Data Protection Laws / Privacy Acts
Last Updated: 21 Jan 2006
"The right to be let alone is indeed the beginning of all freedom."
Australian privacy laws are contained in a variety of Commonwealth, State and Territory Acts. The "Privacy Acts" are data protection laws which regulate the collection, use and disclosure of personal information about individuals; they do not protect privacy of the individual in a broader sense. In relation to use of the Internet and other telecommunications services, ISPs and telephone service providers are also required to comply with the privacy protection provisions of the Telecommunications Act 1997 (C'th) and the Telecommunications (Interception) Act 1979 (C'th). A variety of other legislation contains privacy protection provisions relevant to particular types of entities and/or practices, for example, the Spam Act, surveillance and listening devices acts, and many others.
The remainder of this page provides information about the Privacy Acts. For information about other privacy laws relevant to use of the Internet and other telecommunications systems, refer to the topic listing on EFA's Privacy and Surveillance Page.
- Commonwealth Privacy Act 1988 including:
- State & Territory Privacy Acts
- Parliamentary & Government Agency Inquiries
- Background to the Privacy Amendment (Private Sector) Act 2000 (C'th)
- Other Resources
The Privacy Act 1988 applied to Commonwealth and A.C.T. government entities and credit reporting organisations until December 2001. Since then, it has also applied to other private sector organisations.
The Privacy Amendment (Private Sector) Act 2000 (C'th) amended the Privacy Act 1988 to regulate some, but not all, private sector organisations/businesses. It was passed by Parliament in December 2000 and became operative on 21 December 2001 (some provisions did not commence until 21 December 2002).
The Act includes ten National Privacy Principles (NPPs) regulating the collection, use and disclosure of personal information by private sector organisations. The Parliament chose to leave 'flexibility' (which in context is a synonym for ambiguity) in the NPPs, and the legislation empowers the Federal Privacy Commissioner to make guidelines in relation to interpretation of the NPPs. The Commissioner's interpretation of the ambiguous aspects of the NPPs is crucial to the extent of protection of individuals' privacy provided by the legislation, at least in the first instance and the development of the guidelines in 2001 was controversial.
The Federal Privacy Commissioner is also empowered to investigate and resolve complaints made by individuals against organisations that have not complied with the NPPs, including making a formal determination. However, the Act does not provide complainants with a right of appeal against a determination of the Commissioner. It does, however, in effect provide a right of appeal to organisations complained about. If the Commissioner interprets the NPPs and law in a manner that finds a breach by the organisation, the organisation can simply refuse to comply and wait to see if the Commissioner or the complainant seek to have the Federal Court or the Federal Magistrates Court order the organisation to comply. As a Court must hear the matter anew, in effect the organisation obtains a right of appeal. However, if the Commissioner interprets the law in a non-privacy protective manner and the complainant considers the Commissioner's application of the law to the facts of their case is questionable, the complainant has no means of appeal. (There is no requirement that the Commissioner even be a lawyer.
2004/2005 Review of the 2000 Act
During the Bill's second reading speech (on 12 April 2000), the then Attorney-General Daryl Williams said that "a formal review of the operation of the legislation, and of all the exemptions, in consultation with key stakeholders" would be conducted "after it has been in operation for 2 years". However, the review of the Act did not commence until over 2.5 years later (in August 2004 with a reporting date of 31 March 2005) and a number of the exemptions were specifically excluded from the review's terms of reference. In December 2004 the Senate Legal and Constitutional References Committee commenced an Inquiry into the Privacy Act 1988 with terms of reference significantly broader than the governmental review. Further information about the 2004/05 reviews is provided below in the section titled Parliamentary & Government Agency Inquiries.
The Commonwealth Privacy Act does not apply to State/Territory government agencies (except for the A.C.T.)
Some State and Territory Parliaments have enacted privacy legislation applicable to their own government agencies/departments and some of those laws also apply to private sector organisations.
For more information see the State Privacy Laws page on the Federal Privacy Commissioner's web site which includes links to State/Territory privacy laws/regulations and to State/Territory Privacy Commissioners' web sites.
In December 2004 the Senate Legal and Constitutional References Committee commenced an Inquiry into the Privacy Act 1988 with a reporting date of 30 June 2005.
- EFA submission to the Inquiry into the Privacy Act 1988, 24 February 2005.
- EFA supplementary submission to the Inquiry into the Privacy Act 1988, 30 May 2005.
- Senate Committee Report: The real Big Brother: Inquiry into the Privacy Act 1988, 23 June 2005.
As at 14 January 2006, the Government had not yet issued a response to the Committee's report.
This review was undertaken by the Federal Privacy Commissioner at the request of the Federal Attorney General.
- OFPC Issues Paper issued for public consultation by the Federal Privacy Commissioner - October 2004.
- EFA submission in response to the OFPC Consultation/Issues Paper - December 2004.
- See also the OFPC's web page about the review with links to other submissions received by the OFPC.
- OFPC Media Release - Release of the report into the review of the private sector provisions of the Privacy Act, 18 May 2005.
- OFPC Report on the Review - Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 18 May 2005.
As at 14 January 2006, the Government had not yet issued a response to the Commissioner's report.
- EFA submission to the Federal Privacy Commissioner in response to the Consultation Paper for Information Sheet: Privacy and Collection of Publicly Available Personal Information - August 2002.
- Final Information Sheet: Privacy and Collection of Publicly Available Personal Information issued by the Federal Privacy Commissioner - 20 March 2003.
- Draft NPP Guidelines issued for public consultation by the Federal Privacy Commissioner - May 2001.
- EFA Submission to the Federal Privacy Commissioner on the draft NPP Guidelines issued for public comment - 4 July 2001.
- EFA Open Letter to the Federal Privacy Commissioner regarding revised (non-public) draft NPP Guidelines, etc - 31 August 2001 .
- Final NPP Guidelines issued by the Federal Privacy Commissioner - 18 September 2001.
In July 2000, the Senate Select Committee on Information Technologies announced an Inquiry into ePrivacy. EFA prepared a submission to the inquiry and was invited to appear at the Committee's hearing in Canberra on 21st August 2000.
- EFA submission - July 2000.
- Report by the Committee: Cookie Monsters? Privacy in the Information Society - November 2000.
Two parliamentary inquiries were conducted into the above Bill during 2000. EFA sent written submissions to both inquiries and also presented oral testimony at the House Committee's hearing:
- Senate Legal and Constitutional Legislation Committee Inquiry:
- House of Representatives Standing Committee on Legal and Constitutional Affairs Inquiry:
Introduction of the legislation
In April 2000, the Attorney General tabled the Privacy Amendment (Private Sector) Bill 2000, claiming it to be a "light touch" co-regulatory regime. The Bill was drafted as an amendment to the Privacy Act 1988. Unfortunately the Bill was riddled with exemptions for direct marketing, small business, the media and political parties, and contained weak enforcement provisions. EFA and other privacy advocates considered that the Bill was unlikely to meet the requirements of the European Data Protection Directive, thus potentially jeopardising opportunities for Australia to take its place in the global information economy. While EFA supports fair privacy legislation, EFA considered the Bill pandered to business interests and was a totally inadequate response by the government to this important issue.
In May 2000, the Federal Government referred the Privacy Amendment (Private Sector) Bill 2000 to the House Standing Committee on Legal and Constitutional Affairs for inquiry and report. EFA made a submission to the Inquiry and presented oral testimony at one of the Committee's hearings. The Committee's report was tabled in Parliament on 26 June 2000. The report made a number of positive recommendations to improve the legislation, but did not go far enough in addressing major deficiencies in the Bill.
In September 2000, the corresponding Senate Committee undertook its own inquiry, but the majority government report made only minor recommendations.
The Bill, with minor amendments, was eventually passed into law in December 2000 and became operative on 21 December 2001. (Some provisions did not commence until twelve months later on 21 December 2002).
In early 2001, the then Federal Privacy Commissioner (Malcolm Crompton) convened an NPP Guidelines Reference Group consisting of representatives from business, consumer, etc. groups (including EFA), to assist his office in developing guidelines. In May 2001, the Commissioner released draft NPP Guidelines for public consultation with a submission closure date of 6 July 2001. The introductory section stated:
"Guidelines made under this power [Section 27(1)(e) of the Privacy Act] are advisory and so are not directly legally binding. ...they are an indication of how the Commissioner would interpret and, where appropriate, apply the principles when exercising relevant powers and functions under the Privacy Act. In other words, the guidelines are directly relevant to the way the Commissioner will apply the law, for example, when handling complaints."
EFA lodged a submission that was generally supportive of the contents of the public consultation draft, and also addressed a number of areas where the guidelines could be made clearer or otherwise improved.
On 14 August 2001, a further meeting of the NPP Reference Group was held and the Commissioner invited a number of people who had not been prior participants, the majority representing business groups.
Seven days later (21 Aug), an article on the Sydney Morning Herald's Breaking News web page reported that:
"Prime Minister John Howard tonight said he would examine calls from retailers to delay new privacy guidelines for the private sector. Mr Howard, speaking at the Australian Retailers Association (ARA) annual dinner, said he was concerned at the strength of feeling among retailers about the laws. ... ARA president Hans Mueller tonight urged Mr Howard to delay the December 21 cut-off by at least one year because of problems getting the privacy guidelines in place. ... Mr Howard said he would discuss the issue with Attorney-General Daryl Williams."
(See also: Firms push privacy delay, Karen Dearne, Australian IT, 28 August 2001, wherein it was reported that the A-G was holding a meeting with the ARA chief executive to discuss delaying the effective date of the Act by 12 months.)
On 24 August 2001, the Federal Attorney General issued a media release which stated inter-alia:
"The Government is aware that the Privacy Commissioner’s initial draft guidelines, which were circulated for business and public consultation in May this year, have caused concern for many businesses. The Privacy Commissioner has accepted the need to respond to these concerns and the guidelines are in the process of being substantially revised in consultation with business and industry groups."
On the same day (24 Aug), the Federal Privacy Commissioner distributed a substantially revised draft of the guidelines to the NPP Reference Group and, apparently, unnamed others. This draft was provided to the NPP Reference Group for comment on condition of confidentiality of the contents. Regrettably, EFA is therefore unable to publish the draft or EFA's specific comments thereon. However, on 31 August 2001, EFA issued an open letter to the Commissioner expressing general disapproval of the contents of the (non-public) revised draft and stating, among other things, that:
"...it presently appears that the Federal Privacy Commissioner's office has been hijacked by politically powerful big business lobby groups with minimal interest in their customers' right to privacy. If such a perception is not factual and is not to become a widely held view in the general community, the current draft guidelines require another major overhaul, this time to restore backbone and balance."
On 18 September 2001, final Guidelines on the National Privacy Principles were made publicly available by the Privacy Commissioner. These are a slightly amended version of the non-public draft referred to in EFA's open letter and the minor amendments are insufficient to change EFA's previously expressed views.
See also: Privacy guidelines 'gutted', Karen Dearne and Kate Mackenzie, Australian IT, 18 September 2001
- "Newly released privacy guidelines have been slammed by consumer and privacy groups after a last-minute revision. Consumer advocates said political pressure had led to the gutting of guidelines covering the operation of the new private sector privacy laws..."
In addition to the Guidelines, the Privacy Commissioner issued a number of supplementary Information Sheets. It is concerning, however, that the Commissioner decided not to issue all previously planned Information Sheets and those that disappeared would have covered important, albeit controversial, issues such as Consent.
In 1997 an Australian coalition of privacy rights, commerce and academic groups commenced a campaign for fair privacy laws. Subsequently, Commonwealth legislation applicable to the private sector became operative in December 2001 although it contains many loopholes and inadequacies. See separate page for information about the campaign, campaign documents and related privacy reference materials.
- EFA's Privacy and Surveillance Page
- Australian Privacy Foundation's web site
- Federal Privacy Commissioner's web site
- How to make a privacy complaint page on the Federal Privacy Commissioner's web site
- List of Privacy Service Providers (lawyers, etc) compiled by the Federal Privacy Commissioner's office.