In this second post of a two-part series on privacy, I have looked at the efficacy of the National Privacy Principles.
On December 21, 2001, National Privacy Principles (NPPs) came into effect in Australia and were designed to regulate private sector organisations’ handling of personal information.
The reason for introducing the NPPs was to bring Australia into line with international standards on personal information and to instil confidence in how Australian businesses handle personal information.
Some commentators, however, have argued the legislation has fallen well short of the benchmarks set by the European Union. The NPPs were also criticised for sidestepping many critical issues by providing wide-ranging exemptions to the media and small businesses and for being substantially reliant on self-regulation.
So just how are they performing?
It was reported that during the 2009-10 financial year the Office of the Privacy Commissioner received 1,201 complaints across all areas of its jurisdiction. Interestingly, only 31 out of these 1,201 complaints related to the insurance industry. This suggests self-regulation in the form of privacy codes and policies adopted by insurers may just be working. This is the basis for one of Insurance Council of Australia’s (ICA) main arguments – that self-regulation is a highly effective and cost-efficient means of safeguarding its customers’ personal information.
An alternative explanation for the seemingly low number of complaints can be attributed to the lack of mandatory breach reporting in Australia. This approach is in contrast to other parts of the world, such as Europe and most U.S. states, where mandatory breach notification requirements mean that for even relatively minor breaches, companies are required to inform all of their affected customers that there has been a breach and what they are doing to remedy it.
In Australia, the position is markedly different, with the Privacy Commissioner itself releasing a “Guide to Handling Personal Information Security Breaches” (Guide), which includes the following four key steps to consider when responding to a breach.
Step 1: Contain the breach and do a preliminary assessment.
Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).
Step 3: Consider notification.
Step 4: Prevent future breaches.
As we have seen recently, the problem with this approach is private sector companies cannot always be trusted to act in their customers’ best interests e.g. more than 70 million PlayStation Network accounts globally were compromised and Sony waited over a week before notifying its affected customers. This issue has also been raised as a serious concern by the Privacy Commissioner, Timothy Pilgrim, who warned that “…The worst offenders often got away with little accountability and forensic investigators say almost all incidents they investigate on behalf of companies are not made public…We simply don’t know the extent of data breaches that go on.”
The damages available to individuals who have suffered from private sector privacy breaches can be accessed through the Privacy Commissioner’s complaints process, the Commissioner’s own investigation of suspected privacy breaches, or through seeking an injunction under s 98 of the Privacy Act.
Despite this seemingly accessible system, a telling statistic in a report reveals that in 2009-2010, the Privacy Commissioner did not make a single determination under s 52 of the Privacy Act.
It could be argued that this statistic is an endorsement of the current system as it suggests that privacy disputes are being successfully conciliated and resolved by the parties before the dispute reaches the stage where the Privacy Commissioner is required to make a determination.
Industry groups have argued that the remedies available under the Privacy Act are sufficient and pose significant financial risks for organisations that breach the Act. They say that although compensation to individuals may be relatively small, it is possible that a large organisation such as an insurance company or financial institution could engage in a privacy breach that required payment of compensation to a large number of consumers (such as if the unauthorised disclosure of a customer database which led to some kind of harm). The total cost of the compensation paid by the organisation could, therefore, be substantial.
Despite the existing remedies available, as part of its 2008 report on privacy law, the Australian Law Reform Commission (ALRC) recommended that the Privacy Commissioner should have increased powers to ensure compliance with the Privacy Act. The ALRC recommended that the Privacy Commissioner be empowered to bring proceedings for pecuniary penalties in the Federal Court, with powers similar to those of the Australian Competition and Consumer Commission.
This would be backed up with the power to commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce the notice The Privacy Commissioner has supported these recommendations, which are a further indication of its growing appetite for greater regulation over the private sector.
 Tim Pilgrim as quoted in ‘Thousands of Privacy Breaches Going Unreported’, Sydney Morning Herald, 27 July 2011. http://www.smh.com.au/technology/technology-news/thousands-of-privacy-breaches-going-unreported-20110727-1hzes.html
Jason Maywald is a highly experienced legal and transactional advisor in the insurance and medical assistance sectors. He holds a Bachelor of Laws from the Queensland University of Technology, and has significant experience in competitive corporate acquisitions, IPOs, commercial property acquisitions and disposals, corporate restructures, and hostile and friendly takeovers.