16.08.2010
Enforcement pyramid
50.35 As discussed in Chapter 4, Professors Ian Ayres and John Braithwaite have suggested that the ideal regulatory approach to enforcing compliance with regulation is through the adoption of an explicit ‘enforcement pyramid’. Under such a model, regulators use coercive sanctions only when less interventionist measures have failed to produce compliance.[59] Breaches of increasing seriousness are dealt with by sanctions of increasing severity, with the most serious or ‘ultimate sanctions’ generally held in reserve as a threat.
50.36 There is great value in adopting the enforcement pyramid structure in the Privacy Act, as discussed further in Chapter 45. In some respects, the Privacy Act already adopts a pyramid-type structure for enforcing compliance. The approach relies initially on encouraging compliance, with determinations (and enforcement in the courts) and injunctions held in reserve. While there is some degree of escalation involved in these remedies, there are currently no civil penalties for serious contraventions of the Act, and only some limited criminal penalties attached to the credit reporting and tax file number offences.[60]
Issues Paper 31
50.37 In IP 31, the ALRC asked whether the range of remedies available to enforce rights and obligations created by the Privacy Act required expansion. Further remedies suggested by the ALRC included administrative penalties, enforceable undertakings or other coercive orders, remedies in the nature of damages, infringement notices, civil penalties and criminal sanctions.[61]
50.38 The ALRC received mixed responses from stakeholders about the need for further enforcement mechanisms. Some stakeholders suggested that harsher penalties under the Privacy Act are unnecessary as it has not been shown that the lack of ‘teeth’ in privacy legislation has reduced compliance with privacy laws.[62] In contrast, the Australian Privacy Foundation submitted that a wider range of remedies and sanctions is desirable.[63]
50.39 A number of stakeholders in the OPC Review submitted that there should be some level of civil penalty resulting from a contravention of the Privacy Act.[64] One stakeholder stated that it is hard to convince some company boards to comply with privacy laws when no schedule of penalties is attached to non-compliance with the NPPs.[65] While recognising the resource implications of additional remedies, the Consumer Credit Legal Centre observed in a submission to the Inquiry that:
stronger enforcement mechanisms, including through civil pecuniary penalties, present the OPC with a more long-term cost-effective way of functioning. Forcing businesses and industry to be accountable by imposing greater deterrents should result in less cases and investigations by the OPC.[66]
50.40 There was no support for introducing further criminal penalties into the Privacy Act, such as for a reckless, intentionally dishonest or flagrant contravention. The OPC considered that a cautious approach should be taken to the inclusion of further criminal sanctions, and noted that ‘as privacy is unlikely to be a high policing priority, a significant increase in criminal sanctions may impede rather than facilitate better privacy protection and privacy complaint outcomes’.[67]
Discussion Paper proposal
50.41 In DP 72, the ALRC canvassed whether the range of remedies available to enforce rights and obligations created by the Privacy Act required expansion. A number of suggestions were made by stakeholders, including enforceable undertakings, civil penalties and coercive orders. Having regard to the enforcement pyramid concept, the ALRC proposed that the Privacy Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.[68]
Submissions and consultations
50.42 The ALRC received a number of submissions on this proposal. The OPC expressed its support for allowing the imposition of a civil penalty in the case of serious or repeated interferences with privacy. It argued that the definition of ‘serious’ should explicitly include cases where a respondent breaches a notice to comply arising from an own motion investigation, or where a respondent fails to report a data breach, contrary to the requirements of the Privacy Act.[69]
50.43 The Law Council of Australia argued that a civil penalty was preferable to the introduction of administrative penalties[70] or an infringement notice scheme and was consistent with the ‘light-touch’ approach of the Privacy Act.[71] PIAC stated that a civil penalty regime was likely to provide a strong incentive to comply with the Act, provided that the amount of the penalty was commensurate with the seriousness of the breach.[72] A number of other stakeholders also supported this proposal.[73]
50.44 Some stakeholders also agreed with the proposal that the OPC should develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty will be made.[74] The Law Council argued that:
A binding set of criteria would provide necessary certainty to the scheme and prevent organisations from incurring significant costs associated with determining what obligations exist.[75]
50.45 One stakeholder expressed the view that the Privacy Act should include criminal sanctions for serious irresponsible handling of personal information. It argued that criminal sanctions should apply to the senior management and directors of agencies and organisations.[76]
50.46 Other stakeholders took the view that the introduction of civil penalties was unnecessary.[77] GE Money, for example, submitted that it was not aware of ‘the sorts of significant and ongoing breaches of privacy laws by organisations that might suggest that such a regime were necessary’.[78] Another stakeholder argued that:
To the extent that there is a need to increase compliance with and enforcement of the Act, this can easily be met by using the existing powers of the Privacy Commissioner to a greater extent.[79]
ALRC’s view
50.47 The framework of compliance-oriented regulation underpinning the Privacy Act should be considered when examining whether there should be further penalties added to the Act. As discussed in Chapter 45, a compliance-oriented approach to enforcement, which includes a focus on fostering compliance in the first instance, requires the presence of punitive sanctions to be effective. This is because ‘persuasive and compliance-oriented enforcement methods are more likely to work where they are backed up by the possibility of more severe methods’.[80] The existence of a strong penalty, by itself, can act as an incentive for compliance, as long as the regulated entity knows that the regulator will impose the penalty where appropriate.
50.48 Determinations are regarded by some as a ‘strong’ penalty, because they can involve a public declaration of breach and thereby contain an element of informal, negative publicity.[81] The ALRC notes, however, that according to the OPC’s determination policy, determinations are not necessarily going to be limited to the most serious cases, ‘nor will determinations issued by the Commissioner necessarily be punitive’.[82] This approach by the OPC is consistent with the ALRC’s recommendation to increase the number of determinations issued, by giving complainants and respondents the right to require the Commissioner to issue a determination in certain circumstances.[83]
50.49 The Attorney-General’s Department publication, A Guide to Framing Commonwealth Offences, Civil Penalties and Enforcement Powers (the Guide), states that it is important that civil penalties be used in appropriate and justifiable contexts.[84] The Guide provides that the inclusion of civil penalty provisions is most likely to be appropriate and effective where:
criminal punishment is not merited (for example, offences involving harm to a person or a serious danger to public safety should always result in a criminal punishment);
the penalty is sufficient to justify court proceedings; and
there is corporate wrongdoing.[85]
50.50 The inclusion of civil penalties in the Privacy Act is appropriate and justifiable by reference to each of the circumstances outlined above.[86] Criminal sanctions would be disproportionate to the level of harm caused by a serious or repeated interference with an individual’s privacy. Financial penalties are, however, likely to be effective against agencies and organisations by providing a strong incentive to comply with the Act.
50.51 Although the significance of determinations should not be underestimated, there is a need to strengthen the overall enforcement remedies available in the Privacy Act. Accordingly, the ALRC recommends that the Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.[87] The Privacy Commissioner should be empowered to bring proceedings for pecuniary penalties in the Federal Court, similar to the approach taken with the Australian Competition and Consumer Commission (ACCC) under the TPA.[88]
50.52 Consistently with the ALRC’s recommendation in Principled Regulation (ALRC 95), the ALRC recommends that the OPC develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty under the Privacy Act would be made.[89] Examples of a serious or repeated interference with the privacy of an individual could include where the matter involves: an apparent blatant disregard of the law; a history of previous contraventions of the law; significant public detriment; or a significant number of complaints.[90] Civil penalties may also be pursued where there is the potential for action to have a worthwhile educative or deterrent effect. The ALRC agrees with the OPC that a serious interference with privacy should include cases where a respondent breaches a notice to comply. Failure to notify the Commissioner of a data breach, as required by the Act, may also attract a civil penalty.[91]
50.53 Provision should also be made to allow for the Privacy Commissioner to accept an enforceable undertaking. An enforceable undertaking is essentially a promise enforceable in court. A breach of the undertaking is not contempt of court but, once the court has ordered the person to comply, a breach of that order is contempt.[92] Undertakings under s 87B of the TPA were introduced as an enforcement tool in 1993. Research undertaken for the ACCC in 2001 showed that undertakings were frequently used instead of court action, and often encompassed assurances by the offender to undertake a comprehensive compliance program. Undertakings also were made as part of the settlement of court proceedings.[93] Under the TPA provisions, undertakings may be published on the ACCC’s website. This approach both lends transparency to the process and serves an educative function.
50.54 Since 2005, the Australian Communications and Media Authority (ACMA) has accepted enforceable undertakings about matters concerning compliance with the Telecommunications Act 1997 (Cth). ACMA may accept undertakings
that a person will take specified action or refrain from taking specified action to comply with [the Act], or take action directed at avoiding contravention in the future.[94]
50.55 In ALRC 95, it was noted that regulators viewed enforceable undertakings as a success in terms of achieving compliance following a breach.[95] The Privacy Commissioner should be empowered, therefore, to accept an undertaking that an agency or organisation will take specified action to ensure compliance with the Privacy Act or other enactment under which the Commissioner has a power or function.
Recommendation 50-2 The Privacy Act should be amended to allow the Privacy Commissioner to seek a civil penalty in the Federal Court or Federal Magistrates Court where there is a serious or repeated interference with the privacy of an individual.
Recommendation 50-3 The Office of the Privacy Commissioner should develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty will be made.
Recommendation 50-4 The Privacy Act should be amended to empower the Privacy Commissioner to accept an undertaking that an agency or organisation will take specified action to ensure compliance with a requirement of the Privacy Act or other enactment under which the Commissioner has a power or function. Where an agency or organisation breaches such an undertaking, the Privacy Commissioner may apply to the Federal Court for an order directing the agency or organisation to comply, or any other order the court thinks appropriate.
[59] The model was first put forward in J Braithwaite, To Punish or Persuade: Enforcement of Coal Mine Safety (1985) and was further discussed in B Fisse and J Braithwaite, Corporations, Crime and Accountability (1993); C Dellit and B Fisse, ‘Civil and Criminal Liability Under Australian Securities Regulation; The Possibility of Strategic Enforcement’ in G Walker and B Fisse (eds), Securities Regulation in Australia and New Zealand (1994), 570.
[60] The ALRC recommends the repeal of these credit reporting offences: see Rec 59–9.
[61] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 6–22. The remedies are discussed in more detail at [6.180]–[6.205].
[62] See, for example, Australian Health Insurance Association, Submission PR 161, 31 January 2007.
[63] Australian Privacy Foundation, Submission PR 167, 2 February 2007. See also New South Wales Council for Civil Liberties Inc, Submission PR 156, 31 January 2007.
[64] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 132–133.
[65] Ibid, 133. This view also was expressed in a number of the ALRC’s consultations conducted during this Inquiry.
[66] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.
[67] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[68] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 46–2. See also Proposal 55–8, in relation to credit reporting.
[69] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[70] Administrative penalties in Australian law are sanctions imposed by a regulator, or by a regulator’s enforcement of legislation, without intervention by a court or tribunal.
[71] Law Council of Australia, Submission PR 527, 21 December 2007.
[72] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[73] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Lawyers Alliance, Submission PR 528, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australia Post, Submission PR 445, 10 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007.
[74] BUPA Australia Health, Submission PR 455, 7 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007. See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 46–2.
[75] Law Council of Australia, Submission PR 527, 21 December 2007.
[76] Smartnet, Submission PR 457, 11 December 2007.
[77] GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007.
[78] GE Money Australia, Submission PR 537, 21 December 2007.
[79] Confidential, Submission PR 536, 21 December 2007.
[80] C Parker, ‘Reinventing Regulation within the Corporation: Compliance Oriented Regulatory Innovation’ (2000) 32 Administration and Society 529, 539. See also J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science.
[81] Determinations are published, with the respondent’s name, at Office of the Privacy Commissioner, Complaint Case Notes, Summaries and Determinations (2007) <www.privacy.gov.au/act/casenotes/index.html> at 15 May 2008.
[82] Office of the Privacy Commissioner, ‘Commissioner’s Use of s 52 Determination Power’ (2006) 1(1) Privacy Matters 2, 2.
[83] See Rec 48–5.
[84] Australian Government Attorney-General’s Department, A Guide to Framing Commonwealth Offences, Civil Penalties and Enforcement Powers (2007), [7.2].
[85] Ibid, [7.2].
[86] The ALRC has also recommended that civil as well as criminal penalties be available under Part 13 of the Telecommunications Act 1997 (Cth). See Rec 71–3.
[87] See also Rec 59–9 which recommends the imposition of a civil penalty for breaches of the credit reporting provisions.
[88] Trade Practices Act 1974 (Cth) s 77.
[89] See Australian Law Reform Commission, Principled Regulation: Federal Civil & Administrative Penalties in Australia, ALRC 95 (2002), Rec 10–1.
[90] These factors are similar to the enforcement priorities of the ACCC: see Australian Competition and Consumer Commission, Section 87B of the Trade Practices Act: A Guideline on the Australian Competition and Consumer Commission’s Use of Enforceable Undertakings (1999), 2.
[91] See Rec 51–1.
[92] See, eg, Australian Securities and Investments Commission Act 2001 (Cth) ss 93A, 93AA.
[93] K Yeung, The Public Enforcement of Australian Competition Law (2001), 19–20.
[94] Telecommunications Act 1997 (Cth) Part 31A; Australian Communications and Media Authority, Guidelines for the Use of Enforceable Undertakings—Telecommunications Obligations (2006), 1.
[95] Australian Law Reform Commission, Principled Regulation: Federal Civil & Administrative Penalties in Australia, ALRC 95 (2002), 99.