Legal and Constitutional Affairs Legislation Committee

BOND, Ms Carolyn, Co-Chief Executive Officer, Consumer Action Law Centre

GREENLEAF, Professor Graham William, Board Member, Australian Privacy Foundation

WATERS, Mr Nigel, Public Officer and Policy Coordinator, Australian Privacy Foundation

Ms Bond's evidence taken via teleconference.

CHAIR: We reconvene the public hearing of the Senate Legal and Constitutional Affairs Legislation Committee into the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. Welcome. We have submissions; the Australian Privacy Foundation is No. 49 and the Consumer Action Law Centre is No. 5. I ask you both to make a brief opening statement, and then we will go to questions. Mr Waters, I know you are on a very time-sensitive program here, so perhaps you and your colleague might like to go first.

Mr Waters : Thank you for the opportunity to address the committee. I will have to leave at about five to 4:00 with your indulgence, but my colleague will be able to stay on.

CHAIR: That is fine.

Mr Waters : After I have given my introductory remarks, if you have any specific questions for me, we might take those and then go back to Professor Greenleaf.

CHAIR: We will see how we go.

Mr Waters : Thank you. The Australian Privacy Foundation and both of us personally have been closely involved in the privacy law reform process, including the ALRC inquiry, for many years. We made detailed submissions on the exposure drafts of the Australian Privacy Principles and credit reporting provisions last year. This bill includes the APPs largely unchanged but has a significant rewrite of part 3A on credit reporting and also contains completely new provisions on commissioner's powers and functions which we have not had the opportunity to comment on before. Our overall conclusion is that, while there are some improvements, there are also many ways in which the bill would significantly weaken privacy protection for Australians—the direct opposite of the bill's title. The government has cherry picked some recommendations from the ALRC report, failing to accept or deferring some of the more important ones and giving in to subsequent lobbying, particularly from government agencies.

We are also very disappointed that the bill, far from simplifying the privacy regime, makes it significantly more complicated, particularly in the credit reporting area but also in the APPs. Laws which cannot be readily understood either by individuals or by regulated entities are bad laws.

We note that we are not alone in many of our concerns. There are major criticisms in submissions not only from many other civil society non-government organisations but also from the three privacy commissioners who have made submissions, including the federal commissioner, who is charged with implementing this law. Even business organisations are concerned about the complexity of the bill—amongst other concerns which we do not necessarily share. Furthermore, it seems unlikely that the act even as amended would meet current international best practice standards, specifically European Union adequacy, which has been a stated government objective.

We are impatient for reform and have waited far too long already—four years since the ALRC reported—and we note as an aside the contrasting speed with which the government is able to progress legislation involving greater privacy intrusion, particularly in the law enforcement and national security areas. However, whilst we are impatient for reform, we sadly feel that there are so many flaws in this package that it should not be enacted. It should be withdrawn for further work to address the many criticisms that have been made in submissions. At the very least major amendments are required before it would be an acceptable reform bill.

I will skip to a few comments on credit reporting. My colleague will address the main concerns about the APPs and the enforcement provisions. On credit reporting we see the provisions as involving a major loss of financial privacy for uncertain benefit. Industry claims were always speculative, and the initial findings of the pilot project about which you have now had some results presented to you confirm our fears that extra information is more or just as likely to be used to find new and creative ways to push credit rather than just helping to meet responsible lending obligations, though it will help in that respect in some ways. The balance, we fear, will be, as you heard from our colleague this morning, detrimental to consumers.

The credit reporting regime has highly complex provisions. It is definitely no simplification. The safeguards that have been included need strengthening. There are many other detailed issues which are addressed by the financial counselling non-government organisations in their submissions and which we fully support. I will leave it to what you have already heard from Ms Lane and to what Ms Bond will add, but we do support all their concerns. I might stop at that point. I think we will have time to take questions after Professor Greenleaf.

CHAIR: Okay. Professor Greenleaf, do you have some opening comments?

Prof. Greenleaf : Yes. First I should say we have handed up through the committee's offices what I think is headed a supplementary submission, but it is actually just corrections to our previous submissions. While we had argued the substance of a number of amendments to the legislation, we had not singled them out as formal submissions we were making. This one page simply formally states we are making those submissions as well.

CHAIR: That is fine.

Prof. Greenleaf : I would like to briefly address aspects of the powers of the commissioner and also the Australian Privacy Principles. We have singled out in our submission quite a number of additional enforcement powers that are being given to the commissioner and which we broadly support. We propose a number of amendments to make improvements to them, but basically they have our support. However, the single most important reform in relation to the commissioner's powers is in our view fundamentally flawed. Senator Wright has pointed out a few moments ago that in the whole almost-25-year history of the act commissioners have only made nine determinations under section 52—the only enforceable decisions they are able to make. In fact, four of those were on one complaint; one of the commissioners was trying to get his batting average up somewhat and separated them out. So there have really only been six in the whole history of the act.

At present, of course, there is no right of appeal against those determinations either, but we regard this not only as a rather pathetic record of inaction by successive privacy commissioners in the exercise of their most important power under the act but also, in combination with the lack of any appeal rights, as having deprived everyone of the benefit of any jurisprudence on this act because nothing can get to a tribunal like the AAT or the courts. Consequently, we do not get any guidance as to what the act really means.

Although it seems to be a secret reform in this bill—it is not even mentioned in the second reading speech—a new right of appeal to the AAT against section 52 determinations has been provided for the first time. Of course we support that; we strongly called for it back in 2001. Unfortunately, it will be of little use—in fact, useless—unless complainants can also require the commissioner to make formal decisions under section 52 of the act. Successive commissioners, including the current one, have adopted a policy that complainants have no right to require or even really to ask for a formal determination to be made under section 52, even one dismissing their complaint and formally declaring and setting out the reasons that their complaint is not substantiated. Without such a formal decision, they will have no right of appeal under the new section 96 right of appeal, so it will be a completely empty reform as things stand. The current commissioner has confirmed that he is sticking to this 'you have no right to a decision' policy in fact sheets 10 and 12, which he issued only in June this year. So on the current track record of this commissioner, only one person—even theoretically—would be able to avail themselves of this new right of appeal in the commissioner's tenure, and only half a dozen people in the whole history of the Privacy Act. What use is that, we ask?

So we submit that the commissioner should be required at the request of the complainant to do his or her job of making a determination under section 52 whenever the commissioner proposed to refuse to investigate or cease investigation on a complaint on whatever ground.

That is the most important aspect of the powers we want to focus on; however, we would also single out, as is detailed in our submission, that most countries around the world with privacy laws have now enacted or are enacting data breach notification requirements. There are already a number of laws in the Asia-Pacific region that have them, and they are common elsewhere. We should not have to wait for an over-the-horizon second tranche of this legislation that may never come for a reform that everyone else is regarding as rather commonplace now.

We would also like to single out that the desirable requirement of privacy impact assessments is of relatively little value unless PIAs are required to be made public and made in time to influence the decisions of the departments concerned. That is all set out in our submission.

I want to turn for a minute or two to the Australian Privacy Principles. While it was a laudable aim to combine the NPPs and the IPPs and try to get one set of privacy standards across Australia, what we have ended up with with the APPs is in fact a serious step backwards. On our detailed analysis in this paper, eight of the 13 principles are weaker than the NPPs or IPPs, so we have no advance. A number of them are very seriously defective. The most important of those is APP 8, concerning cross-border disclosures. The current provision in the NPPs is also quite defective—I am certainly not here to sing its praises—but the proposal in APP 8 as it stands is worse but is capable of being improved.

APP 8, as I am sure you all know, is a rather complex provision. It essentially comes in two parts. Unless an exporter of personal data avails themselves of one of the exceptions in the principle and therefore has no liability under any circumstances for the export of the data once it has left their hands, they will be liable for any breaches in theory of the principles by the party overseas that imports them. This is provided they also take reasonable steps before exporting the data. While in theory imposing a liability on the exporter is a good idea, it is in our view an empty imposition of liability. The problem that the individuals concerned will have is how they prove on the balance of probability that any breach has occurred in some overseas destination, particularly when they do not even know where it is or the state of the laws in that particular country. APPs 1, 5 and 8 are all defective in various ways in not requiring the country of destination or the state of the laws in the country of destination to be notified to the individuals concerned. And then, at any rate, how do they prove what has occurred in a foreign destination?

The only way we can see that this can be dealt with is if in effect the onus of proof is reversed. Once it is shown that there is some damage to the individual relating to their personal information and that the information has been exported overseas, there should be a rebuttable presumption that this has occurred because of a breach of one of the principles. It would then be up to the exporter and the party overseas, with information from them, to rebut this presumption. That is pretty much the situation that occurs through a number of provisions in the new Korean legislation, so it is not unprecedented at all.

That is—sort of—the key deficiency of that part of APP 8. But the deficiencies in the other part, where exporters can have themselves exempted from even theoretical liability, are just as serious, and are by-and-large inherited from the current NPP. The main one is that there is an exception where the exporter reasonably believes in the existence of some overseas privacy law having some effect similar to Australia—that is a completely subjective standard, rather than any objective standard of whether such similar protections actually do exist. Now, of course, there are many ways to get a reasonable belief in something that is convenient for you to believe, and this is just too much of an open door and needs reform as well. There are many more criticisms we make of that, but I will leave it at that.

Finally I would like to mention one other of the APPs, and that is the anonymity principle—as it used to be called in the NPPs. Even though it has never been used it will be an increasingly important principle in the future that organisations should only collect any personal information where that is necessary for the service that they are offering. And if they can offer a service without the collection of any personal information at all, then they should do so—that is the gist of the anonymity principle. Australia is one of only three countries in the world that has that: Germany, Korea and us. For obvious reasons, with the collection of information via the internet becoming more and more prevalent, that principle of anonymous provision of services where possible is going to become more and more important.

But for a number of technical drafting reasons, the new principle in the APPs gives organisations the option of anonymity or pseudonymity, and pseudonymity is so easily reversed at a later stage that the really valuable anonymity principle is being lost. This is possibly unintentional, but we did point it out in our last submission in some detail—and nothing has happened—so it seems to be intentional at this stage. We think that is a serious backward step. But that is in keeping with the rest of these APPs, eight out of 13 of which march backwards as well.

As my colleague, Mr Waters, has said, the overall effect of this is that the whole bill is a lost opportunity. It is a missed opportunity in a once-in-a-generation—it seems—bill, which is all we get with privacy legislation, for Australian consumers and citizens to get seriously better protection. And it is a missed opportunity for Australia as a whole in relation to the trading position of Australian businesses and in relation to Australia's reputation overseas as a country that adequately protects human rights.

CHAIR: Ms Bond, did you have some comments you wanted to make?

Ms Bond : The Consumer Action Law Centre generally supports the submissions that have been made by the Consumer Credit Legal Centre and by the Privacy Foundation; and, given that you have heard from the Consumer Credit Legal Centre this morning and the time available, I would just like to talk about one issue, and that is serious credit infringements.

This is an issue that causes a lot of angst for consumers. It leads to very unfair outcomes, and we actually have a solution that industry agrees to and consumer advocates agree to that will resolve this. We just think that the bill has to incorporate that proposal. We think it is actually better for consumers and industry thinks it is better for them.

Serious credit infringements are the only type of credit listing that rely, at least in part, on the opinion of the creditor. In some cases these are listed where someone has had their name on the electricity bill while they were a student and do not even realise that they have this serious credit infringement on years later. It remains on the record as long as bankruptcy, and actually longer than a court judgement. So you would be better being sued and having a court judgement on your credit report than forgetting that you had an electricity bill in your name when you were in a group house. Basically, you end up with a lot of innocent people who have this listing that has links to fraud—even though we know it is not always just used in relation to fraud.

The solution that has been developed and agreed—Veda has agreed and ARCA, which represents a broad range of the industry, have also agreed in their submission—is outlined in our submission. It basically means that instead of serious credit infringement that there are two versions of a type of warning that can be put on a credit report reasonably early. The payoff for the consumer is that it can be removed in a range of circumstances, including where the consumer has made contact with the credit provider and given them their contact details. We think this would stop a lot of the sorts of complaints we see and the issue that really upsets a lot of people, and with a solution that would keep us all happy. We suggest that that be put into the bill. That is basically all I have to say.

Senator HUMPHRIES: Professor Greenleaf, just in respect of what you said, that the need for appeal rights from commissioners ought to exist: what are the arrangements generally in other countries with respect to appeals from determinations, or even non-determinations, by privacy commissioners in equivalent jurisdictions?

Prof. Greenleaf : I cannot offer any instances where no such right of appeal exists. For example, it is one of the requirements of the European Union in its adequacy criteria that individuals have a right of access to the courts to pursue their complaints. Certainly, in all European countries there would be a right to go from privacy commissioners' decisions to the courts. It is certainly so in Korea and it is so, to the very limited extent that it happens, in Hong Kong. It will be under the new Taiwan legislation that will come into effect in a few months' time. The Philippines act has just come in, New Zealand—I cannot think of any counter examples to this. But that is not so much of the point: it is more the lack of a right to require a decision to be made in the first place that is the real problem now.

Senator HUMPHRIES: On that point: unfortunately, we have already had the Privacy Commissioner appear before us so we cannot put the question to him, but there must be some rationale that has been articulated at some point for not wanting to make determinations? Some constraint that is felt by the structure of the act, or whatever; has the commissioner at some point outlined why he has not felt it necessary to make determinations in most cases?

Prof. Greenleaf : Other than a nebulous sort of floodgates fear, it has never been articulated that I have heard in any way better than that. I think the commissioners—all successive commissioners—wanted to maintain whatever control they could over the complaints process and not let complainants ever have the whip hand—it is not quite the expression I want!—never have any ability to control the process and insist that things be done at any stage in the process.

Mr Waters : I think that on top of that it has been an unwillingness—again, we stress that it is successive commissioners—to expose themselves to scrutiny by a tribunal or a court.

Prof. Greenleaf : Apart from that, too, one of the things about section 52 determinations is that when one is made the commissioner has adopted the practice of giving a fully set out set of reasons of why a complaint was rejected in relation to the provisions of the act. That is something the commissioner never does when just dismissing a complaint, but perhaps reporting a brief complaint summary; you never get a fully articulated set of reasons under the act.

Section 52 would actually require commissioners to apply themselves in relation to what the act means and how it operates, as Commissioner Pilgrim did in a very good way in the one determination that he has made about the leagues club that was in breach of the act. But we never ever see well-articulated arguments from the privacy commissioner's office about what the Privacy Act means; we do not get it from the courts, we do not get it from the tribunal and we do not even get it from the privacy commissioner. Everyone is clueless as to what the Privacy Act means. It does not help business either.

Senator HUMPHRIES: With respect to the points you made, Professor Greenleaf, about Privacy Principle 8—the lack of any sort of objectivity about that I think was the point that you made—

Prof. Greenleaf : About one half of it, yes.

Senator HUMPHRIES: Yes, that one half of it. It seems to me highly unsatisfactory to let a breach of the principles rest on the question of how well informed an entity might be about the state of law in another country. Say if we are talking about the law of the United States, and there is a highly-publicised change in the law; how many years or months does it take before a person in Australia who deals with the United States frequently should be deemed to know that that has occurred? It is very unsatisfactory.

Is it appropriate, do you think, to consider changing that in some way so that the privacy commissioner or someone else can actually publish a list of countries whose regime is compatible with Australia so that a party in this situation will have somewhere to refer to to know whether or not they can transmit information to that place?

Prof. Greenleaf : Yes, it is compatible, and that type of white-listing arrangement is provided for under legislation in various countries. There is quite a number, including Hong Kong. The Malaysian act is another one; that is not in force yet. That can be a useful help to businesses, certainly, and it is a desirable thing once you have a principle that requires businesses to get it correct objectively as to whether the law is of the required standard. Then you certainly need to give whatever help you can to businesses to make an accurate assessment of that, and guidance from the privacy commissioner concerning that would certainly be valuable. Then, even if a business were technically in breach of the legislation because, say, a court decided that a country that was listed on the commissioner's white list should not perhaps have been included there, you certainly would not find any serious penalties being imposed on any business that made a mistake based on advice from the commissioner.

But in fairness to the individuals concerned, it should be an objective standard as to where their information goes. So I think that your suggestion is right; that is a very valuable thing to have.

Senator WRIGHT: I might ask some questions of Ms Bond at this stage. You have expressed your views fairly clearly about the serious credit infringement situation. It is interesting to me that you have been able to reach a joint proposal to the consumer advocates' and Veda's advantage. The argument you put is that that therefore meets the needs of both business and the consumer advocates. Would you just like to expand a bit more on the aspect about request-to-correct information and what, in your view, is still lacking in what is currently proposed—although it is a step forward from what was previously proposed, I think?

Ms Bond : Sorry; I am not sure about that question. Is it that about the serious credit infringement?

Senator WRIGHT: No. Sorry; I have moved on. It is about another aspect of your submission, in relation to requests to correct information. You say that you are pleased that the previously proposed process has been changed, amended—

Ms Bond : And this focus is on who has a responsibility.

Senator WRIGHT: Yes, but I think you are saying essentially that there is still room for improvement, in that the current proposal still does not meet the recommendation of the Australian Law Reform Commission. Could you just explain what your thinking is about that.

Ms Bond : We raised the issue about who was responsible for correction. Is that—

Senator WRIGHT: I have been looking at your submission, and you say in the submission:

… we note that the procedure in proposed section 20U still does not meet the standard recommended by the Australian Law Reform Commission … Under the ALRC recommendation, a credit provider who failed to either provide evidence to substantiate the listing or refer the matter to external dispute resolution within 30 days would be required to correct the information as requested.

I would just like you to talk through that. You say that there is an improvement. Why do you think that there is still a way to go, which is the implicit submission that you are making?

Ms Bond : I think the issue there is what the obligation is on, say, the credit provider or the party that receives that request. I have not got the bill in front of me, but, while there is an obligation for them to investigate and to respond, the Law Reform Commission recommended that there should be an obligation to either amend the listing or otherwise the consumer has a right to have that amended. Our concern is that time could drag out and that there is very little pressure on the credit provider or the credit reporting agency to respond, and the consumer could end up having a long, ongoing dispute.

Senator WRIGHT: In relation to the complaint handling, you say:

We strongly support the intent behind the complaint handling process at proposed section 23B, but we are concerned that the obligation may ultimately be counter-productive and have recommended an amendment.

Why do you think it may be counterproductive? Is that because of the potential of having a third party involved who may not want to be part of that process?

Ms Bond : Yes. I have to stress that we have pressed for years and years to stop the sort of merry-go-round that consumers have had to deal with where they are pushed from one place to the other to the other, and we accept that drafting this has really been an attempt to address that, which we have strongly supported. However, when you look at the detail, although we believe that any party involved would have an obligation to deal with the dispute, in the bill it is so broad that a third party who may have nothing to do with the problem at all may end up with an obligation to try and deal with the dispute. Our concern is that there may be very little buy-in from that party. For example, if I go and try and get a mobile phone and they say, 'No; there's something on your credit report,' and I find out that the Commonwealth Bank has listed a default on my credit report, under the bill I could expect the mobile phone provider to have to deal with that dispute. While I think that the bank involved and the credit reporting agency should have an obligation, we have concerns that, by adding that other party that has nothing to do with the listing that is of concern, we may end up with a responsibility on an entity that is really not engaged in resolving the dispute.

Senator WRIGHT: You say that the Consumer Action Law Centre supports the submissions that have been made by the Australian Privacy Foundation and the Consumer Credit Legal Centre in New South Wales. There were quite strong submissions made to the committee by Ms Lane of the Consumer Credit Legal Centre in relation to the undesirability of including past payment history in what is recorded in credit reporting and creditworthiness, for various reasons. Do you want to make any comments on your views about that?

Ms Bond : We probably have not gone as in depth in our submissions on that issue. In the very early days, we raised some concerns about providing more information. As Nigel Waters suggested, our concerns were probably more along the lines that it opens up marketing opportunities for businesses, even with their own customers, that might not have been available for them. I think our key concern at the moment is that there are enough provisions to deal flexibly with hardship. We have worked for years to get consumers to come to see us and talk to their lenders and things like that when they are in trouble. I think that having additional information could make people feel a bit nervous about talking about being in trouble or trying to get variations.

Senator WRIGHT: One of the aspects of the evidence that was given was the fact that, if there are negotiations going on where payments are not being made but it is on the basis of an agreement to deal with hardship, that may not look good on the record, even though that would not tell the whole story. That was my understanding about one of the aspects that was of concern to Ms Lane.

Ms Bond : That is right. I think one of the tests for this will be whether somebody who decides to put their hand up and say, 'I'm in hardship'—rather than perhaps go and borrow money elsewhere, which sometimes happens because they are desperate, and then they try to rob Peter to pay Paul—someone who actually puts their hand up and says, 'Okay; I'm going to come clean and talk to my credit providers and try to make an arrangement,' will in fact be disadvantaged above somebody who is robbing Peter to pay Paul, which in the end is not a good outcome for anybody.

Senator WRIGHT: There were two other concerns that I found interesting to consider. One was that, in having that repayment history information included, there was the potential for increasing the propensity to have risk based pricing. Do you have a view about that?

Ms Bond : I do not have much doubt that it does enable risk based pricing. I know there are economic arguments for it, but we know that the people who would be most disadvantaged would be those who are disadvantaged. So, yes, we do have concerns with how that might play out in the credit market. I think there will be some impacts from this repayment information that industry may expect, but I think the rest of us might be quite surprised with some of the impacts of it in the marketing and the way that products are designed, the way that marketing is targeted to current customers and all that sort of thing.

Senator WRIGHT: There are two other matters that I will just quickly raise with you. One is in relation to evidence provided by the Financial Ombudsman about the incidence of incorrect information—incorrectly made credit listings and incorrectly made serious credit infringement listings—that they were aware of. What really came out in the evidence then was that there seems to be scant information about the degree to which there are incorrect listings made and no reliable data—so we may be looking at tip of the iceberg or we may not be. Do you have a view about that? Obviously if there is a concern about rectifying incorrect listings it would be helpful to know to what extent there is an incidence of that, to what extent that occurs, because the consequences are clearly very serious. One of the arguments that Ms Lane was making was that, if you allow the previous repayment history to be included, that is a whole lot more information, but if we are not sure that the information that is being recorded is being recorded correctly then that increases the potential for incorrect listings as well. Do you have a view about the paucity or otherwise of statistics and data, about incorrect listings, and any recommendations about how that could be overcome?

Ms Bond : We would welcome more data on that. It has never really been easy to get data on the number of inaccurate or accurate listings. I think one of the concerns—and maybe this will improve under the new laws; I do not know—has been that the Privacy Commissioner and regulator has focused very much on, 'Did that person owe that money?' rather than the processes. I sometimes think there have been incorrect listings because there has been incorrect time, incorrect notification and other reasons like that that things should not be listed, and it has been very difficult for consumers to challenge it. I understand there is a bit of an argument that, if you have only got two things on your credit report and one is wrong then it is 50 per cent wrong, whereas if you have got 20 things on your credit report and one thing is wrong it might not have as much impact. But perhaps some sort of public reporting would help us to understand a bit more about how accurate listings are, because we have relied a lot on individual complaints, and it has been difficult for people to complain. I think the issue that was raised by the speakers in the previous session is an important one, about how systemic issues are dealt with. We have had cases where we thought that there were hundreds of thousands of people affected by something that should not have been listed, and it has been very difficult to have systemic issues investigated properly.

Senator WRIGHT: Thank you. I do not have any other questions.

CHAIR: As there are no further questions, Professor and Ms Bond, we thank you very much for your submissions. It was a pretty comprehensive submission, Professor Greenleaf. It is going to take us a while to cross-reference all your recommendations with some of the other evidence we have heard today and the legislation itself, but thanks very much for that detail.

Prof. Greenleaf : Thank you.

Ms Bond : Thank you.

CHAIR: We were going to go to the department to wrap up for the afternoon, but we have come to the conclusion—which may or may not be a good thing for officers of the department—that we do not want to hear from you this afternoon because we are due to finish at 4.30 and we have questions which are going to go beyond 20 minutes. Also, we would all like the opportunity to read and review today's transcript and to test some of what we have heard today against the knowledge in the department or the provisions in this legislation. We will get back to you with a time and a date in the next sitting fortnight when we might come and take evidence from you over a couple of hours. I thank all the witnesses for their evidence today and for their submissions.

Committee adjourned at 16:13