We all have greater rights to privacy under laws that took effect last week, a change greeted with media fanfare as a victory for the individual against telemarketers and intrusive companies. But Crikey has found the new laws may not be all they seem.

The change comes via a new set of Australian Privacy Principles (APPs), which give greater rights to privacy in relation to personal information — who collects it and what they can use it for. Sounds good; you could use the APPs to stop unwanted marketing or find out what Centrelink or Telstra has on file about you. The laws apply to all federal government agencies and all medium and large businesses. The Privacy Commissioner can fine agencies that don’t obey.

The problem is the laws may prove unwieldy and unenforceable. This Crikey reporter tried to use some of the APPs, with no success.

And it was difficult to find someone who could explain what the APPs meant in practice and how to use them. It took 20 phone calls to eight people to find someone who was across them.

“It’s a lovely facade, but what is it actually going to mean?” asked Bruce Arnold, privacy expert and assistant professor in law at the University of Canberra. He likened the new APPs to the famed Potemkin villages of imperial Russia: they look fantastic, but they might be made of cardboard.

So here’s a guide to the most important APPs and how you can use them. They’ve been added to the existing Commonwealth Privacy Act. “Agency” refers to a government agency, or firm with a turnover of $3 million-plus a year. These laws do not apply to state or local governments.

Agencies must have an accessible, up-to-date privacy policy.

You may have been contacted by a corporation saying it has updated its privacy policy. This is why (APP 1). If the policy is not there on the website, complain. Crikey‘s is on the home page.

An agency can only collect personal information in certain circumstances.

The gist here is consent — a consumer should know what information is being collected and what will happen to that information. Arnold says this is heading down the best-practice European path. “They need to tell you that they’re collecting the information,” he said. But watch out — the agency might tell you that in the fine print.

There are restrictions on what an agency can do with your information (read APPs 3 and 6). Arnold says the key is the agency must use the information for the purposes for which it was sought. For example, it might provide an optional tick-box saying “can we provide this information to marketing firms?”.

There are restrictions on direct marketing.

An agency must meet certain conditions to use your personal information for direct marketing. Privacy Commissioner Timothy Pilgrim says companies have to provide easy opt-out mechanisms for direct marketing and tell you how your private details were obtained. He told SBS:

“People will now be able to ask when they’re contacted by someone who’s direct marketing to them, ‘how did you get my information and where did you get it from?’ … If they find that it’s been provided by a company that sells lists of people, they can then contact that organisation and say, ‘I want you to take me off that list’.”

Sounds good, but Arnold says existing laws — the Spam Act, the Do Not Call Act — are more powerful and more likely to be useful. This APP (No. 7) seems to be aimed at direct mail and mail order spam, while people might be more bothered with e-spam and cold calling.

There are restrictions on sending your personal information overseas.

Let’s say an Australian company wants to forward your details to its call centre in the Philippines, or an overseas marketing company. APP 8 says the company is supposed to ensure the overseas body will not do the wrong thing. This is a big issue because banks, telcos, laws firms, marketers and publishers are increasingly using offshore services. But Arnold says there’s a question around whether this new law will make a difference.

“There’s really a need to rethink privacy, to make it anew.”

An agency must be careful with your personal information.

They’re supposed to take certain steps to avoid your personal information being misused, lost or hacked — e.g. a Telstra data breach. The issue is there are still no remedies — you can’t sue an agency that does the wrong thing. “There’s no teeth” to APP 11, Arnold said.

You have the right to access your personal information.

This could be very useful. You can ask an entity for the personal information it has about you, and it must respond within a “reasonable period”, which seems to be 30 days. There are some exceptions, but the agency has to tell you which exception it’s claiming. It can charge you for the information.

So you can ask Telstra or Westpac what information it has about your credit rating, or ask Coles about what Flybuys information it holds on you. You can ask Centrelink what it has on your file. Arnold says APP 12 is “good, and it’s common sense”.

Crikey tried this law out and found it’s tricky. I called the Commonwealth Bank to ask what was on my record. The call centre asked for my personal details, then for my account number for a closed account, which I don’t have. The representative couldn’t tell me anything, and told me to take photo ID into a branch and try that. I tried a Telstra representative, who also asked for all my personal details, then for my account number, which I didn’t have. Without that they couldn’t help. Similarly, I tried to obtain a free copy of my personal credit rating, as I’m entitled to every year under law. But after providing a very elaborate password, answering three security questions and providing all my previous addresses and the dates I lived there, the ratings agency said those details did not work and it could not process my application. Choice has a guide to ratings agencies, but it doesn’t seem easy to get a free credit rating.

Arnold says these experiences are not uncommon and it’s not easy to make the laws work. He says consumers will have to “jump through hoops” to access personal information, and might have to physically visit an office.

To summarise these new APPs, Arnold says they will help, but “it’s not going to be quite as golden as the current promo campaign”. He suggests there is some uncertainty within government about how the system will work and whether people will use it. And Arnold raises questions around whether the Office of the Privacy Commissioner has the staff or the will to enforce these laws. “Would they actually come along with the big stick?” he asked.

These APPs are part of the former federal Labor government’s response to a mammoth 2008 report by the Australian Law Reform Commission. The gist of the 74 chapters was that privacy protection should generally take precedence over other interests, and should be boosted. Matthew Rimmer, from the ANU’s college of law, says the APPs are useful but do not go far enough. They focus solely on “information privacy”, Rimmer says, but people are more concerned about phone hacking by media agencies, NSA-style mass surveillance, and genetic privacy (in the face of biotech advances). The APPs don’t really help face those threats.

“Privacy seems so fragile at the moment … There’s really a need to rethink privacy, to make it anew,” Rimmer told Crikey. Rimmer says a problem with the APPs is they don’t give individuals a course of action in cases of a serious breach of privacy; people can’t seek damages or force an apology.

Crikey asked the Privacy Commissioner’s office for an interview to explain the new APPs four times, but a spokeswoman said the office was too busy.

Peter Fray

Fetch your first 12 weeks for $12

What a year. Here at Crikey, we saw a mighty surge in subscribers throughout 2020. Your support has been nothing short of amazing — we couldn’t have got through this year like no other without you, our readers.

If you haven’t joined us yet, fetch your first 12 weeks for $12 and start 2021 with the journalism you need to navigate whatever lies ahead.

Peter Fray
Editor-in-chief of Crikey