Report of the Privacy Act Review by the Attorney General’s Department: Chapter 8, the Political Exemption. Consideration and analysis. Not a particularly elegant solution to a difficult problem.

May 21, 2023

The political exemption in the Privacy Act raises public policy questions that the small business operator and employee records exemptions do not. It is also an area of law where the common law has developed to protect free speech. The Report undertakes a significant analysis.

The extent of the exemption:

Under the Privacy Act:

  • registered political parties are entirely exempt
  • under section 7C political representatives (MPs and local government councillors), and their affiliates and the affiliates of registered political parties are exempted from acts and practices done for any purpose in connection with an election, a referendum, or participation in another aspect of the political process.

This means that currently if a registered political party collects, uses or discloses personal information for a purpose unconnected with the political process, it is not required to comply with the Act. Other political entities are only exempt from the Act’s requirements to the extent that they are handling information for purposes connected to the political process under section 7C.

Under this exemption a registered political party can handle personal information other than for a purpose connected to the political process and still be exempted from the Privacy Act provisions. This is an anomaly given the rationale for the exemption was to encourage freedom of political communication. There have been no reported instances of a political party taking advantage of this situation. That is probably because political parties are focused on collecting information only for political reasons.

Rationale for exemption

The stated rationale for the exemptions was:

  • to encourage freedom of political communication and enhance the operation of the electoral and political process in Australia.
  • to operate in a manner consistent with the implied freedom of political communication under the Australian Constitution.

While the Australian Law Reform Commission in its Report 108 recognised the special status of political acts and practices under the Constitution as the most compelling reason for exempting political acts and practices of political entities, it still concluded that registered political parties should be brought within the scope of the Act and that the exemption for political entities should be removed, to promote public confidence in the political process and remove the advantage which the exemption confers on incumbent political entities.

The Issues Paper sought feedback on whether political acts and practices should continue to be exempted from the operation of some or all of the Australian Privacy Principles.

The Discussion Paper canvassed the approach to regulating political parties under data protection laws in the UK, Canada and New Zealand.

The Report noted that almost all submissions on this exemption considered it was not justifiable and should be narrowed or removed. The OAIC submitted that there was little evidence that data protection laws operating in other countries have had any considerable impact on political parties’ ability to perform their basic democratic roles, including political communication.

The Report proposed amending the definition of ‘organisation’ to include registered political parties, and that they be included within the scope of the exemption in section 7C of the Act.  Accordingly registered political parties would be required to comply with the APPs in the handling of personal information, to the same extent as political representatives (and political affiliates) unless exempted by the operation of the exemption in section 7C.

Regarding transparency the Report:

  • confirmed there were concerns about transparency in the handling of voters’ information: political parties, by collecting personal information about voters from a variety of sources such as media, data brokerage services and the electoral rolls, can build large databases with detailed information about voters without their knowledge or consent. They are not required to inform voters of the ways in which their personal information is collected, or specify how it will be used or disclosed.
  • considered that greater transparency in relation to political communication may not only be consistent with and support the constitutionally-prescribed system of government but also serve to protect it, citing LibertyWorks Inc v Commonwealth, where the High Court found that the purpose of the Foreign Influence Transparency Act 2018, making transparent the involvement of foreign interests in political communication, was consistent with the freedom of political communication and ‘reinforces the freedom despite doing so by burdening some political communication.’
  • proposed that the Act be amended to require political entities to be more transparent about how they handle personal information by requiring entities that are covered by the political exemption in section 7C to have a privacy policy in accordance with APP 1.


Australian Communications and Media Authority finds that A Current Affair breaches its privacy rules regarding publishing the identity of a person in one of its reports.

May 20, 2023

The Australian Communications and Media Authority (“ACMA”) has found that A Current Affair has breached its privacy rules in relation to a report about a neighbourhood dispute on 21 March 2022.

The media release provides:

The Australian Communications and Media Authority (ACMA) has found TCN Channel Nine (Nine) breached privacy rules in a story on A Current Affair that included mobile phone footage of a dispute between neighbours.  

An ACMA investigation found the story breached a participant’s privacy by including his name, part of his residential address and unobscured video footage of his face without his consent.

Under the Commercial Television Industry Code of Practice, broadcasters must not air personal information without consent unless it is in the public interest. 

ACMA Chair Nerida O’Loughlin said broadcasters must respect the privacy of individuals included in news and current affairs reporting.

“Broadcasters may only disclose personal information without consent if it is relevant and proportional to the public interest,” Ms O’Loughlin said.  

“In this case our investigation found it wasn’t in the public interest for Nine to disclose the individual’s name and address because it wasn’t necessary to enable the audience to understand the overall issue.

“Even if material is already available in the public sphere, as some of this footage was, a licensee has an obligation to consider how broadcasting the material may further impact people’s privacy.”

As a result of the ACMA’s investigation the licensee will train staff in the privacy requirements of the code.

FACTS

In July 2022, the Australian Communications and Media Authority (the ACMA) commenced an investigation under the Broadcasting Services Act 1992 (the BSA) into an episode of A Current Affair.

The episode was broadcast

Real Estate Institute of Australia calls for retention of small business exemption in Privacy Act review. Nothing particularly new in the complaints

The small business exemption is a real weakness in the Privacy Act. The exemption applies to businesses with a turnover of $3 million or less. It was included in the amendments which brought the private sector under the regulation of the Privacy Act in 2001. The rationale for the exemption was not legal. Far from it. The stated reason was a concern about regulatory burden and cost of compliance. Given other universal regulatory obligations at the time and since, exempting small business operators from keeping records secure and not interfering with customers’ privacy was poor public policy. It remains so. In 2001 the volume of data held by the typical small business was modest compared with now. As the costs of storing data decrease and the speed of processing increases, coupled with programs to analyse data, small businesses are as enthusiastic in collecting and analysing personal information as their larger counterparts. It is not hard to set up loyalty schemes and email lists. Or they just want the information, full stop. Real Estate agents are, generally speaking, voracious collectors of data. Of more concern is that many Real Estate agents collect more information than they need to deal with renters and register interest of potential purchasers. They have also been the subject of significant data breaches (see here, here, here, here and here).

It is then more than passing strange that the President of the Real Estate Institute of Australia, Hayden Groves, resists reform to the Privacy Act by removing the small business exemption, as reported in Real estate agents push back against Australian privacy law changes designed to protect personal data. The arguments encompass the original justification for the exemption, the cost of compliance, and then move on to a claim that other forms of regulation make coverage by the Privacy Act unnecessary. No details are provided. Of course. The additional cost complained of is not specified. There has never been

A timely reminder on the privacy risks with many apps. Apple blocked 1.7 million apps for privacy/security issues in 2022

May 18, 2023

Apps are notorious for having poor security and privacy controls. The reason is often as simple as the app designers wanting to get an app on the market as quickly as possible. Apps are designed quickly, often in competition with other designers for a similar product. The developers see no point in privacy by design and have scant regard to any privacy laws. That makes them easy targets for criminals.

And then there are the apps designed to skim information as part of a hack, or otherwise used for fraudulent purposes.

It is little wonder then that Apple blocks so many apps, as Bleeping Computer writes in Apple blocked 1.7 million apps for privacy, security issues in 2022.

The article

National Institute of Science and Technology release Advanced Encryption Standard (AES)

May 16, 2023

The National Institute of Science and Technology has produced the updated Advanced Encryption Standard (AES) on 9 May 2023.

At 46 pages it is the usual

Over 4.3 million records breached worldwide in April 2023.

May 8, 2023

Itgovernance has published the list of reported or otherwise discovered data breaches in April 2023 and found that there were 120 publicly disclosed breaches which resulted in 4,353,257 records being compromised. Fortunately Australian entities did not feature in April’s tally. They made up a significant part of the tallies in late 2022 and earlier this year.

Some of the prominent breaches involved:

Itgovernance highlight the following data breaches in April:

1. Shields Health Care Group

The largest data breach of April 2023 was at the Shields Health Care Group, a Massachusetts-based medical services provider. Reports emerged near the end of the month that a cyber criminal had gained unauthorised access to the organisation’s systems and had stolen the personal data of 2.3 million people.

Federal Trade Commission proposes a blanket ban on Facebook monetizing youth data and other restrictions.

Facebook has been the subject of action from the Federal Trade Commission (the “FTC”) on two occasions to date. The FTC announced on 3 May that it wants to amend its 2020 order against Facebook because it believes that Facebook has failed to comply with that order. Worse, it claims that Facebook has misled parents about their control through its Messenger Kids app and misrepresented how much access it provides app developers to private user data.

The use and misuse of children’s personal information is a very serious and topical issue. The FTC clearly believes that Facebook is incorrigible in its collection of this data and the use it puts it to. The orders it seeks are quite severe, including

Commonwealth Attorney General announces the (re) creation of the Privacy Commissioner.

May 3, 2023

Today the Attorney General announced that the Government will create a stand alone position of Privacy Commissioner. The statement provides:

The Albanese Government will appoint a standalone Privacy Commissioner to deal with the growing threats to data security and the increasing volume and complexity of privacy issues.

Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.

The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.

This action is in significant contrast to that of the former Liberal Government, which left Australia disgracefully unprepared for this challenge by failing to strengthen privacy laws, and scrapping the position of a standalone Privacy Commissioner.

The Albanese Government takes privacy regulation seriously and has already acted to significantly increase penalties for companies which fail to take adequate care of customer data and give the Australian Information Commissioner improved and new powers.

The Australian people rightly expect greater protections, transparency and control over their personal information and the appointment of the standalone Privacy Commissioner restores the Office of the Australian Information Commissioner to the three-Commissioner model Parliament originally intended.

Currently, the Australian Information Commissioner, Ms Angelene Falk, holds a dual appointment as the Privacy Commissioner. I thank Ms Falk for her dedicated service in this role since 2018. Ms Falk will remain Information Commissioner and head of the OAIC.

A merit-based selection process to fill the role of Privacy Commissioner will commence today. Ms Falk will continue as the Privacy Commissioner until this process is finalised.

Freedom of Information Commissioner

In light of the recent resignation of Mr Leo Hardiman PSM KC as Freedom of Information Commissioner, I am also pleased to announce that we have appointed Ms Toni Pirani as acting Freedom of Information Commissioner, effective 20 May 2023. I thank Mr Hardiman for his significant contribution and wish him well in his future endeavours.

Appointing an acting FOI Commissioner will ensure that the OAIC can continue to undertake its FOI functions until a permanent appointment is made.

A merit-based selection process to select the ongoing FOI Commissioner vacancy will also commence today.


Privacy Act Review Report. Chapter 7: employee records exemption. A disappointingly non committal proposal.

May 2, 2023

Chapter 7 of the Attorney General’s Report into the Privacy Act 1988 considers the employee records exemption in the Privacy Act 1988. The employee records exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information). The Australian Law Reform Commission unequivocally recommended that it be removed by the repeal of section 7B(3) of the Privacy Act. Unfortunately this Report has ummed and ahhed in the face of vociferous and largely spurious objections by employer bodies who wish to retain the exemption come what may. As a result the Proposal is far from unequivocal and seeks to find a half way house of improving privacy protections of those records but not entirely removing the exemption. It also wants further consultation. Because years and years of consultation is not enough. It is a very disappointing chapter. Not as poorly analysed as the small business exemption but not good nevertheless.

The exemption applies to an act or practice of an organisation that is or was an employer as it directly related to its employment relationship with an individual.  In that circumstance an employee record it holds relating to the individual is exempt.  As the exemption applies to acts or practices of ‘organisations’ it covers non-public sector entities in their capacity as employers or former employers.  It does not extend to ‘agencies’.

As with the small business exemption, this exemption is based on flawed assumptions and poor public policy. Here the rationale was that the ‘handling of employee records is a matter better dealt with under workplace relations legislation.’

The exemption has led to anomalous outcomes. The exemption applies even in relation to the National Data Breach Notification scheme. As such any data breach involving personal information of employees in an employee record is not subject to the scheme’s reporting requirements.

The Discussion Paper questioned

It is privacy awareness week…. this year’s theme “Back to Basics.”

May 1, 2023

Any opportunity to highlight the need to take privacy seriously and comply with the law should be embraced.  Privacy Awareness Week has been a feature of the privacy calendar for many years now.  It is low key but has been known to get some press from time to time.  It provides little insight to lawyers or privacy practitioners.

The message from the Commonwealth Information Commission