House of Representatives Committees

House of Representatives Standing Committee on Social Policy and Legal Affairs

Chapter 2 Australian Privacy Principles

2.1 The Australian Privacy Principles (APPs) are contained in Schedule 1 of the Privacy Amendment Bill. The principles cover:

- transparent management of personal information
- the collection, use and disclosure of personal information
- identifiers, integrity, quality and security of personal information, and
- access to and correction of personal information.

Defences to contravention of APP 8

2.2 Proposed APP 8.1 requires an entity disclosing personal information to an overseas recipient to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

2.3 Proposed section 16C outlines certain circumstances in which an act done by the overseas recipient can be taken to be a breach of the APPs by the disclosing Australian entity.

2.4 A number of exceptions to APP 8.1 exist:

- where the entity has a reasonable belief that the overseas recipient is bound by legal or binding obligations to protect the information in a way that is similar to the protection provided by the APPs[1]
- where an individual consents to the cross-border disclosure, after being informed that the consequence of giving their consent is that the requirement in APP 8.1 will not apply[2]
- where the disclosure is required or authorised by law[3]
- where limited 'permitted general situations' exist (in proposed section 16A(1))[4]
- where the disclosure is required or authorised by or under an international agreement relating to information sharing, the entity is an agency and Australia is a party to that agreement,[5] and
- where the entity is an agency, and the agency reasonably believes that the disclosure is reasonably necessary for enforcement related activities by an enforcement body and the overseas recipient's functions are similar to those of an enforcement body.[6]

2.5 The Australian Law Reform Commission (ALRC) inquired in some depth into ideal arrangements for cross-border data flows[7] but did not closely consider the question of defences or how any such defences should be framed. Consequently, the ALRC has not formed a view on this issue.[8]

2.6 Many submissions express concern that holding the disclosing Australian organisation responsible for a breach that occurs overseas places too great a burden on organisations that regularly transfer data overseas.[9]

2.7 Foxtel expressed concern that, even where an organisation takes reasonable steps such as reviewing its security controls, it may still be found liable for a data breach that occurs overseas, including where access to the information is unauthorised, as in a hacking incident.[10]

2.8 The Law Council of Australia (LCA) acknowledged that APP 8 attempts to strike a balance between the protection of personal information and the convenient flow of information. However, it suggests that, in this era of global trade, APP 8 errs too far on the side of cross-border compliance at the expense of the convenient flow of information, and that this may deter the growing use of cloud computing.[11]

2.9 In this regard, some have suggested that a defence to APP 8 should be available if the disclosing organisation has 'taken reasonable steps' to protect the information.[12]

2.10 By contrast, the Committee received many submissions suggesting that APP 8 should provide a much higher level of protection for personal information that is sent overseas.[13]

2.11 For example, the Australian Privacy Foundation (APF) is opposed to any defence to contravention.[14] Similarly, the Office of the Privacy Commissioner, New South Wales (OPCNSW) suggests that defences to contravention are inappropriate.[15] The Office of the Australian Information Commissioner (OAIC) does not support defences to contraventions but considers that matters such as the systems in place to prevent contraventions should be taken into account when determining the penalty.[16]

2.12 Some suggest that individuals should be given prior notice before their personal information is sent overseas[17] and that consent should be required before it can be sent.[18] The APF and OAIC further suggest that the exception in APP 8.2(e) should be removed.[19]

2.13 The Explanatory Memorandum to the Bill notes the attempt to strike a balance between data flow and privacy, stating that 'the principle will aim to permit cross-border disclosure of personal information and ensure that any personal information disclosed is still treated in accordance with the Privacy Act.'[20]

2.14 The Attorney-General's Department confirms that it does not consider that APP 8.1 should include a general exception, as this 'would undermine the confidence of individuals in the protection of their personal information',[21] and that 'the exceptions in APP 8.2 have been carefully considered and the Government considers that they are justified'.[22]

2.15 In relation to a defence for inadvertent disclosure, the Attorney-General's Department stated:

The Government does not consider that an exception is necessary where the overseas recipient may have made an inadvertent disclosure of personal information. An inadvertent disclosure of personal information may have significant consequences for an individual. While a disclosure may be inadvertent, the fact the disclosure has occurred may indicate failures in the security systems or handling protocols of that personal information in the hands of the overseas recipient.[23]

2.16 The Department considers that an explicit defence is not required, as:

These are matters that can be taken into account in an OAIC determination or by a court if the matter was being considered in relation to a possible civil penalty for the Australian entity.

It is not automatically the case that all possible or actual breaches of APP 8.1 will result in the imposition of a civil penalty. The decision to obtain a civil penalty order is at the discretion of the Commissioner, while the decision on whether a civil penalty should be imposed is at the discretion of the court.[24]

2.17 In line with this, the Privacy Commissioner gave evidence that:

Where an organisation can demonstrate that it is taking these steps to try and limit the impact of the [data breach], whether they can demonstrate that, for example, they have put in the best standard or the highest standard of systems protection such as those highlighted through international standards organisations, I certainly take that into account.[25]

2.18 There have also been suggestions that it would be helpful if a list of countries that satisfy APP 8.2(a) were published.[26]

2.19 At the Senate hearing, Mr Glenn, from the Attorney-General's Department, gave evidence that:

Certainly the ALRC recommended that the government publish a list of laws or binding schemes that would meet those criteria. The government response – this recommendation 31-6 – was to accept that. If this Bill is passed, the government will provide information about laws and binding schemes that it would consider are substantially similar to the APPs.[27]

2.20 He noted, however, that there would still be an obligation on the disclosing party to ensure that it was complying with the APPs in each set of particular circumstances.[28]

Compliance with overseas laws

2.21 Some submissions suggest that the APPs do not allow for the fact that some Australian companies are required to comply with overseas laws as part of their business activities.[29] There is some concern that obligations in such overseas laws may conflict with the requirements of the APPs.

2.22 For example, the Australian Bankers Association notes that banks must comply with foreign laws such as the United States Foreign Account Tax Compliance Act 2010 (FATCA), which requires them to provide some personal information about United States nationals who hold Australian bank accounts. The Australian Bankers Association and the Australian Finance Conference suggest that the definition of 'Australian law' should include any applicable overseas law or government agreement binding on an organisation, which would allow organisations to comply with these overseas obligations.[30]

2.23 At the Senate hearing, the Attorney-General's Department suggested that the solution to this problem does not lie in reform of the Privacy Act 1988 (Cth).[31] It was suggested that the FATCA requirements will not come into force until 2014, that they would also be inconsistent with the current requirements of the Privacy Act 1988 (Cth), and that no changes implemented through the Privacy Amendment Bill affect this.[32]

2.24 The Department suggests that an exception of the kind proposed above would be very broad and is problematic for sovereignty reasons.[33] There may be other mechanisms to prevent this conflict from arising, and discussions are being pursued between Australian Government agencies and the United States Internal Revenue Service to resolve the issue.[34]

2.25 It is anticipated that the outcome of these discussions will be a negotiated solution to the issue before the FATCA obligations commence.[35]

Direct marketing

2.26 APP 7 is entitled 'prohibition on direct marketing'. APP 7.1 sets out a prohibition on direct marketing, and APPs 7.2 to 7.5 detail a number of exceptions to this prohibition.

2.27 In their submissions, the Australian Direct Marketing Association (ADMA), Foxtel, the LCA and Salmat all suggest that labelling these provisions a 'prohibition' on direct marketing is misleading because the provisions actually permit direct marketing in many circumstances.

2.28 The ADMA suggests that this title will create confusion for consumers and businesses and will result in marketing suppliers losing business where businesses believe direct marketing is now prohibited.[36] At the Senate hearing, Ms Jodie Sangster (ADMA) noted that $15 billion is spent on direct marketing each year.[37]

2.29 Foxtel suggests that consumer confusion will result in complaints about direct marketing even where APP 7 is being complied with.[38]

2.30 The LCA suggests that APP 7 should be drafted in the style of APP 6, permitting direct marketing in certain situations and prohibiting it in all others.[39]

2.31 Although the ALRC report recommended that direct marketing be regulated in a discrete principle, its recommendation was not framed as a prohibition.[40]

2.32 The ADMA recommends that the language and structure of the exposure draft be reinstated or, alternatively, that similar drafting outlined by the ADMA in its submission be implemented.[41]

2.33 Foxtel suggests that the section should be drafted to make clear that there is an entitlement to market directly, subject to conditions.[42]

2.34 The Attorney-General's Department suggests that this drafting approach was used 'to clearly identify the information-handling activity that breaches privacy'.[43]

2.35 The Department also notes that the drafting approach was implemented as a result of comments and a recommendation by the Senate Finance and Public Administration Legislation Committee that APP 7 be re-drafted to simplify terminology and clarify intent.[44] The Department suggests that the heading 'prohibition' was adopted consistently with the approach to clarity taken elsewhere in the Bill.[45]

'Opt out' provisions for direct marketing

2.36 APP 7.3(d) requires organisations, in 'each direct marketing communication', to include a prominent statement that the individual may request not to receive direct marketing, or otherwise to draw the individual's attention to that option.

2.37 The submissions of Foxtel, the ADMA and Salmat outline concern that such a requirement is not suited to all forms of direct marketing communication. In particular, for direct marketing through media such as Facebook and Twitter, which allow limited character space,[46] they suggest it is highly impractical to require that each communication include an opt out message.[47]

2.38 The Attorney-General's Department notes that these provisions will not cover all forms of direct marketing:

APP 7 will not cover forms of direct marketing that are received by individuals that do not involve the use or disclosure of their personal information such as where they are randomly targeted for generic advertising through a banner advertisement. Nor will APP 7 apply if it merely targets a particular internet address on an anonymous basis for direct marketing because of its web browsing history.[48]

2.39 The Department notes that the 'opt out' requirements are designed to operate flexibly, so that organisations can develop methods tailored to the specific form of advertising. It suggests that shorter messages inviting consumers to opt out through a link might be an option to consider.[49]

2.40 Further, the Department notes that, while these requirements will require organisations to adapt to new direct marketing rules, the rules will enhance the privacy protections of consumers.[50]

Committee comment

Defences to contravention

2.41 The Committee acknowledges the concerns raised by industry in relation to this matter. In addition, the Committee notes the advice of the Attorney-General's Department and the Privacy Commissioner that reasonable steps taken by organisations will be taken into account in a determination at the OAIC and when the Privacy Commissioner decides whether to seek a civil penalty order in relation to a breach. It notes that not all breaches will be dealt with by civil penalty.

2.42 The Committee accepts the Attorney-General's Department's concern that creating defences such as those proposed in some submissions may have a detrimental effect on the overall security of personal information in some circumstances.

2.43 Following due consideration, the Committee is of the view that the manner in which the provisions will function in practice will perhaps only be wholly understood once the regime is in operation. At this point, the Committee considers that the correct balance has been achieved to ensure protection while permitting the flow of data required for effective business.

2.44 However, to safeguard the desired operation of the provisions, the Committee recommends that the prospect of introducing such a defence or exemption be re-evaluated in a review of the operation of the new privacy laws. This review should be conducted twelve months after the Act commences.

Compliance with overseas laws

2.45 The Committee acknowledges industry's concern regarding the conflict between certain overseas laws and the APPs.

2.46 However, based on advice from the Attorney-General's Department, the Committee concludes that this is not an issue specific to the changes implemented through the Privacy Amendment Bill. Consequently, the Committee has not considered this issue in detail.

2.47 The Committee is pleased to note the Attorney-General's Department's intention to continue negotiations with stakeholders, with a view to identifying a method to prevent this conflict from arising.

Direct marketing

2.48 The Committee acknowledges industry's concern that the characterisation of the direct marketing provision as a prohibition may have adverse effects for the direct marketing industry.

2.49 The Committee has not formed a view as to the degree of any adverse effect that may materialise, but is satisfied that this approach was taken following consultation and as a result of comments on the exposure draft of this Bill.

2.50 At this stage, the Committee considers that amendments to the drafting of these provisions are not required.

‘Opt out’ provisions for direct marketing

2.51 The Committee appreciates industry's concern about the requirements of the 'opt out' provisions for direct marketing. However, the Committee notes that APP 7 does not apply to all direct marketing, is intended to be flexible and can be satisfied in a variety of ways.

2.52 The Committee is satisfied with the provisions as they stand, but suggests that their operation be evaluated in a review to be carried out twelve months after commencement of the Act.