Kalley Chen, Dai Chen and Xu Zifeng  King & Wood Mallesons’ Security Group

Australia has had a range of general and sector-specific privacy laws for 20 years. At the Federal level, the Privacy Act 1988 (Cth) initially regulated the way in which Commonwealth agencies dealt with the personal information of Australians. The scope of the Privacy Act was expanded to also cover the handling of individuals’ credit information and, more broadly in 2001, to cover all private sector organisations and the way in which they collect, use and disclose personal information. Individual States and Territories of Australia also have specific privacy laws that regulate the way State-based agencies deal with personal information, and laws relating to privacy are also found in a variety of legislative contexts.

The result is that Australia has a myriad of privacy-related laws at different levels of Australian Government covering an often overlapping range of issues. This situation was one of the drivers behind a substantive review by the Australian Law Reform Commission (ALRC) into Australia’s privacy laws.

On 11 August 2008, ALRC released a report “For Your Information: Australian Privacy Law and Practice“. The report is a massive 3,000 pages and adopts a “principles-based” approach to regulation by making 295 recommendations. These changes will impact on all private sector organisations and the way in which they collect, use or disclose personal information.
The ALRC’s view is that “principles-based” regulation should be the primary method of regulating information privacy in Australia, supplemented by specific rules to address particular issues that arise in relation to certain industries. This “principles-based” approach contrasts to “bright line” or “complex and detailed rules” approaches where rules for specific situations are detailed in legislation.

The ALRC has recommended a basic restructure of privacy regulation following a three-tiered approach:

1) high-level principles of general application, to be encapsulated as the new “Unified Privacy Principles” (“UPPs”)provided in a streamlined Privacy Act;

2) regulations and industry codes detailing the handling of personal information in certain specified contexts, such as health and research and credit reporting; and

3) the issuance of further guidance by the Privacy Commissioner (and other relevant regulators) dealing with operational matters and explaining to end users what is expected in various circumstances, as well as providing basic advice and education.

Principles-based privacy regulation has advantages, as well as shortcomings, for private sector organisations. It often means that legislative certainty is compromised: flexibility for a regulator to respond to changed circumstances is achieved at the expense of predictability, with the result that an organisation can never be sure of the rules. Provided, however, that the regulator implementing the principles gives clear guidance as to how they are to be applied at any particular point in time and provides adequate notice of changes to that guidance, principles-based regulation can have the benefit of allowing the law to adapt to rapidly-evolving areas, particularly to address the privacy implications of new and emerging technologies.

Across the waters, China’s legislature is watching Australia work through its imminent privacy overhaul. Currently, China’s Constitution Law prohibits the infringement of the inherent dignity of the human person and their residence, and protects freedom and security of communication. Personal Privacy is partly and principally protected under the fundamental laws. Notwithstanding that there is no express right to privacy in China’s Civil Law General Principles , the administrative laws and regulations contain special regulations regarding protection of privacy based on investigation, secrecy and public hearings. The scope of personal information is expanded to include the sale of personal information pursuant to the Amendments to the Criminal Law (VII) (draft) . In addition, disadvantaged groups and professionals, such as minors, lawyers, and doctors, are required to take steps for protection of clients’ personal information. In civil judicatory trials, the People’s Court is required to accept matters where a party makes a claim for damages as a result of psychological harm caused due to infringement of their privacy. However, the claimant can only bring an action for compensation to the extent that their reputation is damaged from infringement of their privacy . There is no specific mention in the regulations about when an invasion of privacy takes place but does not lead to infringement of reputation. Overall, regulation in respect of protection of privacy in China is scattered and the scope of personal information requires clarification, especially in relation to what constitutes personal information.

Click here for complete article.

By Michelle Rowland, Sarah Alderson of the Communications & Technology Group of Gilbert + Tobin.

King & Wood established a strategic alliance with Gilbert + Tobin in November 2007.