AustLII Home | Databases | WorldLII | Search | Feedback

Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests
You are here:  AustLII >> Databases >> Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests >> 2024 >> [2024] AUSStaCSBSD 204

Database Search | Name Search | Recent Documents | Noteup | LawCite | Download | Help

Privacy and Other Legislation Amendment Bill 2024 - Initial Scrutiny [2024] AUSStaCSBSD 204 (9 October 2024)

Privacy and Other Legislation Amendment Bill 2024[172]

Purpose
The bill seeks to amend multiple Acts, primarily the Privacy Act 1988 (the Privacy Act), to introduce new measures, powers, definitions and penalties related to privacy. The bill also seeks to introduce a new tort of serious invasion of privacy and a new criminal offence for the release of personal data using carriage services (known as ‘doxxing’).
Portfolio
Attorney-General
Introduced
House of Representatives on 12 September 2024
Bill status
Before the House of Representatives

Exemption from disallowance[173]

1.143 The bill seeks to enable the minister to direct the Information Commissioner (the Commissioner) to develop a temporary Australian Privacy Principle code (APP code) if the minister is satisfied that it is in the public interest for the code to be developed, for the Commissioner to develop the code, and that the code should be developed urgently.[174] It also provides that while such a code is a legislative instrument, it would not be subject to disallowance.[175]

1.144 The Privacy Act 1988 (Privacy Act) already provides that the Prime Minister or the minister may make declarations relating to events of national significance or events outside of Australia.[176] The effect of such a declaration is that certain privacy protections in the Privacy Act do not apply. Currently those declarations are not legislative instruments. The bill amends the existing provisions to provide that these declarations are legislative instruments, and they are exempt from disallowance.[177]

1.145 The committee notes that disallowance is the primary means by which the Parliament exercises control over the legislative power that it has delegated to the Executive. Exempting an instrument from disallowance therefore has significant implications for parliamentary scrutiny. In June 2021, the Senate acknowledged these implications and resolved that delegated legislation should be subject to disallowance unless exceptional circumstances can be shown which would justify an exemption. In addition, the Senate resolved that any claim that circumstances justify an exemption will be subject to rigorous scrutiny, with the expectation that the claim will only be justified in rare cases.[178]

1.146 The Senate’s resolution is consistent with concerns about the inappropriate exemption of delegated legislation from disallowance expressed by this committee in its review of the Biosecurity Act 2015[179], and by the Senate Standing Committee for the Scrutiny of Delegated Legislation in its inquiry into the exemption of delegated legislation from parliamentary oversight.[180]

1.147 In light of these comments and the resolution of the Senate, the committee expects that any exemption of delegated legislation from the usual disallowance process should be fully justified in the explanatory memorandum. This justification should include an explanation of the exceptional circumstances that are said to justify the exemption and how they apply to the circumstances of the provision in question.

1.148 The explanatory memorandum states, in relation to the exemption from disallowance for a temporary APP code, that:

[i]t is necessary to exempt the instrument from disallowance to ensure that decisive action can be taken in urgent situations or where circumstances are rapidly evolving. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the temporary APP code. Without an exemption, entities may be discouraged from meeting temporary APP code requirements, and not set up new processes or systems or change their practices until the disallowance period has concluded.[181]

1.149 The explanatory memorandum proceeds to list safeguards provided in lieu of disallowance, including that the temporary APP code would be developed by the Commissioner who has expertise in the field, the minister would need to be satisfied that it is in the public interest for the development of the code, and that the code would be in force for no longer than 12 months.

1.150 In relation to the emergency declaration, the explanatory memorandum provides a similar explanation noting:

It is necessary to exempt the instruments from disallowance to ensure that decisive action can be taken during an emergency or disaster. This would establish an immediate, clear and certain legal basis for entities to handle personal information in accordance with the emergency declaration. Without an exemption, entities may be discouraged from disclosing information where this may be time critical to prevent harm or render assistance to individuals at risk of harm.[182]

1.151 While the committee acknowledges the necessity of an immediate, clear and certain legal basis for entities to know their obligations, the committee considers this is achievable while allowing parliamentary oversight. The committee notes that a legislative instrument has effect from the day of commencement, which may be the day of registration, thereby establishing an immediate legal basis, and will continue to have effect unless it is disallowed within the disallowance period. The committee does not consider the need for certainty in this context to be an indication of exceptional circumstances that warrant an exemption from disallowance. The committee also notes the point made by the Senate Standing Committee for the Scrutiny of Delegated Legislation in its final report into the exemption of delegated legislation from parliamentary oversight:

A well-formed instrument that is made according to its enabling legislation and enjoys broad support will not be disallowed, and is thus unlikely to manifest any of the consequences suggested by departments. Many rationales that point to the possibility of negative outcomes call for such a significant stretch to the credulity of the Parliament that they cannot be seriously considered.[183]

1.152 Further, the committee notes that other legislative instruments within the Privacy Act have succeeded in establishing legislative certainty despite being subject to disallowance, such as the APP and Credit Reporting codes included on the Codes Register.[184]

1.153 The committee therefore draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of exempting temporary Australian Privacy Principle codes and emergency declarations from disallowance.

1.154 The committee also draws these provisions to the attention of the Senate Standing Committee for the Scrutiny of Delegated Legislation.

Reversal of the evidential burden of proof[185]

1.155 Currently, the Privacy Act provides that a person (the first person) commits an offence[186] if they disclose information provided to them about an individual to another person and they (the first person) are not a responsible person for the individual whose information they have disclosed.[187]

1.156 The bill seeks to include new offence-specific defences which provide that the offence in subsection 80Q(1) does not apply if:

• a disclosure is for the purposes of carrying out a State’s constitutional functions, powers or duties; and

• a disclosure is for the purposes of obtaining or providing legal advice in relation to the operation of Part VIA.[188]

1.157 A note to this subsection confirms that these offence-specific defences reverse the evidential burden of proof.

1.158 Additionally, the bill seeks to insert a new offence into the Privacy Act with similar offence-specific defences which reverse the evidential burden of proof.[189] The offence would occur when a person discloses personal information that relates to an individual that was disclosed to the first person under specified provisions of the bill.

1.159 However, the offence does not apply to a number of disclosures, including the disclosures listed above as well as disclosures to an individual, a court, to the person whom the information relates and more.[190]

1.160 At common law, it is ordinarily the duty of the prosecution to prove all elements of an offence. This is an important aspect of the right to be presumed innocent until proven guilty. Provisions that reverse the burden of proof and require a defendant to disprove, or raise evidence to disprove, one or more elements of an offence, interferes with this common law right.

1.161 The committee expects any such reversal of the evidential burden of proof to be justified and for the explanatory memorandum to address whether the approach taken is consistent with the Attorney-General’s Department’s Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers which states that a matter should only be included in an offence-specific defence (as opposed to being specified as an element of the offence) where:

• it is peculiarly within the knowledge of the defendant; and

• it would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish the matter.[191]

1.162 In this instance, the explanatory memorandum does not provide any justification as to why it is appropriate to reverse the evidential burden of proof in relation to proposed paragraphs 80Q2(b) and (ba). The explanatory memorandum does briefly state, in relation to proposed subsection 26XC(2), that:

[i]t is appropriate for the defendant to bear the onus of proving these matters as they are matters that, by their nature, are peculiarly within the knowledge of the defendant.[192]

1.163 The committee does not consider, with specific exception,[193] that the proposed matters for both offences are peculiarly within the defendant’s knowledge. For example, whether or not a disclosure was for the purposes of carrying out a State’s constitutional functions, powers or duties is not, in the committee’s view, a matter peculiarly within the defendant’s knowledge.

1.164 The committee considers that where a provision reverses the burden of the proof the explanatory memorandum should explicitly address relevant principles as set out in the Attorney-General’s Department’s Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers.[194]

1.165 The committee requests that an addendum to the explanatory memorandum containing a justification of these reverse burden provisions be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation.[195]

1.166 The committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of reversing the evidential burden of proof in relation to the defences and exceptions in the provisions detailed above.

Significant matters in delegated legislation[196]

1.167 Part 6 of Schedule 1 to the bill seeks to amend the Privacy Act to introduce new exceptions for Australian Privacy Principle entities (APP entities) in assessing overseas recipients prior to releasing personal information to said recipients.

1.168 Currently, the Privacy Act requires an APP entity to:

...take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.[197]

1.169 The amendments introduced via the bill would allow for APP entities to not take reasonable steps when the minister is satisfied the laws of the country, in which the personal information will be disclosed to, or a binding scheme, have an effect which is, overall, similar to the Australian Privacy Principles. Additionally, the minister must also be satisfied that there are mechanisms which individuals are able to access to enforce the protection of their personal information.[198]

1.170 However, item 38 of the bill[199] informs that countries, binding schemes, and conditions which exempt countries or binding schemes from being scrutinised prior to the disclosure of personal information, will be prescribed by the regulations.

1.171 The committee's view is that significant matters should be included in primary legislation unless a sound justification for the use of delegated legislation is provided. While the committee is accepting of listed countries or binding schemes being prescribed by the regulations, as these may change from time to time outside the control or remit of the executive, it is unclear to the committee why conditions which exempt countries or binding schemes from regard are prescribed by the regulations. These conditions would not, in the committee’s view, be subject to frequent variability due to their need to reflect the Australian Privacy Principles.

1.172 The committee expects the explanatory memorandum to provide a sound justification for the use of delegated legislation. However, in this instance, the explanatory memorandum states:

[t]he purpose of these items is to reduce the burden on APP entities in assessing whether an overseas recipient is subject to a substantially similar framework under APP 8.2(a), and help establish Australia as a trusted trading partner and support Australian businesses to compete more effectively in international markets.[200]

1.173 The committee does not consider that this provides an explanation for the use of delegated legislation in prescribing conditions which are better suited for inclusion in primary legislation.

1.174 The committee requests that an addendum to the explanatory memorandum containing a justification for the inclusion of significant matters in delegated legislation be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation.[201]

1.175 The committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of including significant matters in delegated legislation.

1.176 The committee also draws these provisions to the attention of the Senate Standing Committee for the Scrutiny of Delegated Legislation.

[172] This entry can be cited as: Senate Standing Committee for the Scrutiny of Bills, Privacy and Other Legislation Amendment Bill 2024, Scrutiny Digest 13 of 2024; [2024] AUSStaCSBSD 204.

[173] Schedule 1, item 5, proposed subsection 26GB(8), item 10, item 12 and item 43, proposed section 26X. The committee draws senators’ attention to these provisions pursuant to Senate standing order 24(1)(a)(iv).

[174] Schedule 1, item 5, proposed subsection 26GB(1).

[175] Schedule 1, item 5, proposed subsection 26GB(8).

[176] Privacy Act 1988, sections 80J and 80K.

[177] Schedule 1, items 10 and 12.

[178] Senate resolution 53B. See Journals of the Senate, No. 101, 16 June 2021, pp. 3581–3582.

[179] See Chapter 4 of the Senate Standing Committee for the Scrutiny of Bills, Review of exemption from disallowance provisions in the Biosecurity Act 2015: Scrutiny Digest 7 of 2021 (12 May 2021) pp. 33–44; and Scrutiny Digest 1 of 2022 (4 February 2022) pp. 76–86.

[180] Senate Standing Committee for the Scrutiny of Delegated Legislation, Inquiry into the exemption of delegated legislation from parliamentary oversight: Interim report (2 December 2020); and Inquiry into the exemption of delegated legislation from parliamentary oversight: Final report (16 March 2021).

[181] Explanatory memorandum, pp. 34–35.

[182] Explanatory memorandum, pp. 35–36 & 48–49.

[183] Senate Standing Committee for the Scrutiny of Delegated Legislation, Inquiry into the exemption of delegated legislation from parliamentary oversight: final report (16 March 2021) p. 109.

[184] Privacy Act 1988, sections 26A, 26M and 26U.

[185] Schedule 1, item 28, proposed paragraphs 80Q(2)(b), 80Q(2)(ba) and item 43, proposed subsection 26XC(2). The committee draws senators’ attention to these provisions pursuant to Senate standing order 24(1)(a)(i).

[186] Subsection 80Q(1).

[187] See section 6AA of the Privacy Act 1988 for the definition of a responsible person.

[188] Schedule 1, item 28, proposed paragraphs 80Q(2)(b) and (ba).

[189] Schedule 1, item 43, subdivision C, proposed section 26XC.

[190] Schedule 1, item 43, subdivision C, proposed subsection 26XC(2).

[191] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers (May 2024) p. 48.

[192] Explanatory memorandum, p. 51.

[193] See proposed paragraphs 80Q(2)(ba), 26XC(2)(c) and (e).

[194] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers (May 2024) p. 48.

[195] See Acts Interpretation Act 1901, section 15AB.

[196] Schedule 1, part 6, items 36, 37 and 38. The committee draws senators’ attention to this provision pursuant to Senate standing order 24(1)(a)(iv).

[197] Australian Privacy Principle 8.1

[198] Schedule 1, part 6, item 36, proposed subsection 100(1A).

[199] Australian Privacy Principle proposed subprinciple 8.3.

[200] Explanatory memorandum, p. 44.

[201] See Acts Interpretation Act 1901, section 15AB.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2024/204.html