The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 introduced into Federal Parliament today

May 23, 2012 |

Today the Attorney General has introduced into the Federal Parliament the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. It is the legislative implementation of the Government’s response to the Australian Law Reform Commission’s recommendations to the Privacy Act.

It is a substantial piece of legislation (text is found here on Parliament House web site, running to 236 pages on the Word Format (although it should be added there are many amendments to existing legislation).  The explanatory memorandum is also a significant document which will require careful study.

The Attorney General’s press release provides:

Changes to the Privacy Act that better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner have been introduced into the Australian Parliament today.

Attorney-General Nicola Roxon said the changes represent the most significant developments in privacy reform since Labor introduced the Privacy Act in 1988.

“In an online world, we are sharing our personal information more than ever before—whether that be by paying our bills online, buying some footy tickets for the weekend, or connecting with friends and family through social media.

“Both consumers and governments have a role to play to protect privacy. In introducing these changes, the Gillard Government is doing its bit to protect the privacy of Australian families.

“These new privacy laws focus on giving power back to consumers over how organisations use their personal information.”

Key changes to benefit consumers through the changes include:

  • clearer and tighter regulation of the use of personal information for direct marketing
  • extending privacy protections to unsolicited information
  • making it easier for consumers to access and correct information held about them
  • tightening the rules on sending personal information outside Australia
  • a higher standard of protection to be afforded to “sensitive information” – which includes health related information, DNA and biometric data
  • enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance.

The Government is also modernising credit reporting arrangements, including:

  • making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
  • making it easier for individuals to access and correct their credit reporting information
  • prohibiting the collection of credit reporting information about children
  • simplifying the complaints process by removing requirement to complain to the organisation first, complaints can be made directly to the Privacy Commissioner, and by introducing alternative dispute resolution to more efficiently deal with complaints.

“There have been big changes to the way we access finance since 1990 when the existing credit reporting provisions came into effect.

“Many consumers have expressed their frustration at not being able to understand their credit rating.

“These changes will provide much more power to consumers to be able to access and, if necessary, correct their credit reports.”

The Government expects the credit industry will benefit because the reforms provides a more accurate picture of an individual’s credit situation to help them make a robust assessment of credit risk, which is expected to lead to lower credit default rates.

The Attorney General’s site on the subject is found here.

The early response for interest groups is not positive.  The Australia Privacy Foundation is scathing in its critisism.  It’s press release says:

The Government’s Privacy Amendment (Enhancing Privacy Protection) Bill 2012,introduced to Parliament today, is a backward step in Australia’s privacy protection,  not an improvement.
The Australian Privacy Foundation (APF), Australia’s leading privacy protection organisation for the past 25 years, urges the Opposition, Greens and Independents to reject the Bill completely. It should be scrapped.
Some key deficiencies of the Bill are:
• Not one of the 13 new Australian Privacy Principles (APPs) is an improvement on the existing NPPs and IPPs, and 8 of 13 are worse for privacy protection.
• For example, the existing right to anonymous transactions has been destroyed.
• The consumer’s right to ask ‘Where did you get my name?’ can be avoided wherever it is ‘impracticable’ for a business to do provide an answer.
• The personal information of any Australians can now be sent to countries with no privacy laws at all, with victims required to prove breaches occurring there.
• Exemptions from some of the APPs can be created by the Privacy Commissioner without any public hearings, notice or opportunity for public scrutiny, unlike the existing Public Interest Determination procedures.
• The improvements concerning the Privacy Commissioner are of little use unless complainants can require that the Commissoner make formal decisions under s52 of the Act. The Commissioner has made one s52 decision in 6 years, and says complainants have no right to formal decisions. Government Australian Privacy Foundation Media Release 2 proposals to allow such complainants to go direct to the Federal Court have been dropped.
• The credit reporting industry is being given the right to share information about Australians who have never had a credit default, a backward step for the privacy of every person who has ever had a loan or a credit card.
• Codes of Conduct have completely failed for 12 years, yet the government is embarking on a futile effort to breathe more life into their corpse, instead of concentrating on genuine reforms.
• The Commissioner can refuse to investigate complaints wherever he thinks investigation ‘is not warranted’, an unwarranted and unappealable discretion.
• The Commissioner can recognise another dispute resolution scheme to substitute for the Privacy Act, even if it provides lesser remedies than the Act.
• The Commissioner’s powers to require Privacy Impact Assessments (PIAs) from agencies are defective in not requiring an independent or public PIA.
• The ALRC’s proposed requirement on businesses to notify consumers and the Commissioner of any massive breaches of data security is not included.
• Removal of unjustifiable exemptions from the Act (‘small’ business; employment records; and political matters), proposed by the ALRC, is omitted.
The Bill does not even implement many of the key recommendations of the Australian Law Reform Commission (ALRC). The government has ‘cherry picked’ the recommendations and brought forward many that are most unfriendly to privacy, ignoring the ALRC’s better  recommendations. The credit industry gets what it wants, but ordinary Australians will wait forever for a second reform Bill – there should be one comprehensive Bill including all reforms.
This incomplete and consumer-hostile Bill should be rejected, says the Privacy Foundation. The government should bring back to the Parliament a Bill that comprehensively improves the Privacy Act.

How the 13 Australian Privacy Principles (APPs) go backwards
The APPs are not an improvement on the existing NPPs and IPPs. They are worse.
APP 1:
This APP fails to require disclosure of the destination and recipients of personal information sent overseas.
APP 2:
Anonymity and pseudonymity
The existing right to anonymous transactions is destroyed by this amendment.
APP 3:
Collecting solicited information
Existing limitations on collection have been abandoned, with a raft of new exemptions.
APP 4:
Receiving unsolicited information
This APP is no worse than the existing principles.

APP 5:
Notification of collection
The improvements here are insufficient, particularly the failure to require disclosure of overseas recipients.
APP 6:
Use and disclosure
This APP has the same raft of new exceptions as APP3, and is also worse than the exisiting principles in that it excludes the operation of the direct marketing and identifier principles.

APP 7:
Direct Marketing
This APP should apply to direct marketing by government as well. The consumer’s right to ask ‘Where did you get my name?’ can be avoided wherever it is ‘impracticable’ for a business to do provide an answer.

APP 8:
Cross-­?border disclosure
The personal information of any Australians can now be sent to countries with no privacy laws at all, with victims required to prove breaches occurring there. The existing inadequate principle needed strengthening, but it has been made worse.

APP 9:
Government identifiers
Protection against private sector misuse of government identifiers has now been removed.

APP 10:

APP 11:
Security and deletion

APP 12:

APP 13:

The last four APPs are no worse than the existing principles.



Leave a Reply