ADDITIONAL COMMENTS BY COALITION SENATORS


ADDITIONAL COMMENTS BY COALITION SENATORS

1.1        Coalition Senators are supportive of the need to reform Australia's privacy laws, to provide clarity and certainty and to enhance the privacy of citizens in many forms and media. But they are dismayed by the inept, ham-fisted way in which these reforms have been attempted in this bill.

1.2        Many of the submissions to this inquiry, and much of the evidence before the committee, were critical of the approach the government has taken to produce this legislation. Witnesses reported that the legislation had taken an inordinately long time to bring forward, that they and other stakeholders were substantially in the dark on the consultation process, that the provisions of the Bill were difficult to understand and that many provisions were so broadly or vaguely couched that much behaviour, which is currently considered acceptable in the marketplace, would be made unlawful in future. Some witnesses suggested the Bill was so bad it should be rejected outright by the Senate.[1]

1.3        The depth of the dismay obviously felt by many stakeholders stood in sharp contrast to the effusive, self-congratulatory language used by the Attorney-General in introducing the Bill.

1.4        Dr Anthony Bendall, the Acting Victorian Privacy Commissioner, said:

Not only does this completely remove the presumption of innocence which all persons are afforded, it goes against one of the essential dimensions of human rights and privacy law: freedom from surveillance and arbitrary intrusions into a person's life.[2]

1.5        Ms Katherine Lane, Principal Solicitor with the Consumer Credit Legal Centre (NSW) Inc, said of the Bill's readability and how well people were being prepared for their new rights and obligations:

No, there has not been anything. Nothing at all. It is alarming...[E]very time I mention it to a client, they go white. They have no idea that any of this is coming. It will have a profound impact on the way they manage their household budget and their lives and their loans. Australia spends a huge amount of money on financial literacy, but we have not got anything happening on this.[3]

1.6        The Law Council of Australia noted:

[A] number of large penalties contained in the legislation are out of proportion to the gravity of the contraventions involved...[We regret] the availability of such significant penalties for events that may be trivial and may happen very quickly if an error arises.[4]

1.7        Mr Simon Remington, Managing Director of Remington Direct, said:

[T]he inclusion of a 'prohibition on direct marketing' will cause considerable confusion with our clients as to whether direct marketing is permitted or not. This will have a direct, financial and reputation effect on our business...This decision would unquestionably cost many jobs within our industry plus within companies who use direct marketing to grow their business.[5]

1.8        The Australian Bankers' Association noted:

[A]s far as the general privacy provisions are concerned, the proposed implementation timeframe in the Bill will be insufficient for our members to implement those reforms effectively.[6]

1.9        Faced with this avalanche of criticism, Coalition senators considered recommending that the Senate reject this legislation; however, we also note the predominant tone of stakeholder criticism, which is to the effect that: the Bill is deeply flawed, but privacy reform is urgent, so passing this package and fixing the problems later is the lesser of two evils.

1.10       Coalition Senators are broadly supportive of the committee majority's recommendations attempting to fix some of these problems. In other respects, we feel the report could go further at this time.

Direct marketing principle (APP 7)

1.11      APP 7.1 prohibits a private sector organisation which holds personal information about an individual from using or disclosing the information for the purpose of direct marketing. APP 7.2 and APP 7.3 provide exceptions to the general prohibition and are contingent upon an organisation providing a simple means by which an individual may easily request not to receive direct marketing communications from the organisation (APP 7.2(c) and APP 7.3(c)).

Breadth of the principle

1.12      Facebook, Google, IAB Australia and Yahoo!7 submitted that the proposed definition and application of 'direct marketing' would allow for an extremely broad application of the prohibition in APP 7.1. The joint submission stated that, in practice, this would prevent businesses providing any promotional communications to consumers and would potentially undermine ad-supported business models:

This is so broad as to potentially cover all forms of communications between businesses and consumers that include any promotional material, including, for example, free-to-air television advertisements and free online, ad-supported services such as those offered by [us].[7]

1.13      Instead, Facebook, Google, IAB Australia and Yahoo!7 suggested an alternative definition of 'direct marketing' and 'direct marketing communication', which would allow consumers to continue to receive direct marketing in certain circumstances:[8]

[T]he Proposed Law should not be read to (and we believe it is not intended to) permit a consumer to opt out of all direct marketing, if receiving direct marketing is part of the value exchange of the service that the consumer is choosing to receive. To avoid this ambiguity, APP 7.2 and APP 7.3 should be rephrased. APP7.2 and APP7.3 each require that an opt-out of direct marketing be provided. However it is not clear that the opt-out be from receipt of direct marketing that relies on personal information. Rather it is written as an opt-out of direct marketing altogether. In the event that 'direct marketing' were interpreted to include advertisements, this would undermine advertising based business models, which is surely not the intention of the [Bill].[9]

1.14      Coalition Senators note the Attorney-General's Department's (Department) response to this concern:

APP 7 will not cover forms of direct marketing that are received by individuals that do not involve the use or disclosure of their personal information, such as where they are randomly targeted for generic advertising through a banner advertisement. Nor will APP 7 apply if it merely targets a particular internet address on an anonymous basis for direct marketing because of its web browsing history. These are current online direct marketing activities that will not be affected by the amendments.[10]

1.15      Coalition senators are not convinced, however, that the operational scope of APP 7, as drafted and explained in the Explanatory Memorandum, would be limited in this way. They note that the current business practice of these organisations, and presumably thousands like them, does entail harvesting personal information about, say, a subscriber's internet usage to direct incidental advertising to that subscriber's web account. Making such practices unlawful seems to repudiate widely used and well accepted marketing techniques, but the extent to which the Bill does so is far from clear.

1.16      Accordingly, Coalition Senators consider that either APP 7 or the Explanatory Memorandum should provide further clarification on this point to provide greater certainty for relevant private sector organisations.

Opt-out requirement

1.17      In evidence at the second public hearing, an officer of the Department elaborated on the application of APP 7, including the circumstances in which direct marketing using personal information is permitted:

APP 7...sets up two situations for when people can use personal information for direct marketing. The first is essentially where there is an existing relationship with the customer, so the information has been collected from the customer and that customer has been provided with an opportunity to opt out of receiving direct marketing—essentially the point of collection. That is APP 7.2.

The second situation is where information is being collected from somewhere other the person—from other information or from whatever source—and in that situation direct marketing can occur if, in relation to each instance of marketing, the individual is provided with the facility to opt out of receiving further direct marketing material. [That is APP 7.3]. [11]

1.18      The departmental officer advised that the 'real intention' of APP 7.2 and APP 7.3 is to give consumers control over the use of their personal information in direct marketing.[12] However, Coalition Senators observe that there may be implementation difficulties, not just with the provision of a simple opt-out mechanism but also the requirement in APP 7.3(d), allowing for direct marketing if:

(d) in each direct marketing communication with the individual:

(i) the organisation includes a prominent statement that the individual may make such a request; or

(ii) the organisation otherwise draws the individual's attention to the fact that the individual may make such a request[.][13]

1.19      Coalition Senators are of the view that, in a Bill intended to modernise a legislative framework, the proposed provisions should be not only practicable but should also, as far as possible, be 'future proofed' so that they can apply to current and future technologies in an international operating environment. The present provisions do appear to suffer from a lack of relevance to contemporary online practice.

1.20      Coalition Senators are concerned that APP 7.2 and APP 7.3 will be rendered meaningless if those provisions impose conditions which cannot be met for technical or logistical reasons. It is no answer to simply assert that private sector organisations must comply with what may be a practically impossible requirement.[14]

'Repayment history information' and lenders mortgage insurers

1.21      Proposed new subsection 20E(1) (item 72 of Schedule 2) of the Privacy Act prohibits a 'credit reporting body' which holds 'credit reporting information' about an individual from using or disclosing that information. There are a number of exceptions to this general prohibition (proposed new subsections 20E(2)-(3)); however, under proposed new subsection 20E(4) a 'credit reporting body' cannot disclose 'credit reporting information' derived from 'repayment history information' to recipients who are not 'licensees' under the National Consumer Credit Protection Act 2009, including, for example, lenders mortgage insurers (LMIs),[15] which are regulated by the Australian Prudential Regulation Authority.

1.22      The Insurance Council of Australia highlighted that LMIs assume the same risk as lenders:

[I]mpeding their ability to assess this risk by denying direct access to the full range of credit information is likely to significantly affect the LMI providers' ability to actually provide LMI. This will impact on the availability and accessibility of borrowers (particularly first home buyers).[16]

1.23      Coalition Senators note that such an outcome would be contrary to some of the benefits of privacy reform identified by the Attorney-General in her second reading speech and, in particular, the enhanced ability of the finance and credit industry to make more accurate risk assessments.[17] Consistent with the introduction of more comprehensive credit reporting, Coalition Senators consider that, with the appropriate safeguards, there is no sound justification for disallowing LMIs from receiving 'credit reporting information' from a 'credit reporting body'.

Cross-border disclosures of personal information – 'Australian link'

1.24      Items 4 to 7 of Schedule 4 of the Bill amend the definition of 'Australian link' in subsections 5B(2) and 5B(3) of the Privacy Act. Coalition Senators note the intention of this amendment, as stated in the Explanatory Memorandum:

The credit reporting system will not contain foreign credit information or information from foreign credit providers (even if they have provided credit to an individual who is in Australia), nor will information from the credit reporting system be available to foreign credit reporting bodies or foreign credit providers.[18]

1.25      The Explanatory Memorandum further indicates that the use of the term 'Australian link' throughout the credit reporting provisions in proposed new Part IIIA (item 72 of Schedule 2) of the Privacy Act was considered to be a simple, clear and effective approach to implementing the government's policy proposal.[19]

1.26      However, industry stakeholders gave evidence to the committee indicating that the use of the term 'Australian link' in proposed new section 21G (item 72 of Schedule 2)[20] of the Privacy Act will have an inadvertent and significant adverse effect on business operations. For example, Mrs Sue Jeffrey from the ANZ Banking Group Limited (ANZ) stated her company's position as follows:

[T]he Australian link requirement will have a major effect on the way ANZ structures its businesses. For example, ANZ from time to time use credit assessment teams in New Zealand to assist with processing home loan applications during periods of high volume. We would like to retain this ability to move work across our geographies in order to best meet the needs of our customers. [The Bill] would represent a much more significant impact than we expect was intended. It would be a backward step in ANZ's ability to structure its operations in a way that supports our regional footprint and delivers our customers efficient, high quality service. At the same time it would offer no additional privacy protection to our customers.[21]

1.27      Mr Steven Münchenberg, representing the Australian Bankers' Association, told the committee that there was no reason why the 'Australian link' requirement should be so restrictive:

ANZ have modelled their business in a particular way and other banks would have modelled theirs in different ways. Certainly [the Australian Bankers' Association] cannot see any reason why a wholly owned subsidiary in New Zealand should be banned from processing Australian data, nor can we see a reason why a company that has been set up in New Zealand to service New Zealand banks should not also be able to provide that service to Australian-based banks – as an example – provided, of course, they comply with either Australian standards or comparable standards in New Zealand...[W]e would certainly want to see this extended to agents.[22]

1.28      The Communications Alliance representative, Mr John Stanton, similarly referred to the application of the 'Australian link' requirement to service providers contracted by telecommunications providers:

The implication for telecommunications companies that use contractors offshore for service activation and sales activities, activities which do require access to credit eligibility information, is that the Australian link requirement would make it very difficult for them to continue their work.[23]

1.29      The Department acknowledged that implementation of proposed new section 21G has caused unforeseen difficulties, which the Department is endeavouring to address.[24] In other words, this provision is anything but simple, clear and effective, and the Australian Government is asking the Senate to debate and pass the Bill without a solution in sight.

1.30      Coalition Senators can scarcely credit that an issue as serious as this was not identified and addressed much earlier than in the current inquiry. It also raises the question of what other oversights the Senate might be asked to scrutinise in the future, for example, conflict of laws arrangements necessitated by the Bill.

1.31      In the circumstances, therefore, Coalition Senators reserve the right to revisit their comments on the appropriateness and efficacy of the term 'Australian link' in the credit reporting provisions of Part IIIA of the Bill.

Use of de-identified credit reporting information

1.32      Witnesses argued that proposed section 20M was unnecessary, in that de‑identified information cannot, by definition, be a breach of privacy. Coalition Senators agree. The regulation in the Bill of this kind of data seems a particularly pointless exercise in creating red tape. Coalition Senators note that the committee majority considers that 'it is appropriate for secondary uses of 'credit reporting information' to be regulated, particularly when it might be possible to re‑identify the information', but no circumstances were brought to the committee's attention where such a situation could arise.

1.33      Coalition Senators believe this provision should be reconsidered.

 

Senator Gary Humphries
Deputy Chair 		Senator Sue Boyce

Navigation: Previous Page | Contents | Next Page