ARTICLE
10 December 2008

Privacy Reform On The Horizon

SF
Spruson & Ferguson

Contributor

Spruson & Ferguson logo
Established in 1887, Spruson & Ferguson is a leading intellectual property (IP) service provider in the Asia-Pacific region, with offices in Australia, China, Indonesia, Malaysia, Philippines, Singapore, and Thailand. They offer high-quality services to clients and are part of the IPH Limited group, which includes various professional service firms operating under different brands in multiple jurisdictions. Spruson & Ferguson is an incorporated entity owned by IPH Limited, with a strong presence in the industry.
Explore Firm Details
In an August 2008 address to the National Press Club, retiring High Court Chief Justice Murray Gleeson commented that although he had previously considered certain things to be self-evidently private, he was no longer sure. His Honour stated "when you look at the kind of information people publish about themselves, it makes you wonder."
Australia Privacy
Photo of Chris Bevitt
Authors

In an August 2008 address to the National Press Club, retiring High Court Chief Justice Murray Gleeson commented that although he had previously considered certain things to be self-evidently private, he was no longer sure. His Honour stated "when you look at the kind of information people publish about themselves, it makes you wonder."

The Australian Law Reform Commission (ALRC) has been wondering the same thing, and in August 2008 released a report regarding its review of Australian privacy law and practice.

The report follows 2 years of research and public consultation by the ALRC. It concludes that Australians are concerned about privacy and want a simple system of protection that balances issues such as freedom of speech, child protection, law enforcement and national security.

One of the key recommendations in the ALRC's report was the introduction of principles and protections that apply across Australia no matter what kind of agency or organisation is handling the information.

In this regard, the ALRC recommended uniform privacy rules prescribed in a single set of Privacy Principles to apply to all federal government agencies and the private sector. The rules could also be applied to state and territory government agencies through an intergovernmental cooperative scheme. Currently there is one set of rules for government and another set for private businesses.

Another important recommendation is the removal of the exception for small businesses. Currently a business with an annual turnover of A$3 million or less is not required to comply with the Privacy Act (unless it fits into a category that must comply regardless of size, such as health service providers handling sensitive personal information).

The business community indicated a strong desire to maintain the small business exception due to the cost of complying with the Privacy Act. The ALRC considered that the cost would not be as great as feared, but recommended that the Office of the Privacy Commissioner should provide support to small businesses in understanding their obligations before the exception is removed.

More controversially, the ALRC recommended the introduction of a right to sue for a "serious invasion of privacy," allowing remedies such as an order for damages, an injunction or an apology.

This recommendation has drawn media attention including claims that if the ALRC's recommendation becomes a reality it would cramp journalistic style and that "it can safely be predicted that what you see, hear or read will be less interesting, which might be difficult to imagine."

However, the ALRC was quick to point out that its recommended formulation sets a high bar for plaintiffs. Plaintiffs would have to establish that they had a reasonable expectation of privacy, that a reasonable person would regard the conduct complained of as highly offensive and that the public interest in privacy outweighs other matters of public interest (including freedom of expression).

The bar may be high, but how high would be difficult to assess and may well introduce a level of uncertainty that motivates editors to err on the side of dullness - though only time will tell whether that occurs, or indeed whether anyone will notice. In any case, Senator John Faulkner, Cabinet Secretary and Special Minister of State, has given a clear indication that he is not progressing the recommendation at this stage, so it may never become law.

Other key recommendations made by the ALRC in its report include:

  • Simplification and streamlining - The complicated regime of privacy rules established by the Privacy Act and related laws should be replaced with a single Act dealing only with high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting. This will make it easier for businesses to understand their obligations and for individuals to know their rights.
  • Regulating cross-border data flows - Except in certain specified circumstances, an agency or organisation that transfers personal information outside the country should remain accountable for it.
  • Rationalisation of exemptions and exceptions - The current system of exemptions should be simplified and exemptions should only be permitted if there are compelling grounds (in addition to the small business exception, the ALRC recommended removal of the exemptions for political parties and employee records).
  • Improved complaint handling and stronger penalties - Streamline and strengthen the Privacy Commissioner's complaint handling procedures and introduce significant civil penalties for serious or repeated breaches of the Privacy Act.
  • More comprehensive credit reporting - In order to facilitate better risk management practices by credit suppliers and lenders, some additional categories of "positive" information should be allowed to be added to an individual's credit file in addition to the limited types of "negative" information currently permitted.
  • Health privacy - Introduce new Privacy (Health Information) Regulations to regulate this field, taking into consideration electronic health records, and the greater facilitation of health and medical research.
  • Children and young people - Intensify efforts to educate young people about control over the personal information that they post on social networking websites, including regarding the extent to which such personal information remains available even after it has been 'deleted'.

Data breach notification - Require government agencies and business organisations to notify individuals and the Privacy Commissioner if there is a real risk of serious harm occurring as a result of a data breach.

The federal government is now considering the ALRC's report and may implement certain recommendations in the next 12 to 18 months, probably those relating to Uniform Privacy Principles, credit information and health data. The government may then consider other recommendations, including those concerning the removal of exceptions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Chris Bevitt
Chris Bevitt
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More