Australian Privacy Foundation slams privacy amendments

The Australian Privacy Foundation (APF) has slammed the Federal Government's proposed amendments to privacy legislation as a “lost opportunity” in improving areas such as credit reporting practices and protection from data off-shoring.

APF board member Nigel Waters told a Senate inquiry late last week that the proposed bill would "significantly weaken" privacy protections for Australians.

The amendments would introduce a new set of privacy principles aimed at improving practices within both Government and the private sector, while providing the Privacy Commissioner with new powers, and the ability to fine companies up to $1.1 million for repeated breaches of the law.

However, Waters criticised the proposed amendments for further complicating aspects of the privacy regime, stating the act would fail to meet current international best practice standards.  

"While we are impatient for reform, we sadly feel that there are so many flaws in this package that it should not be enacted," Waters said.

"It should be withdrawn for further work to address the many criticisms that have been made in submissions."

Waters' argument to the inquiry closely followed those made by the organisation in its written submission to the Senate committee, in which the APF accused the Government of cherry-picking recommendations from a 2008 inquiry into privacy reform.

Credit reporting

The APF was especially critical of amendments to the credit reporting regime, which the organisation said could be used against consumers, rather than helping to meet responsible lending obligations.

Richard Glenn, assistant secretary at the Attorney-General Department's business and information law branch, told the Senate inquiry earlier that morning that the revised regime would give credit providers "a greater richness" of information from which to make judgements about whether a person is eligible for credit.

But Waters said the provisions would only accrue a "major loss of financial privacy for uncertain benefit".

"Although it will help in some ways, the balance, we fear, will be detrimental to consumers," he said.

Members of the financial industry called on the Government to delay the introduction of the credit reporting regime until later than the September 2013 deadline currently expected, for fear of being unable to become compliant with included requirements.

Cross-border disclosure

Another APF board member, Professor Graham Greenleaf, also attacked the proposed amendments dealing with cross-border disclosure of personal information.

The principle, as stated, would require any company that transmits personal data outside of Australia to take steps to ensure the recipient of the data remained consistent with Australian privacy principles.

In most cases, the disclosing entity remains accountable for any potential breaches of data outside of Australian data.

“While in theory imposing a liability on the exporter is a good idea, it’s an empty imposition of liability in our view,” Greenleaf said.

“The problem the individuals concerned will have is how do they prove on the balance of probability that any breach has occurred in some overseas destination? Particularly when they don’t even know where [the data] is, or what the state of the laws in that particular country is."

The foundation argued the onus of proof should be reversed in instances of an international data breach.

“Once it is shown that there has been some damage to the individual relating to their personal information ... there should be a rebuttable presumption that that has occurred because of a breach of one of the principles," Greenleaf said.

"It would then be up to the exporter and the party overseas to rebut this presumption.”

Greenleaf labelled as "completely subjective" the ability of exporters to avoid accountability when they 'reasonably believe' in the existence of similar overseas privacy laws within the recipient's country.

"There are many ways to get a 'reasonable belief' in something that's convenient for you to believe and this is just too much of an open door," Greenleaf said.

The foundation claimed the entire bill was a missed "once-in-a-generation" opportunity to improve Australian privacy protection, as well as the global trading position of Australian businesses.  

Privacy Commissioner responds

The Office of the Australian Information Commissioner was broadly supportive of the proposed bill at the public hearing, with Privacy Commissioner Timothy Pilgrim "welcom[ing] the bill and the enhancements to current privacy regulations".

"Privacy cannot be an absolute in the society in which we live," he said.

"An individual's privacy needs need to be balanced with other social interests, such as the interest of government and business in carrying out their functions and activities."

However, the OAIC also raised concerns over the implementation of the accountability model, stating that the principle "may be displaced in some instances; for example, where an individual has consented to their personal information being sent overseas".

The Attorney-General's Department was not called upon to respond to the submissions due to the inquiry running overtime.