Privacy Advocates and the
Privacy Commissioner's Discussion Paper of August 1997
Regarding (Self-)Regulation of the Private Sector

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 10 October 1997

© Xamax Consultancy Pty Ltd, 1997

This paper was prepared for the Privacy Commissioner's Forums in October/November 1997


Privacy emerged as a serious social concern in the late 1960s. Laws were passed in the majority of advanced western nations in the period 1970-1985. Because inconsistencies between the laws of the various nations threatened commerce, codification was undertaken, most notably by the OECD in 1980.

Some of these laws have applied to both the public and the private sectors since their commencement. In other instances, it was considered that experience should first be gathered in relation to the public sector, and regulation imposed on the private sector at a later stage.

Australia was a late implementor of privacy protection laws, with the Privacy Act being passed only at the end of 1988. It provides a privacy protection framework, but also contains some significant inadequacies. The Act's primary focus is the public sector. But it also applied from the very beginning to the private sector, in respect of the handling of the Tax File Number. It was extended in 1989 to consumer credit reporting. It is in the process of being further extended, to corporations that provide personal data outsourcing services to federal government agencies.

During the last quarter-century, enormous advances have been made in information technology, and the potential invasiveness of applications has become ever more intense. Moreover, organisations are increasingly eager to take advantage of data surveillance technologies, and to achieve greater data-intensity in their relationships with individuals. This has resulted in the formulation of enhanced protections, such as the Australian Privacy Charter, and the European Directive.

Public concern continues to increase. Modern technologies present ample opportunity for scare-mongers to generate high levels of paranoia, and hence undermine investments. Examples of applications that are especially exposed are electronic services delivery, Internet commerce, intelligent transportation systems, and anything that involves smart-cards or biometrics.

With every news story, the pressure increases for regulation of the private sector, and intensified regulation of government uses of personal data. The Democrats have tabled a draft Bill in the Senate. The States of Victoria and N.S.W. are in the process of responding to the public's demands, and Victoria appears likely to extend its Act to the private sector. The ACT has stated its intention to legislate for subject access to health care data. These initiatives raise the spectre of a 'patchwork quilt' of regulatory regimes. The EU Directive's implicit threat of raising non-tariff trade barriers adds further pressure.

Purely self-regulatory schemes have been given their opportunity, and have failed to deliver. They are inadequate to control the mavericks, in any industry, private or public sector. The inconsiderate actions of the mavericks harm not only the privacy of individuals, but also public confidence. As a result, the reputation and costs of 'fair dealing' organisations suffer as well. In addition, if individual corporations have to demonstrate their compliance with EU standards, those companies will bear higher costs than if the nation were to impose the same conditions through legislation.

Formal regulation brings with it considerable costs and bureaucracy. The Privacy Act 1988 is, in any case, an inappropriate model for the private sector. Better alternatives exist, which are capable of satisfying the needs of individuals for protections against abusive behaviour; as well as the needs of 'fair dealing' organisations for protections against the excesses of other companies in their sector; at the same time as ensuring consistency nationwide, and containing costs. It is important to appreciate that no clear demonstration has ever been provided that privacy regulation results in major costs to large or small business, provided that public awareness and education campaigns are conducted, no meaningless registration process is imposed, and phasing-in periods are implemented.

During the mid-1990s, a meeting of the minds has occurred between privacy advocates on the one hand, and industry associations and corporations on the other. The general shape of a workable regulatory regime has emerged. It involves:

The current initiative of the Privacy Commissioner falls short of the workable regulatory regime that is needed. Because of the Prime Minister's revocation of his Government's undertaking to establish a co-regulatory protective scheme, the Commissioner's proposal omits the vital legislative layer.

The privacy advocacy community rejects the proposal for a self-regulatory scheme. It is not prepared to participate in the consultative process, until and unless the proposals are strengthened through the inclusion of legislative stiffening. The current proposal cannot have credibility with the media and the public without the support of the privacy advocacy movement.

Many corporations and industry associations are already seeking a privacy regime with teeth, and very few corporations or associations have declared opposition to the proposition. The supporters are as diverse as AmEx, the Australian Direct Marketing Association, and representatives of pawnbrokers. This is because they believe that nothing less will satisfy the public's demands, and prevent the privacy issue becoming bad for business through impacts on image and on cost-profiles. The privacy advocacy community suggests to all industry representatives that they should demand that the proposals be strengthened.

As soon as the agenda is enhanced to include legislative force behind the codes, the advocacy movement will invest great efforts in the negotiation of a consensus proposal among the stakeholders, and in the development of specific industry codes.


A large number of references are available on the author's web-pages, including an introduction and definitions.



Created: 8 October 1997

Last Amended: 10 October 1997

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).