The Federal Government's proposed amendments to Australian privacy legislation could “unintentionally" weaken the protections for individuals already provided under current laws, the Australian Privacy Commissioner has warned.
In a submission to a senate inquiry into the amendments (pdf), commissioner Timothy Pilgrim said the proposal could broaden the scope for collection of user information by companies and water down regulatory wording.
A current mandated that solicited collections be “necessary” (a factual test) would be replaced with the amended wording “reasonably necessary” under the proposed reforms; a significantly weaker test.
Pilgrim's concerns were backed by a submission (pdf) made by the Australian Privacy Foundation (APF), which argued the proposals were “consumer-hostile” and should be withdrawn and overhauled.
The organisation suggested the Government had "cherry picked" recommendations made by the Australian Law Reform Commission (ALRC) in 2008 on privacy reform, and ignored many of the commission's better recommendations.
The commission had recommended mandatory disclosure of data leaks, a statutory action for privacy breaches, as well as the removal of exemptions for small businesses, employment records and political matters.
In addition to pressing for mandatory data breach notifications — which already form part of the privacy laws in South Korea, Taiwan and many US jurisdictions — the foundation was scathing of the Government for retaining the exemption for small businesses under the proposed reforms.
“[It] seems to have been unduly influenced by both business and agency interests, to the detriment of the interests of the citizens and consumers that the Privacy Act is intended to protect," the APF argued.
Protections 'fatally undermined'
The foundation was most caustic with amended privacy principle 8.1, which requires any company that discloses personal information outside Australia to take “reasonable steps” not to breach the proposed principles.
The APF said such protections were “fatally undermined” by the belief that the recipient country of such information would have equivalent privacy protections, or that there were international treaties requiring such disclosures. On this basis, a data exporter could be exempt from even theoretical accountability.
Instead, the foundation suggested a binding whitelist scheme of countries with adequate protections be adopted to more clearly delineate between like-minded countries and those that did not have the same ideals.
The foundation also criticised plans to exempt companies from information sharing amendments under international agreements as "policy laundering", leading the Government only to hide behind often spurious claims of "international obligations" to justify actions which would not otherwise be lawful.
The Privacy Commissioner submitted that an international agreement did not have any direct legal effect in Australia until it was incorporated into domestic law by statute, and pushed for the proposed exception to overseas data transfers be dropped.
“A treaty that has not been implemented through domestic legislation can affect neither rights nor obligations in Australian law,” the commissioner added.
The Senate Committee is scheduled to have its first hearings in Canberra on August 10 and 13.