 should contain a similar allowance to accommodate information
which has been self‑generated or developed by an organisation.[56]
2.50     
APP 7.4 permits an organisation to use or disclose sensitive information
about an individual for the purpose of direct marketing if the individual has
consented to the use or disclosure of the information for that purpose. The Privacy
Foundation asserted that APP 7.4 should be strengthened with a requirement for
express consent:
  ...otherwise organisations will be free to use small print in
    terms and conditions, and 'bundled consent' to allow them to direct market
    using sensitive information.[57]
Opt-out mechanisms in APP 7
2.51     
APP 7.2(c) and APP 7.3(c) require an organisation to provide a simple
means by which an individual may easily request not to receive direct marketing
communications from an organisation, if the organisation is to utilise the
exceptions provided in APP 7.2 or APP 7.3. 
2.52     
APP 7.3 differs from APP 7.2 in that it includes situations where an
individual 'would not reasonably expect the organisation to use or disclose the
information' for direct marketing (APP 7.3(a)(i)). APP 7.3(d) therefore
contains an additional safeguard: that in each direct marketing communication
with the individual, the organisation must include a prominent statement that
the individual may request not to receive direct marketing communications, or otherwise
draw the individual's attention to the fact that they may make such a request.
2.53     
In addition, APP 7.6 explicitly provides that if an organisation uses or
discloses personal information about an individual for the purpose of direct
marketing, or for facilitating direct marketing by other organisations, the
individual may:
  - request not to receive direct marketing communications from the
    first organisation;
  - request the first organisation not to use or disclose the
    information for facilitating direct marketing by other organisations; and
  - request the first organisation to provide its source of the information.
Strength of the opt-out mechanisms
2.54     
Several submitters commented on the opt-out provisions in APP 7. These
comments concerned the strength of the provisions, and their current and future
application. The Privacy Foundation, for example, argued that the mechanisms are
not strong enough to protect consumers:
  APP 7.2 and 7.3 and 7.6 appear to have the effect of
    requiring all organisations to maintain a facility to allow people to
    'opt-out' of direct marketing, but only those covered by 7.3 have to do
    anything to draw an individual's attention to it, and even then not with
    any prescribed level of prominence. Under 7.2, if the individual would
    reasonably expect to receive marketing communications, they are not even
    required to be notified – this seems perverse and is a very weak provision.[58]
2.55     
  The Privacy Foundation considered that APP 7 should be strengthened and
  simplified, including by requiring notification of opt-out and related rights
  in every marketing communication, not just those covered by APP 7.3.[59]
  This view contrasted with the submissions and evidence received from industry
  stakeholders. 
Current and future application 
2.56     
Facebook, Google, IAB Australia and Yahoo!7 argued that, as there is no
clear definition of 'direct marketing' in the Privacy Act, the wording of APP
7.2 and APP 7.3 means that individuals would be opting out of all direct
marketing (such as advertisements), rather than just direct marketing which
relies on the use or disclosure of their personal information:
  In the event that 'direct marketing' were interpreted to
    include advertisements, this would undermine advertising based business models,
    which is surely not the intention of the Proposed Law.
  We would like APP 7.2 and APP 7.3 to require an opt-out of
    direct marketing that relies on personal information. This will allow
    advertisements to still be served (not based on personal information). This is
    particularly important where the advertisements are part of a service that is
    free to access and ad-supported.[60]
2.57     
  The FIA also questioned the lack of clarity in APP 7.3, and submitted in
  particular that new social media technologies complicate the provision of opt-out
  details as envisaged under the proposed legislation.[61]
  ADMA agreed:
  The requirement to include an opt-out statement in each
    direct marketing communication is not possible with regard to all marketing and
    advertising channels due to space constraints. E.g. – online advertisements,
    banner ads, twitter feed etc. More compliance issues regarding this requirement
    will arise in the future as communication channels evolve and advance.
    This will give rise to many more examples where the inclusion of an opt‑out
    is not possible due to the channel, technology or medium.[62]
  
2.58     
  ADMA submitted that 'APP 7.3(d) needs to be amended so that it can apply
  to every channel, is future proof and easy to apply across multiple
  technologies'.[63] 
  Similarly, the FIA called for further consultation on the latest iteration of
  APP 7: 
  There is clearly a case for further amendment to ensure that
    the Principle will apply in all circumstances, with provisions for specific
    channels being worked out with the Privacy Commissioner in codes and/or
    guidelines to ensure technological neutrality.[64]
2.59     
  Kimberly-Clark added that the requirement in APP 7.3(d) will: cause
  compliance difficulties; discourage the use of third party data cleansing and
  updating services; impact on the ability to communicate effectively with
  customers and provide the best possible products and services for clients'
  needs; and degrade the customer experience, which is critical to brand
  reputation.[65]
Departmental response
2.60     
The F&PA committee recommended that the structure of APP 7.2 and
APP 7.3 in relation to APP 7.3(a)(i) be reconsidered.[66]
The Australian Government recognised the need to consider further
simplification of these provisions and undertook to develop appropriate
amendments to the draft legislation.[67]
2.61     
In the Bill, APP 7 has been significantly restructured; however, the substantive
provisions of APP 7.2 and APP 7.3 are largely unchanged. The Department addressed
stakeholders' concerns regarding these provisions as follows.
2.62     
In response to the concerns of Facebook, Google, IAB Australia and
Yahoo!7, the Department assured the committee: 
  APP 7 will not cover forms of direct marketing that are
    received by individuals that do not involve the use or disclosure of their
    personal information, such as where they are randomly targeted for generic
    advertising through a banner advertisement. Nor will APP 7 apply if it merely
    targets a particular internet address on an anonymous basis for direct
    marketing because of its web browsing history. These are current online direct
    marketing activities that will not be affected by the amendments.[68] 
  
2.63     
  The Department noted that opt-out mechanisms are currently used for many
  types of online communication and rejected the notion that compliance with
  APP 7.3(d) will be unduly onerous or technically difficult:
  The opt out requirements are designed to operate flexibly so
    that organisations can develop an appropriate mechanism tailored to the
    particular form of advertising they are undertaking, while raising sufficient
    awareness amongst consumers of their right to opt out, and the means by which
    they can easily do so. While the Department notes that lengthy opt out messages
    may be impractical in some circumstances, there may be shorter messages (eg. 'opt-out'
    with a link) that could be considered.  
  The principle will require organisations to adapt to new
    direct marketing rules that enhance the privacy protections of consumers.
    Shifting the balance more in favour of consumers may require an additional
    mechanism to be developed.[69]
Australian Privacy Principle 8
2.64     
Australian Privacy Principle 8 (APP 8) deals with the cross-border disclosure
of personal information:
  8.1 Before an APP entity discloses personal information about
    an individual to a person (the overseas recipient):
  (a) who is not in Australia or an external Territory; and
  (b) who is not the entity or the individual;
  the entity must take such steps as are reasonable in the circumstances
    to ensure that the overseas recipient does not breach the Australian Privacy
    Principles (other than Australian Privacy Principle 1) in relation to the
    information.
2.65     
  APP 8.2 sets out six exceptions to APP 8.1. For example, APP 8.1 does
  not apply to the disclosure of personal information about an individual by an
  APP entity if: the APP entity reasonably believes that the 'overseas
  recipient' is subject to a law, or binding scheme, that has the effect of
  protecting the information in a way that, overall, is at least substantially
  similar to the way in which the APPs protect the information, and there are
  mechanisms that the individual can access to take action to enforce that
  protection of the law or binding scheme. (APP 8.2(a)).
2.66     
APP 8 is supported by an accountability mechanism in proposed new
section 16C of the Privacy Act (item 82 of Schedule 1 of the Bill). Under proposed
new subsection 16C(2), if the section applies, an act done, or a practice
engaged in, by an 'overseas recipient' in breach of the APPs is taken for the
purposes of the Privacy Act:
  - to have been done, or engaged in, by the relevant APP entity; and
- to be a breach of the relevant APPs by the APP entity.
2.67     
The EM states:
  Section 16C is a key part of the Privacy Act's new approach
    to dealing with cross-border data flows. In general terms, there are currently
    two internationally accepted approaches to dealing with cross-border data
    flows: the adequacy approach, adopted by the European Union [EU] in the Data
    Protection Directive of 1996, and the accountability approach, adopted by the [Asia-Pacific
    Economic Cooperation] Privacy Framework in 2004. NPP 9 [the current
    privacy principle, which deals with transborder data flows] was expressly based
    on the adequacy approach of the EU Directive. Under the new reforms, APP 8
    and section 16C will introduce an accountability approach more consistent with
    the [Asia-Pacific Economic Cooperation] Privacy Framework.
  The accountability concept in the [Asia-Pacific Economic
    Cooperation] Privacy Framework is, in turn, derived from the accountability
    principle from the [Organisation for Economic Co-operation and Development]
    Guidelines Governing the Protection of Privacy and Transborder Flows of
    Personal Data of 1980.[70]
  
General comments
2.68            
Some submitters – such as the Law Institute of Victoria and Liberty
Victoria – expressed support for APP 8,[71]
whereas other stakeholders opposed the introduction of the principle. For
example, Professor Graham Greenleaf from the Privacy Foundation told the
committee:
  While it was a laudable aim to combine the NPPs and the IPPs
    and try to get one set of privacy standards across Australia, what we have
    ended up within the APPs is in fact a serious step backwards. On our detailed
    analysis...eight of the 13 principles are weaker than the NPPs or IPPs, so we
    have no advance. A number of them are very seriously defective. The most
    important of those is APP 8, concerning cross-border disclosures...While in
    theory imposing a liability on the exporter is a good idea, it is in our view
    an empty imposition of liability. The problem that the individuals concerned
    will have is how they prove on the balance of probability that any breach has
    occurred in some overseas destination, particularly when they do not even know
    where it is or the state of the laws in that particular country.[72]
2.69     
  The Law Council argued that APP 8 is too restrictive.[73]
  The Australian Finance Conference also raised a number of concerns with the
  provision: 
  [A]s a matter of policy and drafting[,] APP 8 when combined
    with [proposed new section] 16C fails to achieve the key objectives of the
    Government (e.g. high level principles, simple, clear and easy to understand
    and apply) of the reforms. It also shifts the risk balance heavily to the
    entity and we query the individual interest justification to support that[.][74]
2.2       
  The majority of submissions and evidence focussed on three main issues
  with APP 8: its interaction with proposed new section 16C of the Privacy Act;
  breaches by 'overseas recipients' and inadvertent breaches; and the exceptions
  provided for in APP 8.2.
Interaction with proposed new section 16C
2.70     
The NSW Privacy Commissioner commended the inclusion of proposed new
section 16C in the Privacy Act,[75]
but some other submitters questioned the appropriateness of the provision in
view of the requirement in APP 8.1 for an APP entity to have taken 'such
steps as are reasonable in the circumstances to ensure that the overseas
recipient' did not breach the APPs.
2.71     
Facebook, Google, IAB Australia and Yahoo!7 submitted:
  We wholeheartedly support requiring disclosing entities to
    take such steps as are reasonable in the circumstances to ensure that the
    overseas recipient does not breach the APPs. However, we are concerned that an
    entity disclosing personal information about an individual to an overseas
    recipient is subject to strict liability (by virtue of section 16C(2) (Acts and
    practices of overseas recipients of personal information)) even if that entity
    took all reasonable steps to ensure that the overseas recipient complies with
    the APPs.
  An APP entity disclosing personal information about an
    individual to an overseas recipient, that discharges an onus of establishing
    that it took all reasonable steps to ensure that the overseas recipient
    complies with the APPs, should thereby make out a defence to liability pursuant
    to APP 8.1.[76]
  
2.72     
  The question of what will constitute reasonable steps in the
  'cloud environment'[77]
  concerned the Queensland Law Society. Its submission suggested that 'the pivot
  point should be moved back a notch to reflect what reasonable entities do in
  like situations'.[78]
  ADMA agreed that the implications of APP 8 should be reassessed due to the
  increasing prevalence of cloud computing.[79]
2.73     
According to the EM:
  In practice, the concept of taking 'such steps as are
    reasonable in the circumstances' will normally require an entity to enter into
    a contractual relationship with the overseas recipient.[80]
2.74     
  In view of this, the NSW Privacy Commissioner argued that APP 8.1 should
  be amended to require an APP entity to enter into a contractual relationship
  with an 'overseas recipient', unless that would not be reasonable in the
  circumstances.[81]
  The Privacy Foundation also suggested that the Australian Information
  Commissioner (Commissioner) should be required to issue guidelines concerning
  model clauses, or a model contract, for these purposes.[82]
Evidence to the F&PA committee's inquiry and government response
2.75     
The F&PA committee directly addressed the suggestion that the OAIC should
issue guidelines on the application of APP 8, recommending:
  ...that the Office of the Australian Information Commissioner
    develop guidance on the types of contractual arrangements required to comply
    with APP 8 and that guidance be available concurrently with the new
    Privacy Act.[83]
2.76     
  The Australian Government supported this recommendation, noting that it
  is consistent with the government's response to ALRC Recommendation 31-7[84]
  (which also recommended that the OAIC develop and publish guidance on the
  Cross-border Data Flows principle, including 'the issues that should be
  addressed as part of a contractual agreement with an overseas recipient of
  personal information').[85]
Breaches by overseas recipients  
2.77     
A few submitters questioned the position that arises where the law of the
'overseas recipient's' own jurisdiction requires it to use or disclose personal
information which it has received from an APP entity subject to the Privacy Act.
Min-it Software submitted that the Bill should provide further clarification
regarding the liability of an APP entity in this scenario.[86]
2.78     
In evidence at the first public hearing, a departmental representative acknowledged
the complex issue of conflict of laws between jurisdictions:
  The challenge comes when you are in Australia and you are
    seeking to comply with an overseas law that purports to bind you in Australia.
    We do not have a solution for that, primarily because allowing that to be an
    exception in the privacy law for Australia means that the content of Australian
    privacy law is effectively determined by every other country and the laws that
    they purport to apply to Australian businesses. That is a great challenge in
    conflict of law but one that is not yet resolved.[87] 
  
Inadvertent breaches
2.79     
In relation to inadvertent disclosures, Kimberly-Clark Australia argued that
there are instances where 'data may be subject to actions or attacks outside of
[an entity's] control such as operational failure, fraud, sabotage and
hacking and these must be taken into consideration before imposing liability'.[88]
Foxtel agreed:
  [We] remain concerned that where an organisation takes such
    reasonable steps, including reviewing its security controls and protocols, the
    accountability provisions may still apply even where access to the relevant
    information is unauthorised, such as by hacking. Foxtel submits that the EM
    should provide further guidance to exclude this sort of 'disclosure' from falling
    within the new accountability regime in APP 8.[89]
2.80     
  Salmat suggested:
  It is important that the offence provisions apply only in the
    case of recklessness or intentional disregard for the privacy of an individual.
    That is, if a company has all the systems, procedures and practices in place to
    adequately protect the personal information of an individual, then it should
    not be disproportionately punished when an unintentional error occurs.[90]
2.81     
  An exception for inadvertent disclosures was not supported by the
  Department, whose response to these concerns emphasised the potentially
  significant consequences for affected individuals, as well as the potential for
  the inadvertent disclosure to highlight failures in the 'overseas recipients' security
  systems or personal information‑handling protocols:  
  These are matters that can be taken into account in an OAIC
    determination, or by a court if the matter was being considered in relation to
    a possible civil penalty for the Australian entity.[91]  
  
2.82     
  Similarly, the Department did not countenance an exception for
  situations in which an 'overseas recipient' recklessly or intentionally performs
  an act or practice that has led to a breach of an individual's personal
  information:
  In such circumstances, the overseas recipient may not be
    readily subject to the jurisdiction of the OAIC or an Australian court. Again,
    while the actions of an overseas recipient may be taken into account in an OAIC
    determination or by a court if the matter was being considered in relation to a
    possible civil penalty for the Australian entity, the Government does not consider
    that this is sufficient reason to transfer accountability to the foreign
    recipient.[92]
APP 8.2 exceptions 
2.83     
Submitters commented on several of the exceptions to the application of
APP 8 that are provided for in APP 8.2 and, in particular, the following
exceptions set out in paragraphs APP 8.2(a), APP 8.2(b) and APP 8.2(e). APP
8.1 will not apply to the disclosure of personal information by an APP entity
to an 'overseas recipient' if:
  (a) the entity reasonably believes that:
  
    (i) the recipient of the information
      is subject to a law, or binding scheme, that has the effect of protecting the information
      in a way that, overall, is at least substantially similar to the way in which
      the Australian Privacy Principles protect the information; and
    (ii) there are mechanisms that the
      individual can access to take action to enforce that protection of the law or binding
      scheme; or
  
  (b) both of the following apply:
  
    (i) the entity expressly informs
      the individual that if he or she consents to the disclosure of the information,
      subclause 8.1 will not apply to the disclosure;
    (ii) after being so informed, the
      individual consents to the disclosure; or
  
  ...
  (e) the entity is an agency and the disclosure of the
    information is required or authorised by or under an international agreement
    relating to information sharing to which Australia is a party[.]
Substantially similar protections overseas
2.84     
Facebook, Google, IAB Australia and Yahoo!7 contended that APP 8.2(a)
does not have the intended effect of enabling individuals to take action
through the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy
Enforcement Arrangement, or through other arrangements made between privacy
regulators in different countries. Their submission called for APP 8.2(a)(ii) to
be amended to explicitly ensure that these avenues of recourse can be pursued.[93]
2.85     
The Privacy Foundation also remarked on APP 8.2(a), submitting that the
threshold for this exemption – 'reasonable belief' on the part of the APP
entity – is too weak and that only overseas privacy regimes approved by the
Commissioner should qualify for this exception:
  [T]his is [a] completely unacceptable basis for allowing
    cross border transfers. Some organisations will inevitably make self-serving
    judgements about the level of protection in other jurisdictions and/or pay for
    advice that supports their desire to transfer...The only practical approach to
    remedying this defect in the current Bill is simply to delete 'the entity
    reasonably believes that', so that the question of the effectiveness of the
    overseas privacy protections becomes a question of fact, to be determined
    initially by the Privacy Commissioner on the basis of a complaint, and
    ultimately by a court on appeal...It would be preferabl[e] if there could be some
    prior considered assessment of similarity or adequacy by experts, such as the
    Privacy Commissioner, and this could be achieved by guidelines under the
    current Act.[94]
Informed consent to the disclosure
2.86     
The OAIC expressed concern that the accountability mechanism in APP 8.1
and proposed new section 16C of the Privacy Act could be 'displaced' by APP
8.2(b). In that situation, individuals might not be able to access remedies if
their information is mishandled by an 'overseas recipient'.[95]
In recommending that APP 8.2(b) be removed from the Bill, the OAIC submitted:
  [I]n many cases there may be little real "choice"
    for an individual but to consent to their information being handled in that
    way. Once an individual does provide their consent, in many circumstances they
    are in effect abrogating any ability to seek redress for any mishandling by the
    overseas recipient.[96]
2.87     
  The NSW Privacy Commissioner warned similarly:
  [E]ntities might include this notification requirement in
    general privacy policies or other legal documents. Individuals may then 'agree'
    to something which may be buried in the middle of a privacy policy or legal
    document and may be drafted in complicated language, rather than plain English.[97]
2.88     
  Accordingly, the NSW Privacy Commissioner recommended the preparation of
  a template, setting out the form of notification that an APP entity must give
  for the purposes of APP 8.2. The NSW Privacy Commissioner also suggested that APP
  8.2(b) should specify that an entity must notify the individual of the
  practical effect and potential consequences of APP 8.1 not applying to a
  disclosure of personal information to an 'overseas recipient'.[98]
2.89     
In answer to a question on notice, the Department informed the committee
that individuals have the right to complain about an act or practice that might
breach the APPs,[99]
and through the Commissioner obtain access to an enforceable remedy:
  Investigation of complaints is the role of the Information
    Commissioner.  When making judgements about facts, administrative decision
    makers like the Commissioner make those judgements in terms of the civil
    standard of proof [and] the balance of probabilities...[A]n individual will be
    required to identify the respondent to the complaint. The operation of APP 8.1,
    in conjunction with [proposed] section 16C, means that it will not be necessary
    for an individual to identify the overseas recipient of the personal
    information as part of their complaint. The individual will only need to
    identify the relevant APP entity. The APP entity will be responsible (that is,
    accountable) for the acts and practices of the overseas recipient.[100]
International agreements relating to information-sharing
2.90     
In relation to APP 8.2(e), the OAIC queried the effectiveness of the
provision which, according to the EM, is intended to include all forms of information‑sharing
agreements made between Australia and international counterparts (such as treaties
and exchanges of letters).[101]
The OAIC submitted that, since an international agreement is not effective
until it is incorporated into domestic law, international agreements cannot
affect rights or obligations in Australian law. On this basis, the OAIC
suggested:
  [S]pecific domestic legislative authority should be the basis
    for the exception in relation to the overseas disclosure of personal information
    under an international agreement.[102]
Departmental response
2.91     
 The Department noted that APP 8 reflects a new policy approach to the
cross‑border disclosure of personal information and rejected arguments
that this approach will undermine privacy protection:
  The accountability approach in APP 8 will ensure effective
    cross-border protection for the personal information for individuals and is
    consistent with both [Organisation for Economic Co-operation and Development]
    and APEC privacy developments. APP 8 ensures that individuals whose information
    is disclosed to an overseas recipient continue to have an Australian entity
    that is responsible for the protection of their personal information.[103]
2.92     
  APP 8.1 and proposed new section 16C do not contain any general
  exceptions: the only exceptions to the accountability regime are set out in APP
  8.2. The Department stated: 
  The exceptions in APP 8.2 have been carefully considered and
    the Government considers that they are justified. The Government considers that
    these exceptions provide appropriate and reasonable grounds for the transfer of
    accountability to an overseas recipient. In all other situations, the
    Australian entity should continue to remain accountable for the protection of
    personal information.[104]
Definitions
2.93     
Items 4-45 of Schedule 1 of the Bill amend and repeal existing
definitions in subsection 6(1) of the Privacy Act, as well as insert new
definitions into the Privacy Act. Item 82 of Schedule 1 of the Bill also
inserts new definitions relating specifically to the APPs. The proposed new
definitions of 'enforcement body', 'enforcement related activity', and
'permitted general situation'/'permitted health situation' are discussed below.
'Enforcement body'
2.94     
Items 16-19 of Schedule 1 of the Bill insert a number of agencies into
the current definition of 'enforcement body' in subsection 6(1) of the Privacy
Act.[105]
 The EM explains that these amendments will enable the body concerned to
collect personal information (including 'sensitive information') related to the
body's functions and activities, and to enable such information to be used or
disclosed on its behalf for an 'enforcement related activity'.[106]
2.95     
The addition of the 'Immigration Department'[107]
(currently the Department of Immigration and Citizenship (DIAC))[108]
as an 'enforcement body' (item 17 of Schedule 1 of the Bill) particularly
concerned the OAIC and the Australian Privacy Commissioner, Mr Timothy Pilgrim.
2.96     
In its submission, the OAIC noted that item 17:
  ...has the effect of bringing the Immigration Department within
    the enforcement related exceptions that appear throughout the APPs. For example,
    APP 3.4(d)(i) permits the Immigration Department to collect sensitive information
    about an individual without their consent, if it is reasonably necessary for,
    or directly related to, one or more enforcement related activities conducted
    by, or on behalf of, the Immigration Department.[109]
2.97     
  The OAIC pointed out that the 'Immigration Department' is not currently
  an 'enforcement body' under the Privacy Act, and the Exposure Draft of the Bill
  did not propose to make that inclusion. Further: 
  The Immigration Department would appear to be of a different
    character to the other agencies included within the definition of an 'enforcement
    body', in the sense that its usual activities are not of an enforcement related
    nature. Accordingly, the OAIC believes that the Immigration Department's
    concerns are more appropriately addressed in enabling legislation, or
    alternatively under the Commissioner's power to make a [Public Interest
    Determination]. The OAIC recommends that the Immigration Department be removed
    from the definition of 'enforcement body'.[110]
Departmental response
2.98     
The EM contains the following justification for the inclusion of the
'Immigration Department' as an 'enforcement body' under the Bill: 
  In view of DIAC's enforcement related functions and
    activities, and the type of information it collects, uses and discloses, it is
    appropriate to include it in the definition of 'enforcement body'. However,
    given that it has a range of non-enforcement functions and activities, it will
    be limited in the collection of sensitive information to its 'enforcement
    related activities'.[111]
  
'Enforcement related activity'
2.99     
Item 20 of Schedule 1 of the Bill inserts a new definition of 'enforcement
related activity' into subsection 6(1) of the Privacy Act.  The EM advises that
the new definition will substantially capture the matters covered by NPP 2.1(h),[112]
with the addition of paragraphs to cover the conduct of surveillance
activities, intelligence gathering activities and other monitoring activities
(proposed new paragraph (b) of the definition), as well as protective or
custodial activities:
  These types of activities have been included to update and
    more accurately reflect the range of activities that law enforcement agencies
    currently undertake in performing their legitimate and lawful functions.[113]
2.100        
  Liberty Victoria expressed concern with proposed new paragraph (b)
  of the definition, arguing that it is too extensive and fails to balance the
  needs of enforcement agencies with the wider public interest of the community:
  There is neither a definition of 'surveillance activities'
    nor 'monitoring activities' found in the Bill and, as such, there is little to
    guide enforcement agencies and agencies to whom they are responsible as to what
    is legitimate and illegitimate use of private information. Further, enforcement
    agencies that conduct intelligence gathering activities are, in many respects,
    immune from external investigation as to the propriety of their activities.
    Liberty [Victoria] submits that in these circumstances there is a real and
    alarming potential for the improper use and disclosure of private information including
    biometric data.[114]
2.101        
  The Privacy Foundation argued similarly:
  It is not clear why [proposed new paragraph (b)] is
    considered necessary, and [it] has the potential to be very widely interpreted,
    and potentially misused to extend the effect of the exceptions which rely on
    the definition.[115]
'Permitted general situation' and 'permitted health situation'
2.102        
Item 82 of Schedule 1 of the Bill inserts proposed new sections 16A
and 16B into the Privacy Act. These provisions will allow an APP entity to
collect, use or disclose personal information about an individual, or of a
government‑related identifier of an individual, in certain circumstances.
Proposed new section 16A will set out exceptions described as 'permitted
general situations', and proposed new section 16B will set out those
exceptions described as 'permitted health situations'. 
2.103        
In accordance with Recommendation 1 of the F&PA committee's report,
the APPs were restructured to reduce their length and to avoid repetition.[116]
The Law Council contended, however, that locating proposed new
sections 16A and 16B separately to the APPs may create confusion:
  For example, proposed section 16A which specifies 'permitted
    general situations' in which collection, use and disclosure of certain
    information by certain entities is allowed despite the APPs. As the APPs will
    not on their own set out all the circumstances in which a use or disclosure may
    occur, non-lawyers may find it difficult to identify the relevant rules. The [Law Council]
    suggests that notes be inserted in appropriate places in the Bill to draw the
    reader's attention to the existence and basic effect of those exceptions which
    are located in separate provisions rather than in the APPs.[117]
'Permitted general situation'
2.104        
In relation to proposed new section 16A of the Privacy Act, the
exceptions are set out in a table (proposed new subsection 16A(1)). For
example, a 'permitted general situation' will exist in relation to personal
information where an agency 'reasonably believes that the collection, use or
disclosure is necessary for the entity's diplomatic or consular functions or
activities'.[118]
2.105        
 The OAIC commented specifically on the inclusion of diplomatic or
consular functions or activities as an exception to the APPs:
  The intended scope of the exception...and the specific
    information handling practices of [the Department of Foreign Affairs and Trade
    (DFAT)] that it is intended to address, are not clear. In particular, the term
    'diplomatic and consular functions or activities' is not defined and, as such,
    could cover a broad range of circumstances that involve the collection, use or
    disclosure of personal information.[119]
2.106        
  The OAIC recommended removing the exception for diplomatic or consular
  functions or activities from proposed new section 16A of the Privacy Act: 
  The OAIC acknowledges that there may be a public interest in
    exempting certain information handling activities undertaken by DFAT from the
    requirements of the APPs. However, the OAIC considers...that if these practices
    are not otherwise permitted by the Bill, they are more appropriately addressed
    in the agency's enabling legislation or, where no appropriate enabling
    legislation exists, via the Commissioner's power to make a [Public Interest
    Determination (PID)]. For example, since 1998 PID 7 and PID 7A have
    permitted DFAT to disclose the personal information of Australians overseas to their
    next of kin, in certain limited circumstances, where it would otherwise contravene
    the requirements of IPP 11.[120]