Necessary Improvements to the Australian Privacy Principles (Annex)

Abstract

Part I of this article is a Submission to the Australian Senate’s Finance and Public Administration Committee on the Exposure Draft of the Privacy Amendment Legislation submitted by the government to Parliament in 2010. The general thrust of the Submission is that the proposed Australian Privacy Principles (APPs) in the Exposure Draft Bill are weaker than the Australian Law Reform Commissson’s (ALRC’s) proposed UPPs and the current Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) for the private sector. Unless significantly improved during the Parliamentary process, this proposed Bill will lead to an overall reduction in privacy protection. The government has gone backwards instead of forwards in terms of modernising the principles, and seems to have been unduly influenced by both business and agency interests, to the detriment of the interests of the citizens and consumers who the Privacy Act is intended to protect. In the case of government agencies, a raft of changes have been ‘slipped in’ at the last minute to avoid some agencies having to rigorously apply well-designed existing exceptions. Such lazy drafting and special pleading should be rejected. There are a few improvements to the ALRC proposals in the government’s draft Bill, but in many cases proposed changes to the language of the principles which appear minor and superficially innocuous in fact have very significant adverse effects. In particular, the cross-border disclosure principle, which has an ever-increasing importance in the context of borderless networks and ‘cloud’ computing, is seriously inadequate. There are a few improvements to the ALRC proposals in the government’s draft Bill, but in many cases proposed changes to the language of the principles which appear minor and superficially innocuous in fact have very significant adverse effects. In particular, the cross-border disclosure principle, which has an ever-increasing importance in the context of borderless networks and ‘cloud’ computing, is seriously inadequate. Part II of this article is the ‘Improved Exposure Draft’ annexed to the Submission, which contains the detail of our recommended changes. Our proposed additions to and deletions from the Exposure Draft are visible from the change tracking to the document. It is unfortunate that the government has released an Exposure draft of the APPs without drafts of other provisions relating to compliance and enforcement, and some coverage, exemption and definition matters not yet addressed. We understand the rationale for a staged release, and this is acceptable in relation to the specific credit reporting and health privacy rules. But a complete judgement as to the effect of changes to the principles can only be made in the context of the Information and Privacy Commissioners’ functions and powers, and other parts of the Act, which may or may not change in the final amendment Bill. [Postscript: As of March 2012, a Bill to change the privacy principles has not been submitted to Parliament. It is expected that such a Bill will be submitted during 2012, but whether it will be any different from the Exposure Draft is unknown.]