CHAPTER 5

Australian Information Commissioner's functions and powers

5.1        Under subsection 12(1) of the Australian Information Commissioner Act 2010 (AIC Act), the 'privacy functions' of the Australian Information Commissioner (Commissioner) are conferred upon the Australian Privacy Commissioner, a person appointed under section 14 of the AIC Act.

Enhanced powers

5.2        Schedule 4 of the Bill makes several amendments to the functions and powers of the Commissioner. The Explanatory Memorandum (EM) indicates that these amendments are largely derived from recommendations made by the Australian Law Reform Commission (ALRC) and are intended to:

...improve the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.[1]

Support for enhanced powers and commensurate resourcing

5.3        Some submitters and witnesses expressed broad support for the Bill's proposed enhancement of the Commissioner's powers.[2] The Australian Privacy Commissioner, Mr Timothy Pilgrim, told the committee:

These powers reflect the increasing importance that the community places on the protection of personal information and the need for the protection of privacy interests in a digital and globalised world. They will assist me in addressing serious and systemic interferences with the privacy of individuals and provide a clear message to entities of the need to take privacy seriously.[3]

5.4        The NSW Privacy Commissioner submitted similarly:

[These powers] will hopefully lead to better outcomes for the community in terms of ensuring that entities consider the privacy-related consequences of projects as soon as possible to avoid potential privacy breaches later in the process.[4]

5.5        In some instances, submitters referred to specific provisions which they supported. For example, the NSW Privacy Commissioner and the Australian Privacy Foundation (Privacy Foundation) endorsed the proposal to allow the Commissioner to accept enforceable undertakings (proposed new section 33E of the Privacy Act in item 64 of Schedule 4).[5] The Office of the Victorian Privacy Commissioner especially welcomed proposed new section 33D of the Privacy Act, which enables the Commissioner to direct a Commonwealth agency to conduct a 'privacy impact assessment' (PIA):

It is my hope that these powers are exercised widely, as my office has found that conducting a PIA early in a project has the ability to greatly reduce the impacts on the privacy of individuals...I recommend removing section 33D(7) and allowing the Commissioner to direct any APP entity to conduct a PIA.[6]

5.6        Proposed new subsection 33D(7) of the Privacy Act requires the Attorney‑General to undertake a review of proposed new section 33D within five years of its commencement to determine whether the section should apply in relation to private sector organisations, as well as Commonwealth agencies.

5.7        The EM notes that proposed new subsection 33D(7) of the Privacy Act partially implements the Australian Government's response to ALRC Recommendation 47-5.[7] That response states:

The Government notes that PIAs are a valuable tool to assist an organisation to comply with its responsibilities under the Privacy Act but agrees with the ALRC that a similar power to that recommended in [Recommendation] 47-4 for agencies should not be available in relation to organisations at this stage.[8]

5.8        A few submitters and witnesses also commented on the adequacy of resourcing for the Office of the Australian Information Commissioner (OAIC).[9] Australian Direct Marketing Association (ADMA), for example, submitted that under‑resourcing of the OAIC, in general, and the Australian Privacy Commissioner, in particular, was a problem when the National Privacy Principles were first introduced in 2001. ADMA's submission argued that this led to delays in the resolution of complaints, which undermined confidence in the effectiveness of the (then) new privacy regime. Accordingly:

It is to be hoped that the Government will increase the budget for the [Office of the Australian Information Commissioner] commensurate with the new powers and functions contained in [the current proposed] legislation.[10]

Concerns regarding exercise of the powers

5.9        Some submitters and witnesses argued, however, that the Commissioner has not fully utilised the enforcement powers currently available under the Privacy Act.[11] Most notably, the Privacy Foundation submitted:

[W]e consider that successive Commissioners have had a history of inaction in the use of the enforcement powers that they do have, which has seriously undermined the effectiveness of the Privacy Act...This regrettable situation cannot be reversed solely by more powers or more resources being given to the Commissioner. More powers must also be given to complainants so that they can ensure for themselves that the Commissioner does his or her job.[12]

5.10      In particular, the Privacy Foundation referred to proposed new paragraph 96(1)(c) of the Privacy Act.[13] This provision will allow for an appeal to be made to the Administrative Appeals Tribunal against a decision made by the Commissioner under current subsections 52(1) or 52(1A) (Determination of the Commissioner) of the Privacy Act.[14]

5.11      The Privacy Foundation described this provision as a 'long-overdue reform'[15] but remained sceptical of its value given the low number of determinations made under section 52 of the Privacy Act to date:

[F]or the right of appeal to have any meaning, the Commissioner would first have to make decisions against which appeals can be lodged.

In the 23 year history of the Privacy Act, successive Commissioners have made a mere nine determinations. It is a very poor record of inaction.

Therefore, this new right of appeal is of little use unless complainants can require the Commissioner to make formal decisions under s52 of the Act...The only way to make the new s96 right of appeal meaningful is therefore for the Commissioner to be required to make a formal decision dismissing a complaint, whenever a complainant so requests, so as to activate a complainant's right of appeal.[16]

5.12      In response, the Australian Privacy Commissioner, Mr Pilgrim, advised the committee that the low number of determinations reflects success in conciliating matters rather than having to use more formal powers. Further:

[W]e have a system that is set up to bring the parties together in an area that is not based around black-and-white law. It is an area where there are a lot of judgment calls to be made on broad-ranging principles and the process that we take to resolve the complaints reflects the nature of the [A]ct in that regard.[17]

5.13      Mr Pilgrim rejected the suggestion that individuals should have the ability to require the Commissioner to make a determination,[18] a position also taken by the Australian Government when it rejected a similar recommendation made by the ALRC in 2008:

This recommendation would fetter the Commissioner's discretion to determine the most effective way to resolve a complaint and could undermine the incentives for parties to engage actively in conciliation.[19]

5.14      Mr Pilgrim noted that a decision not to go to determination is appellable under section 5 of the Administrative Decisions (Judicial Review) Act 1977, and argued that it would be quite reasonable for this right to extend to a merits-based review of any determination made by the Commissioner.[20]

5.15      Mr Pilgrim's comments regarding the number of determinations to date were endorsed by the Department:

The Department is not aware of any evidence of widespread dissatisfaction with the way in which the Commissioner has resolved complaints through the conciliation process.[21]

5.16      The Department did not agree, however, that there should be a right to merits‑based review of the Commissioner's decision not to make a determination:

[E]xpanding merits review to decisions by the Commissioner not to make a determination, or including a right of complainants to require the Commissioner to make a determination, would be at odds with the compliance-oriented regulatory design recommended by the ALRC [and adopted throughout Schedule 4 of the Bill].[22]

Civil penalty orders

5.17      Schedule 4 of the Bill also inserts a new Part VIB into the Privacy Act.[23] Proposed new Part VIB sets out provisions in relation to civil penalty orders. Essentially, an entity will be prohibited from contravening a 'civil penalty provision',[24] and the new Part provides a means by which the Commissioner can enforce these provisions.

5.18      Proposed new section 80W of the Privacy Act allows the Commissioner to apply to the Federal Court of Australia or the Federal Magistrates Court for an order that an entity, which is alleged to have contravened a 'civil penalty provision', pay the Commonwealth a pecuniary penalty.[25] The court may, if satisfied that an entity has contravened a 'civil penalty provision', order the entity to pay the Commonwealth such pecuniary penalty as the court deems to be appropriate. The maximum penalty that the court can order is:

(a) if the entity is a body corporate—5 times the amount of the pecuniary penalty specified for the civil penalty provision; or

(b) otherwise—the amount of the pecuniary penalty specified for the civil penalty provision.[26]

Clarity and proportionality

5.19      Some submitters commented on the judicial discretion in proposed new subsection 80W(3) of the Privacy Act. ADMA, for example, expressed concern that the court could theoretically impose unlimited fines because the wording of the penalty provisions is 'too open-ended'.[27] Several other submitters similarly called for clarification of the proposed fines and penalties provisions.[28]

5.20      Magnamail, and others, argued:

Being a company that is subject to the Privacy Act it is essential that we have an understanding of the potential extent of fines and penalties for our risk assessment purposes.[29]

5.21      Remington Direct added:

Despite the Government's best efforts to educate, there are likely to be companies who don't read the literature or realise it applies to them. In light of this we would support an initial warning before a company incurs a monetary fine.[30]

5.22      A few submitters also questioned the penalties contained in certain 'civil penalty provisions'. The Law Council of Australia, for example, argued in a general sense that a number of large penalties contained in the Bill are 'out of proportion to the gravity of the contraventions involved'.[31] More specifically, the Australian Industry Group considered that proposed new section 13G of the Privacy Act should provide for an 'appropriate' civil penalty of 60 units, rather than the 'excessive' 2,000 units included in the provision.[32]

5.23      The NSW Privacy Commissioner, who supported proposed new section 13G of the Privacy Act, did not agree that the penalty in that provision is disproportionate:

The community expects that there will be appropriate penalties for organisations that engage in serious and repeated acts that interfere with the privacy of an individual or individuals.[33]

5.24      A representative from the Department agreed:

[There] is potentially a high penalty, only for serious or repeated interferences with privacy. If you think of the regulatory scheme at the pyramid, it is at the apex of the pyramid. It says, 'This is the ultimate sanction that a commissioner could take.' It is designed to be used only in those situations where there are really serious issues that have emerged or there is a repeated pattern of behaviour that has not otherwise been resolved through the other tools that the commissioner has available to him.[34]

5.25      The Australasian Retail Credit Association (ARCA) and ADMA, in respect of proposed new section 13G of the Privacy Act, argued that the Bill should allow for breaches which are not wilful or deliberate. ARCA suggested that, as with the Corporations Act 2001, 'lesser penalties' should be applied in such circumstances; and ADMA recommended that section 13G of the Privacy Act should be amended to define 'serious' as 'reckless or wilful and intentional'.[35]

5.26      The EM acknowledges that proposed new section 13G of the Privacy Act does not define what constitutes a 'serious' or 'repeated' interference with the privacy of an individual – that is, the ordinary meaning of these words will apply.[36] In addition:

[I]t is anticipated that the OAIC will develop enforcement guidelines which will set out the criteria on which a decision to pursue a civil penalty will be made. These guidelines will assist in [providing] further clarity and context for the term ['serious'].[37]

5.27      In its submission, the Australian Bankers' Association (ABA) noted that the Bill does not provide any defence to an alleged interference with the privacy of an individual. In the ABA's view, 'there should be a general defence available to an APP entity' for inadvertent breaches of the Privacy Act:

The amendments in the Bill will create a more onerous compliance regime for APP entities in the collection, handling, use and disclosure of personal information.

Banking is a highly dynamic environment for the handling of personal information across a very large number of employees. Banks will continue to develop and implement robust privacy protection systems and processes and will rigorously train staff as they have done to date.

Inadvertent breaches of the [Privacy] Act and the APPs may occur in circumstances where these occurrences ought fairly to be excused.[38]
