Will Australia's privacy overhaul be dumped?

Privacy advocates fear that the long-awaited overhaul to Australia's 20 year old Privacy Act will die before it ever sees the light of day.

In May, the Australian Law Reform Commission (ALRC), headed up by Privacy Commissioner Leslie McCrimmon, will submit its recommendations for the overhaul of Australia's 1988 Privacy Act to the Attorney General's Department.

The recommendations will be based on findings from Discussion Paper (DP) 72, the ALRC's Review of Australian Privacy Law, which will not be publicly available until the Attorney General Robert McClelland tables the document in parliament — a process that could take months.

If implemented according to findings in DP 72, organisations could face national regulations which force them to report data breaches to affected customers, similar to laws already in place in the US.

Victims of identity theft would also be able to report such occurrences to credit reference agencies where their ratings have been affected, and the Privacy Commissioner will be given powers to enforce decisions and refer matters to the Federal Court in instances of non-compliance.

"The problem is not with the ALRC's recommendations — which will be largely sensible — it will be the implementation," Roger Clarke, chair of the Australian Privacy Foundation told ZDNet.com.au.

"When you look down the list of reports, large slabs of reports have not been proceeded with," Clarke said.

However, a spokesperson for the ALRC hit back at Clarke's claims, pointing out that a majority of its recommendations have been "substantially implemented".

According to the ALRC's 2006-07 annual report, 59 percent of its 73 recommendations over 30 years have been substantially implemented. Twenty-nine percent have been partially implemented and 12 percent are still under consideration. Of those still under consideration, eight percent have not been implemented at all and four percent are being considered.

The spokesperson added that the Privacy Act was the result of ALRC recommendations in the fist instance.

Business to get carrots before sticks
Before any review of the Privacy Act occurs, which would boost the Privacy Commissioner's powers to punish businesses that fail to comply with privacy legislation, business will be enticed to think positively of privacy.

This week the Privacy Commissioner, Karen Curtis, announced a competition for business, awarding those with the best privacy initiatives.

Large and small organisations from the private and public sector will be awarded for raising the awareness of privacy issues.

Nominations for the competition opened yesterday. However, the panel of judges is yet to be decided according to a spokesperson for the Privacy Commissioner.

"These are the first, only awards of their kind in the world. No other regulators have awards on this scale, covering the private and public sector," the spokesperson told ZDNet.com.au.

However if APF's Clarke is right, it might be difficult to find a business that genuinely cares about privacy.

"There are strong forces ranged up against the ideas [in the privacy review]. Government and business often want to make their own life easy, so we do expect some opposition to it," he said.

But there is some merit in creating awards for privacy, he said.

"We looked at [the privacy award] with some trepidation when we first heard it. The conventional attitude is that setting up awards for things, even when it's meant to be good business practice already — it's a form of encouragement and provides exposure to the principles that should be following."