Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2018

Roger Clarke's 'Australian Privacy Law'

History of Australian Privacy Law
The Private Sector

Emergent Draft of 26 October 2010

Roger Clarke ** [and co-authors?]

© Xamax Consultancy Pty Ltd, 2010

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

It is one chapter in a study of privacy law in Australia

1. Introduction

From a legal perspective, the federation that is the nation of Australia comprises a national jurisdiction and eight sub-national jurisdictions, six States and two Territories.

For the purposes of privacy law, a tenth context needs to be recognised - the non-government sectors. These include both for-profit business enterprises - including corporations, unincorporated businesses including sole traders, partnerships and trusts, and many cooperatives (which is the narrow interpretation of the term 'private sector') - and not-for-profit organisations - including charities, associations, clubs and some cooperatives.

Under the Australian Constitution, the non-government sectors are subject to aspects of both Commonwealth law and the laws of the States and Territories. In some contexts (such as telecommunications), one is clearly relevant and the other clearly not; but in other contexts (such as health) there are grey areas.

Powers in some sectors are clearly allocated by the constitution to the Commonwealth, and in other sectors they remain with the States. The Commonwealth has enacted in respect of the private sector generally, and the States and Territories have accepted that jurisdictional claim. The sub-national Parliaments have, however, passed privacy law in respect of particular activities, particularly the health care sector, which intersects and may conflict with the federal law.

This paper reviews the history and status of privacy law in the non-government sector. Separate papers in the series address the Commonwealth, NSW, Victoria, and the other six smaller States and Territories.

The sequence is chronological, according to the year in which the first noteworthy activity occurred.

2. The Credit Reporting Sector



The credit reporting sector nationwide was subjected to specific provisions enacted in 1989. They are contained in ss. 18A-18B and Part IIIA (ss. 18C-18V) of the Privacy Act.


Ever since their enactment, these provisions have been the subject of lobbying by the monopoly credit reference company and the financial services sector. Until 2008, the pleas had met with very limited success. The ALRC's 2008 Report, however, gifted the industry an opportunity to at last achieve its desires. If the industry is successful, the level of intrusiveness into personal data, and the amount of harm caused by errors in the industry, will both leap.


3. Outsourced Service Providers

During the 1990s, it became fashionable for large organisations to use subcontractors to perform a great many activities, particularly those somewhat peripheral to their 'core functions'. Multiple waves of 'outsourcing' swept through government agencies, with naive expectations of enormous savings, and loss of a great deal of corporate memory and expertise. A reaction to the excesses occurred ('insourcing'). By the early 2000s, a degree of rationality had returned ('right-sourcing' and 'benchmarking').

The Privacy Act 1988 applied to government agencies, and did not extend to contractors to government agencies. As the handling of personal data was outsourced, serious concern arose that privacy protections that had been in place for some time were being routinely undermined, because data subjects were reduced to a dependence on contracts to which they are not a party, and over whose terms they have no control. This left outsourcing providers who handle personal data on behalf of Commonwealth government agencies bound by, at most, limited contractual provisions.

In 1996-97, in line with its rationalist-economic credentials, the Commonwealth Government pursued a major programme of outsourcing of government I.T. services. This arose from a Government report critiqued in Clarke (1995b). At first, the initiative contained no commitment to ensuring appropriate privacy protections. Reactions by privacy advocacy groups (Dixon 1997, Clarke 1997d), reported by the media, wrung out a change in policy from the Minister for Finance.

The Privacy Amendment Bill 1998 was introduced, to extend the provisions of the Privacy Act 1988 to companies to which government agencies' data processing is outsourced (Waters 1998b). The Amendment Bill was tortuous, and the inevitable weaknesses and limitations were accordingly very difficult to detect. It was abundantly clear that the draftsman has made strenuous efforts to ensure that there was no accidental increase in the extent of existing privacy protections. The Bill passed the Government-controlled House of Representatives. In the Senate, where the Government did not enjoy a majority, it was referred to the Senate Legal & Constitutional Committee.

That Committee held public hearings. Submissions included Clarke (1998f) and CFPL (1998). Parliament was prorogued shortly before the Inquiry's reporting date, and the Bill lapsed. After the Government was returned, the Committee received the Senate's approval to continue with its reference, and to table its report. It did so in March 1999, accepting to a considerable degree the submissions of privacy advocates ('Privacy and the Private Sector: Inquiry into Privacy Issues, including the Privacy Amendment Bill 1998, Senate Legal and Constitutional Committee, March 1999).


During mid-1999, it became apparent that the Government would not reintroduce the Bill. The ostensible reason for this was that the Government was preparing comprehensive legislation to regulate the private sector. As the following section will show, however, this was not to be privacy-protective legislation, but would be highly friendly to business. Moreover, the provisions are far weaker than those in the original Privacy Act of 1988, and hence personal data that has been acquired, in most cases under legal compulsion, falls routinely into the hands of corporations, which are subject to even weaker constraints and enforcement than are agencies. This serious inadequacy remains, even in 2010.


Dec 2001: OAPC Information Sheet (Private Sector) 14 - 2001: Privacy Obligations for Commonwealth Contracts

Apr 2002: AGS Legal Briefing 'Outsourcing: Agency Obligations under the Privacy Act'

4. The Private Sector Generally - 1988-1998

The Privacy Act 1988 Act was limited to the public sector. That is because it began as a companion Bill intended to ease the passage of a grossly privacy-intrusive national identification scheme, and became a follow-on after the scheme's defeat. The Law Reform Commission Report of 1976-83 had failed so monumentally that it had generated no momentum at all, and regulation of the private sector was not yet on the agenda.

Pressure for regulation gradually grew through the 1990s, however. During 1990, a scandal arose concerning unauthorised access to records of the Department of Social Security, N.S.W. motor driver licensing, and the Health Insurance Commission. A long-running enquiry was held by the N.S.W. Independent Commission Against Corruption (ICAC 1992. See also Clarke 1992c). This disclosed that serious abuses were occurring, some on a routinised basis, and with tacit approval from and participation of public servants.

This had an impact at federal level. The House of Representatives Standing Committee on Legal and Constitutional Affairs deliberated from 1992 until 1995, producing a report (LCA 1995), reviewed in Dixon (1995). The report proposed that the Privacy Act 1988 be amended to make private contractors liable for observance of the Information Privacy Principles. Like so many other Parliamentary reports, it had no direct outcome, but it did provide some impetus for change.

Under the Australian constitution, some sectors need complementary State legislation; and effective collaboration between the States and the Commonwealth is uncommon.

In 1995, the Commonwealth Labor Government, within its Innovate Australia Program, committed to legislating privacy protections applying to the private sector generally. Labor indicated a clear preference for aspects of what was at that time referred to as 'the New Zealand model' (NZ 1993), and in particular the enactment of statutory general principles and the creation of subsidiary industry and activity codes. See Greenleaf (1995b).

During the remaining 18 months leading up to the next election, no further action occurred, but privacy legislation remained in the party platform. Labor lost power to the Coalition in March 1996.

During the March 1996 federal election, both sides of politics had committed themselves to the passage of privacy regulation for the private sector. The new Government's platform included reform of privacy laws as "a matter of the utmost priority". The Coalition's platform had used the highly descriptive term 'co-regulation' to refer to the model supported by privacy advocates, business and government regulatory agencies alike. See Greenleaf (1996a)

On 12 September 1996, the Attorney-General, Darryl Williams, announced the direction of the Government's reform agenda for privacy in the private sector (Williams 1996). A Discussion Paper was published, as a basis for consultation between September and the end of November 1996. Explicit reference was made to New Zealand's 1993 legislation.

The Discussion Paper envisaged a set of Principles related to those that already applied to the public sector, and empowerment of the Privacy Commissioner to promulgate detailed Codes for particular industries. These Codes would be negotiated with industry associations, with public participation in the development process. A critique is in Clarke (1996d). Over 100 submissions were received. They evidenced a consistent theme that uniform national legislation was essential (Greenleaf 1997a).

In March 1997, however, the Prime Minister declared, seemingly without consulting with his Attorney-General, that there would be no such legislation. The justification was costs to business, particularly small business, and it appears that lobbying by the Chief Executive of the Australian Chamber of Commerce and Industry (ACCI), Mark Paterson, was intrumental in achieving the sudden policy turnaround. This renege of an element of the Government's election platform was one of many, which it excused on the grounds of being 'non-core' promises.

During 1997, Democrat Senator Natasha Stott-Despoja led a campaign in an attempt to embarrass the Government into re-establishing its policy to introduce privacy legislation. This culminated in the tabling of a private member's Bill in August 1997. The Labor Opposition sided with the Government to preclude consideration of the Bill by the Senate Legal and Constitutional Committee (Stott-Despoja 1997).

The Prime Minister requested (or arguably directed) the Privacy Commissioner to produce a set of 'National Principles', which were to guide businesses and industry associations in their establishment of self-regulatory arrangements, which, it was asserted, would be effective, and cheaper than a statutorily-backed scheme. The matter was examined in Greenleaf (1997b). Privacy advocacy organisations initially boycotted the process, on the grounds that a set of principles that was not backed by statutory authority was worthless. Inadequacies of the process were documented in Clarke (1997h). The Privacy Commissioner separated the question of enforcement from that of the statement of principles, and with all parties agreeing that the principles would be neutral as regards the manner of implementation, privacy advocates agreed to participate in the process.

The Privacy Commissioner issued a Consultation Paper (PCA 1997), re-published in Greenleaf (1997c). Consultations ensued. On 20 February 1998, the Australian Privacy Commissioner released a document entitled 'National Principles for the Fair Handling of Personal Information' (hereafter FHIPs). These were reviewed at length in Greenleaf & Waters (1998).

There are many ways in which FHIPs was a conventional implementation of the OECD's 1980 framework. Unfortunately, however, not all voices in the consultations were accorded equal force, and as a result they contained a number of important deficiencies that needed to be addressed before they are applied. These are detailed in Clarke (1998b), with a summary in Greenleaf (1998b). In late 1998, the Privacy Commissioner held consultations to consider whether changes were needed to the Principles. The inadequacies of the document were presented by privacy advocates in consolidated form. Under pressure from industry advocates, the Privacy Commissioner chose to make very limited, and inadequate amendments.

During this period, industry associations had sought to hold off regulation by publishing codes, in some cases complemented by weak self-regulatory schemes. Examples of industry codes included the following:

The process relating to the ADMA code provide a case study in such codes. An application was made by ADMA for the imprimatur of the Australian Competition and Consumer Commission (ACCC) for a code that reflected several previous documents that had been negotiated between ADMA and government agencies, but which had not involved any meaningful consultations with consumer or privacy advocates. This became public knowledge in October 1998, when ACCC sought public comment.

More than a dozen consumer and privacy advocacy organisations submitted very forcefully to ACCC that the ADMA code did not satisfy the public interest test. See the submissions of Robin Whittle in relation to the telemarketing aspects, and of other individuals and organisations, stored on Robin's site. See also my own submissions of 21 October 1998 and 15 December 1999, and the ACS response of 15 December 1998 (Clarke 1998).

After a succession of delays, and extension of the publication date from December 1998 until August 1999, the ACCC approved an amended document. Privacy advocates were uniformly appalled at the ACCC's incapacity to withstand the pressure of segments of industry and the Prime Minister's office. As veteran advocate Robin Whittle put it: "ADMA got exactly what they wanted: Government approval of a code with minimal consumer protections, not just in their field of direct mail, but also in telemarketing and electronic commerce".

Because of the completely unbalanced nature of the process, all such schemes have been completely valueless from the viewpoint of privacy protection, because consumers by themselves have insufficient power and persistence to enforce conformance. On the other hand, to the extent that industry codes were negotiated among all stakeholders, and were subject to sanctions and actual enforcement, a co-regulatory scheme could be effective.

During 1998, the Senate Legal & Constitutional Committee considered a Privacy Act Amendment Bill relating to outsourcing by government agencies. A relatively small proportion of the Senate Committee's time was spent on the Bill itself, however. The primary questions that were investigated related to the need for statutory regulation of the private sector generally. Submissions included Clarke (1998f), (Clarke 1998h), and (CFPL 1998).

There appeared to be a very high likelihood that the Committee would have concluded, by majority, with Government members in the minority, that legislative action was essential. It is highly unlikely that this would have made any difference, but the report may have been a useful summary of the state of play in mid-late 1998. Hansard is available for the public hearings in Brisbane on 27 July, Sydney on 28 July, Melbourne on 29 July, and Canberra on 5 August 1998.

IS THIS THE EVENTUAL COMMITTEE REPORT, of 2 years later, 10 Oct 2000?

Provisions of the Privacy Amendment (Private Sector) Bill 2000

During 1998, the decision was announced that the Office of the Privacy Commissioner was to be separated from the Human Rights & Equal Opportunities Commission (HREOC). At the same time, savage cuts (of the order of 40% of the organisation's budget) were applied. Moreover, no additional funding was provided to enable the Privacy Commissioner to undertake the Prime Ministerially-imposed provision of guidance to the private sector. This further harmed the Commissioner's already seriously weakened capacity to deal with her Office's core responsibilities relating to the public sector.

During the latter part of 1998, particularly after the election in October, a series of industry associations publicly urged the government to implement 'light-touch' legislation. The situation was summarised in 'The Australian Financial Review' of 24 November 1998.

5. The Private Sector Generally - 1999-

Between the end of 1998 and the end of 2000, the Government undertook a series of steps that at first appeared potentially positive for privacy in Australia, but transpired to be extremely bad for privacy.

In 'The Age' of Friday 27 November 1998, and on page 1 of 'The Australian's Computer Pages of 1 December 1998, the Minister for Communications, Information Technology & the Arts, Senator Richard Alston, signalled a commendable turnaround in the government's policy. Speculation was rife that a paper was to be tabled in Cabinet soon, with draft legislation in the short-to-medium term. On 9 December, 'The Australian Financial Review' quoted from a Prime Ministerial adviser's letter to an industry association, as follows: "the Commonwealth will be reviewing options for private-sector data protection on a national basis".

On 16 December, a joint Press Release by the Minister for the Information Economy and the Attorney-General announced that "the Government will legislate to support and strengthen self-regulatory privacy protection in the private sector". It is to be "a light touch legislative regime based on the Privacy Commissioner's National Principles for the Fair Handling of Personal Information".

The quality of the regime, and its enforceability, were thrown into immediate doubt, however, by the statement that "The scheme will be based on industry codes and apply a legislative framework only where industry codes are not adopted". In addition, the press release made no mention of any involvement in the process of privacy and consumer advocates and representatives.

The Labor Party Platform proposed a co-regulatory scheme, and the cross-bench Democrats, who held the balance of power, had always been strongly pro-privacy legislation. It was therefore reasonable to expect that the Bill could meet with approval in the Senate.

During March-May 1999, a 'Core Consultative Group', assembled at the invitation of the Attorney-General's Department, met to provide advice to the government on the shape of legislation to regulate the private sector. Tabling of a Bill was originally intended for the second half of 1999. Staff turnover, among other things, resulted in delays, and by mid-August, it was not anticipated that a discussion draft would be available before September 1999.

In September 1999, the Attorney-General's Department released an information paper on the Government's proposed legislation. This largely reflected the outcomes of discussions of the Core Consultative Group, together with the limitations placed on that Group's deliberations by the Government's prior policy decisions. The Department subsequently stated that it received over 50 submissions in response to the paper. The media industry conducted a concerted campaign aimed at ensuring that either the legislation did not proceed, or that media use of personal data was exempted from it, in the interests of freedom of the press.

By late 1999, the schedule had been slid back to the first parliamentary session in 2000. A major media blitz occurred in early December. The Murdoch press started the snowball by publicising the kinds of information that a Packer company intended collating, and storing in a database called InfoBase, run by a large U.S. company called Acxiom, based in Arkansas.

On 14 December 1999, the Attorney-General issued a press release, and published segments of the draft Privacy Amendment (Private Sector) Bill, in RTF and PDF formats, together with a an overview, also in RTF and PDF formats.

Submissions were invited by 17 January 2000. He stated that "Government policy is settled in respect of the Bill", so it was unclear what impact submissions could possibly have on the Bill, unless the lobbyists were to speak with a great deal of force. In addition to employee information, media had gained a substantial exemption, health information was subject to a number of qualifications, and the Privacy Commissioner's Principles had been revised, nominally "to accommodate legislative language", but in practice with substantial impacts on their original effect.

The Bill tabled in the Parliament was not that which arose from the 'consultative' processes that the Attorney-General himself had instigated. Either the extremist industry associations (especially ADMA, and possibly also ACCI) negotiated separately with the Attorney-General; or the Department of Prime Minister and Cabinet (to which Williams had always been subject) gave its instructions and Williams meekly concurred. Either way, the release of the Bill made a mockery of both the man and the process.

The Bill was appalling - not merely the world's worst privacy legislation but a downright anti-privacy statute. For detailed critique and submissions, see Submission to the Commonwealth Attorney-General (January 2000), 'Privacy Bill needs much more work' (February 2000), Submission to the House of Reps. Inquiry (May 2000), and Submission to the Senate Inquiry (September 2000).


Provisions of the Privacy Amendment (Private Sector) Bill 2000

The Labor Opposition (never a friend of privacy) let the Bill through with minimal changes. The resulting statute is at Privacy Amendment (Private Sector) Act 2000. It became [in]effective on 21 December 2001. The Act created in Schedule 3 the National Privacy Principles (the NPPs), which are significantly different from the IPPs that apply to the Commonwealth public sector. The Privacy Commissioner's limited oversight powers apply to this segment of the Act as well. A critique is in Clarke (2001).

The origins of the private sector legislation are indicative of the dysfunctionality of public policy processes in Australia. During 1999, a 'Core Consultative Group' (CCG) comprising representatives of industry associations and public interest advocacy groups negotiated a draft Bill. Because that Bill displeased powerful industry associations, the Bill that Williams took to the Parliament shortly afterwards bore no relationship whatsoever to that which had been negotiated. In parallel with the CCG, a different Bill had been prepared by staff of the Department in collaboration with two industry associations, to the exclusion of privacy advocates. Given this gross breach of trust, it is unsurprising that the provisions served the perceived self-interests of the industry sectors that drafted it, legitimised privacy-invasive practices, and reduced the levels of privacy protection rather than increasing them.




FIRST-CUT APPs 2010, incl. Direct Marketing elevated to a 'Privacy Principle'

REF Greenleaf & Waters (2010)

5. Health Care

The health care sector is very large, highly complex, and involves a great array of privacy-sensitive contexts, including privacy of the person, privacy of behaviour and privacy of communications, as well as privacy of personal data. The sector comprises large and powerful lobbies. Some have a strong interest in meddling with people's bodies for reasons additional to treatment, particularly research. Some have strong interest in gaining access to personal data for research, accounting and audit purposes. Many regard privacy as less important than other interests, such as freedom to research, public health and control of financial miscreants.

The health sector straddles the public and private sectors, and large, medium small and micro-enterprises. The Australian constitution is such that the federal jurisdiction:

In 1997, the ACT legislature passed the A.C.T. Health Records (Privacy And Access) Act. The legislation is at


In March 1998, Senator Stott-Despoja introduced a Private Members Bill called the Genetic Privacy and Non-discrimination Bill 1998. This addresses collection, use and disclosure issues relating to measures of human DNA. The matter was referred to the Senate Legal and Constitutional Committee. In March 1999, the Senate Legal and Constitutional Committee tabled a report on the Stott-Despoja Genetic Privacy and Non-discrimination Bill 1998. This addressed collection, use and disclosure issues relating to measures of human DNA. As is the case with virtually all Bills that are not initiated by the Government-of-the-day, the Bill did not proceed.

The federal private sector legislation in 2000 affects organisations in the private sector that handle health care data. The exemption for small-to-medium-sized organisations does not apply in the case of health care data.

In 2001, Victoria passed the Health Records Act, affecting both public and private sector organisations. The Health Care Complaints Commissioner was provided with the responsibility to administer it, not the Privacy Commissioner. There is uncertainty about conflicts between the federal and Victorian legislation in respect of private sector organisations, and there may be between Victoria's general Information Privacy Act and the health records statute in respect of public sector organisations (e.g. in relation to the relevance of the Privacy Commissioner's PIA Guidelines). The Act is at

In 2002, NSW passed the Health Records and Information Privacy Act, affecting both public and private sector organisations. There is uncertainty about conflicts between the federal and NSW legislation. The Act is at

Victoria, NSW and the ACT all have laws specifically relating to health care data, and it is far from clear to what extent each of the conflicting laws applies to any given activity by any given organisation. The confusion may not be of much consequence, however, because there are very limited sanctions, and little or no enforcement is undertaken.

6. Telecommunications

Just how badly the Privacy Commissioners have performed is underlined by the progress made in areas outside their purview. In the telecommunications sector, the Telecommunications Act and the Telecommunications (Interception and Access) Act include provisions relating to security and privacy.

During late 1998 / early 1999, Telstra ran an appalling campaign designed to mislead the public into unblocking their lines for Caller-ID. (Presumably their commercial clients were complaining about the percentage of callers who blocked their number from being viewed by the callee). Despite a clear breach of any reasonable advertising standards (i.e. they lied), no regulatory body was prepared to consider whether they had breached any law or even any voluntary code of conduct.

Meanwhile, a few reports arose about some ISPs declining to do business with customers who turned off Caller-ID, on the grounds that disputes about whether someone else is using the account can be avoided if calls are only accepted from pre-registered telephone-numbers.

The the Australian Communications Industry Forum (ACIF) continued to be used as a means of holding consumer and privacy advocates at very long arm's length, and thereby avoiding constraints being placed on the sale-value of the next tranche of Telstra shares. Privacy protections are very limited in this area, and abuses abound.

However, in November 1999, ACIF finalised an Industry Code for the 'Protection of Personal Informaiton of Customers of Telecommunications Providers' after a public comment period in July. It claimed that this drew heavily on the Privacy Commissioner's 'National Principles for the Fair Handling of Information'. After approval by the ACIF Board, the Code is expected to go to the ACA for registration in early 2000. However, whether the industry will sign up is another matter - at the end of 1999, only four codes had attracted any signatories. Telstra had only signed one Code after two and a half years of self-regulation.

If and when that code or a revision of it is registered by the Australian Communications Authority (ACA), then the ACA would gain powers under Part 6 of the Telecommunications Act to give warnings and directions, and impose civil penalties for failure to comply. The business enterprises that would be subject to the Code are not only 'carriers' (in particular Telstra, Optus), and 'carriage service providers' (i.e. Internet access providers), but also 'content service providers' (a term whose meaning is unclear, and could be very broad).

Hence some sanctions might someday come into existence for some kinds of abuses of personal data in the telecommunications sector. In the meantime, codes of practice of particular industry associations may be of some relevance in the telecommunications arena. The insurance industry leads, the Internet industry is active, the information technology industry may develop something, and the banking industry will probably continue to pretend that it's already got one.

Meanwhile the ACIF went round in circles on Caller ID. Telstra refused to support a code which exposed it to any risk of conducting any public awareness activities for CND, arguing that it was only responsible for its own customers, it could put information in bills and occasional information brochures, and it had already spent a lot of money on the campaign. Never mind that it had never given any balanced information about why people might want to keep their number private.

ACIF is also rapidly advancing a standard that is extraordinarily privacy-invasive, but is being considered as nothing more than a technical exercise. This is the enhancement of cellular telephony to support precise location of the handset. It goes under the name 'Mobile Location Indicator For Emergency Services' (MoLI), and the pretext for the creation of this particular surveillance technology is support for emergenecy services. For a much more sceptical interpretation, see Clarke (1999). The draft was issued in June 1999, and the 5-week period for public comment closed in July 1999.

White Pages Directories used to be organised by city or town. When it was launched, the electronic service overcame some of the incidental privacy protections afforded by location-based directories. It not only enabled searches across 'Other Areas within the State', but also precluded searching within particular towns.

During the third quarter of 1999, Telstra saw an opportunity to use the heart-tugging potential of get-togethers associated with the 50th anniversary of the Snowy Mountains Scheme to continue its campaign to extend the interpretation of the White Pages' purposes. The sub-text of the advertisements and sponsored TV show was that the White Pages are how people find one another.

The intention of these extensions of usage is presumably to prepare the ground for a launch of a publicly accessible 'reverse White Pages'. If this were mainstreamed, it would be a potentially vast money-spinner, enabling Telstra to compete with list-sellers (by letting telemarketers dial random numbers, yet have subscriber-name and address up on their screen when they call). It would also be a substantial reduction in telephone subscriber privacy.

In August 1999, a Telecommunications Interception Policy Review reported that the existing arrangements were working well and no changes were needed. If privacy concerns were taken seriously by the government, this conclusion would have looked like staggering complacency.

During the decade following 2000, considerable unrest among consumers resulted in effective consultative processes that led to the regulation firstly of unsolicited email by the Spam Act 2003, and secondly of unsolicited tele-marketing calls by the Do Not Call Register Act 2006. The Spam Act is widely regarded as being appropriately-balanced, but will remain largely ineffective unless and until it becomes the basis for a multilateral convention. The Do Not Call Register attracted more than 200,000 registrations in the first 24 hours it was open, and passed 2 million registrations within the first six months, even though it fails to control charities, researchers and politicians. These statutes were negotiated in good faith by the Department of Communications, and are administered by the Australian Communications and Media Authority (ACMA). This is entirely distinct from the behaviour of the Privacy Branch of the Attorney-General's Department, now part of the Department of Prime Minister & Cabinet, which administers and tightly controls the Privacy Commissioner.

Spam Act

Do Not Call Register Act

The privacy-protective aspects of these laws are utilised much more effectively by the Telecommunications Industry Ombudsman (TIO) and the Australian Communications and Media Authority (ACMA) than by the Privacy Commissioner (ACCAN 2010).

The ALRC's 2008 Report recommended consolidation of the two very different sets of principles into Unified Privacy Principles (UPPs). If and when this occurs, it will provide the drafters with the opportunity to further weaken privacy protections. Consolidation will inevitably involve selecting the less onerous option of the two alternatives. Further, the enormous complexity of the new scheme will provide great scope for additional loopholes to be created and disguised. In addition, public interest advocacy groups are almost entirely excluded from discussions and can have only limited influence from outside the recognised 'stakeholder groups' of bureaucrats and industry associations that have control over the legislative drafting.

7. The Media


Won complete exemption in 2000

Are subject to meek and highly ineffective codes administered by the media's own Press Council, and in the case of radio and television broadcasting by ACMA

reacted with fury to the moderate proposals of the ALRC (2008) and NSWLRC (2009) relating to a statutory right of action

Have always been vicious critics of privacy regulation of the private sector, and have never hesitated to misrepresent the facts in order to vilify proposals for law

8. Not-For-Profit Organisations


large organisations are generally subject to the private sector provisions

those that handle health information are generally subject to Commonwealth and where relevant State laws in that area

won exemption from the Do Not Call legislation


9. Individuals


10. Conclusions


Relevant laws are identified in APF (2010).



See the consolidated reference list for the complete series of papers.



Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 7 August 2010 - Last Amended: 26 October 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy