Privacy and the Private Sector

In late 1999, the government announced that provisions of the existing Privacy Act will be extended to organizations in the private sector. With some significant exceptions related to the media, employee records and small businesses, this will mean that private sector organizations will now have to comply with legislated privacy standards when dealing with customer information.

One of the primary motivations for the government's move is to provide a legislative infrastructure capable of supporting the flourishing area of e-commerce. Surveys have identified consumers' privacy fears as being a major impediment to growth in e-commerce. The information paper released by the government in September 1999 points out that consumers must have confidence that the information they provide will be dealt with responsibly by businesses (see http://law.gov.au/infopaper/infopaper.html).

The government claims that its legislative approach is 'light touch' and contains efforts to accommodate the concerns of business. The resulting legislation represents a compromise between the proscriptive legislation favoured by the European Union and the self-regulation approach preferred by the United States. The Australian legislation is designed to support and encourage the development of industry codes of conduct and sets out minimum standards required of these codes. To give the industry time to develop these codes of conduct, the legislation will not commence operation until at least July 2001.

Industry codes are required to comply with legislated standards that regulate the collection, use and accuracy of personal information. Among other things, these standards are designed to ensure that:

• personal information is only collected if it is necessary to the organization's function;
  
  
• the purpose for collecting the information is made clear at the time of collection;
  
  
• personal information is only used or disclosed for the purpose for which it was collected; and
  
  
• individuals are able to access their personal information and ensure its accuracy.

As well as prescribing the content of industry codes, the legislated standards will also apply to private sector organizations that are not covered by an industry code. A breach of the standards will entitle an individual to lodge a complaint under the legislation.

The approach taken by the proposed legislation has been criticized. Privacy advocates are dismayed by what they consider to be wide-ranging exceptions to the law's application. The legislation will not cover:

• data transfers between related bodies-corporate;
  
  
• employee records;
  
  
• actions by an organization engaged "in the course of journalism"; or
  
  
• personal information held by small businesses (defined as having an annual turnover of A$1 million or less).

These exceptions reflect the government's concern to minimize the costs of compliance and any potential hindrance to freedom of speech. These exceptions have been heavily criticized for providing broadly defined safe-havens in which privacy abuses can occur. A prominent Australian privacy advocate, Roger Clarke, has gone so far as to say that "it is as though the government's intent is to create an image of a protective regime, while actually reducing privacy protections" (see http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html).

The government's legislation is still in its preliminary stages, and final comments on the draft bill were due on January 17 2000. It will be interesting to see if the legislation is amended in light of the criticism it has received. So far, the government has been responsive to business concerns about the legislation. It remains open as to whether consumers will regard this legislation as providing sufficient protection to encourage them to fully realize the potential of e-commerce.

For further information on this topic please contact Chris Fogarty at Allen Allen & Helmsley by telephone (+61 2 9230 4000) or by fax (+61 2 9230 5333) or by e-mail ([email protected]).