Privacy law changes - losing ground or catching up?

Plenty of material out there from the Privacy Commissioner and others about the changes to the Privacy Act that came into effect on 12 March. 

The headline in Business Spectator - Privacy Act revisions:Little bark no bite - was a little off the mark on the 'bite', as the Privacy Commissioner has substantially extended enforcement powers should the commissioner chose to exercise them, including to require enforceable undertakings and pursue civil penalties of up to $1.7 million for serious or repeated privacy breaches. 

But as Paul Wallbank in that report points out, the changes have been a long time coming, in many respects are designed to fight yesterday's battles and "may do little to address genuine concerns in a world where data can be cross-matched from multiple sources and processed anywhere on the planet."

This announcement on 30 January 2006 started things, well sort of rolling:

I, Philip Ruddock, Attorney-General of Australia, having regard to:

• the rapid advances in information, communication, storage, surveillance and other relevant technologies
• possible changing community perceptions of privacy and the extent to which it should be protected by legislation
• the expansion of State and Territory legislative activity in relevant areas, and
•  emerging areas that may require privacy protection,

refer to the Australian Law Reform Commission for inquiry and report pursuant to subsection 20(1) of the Australian Law Reform Commission Act 1996, matters relating to the extent to which the Privacy Act 1988 and related laws continue to provide an effective framework for the protection of privacy in Australia.

The Australian Law Reform Commission after a mammoth consultation and review effort delivered a comprehensive report in 2008 - three-volumes, 74 chapters and 295 recommendations.

Six years on, eight years after the acknowledgement of 'rapid advances' we have legislation to give effect to what the then government described in its response as the 'first phase'  reforms. 

Many aspects are positive, particularly the attempt to build privacy protection into the DNA through documented policies and procedures that are potentially subject to performance assessment by the Commissioner at any time.

But many of the ALRC recommendations are buried in the mist of time. And what looked like 'rapid advances' to Philip Ruddock in 2006 look like first reports about the Wright brothers when considered in the light of developments since the commission reported in 2008. Drones for one probably weren't preying on his mind. 

Among the recommendations put aside for second and third stage consideration but appear to have sunk beneath the waves include the removal of the exemptions from the act enjoyed by businesses with turnover of less than $3 million (there are some exceptions) and by registered political parties, and changes to the conditions for continuation of the exemption for media organisations in the conduct of journalism. Another that got to first base but no further so far is mandatory data breach notification - legislation didn't make it through Senate in the last parliament and is yet to be heard of since. 

Another biggie was to be Federal government leadership on national harmonisation.

As Professor Barbara McDonald from the Australian Law Reform Commission told a parliamentary committee recently

"At the moment, a lack of uniformity means there’s insufficient protection of people’s privacy because people don’t know what’s against the law and what’s not.”

Don't hold your breath.

The government last year after much ducking and weaving over the recommendation to legislate a cause of action for a serious and unwarranted breach of privacy ( supported by the NSW and Victorian law reform commissions who reached the same conclusion years ago) wrapped this issue in yet another reference to the ALRC to inquire into the protection of privacy in the digital era, to look at "innovative ways in which law may reduce serious invasions of privacy in the digital era" and "the necessity of balancing the value of privacy with other fundamental values including freedom of expression and open justice."

The Commission is to report by June 2014. And the process starts all over again?