Privacy Committee of the Business Law Section of the Law

Submission to Office of the Australian Privacy
Commissioner on the APP Guidelines 1-5
Law Council of Australia
Business Law Section
Privacy Committee
4 October 2013
Privacy Committee, Business Law Section
Law Council of Australia
Introduction
The Privacy Committee of the Business Law Section of the Law Council of Australia (the
Committee) is grateful for the opportunity afforded by the Office of the Australian Privacy
Commissioner to comment on Draft Guidelines to Australian Privacy Principles 1 to 5 (the Draft
Guidelines).
In general terms the Guidelines will provide some assistance to people in coming to understand
the requirements of the APPs contained in the amendments to the Privacy Act. However there
are a number of areas where there are some concerns.
The Committee makes a number of observations and recommendations in respect of the
following issues:
• The need for practical examples and alignment
• Meaning of carrying on business in Australia
• Meaning of use and disclosure
These are expanded on below.
Privacy Policies and Collection Statements
It may be useful if there were some more examples of a practical nature.
At paragraph 1.8 of the Draft Guidelines there is a statement as follows:
'…the policy should be written in a style and length that makes it easy to understand and
suitable for web publication',
and further at paragraph 1.9:
'The policy is not expected to contain the level of detail that may be recorded under
APP 1.2 about the practices, procedures and systems adopted to ensure APP
compliance. The policy is also not required to contain the same level of detail as a
collection notice provided to an individual under APP 5.1, which will provide more specific
information relevant to a particular collection of personal information from the individual.'
It is difficult to reconcile these statements or to reconcile them with the current practice in a
large number of organisations. It is important that the style and length should be appropriate to
make it easy to understand and that privacy policies should not be of undue length. However,
this is equally important for collection statements. It is very often necessary to make a collection
statement short so that it only contains the essential information, as otherwise it also will not be
read. The current practice in a large number of organisations is to give a short collection
statement setting out the most important information that a person should know and then to
reference the privacy policy, where the collection practices are expanded for those who wish to
obtain more detail.
The proposal contained in the Draft Guidelines appears to be the reverse of this and will not
achieve the objectives which the Privacy Commissioner wishes to obtain of providing a
consumer with easy access to understanding a particular organisation's practices in relation to
use and disclosure without it being obstructed by detail.
Other Issues
We refer to some other issues by reference to the paragraphs where they are contained in the
Draft Guidelines:
B.11
This relates to the definition of 'carrying on business in Australia'. The Draft Guidelines reflect
the Explanatory Memorandum when they say that:
'An APP entity that has an online presence (but no physical presence) in Australia, and
that collects personal information from individuals who are physically in Australia, "carries
on business in Australia or an external Territory" under s 5B(3)(b).'
B.107-9
This section relates to 'use'. We note that at B.109 it is stated that:
'A use may also include an entity providing personal information to a contractor (for
example, under a contract for information technology services, or mailing house services),
if the contractor only uses the information to perform a function of the contract, and under
the terms of a contract, the entity maintains control over the information.'
As a matter of clarification, is it correct that on this approach, where a person uses a cloud
service provider as a contractor merely to store information and that cloud service provider is
overseas, it would not be regarded by the Privacy Commissioner as an overseas disclosure
(with all that entails) and would only constitute a 'use' by the APP Entity? If this is the case it
should be spelt out as it will be important to determine what to put in a collection notice in a
privacy policy.
APP 5
APP 5 relates to the notification of collection of personal information and we have touched on
this above. We suggest that APP 5 does not pay a sufficient regard to the fact that very often it
will not be necessary to provide people with information because it will be self-evident. For
example, at paragraph 5.16 examples are given of the consequences that may result if a
person's personal information is not collected, one being that 'an individual cannot be notified of
the results of a competition they entered'. Including such a statement in a collection notice is
unnecessary verbiage as it is quite obvious what the result would be if the personal information
is not provided. There are many other cases where a person of normal intelligence would know
what the reasonable consequences would be of not providing information. Entities should not
be encouraged to provide unnecessary information in collection notices as it is contrary to the
principle of making statements and policies shorter, as it discourages consumers from reading
information which really is important.
Meaning of “carries on business in Australia”
The Draft Guideline as to when an organisation “carries on business in Australia” is wrong in
law, and one would be acting in error if you exercised powers under the Act on the basis that a
foreign organisation with no physical presence in Australia carried on business in Australia
merely because that organisation collected personal information from individuals who were
physically present in Australia.
Paragraph B.11 of the Draft Guidelines states the following:
“An APP entity that has an online presence (but no physical presence) in Australia, and
that collects personal information from individuals who are physically in Australia, ‘carries
on business in Australia or an external Territory’ under s 5B(3)(b).”
The Draft Guidelines cite the Explanatory Memorandum as authority for this proposition.
However, for the reasons set out below, it is in the Committee's opinion inappropriate to have
regard to the text of the Explanatory Memorandum, let alone to adopt the statement contained
in the Explanatory Memorandum, when interpreting the phrase “carries on business in
Australia”.
Established meaning of the phrase “carries on business in Australia”
The phrase “carries on business in Australia” is not defined in the Act. However, it is a concept
that is relevant to a number of areas of Australian law. Numerous decisions of the courts have
made authoritative statements as to its meaning. In Luckins v Highway Motel (Carnarvon) Pty
Ltd (1975) 133 CLR 164 the High Court held that whether an organisation is “carrying on
business” in Australia is a question of fact. It will depend on a close analysis of the nature of the
enterprise conducted by the organisation, and the location of the actors undertaking the relevant
activities.
In Campbell v Gebo Investments (Labuan) Ltd (2005) 190 FLR 209; [2005] NSWSC 544
Barrett J considered the question:
“whether physical acts outside Australia which result in business communication with
persons in Australia are, by reason of the territorial quality of the receipt of the
communication, properly regarded as carrying on business in Australia. The question
applies equally to a situation where a person outside Australia telephones persons in
Australia or sends a messages by post or email to persons in Australia and, as a result of
those acts performed by the person outside Australia, receives responses which amount
to or lead to transactions forming part of some undoubted business activity”
His Honour concluded:
“Case law makes it clear that the territorial concept of carrying on business involves acts
within the relevant territory that amount to or are ancillary to transactions that make up or
support the business. …
Advances in technology making it possible for material uploaded on to the Internet in
some place unknown to be accessed with ease by anyone in Australia with Internet
facilities who wishes (or chances) to access it cannot be seen as having carried with them
any alteration of principles as to the place of carrying on business developed at times
when such communication was unknown. It has never been suggested that someone
who by, say, letters posted in another country and addressed to recipients in Australia,
seeks to interest those persons in business transactions to be entered into in the other
country and in fact succeeds in concluding such transactions with some of them thereby
carries on business in Australia, even though, depending on precise circumstances, the
solicitation may contravene some other Australian law. There is a need for some physical
activity in Australia through human instrumentalities, being activity that itself forms part of
the course of conducting business.”
It can be seen at once that the statement in paragraph B.11 of the Draft Guidelines is
inconsistent with the established meaning of the phrase “carries on business in Australia”, in
particular in its application to online businesses with no physical presence in Australia.
The proper role of the Explanatory Memorandum – Acts Interpretation Act
Under section 15AB of the Acts Interpretation Act 1901 (Cth), when interpreting a provision of
an Act consideration may be given to the content of an Explanatory Memorandum:
(a) to confirm that the meaning of the provision is the ordinary meaning conveyed by the
text of the provision; or
(b) to determine the meaning of the provision when:
(i) the provision is ambiguous or obscure; or
(ii) the ordinary meaning conveyed by the text of the provision taking into account its
context in the Act and the purpose or object underlying the Act leads to a result that is
manifestly absurd or is unreasonable.
Clearly, paragraph (a) above does not apply – the content of the Explanatory Memorandum is
contrary to the ordinary meaning of the phrase “carries on business in Australia”.
Accordingly, in order to give consideration to the content of the Explanatory Memorandum it
would be necessary to conclude that one or both of the following applies:
(c) the phrase “carries on business in Australia” is ambiguous or obscure; or
(d) it would be manifestly absurd or unreasonable if the Act did not apply extra-territorially to
organisations with no physical presence in Australia who collect personal information
from individuals located in Australia.
The concept of whether an organisation carries on business within a jurisdiction is one with a
lengthy history in the general law. Whilst there may be occasions on which reasonable minds
may differ as to whether an organisation has carried on business in Australia in particular
circumstances, the principles are well understood. In my view the concept is neither ambiguous
nor obscure.
The ordinary meaning conveyed by the phrase “carries on business in Australia” leads to the
result that foreign organisations with no physical presence in Australia will not be liable for
conduct in breach of the requirements of the APPs in respect of personal information they
collect from individuals in Australia unless those foreign organisations undertake some physical
activity in Australia through human instrumentalities, being activity that itself forms part of the
course of conducting business. Properly understood, that has been the result of the operation
of the Privacy Act since section 5B was introduced in 2000. The Privacy Commissioner
appears to have recognised this position in a number of case notes on investigations involving
foreign organisations.1 The Australian Law Reform Commission in their review of the Privacy
Act did not recommend the extension or clarification of the concept of carrying on business in
Australia. Rather, the ALRC explained that:
“The purpose of s 5B is to stop organisations avoiding their obligations under the Act by
transferring the handling of personal information to countries with lower privacy protection
standards”2
That purpose is fulfilled by interpreting the phrase “carries on business in Australia” according to
its ordinary meaning. In my view, the result of adopting the ordinary meaning is not manifestly
absurd nor unreasonable.
1 For example, Own-motion investigation reports into Dell Australia and Epsilon, and Sony
Playstation/Qriocity, both of which contain statements about jurisdictional issues.
2 ALRC, For Your Information, Vol 2, para 31.72.
For these reasons, I submit that s15AB of the Acts Interpretation Act does not permit you to
adopt the comments contained in the Explanatory Memorandum when interpreting the phrase
“carries on business in Australia”.
Meaning of “disclosure”
The Draft Guidelines fail to address decisions of the courts in a series of cases interpreting the
meaning of the verb “disclose” or the noun “disclosure”, particularly in information law cases.
The general definition proposed in paragraph B48 of the draft guidelines has never been
contemplated in any of the relevant court decisions as a possible meaning of “disclosure”.
Some of the examples in paragraph B50 do not involve any communication of information by
one party to another and could not ever constitute a “disclosure”. The guidelines should be
amended so as to reflect the orthodox understanding of the concept of “disclosure”.
Courts have generally, but not invariably, held that the essence of disclosure of information is
making known to a person information that the person to whom the disclosure is made did not
previously know
In Nasr v State of New South Wales [2007] NSWCA 101; (2007) 170 A Crim R 78, Campbell JA
(with whom Beazley and Hodgson JJA agreed) said at [127]:
"The essence of disclosure of information is making known to a person information that
the person to whom the disclosure is made did not previously know: R v Skeen &
Freeman [1859] EngR 90; (1859) Bell 97; 169 ER 1182 ("uncovering ... discovering ...
revealing ... imparting of what was secret ... [or] telling that which had been concealed");
Foster v Federal Commissioner of Taxation (1951) 82 CLR 606 at 614-5 ("... a statement
of fact by way of disclosure so as to reveal or make apparent that which (so far as the
"discloser" knows) was previously unknown to the person to whom the statement was
made"); R v Gidlow [1983] 2 Qd R 557 at 559 ("telling that which has been kept
concealed"); Dun & Bradstreet (Australia) Pty Ltd v Lyle (1977) 15 SASR 297 at 299; A-G
v Associated Newspapers Ltd [1994] UKHL 1; [1994] 2 AC 238 at 248 ("to open up to the
knowledge of others"); Real Estate Opportunities Limited v Aberdeen Asset Managers
Jersey Limited [2007] EWCA Civ 197 at [78] ("the revelation of information for the first
time")."
The case of Nasr relevantly involved information about old convictions which had become spent
convictions by the time that an officer at a local court provided a copy of the relevant charge
sheet to a solicitor with carriage of a separate prosecution against Mr Nasr. Mr Nasr argued
that the provision of the information by the court officer to the solicitor contravened section 13 of
the Criminal Records Act 1991 (NSW) which provided that:
“A person who has access to records of convictions kept by or on behalf of a public
authority and who, without lawful authority, discloses to any other person any information
concerning a spent conviction is guilty of an offence.”
In the Court of Appeal, it was held that Mr Nasr had not discharged his onus to establish to the
civil standard of proof that there had been a contravention of section 13. This was because
there was no evidence before the court of the knowledge that the solicitor who received the
charge sheet had about the old convictions at the time the sheet was provided to her. To the
contrary, it was clear that the solicitor knew enough about Mr Nasr’s past to request a copy of
the charge sheet. Accordingly, there was no proof that the court officer had “disclosed”
information concerning a spent conviction to the solicitor. The Court of Appeal held that
“disclose” in section 18 of the Privacy and Personal Information Protection Act 1998 (NSW) –
the equivalent in NSW privacy legislation to NPP 2 and APP 6 - was used in the same sense.3
The NSW Administrative Decisions Tribunal – the tribunal with primary jurisdiction to determine
proceedings under the NSW privacy legislation – is bound by, and has followed, the decision in
Nasr as to the meaning of “disclose” in a series of decisions under the NSW privacy legislation.4
In the context of the New Zealand Privacy Act, the New Zealand Court of Appeal appears to
have assumed the correctness of an argument by ANZ National Bank that personal information
had not been “disclosed” to the bank by an insurer to the extent that information had originally
been collected by bank staff before being communicated by the bank to the insurer.5
Whilst the decision in Nasr reflects the ordinary meaning adopted by the courts of the word
“disclose” in a variety of different statutory contexts, not all court decisions involving the
meaning of the word “disclose” have reached the same conclusion. Notably, it has been held
that “disclose” does not have this meaning in the context of the Bankruptcy Act 1966 (Cth)
which, by s 269, provided that it was an offence for an undischarged bankrupt to carry on
business in the name of a partnership ‘without disclosing to every person with whom ... the
partnership deals, his or her true name and the fact that he or she is an undischarged
bankrupt’6. In that case, Ms Scott was an undischarged bankrupt carrying on business in the
name of a partnership. She appealed from a conviction against s 269 by arguing that it was
necessary for the prosecution to establish that a credit provider who extended credit to the
partnership did not know that she was an undischarged bankrupt. Doyle CJ said:
“Section 269 is intended to protect persons dealing with an undischarged bankrupt. That
will best be achieved if the bankrupt must disclose that status on the occasion of each
relevant dealing. Otherwise, the person who forgets that a person is an undischarged
bankrupt, or assumes from silence that the bankruptcy has terminated, is at risk. It is
sensible to require the bankrupt to leave nothing to chance. It is reasonable not to rest
the obligation upon the bankrupt’s belief about the need to convey the information. In my
opinion to require a bankrupt to tell a person what that person already knows — that the
informant is an undischarged bankrupt — is not to impose an empty ritual. It is to ensure,
at the risk of needless repetition on occasions, that the credit provider is told or reminded
of a most material fact. ... I conclude that the section requires the bankrupt to tell the other
party of his or her status on the occasion of each relevant transaction. That obligation is
imposed and exists even though the credit provider knows that the other party is an
undischarged bankrupt.”
This conclusion rests on the purpose of the bankruptcy law (that is, the mischief the offence was
intended to protect against).
3 Nasr v State of New South Wales [2007] NSWCA 101; (2007) 170 A Crim R 78 at [132].
4 These include AIF v The University of Western Sydney [2013] NSWADT 20; PN v Department of
Education and Training [2009] NSWADT 287; RL v Department of Education and Training [2009]
NSWADT 257; ZR v NSW Department of Education and Training [2009] NSWADT 84; Nasr has also
been followed by the Appeal Panel of the ADT when interpreting s29(3) of the Security Industry Act 1997
(NSW), which provides that “In determining an application for a review of any decision to refuse to grant a
licence or to revoke a licence that was made on the ground of the applicant not being a fit and proper
person, the Administrative Decisions Tribunal: (a) is to ensure that it does not, in the reasons for its
decision or otherwise, disclose the existence or content of any criminal intelligence report or other
criminal information … without the approval of the Commissioner”: AVS Group Australia Pty Ltd v
Commissioner of Police, New South Wales Police Force (GD) [2010] NSWADTAP 26
5 ANZ National Bank Ltd v Tower Insurance Ltd [2010] NZCA 267 at [152] to [155]. However,
because not all relevant information in the possession of the bank had originally been collected by bank
staff, it was not necessary to determine the issue.
6 R v Glenys Ruth Scott (1996) 131 FLR 137
The other example of a decision maker adopting a broader meaning of the verb “disclose” is the
decision of Deputy President Forgie of the Administrative Appeals Tribunal in Pratt
Consolidated Holdings Pty Ltd and Commissioner of Taxation [2011] AATA 907, where it was
decided that to “disclose” information meant to “allow (something hidden) to be seen”. Deputy
President Forgie considered the approach taken in Nasr and decided that in the context of a
statutory prohibition against the disclosure of “protected information” by a taxation officer the
statutory provision in issue used the term “disclose” more broadly.
The Draft Guidelines should refer to the accepted meanings of “disclosure”
Of course, unlike the NSW Administrative Decisions Tribunal, the Commissioner is not bound to
follow the decision of the NSW Court of Appeal in Nasr. However given that Nasr decided the
meaning of “disclosure” for the purposes of NSW privacy legislation, which implements
concepts that are very similar to those found in the NPPs and APPs, the decision should be
considered by any court exercising jurisdiction under the Privacy Act called upon to determine
whether there had been a “disclosure” of information in contravention of an APP. Accordingly,
an administrative decision maker such as the Commissioner should also have regard to the
decision. It is therefore surprising that the draft guidelines fail to refer to the approach taken by
the NSW Court of Appeal in Nasr or to the alternative approach taken by the AAT in the Pratt
decision.7
The draft guidelines should be amended so as to refer to the accepted meanings of
“disclosure”. If the Commissioner considers that the decision in Nasr should not be followed
when interpreting the APPs, the Commissioner’s rationale for adopting that approach should be
explained so that APP entities are aware that the Commissioner’s approach is different from
that adopted by the NSW courts under the NSW privacy legislation.
Some of the examples of “disclosures” are plainly wrong.
Paragraph B50 of the Draft Guidelines lists four examples of conduct which the Commissioner
considers would be “disclosures”. Two of those examples do not involve any communication of
information by the APP entity to another person. Putting to one side the question of the
necessary state of knowledge of a recipient of information, it is fundamental to the concept of a
disclosure that someone has received the information in question.
The two objectionable examples are as follows:
“an APP entity publishes personal information on the internet and the information is
accessible to other entities (even if not actually collected by another entity) …
an APP entity does not take reasonable steps to ensure the security of personal
information as required by APP 11 … resulting in accessibility of that information to others
outside the entity”
In the first of these examples the text in parentheses reveals the erroneous approach. If it was
the case that no-one ever viewed the information that was published on the internet, there could
be no “disclosure”. It would be no different to printing the information on a piece of paper which
was never subsequently seen by anyone. Of course, the likelihood of that occurring is remote,
and the Commissioner could justifiably infer that information published on the internet has
actually been communicated to one or more persons. If it ever became contentious as to
whether someone had viewed the information on the internet, the Commissioner has powers to
gather information – such as logs maintained by servers – to investigate the veracity of an
assertion by an APP entity that no-one ever saw the information. Assuming that communication
of the information published on the internet would involve a breach of APP 6 if someone actually
viewed the information, the mere publication of the information (in the absence of an actual
disclosure) is likely to contravene APP 11 (the security principle) in that it would be evidence of
a failure to take reasonable steps to protect the information from unauthorised access or
disclosure.
7 This debate over the meaning of “disclose” in Australian privacy law is over 10 years old – see
Gunning “Central features of Australia’s private sector privacy law” (2001) 7 PLPR 189 and Greenleaf
“Key concepts undermining the NPPs — a second opinion” (2001) 8 PLPR 1. Gunning suggested that
the courts would adopt the approach ultimately adopted in Nasr. Greenleaf suggested that a broader
meaning was appropriate, and that the knowledge of the recipient was not relevant to whether there was
a disclosure of information. However, Greenleaf advocated that the (then) draft guidelines on the NPPs
acknowledge the authority of decisions against his view.
The second example suffers from the same error. Simply because it is possible that others
outside the entity might obtain access to the information does not mean that there has actually
been a disclosure of the information to anyone. Obviously such a disclosure would be a real
possibility or risk. But it is clearly wrong to state that every breach of the security principle that
results in information being accessible to others outside the APP entity necessarily involves a
“disclosure” of that information.
Conclusions
We would welcome an opportunity to discuss this with you and the Office in more detail.