Australian Finance Conference Level 7, 34 Hunter Street, Sydney, 2000. GPO Box 1595, Sydney 2001

ABN 13 000 493 907 Telephone: (02) 9231-5877 Facsimile: (02) 9232-5647 e-mail:

18 November 2011

The Hon Brendan O’Connor MP

Minister for Privacy and Freedom of Information c/- Privacy and FOI Policy Branch

Department of the Prime Minister and Cabinet

1 National Circuit

BARTON ACT 2600 By email:

Dear Minister,

Issues Paper: A Commonwealth Statutory Cause of Action for Serious Invasion of

Privacy – AFC Comments

The Australian Finance Conference (AFC), the national finance industry association, appreciates the opportunity provided by you, on behalf of the Government, to comment on the Issues Paper, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy, to assist inform the Government’s response to the Australian Law Reform Commission’s recommendations to introduce a statutory cause of action for serious invasions of privacy.

By way of background, AFC membership includes a range of credit providers, financiers, receivables managers and the two principal Australian consumer credit reporting agencies. A current membership list is attached. AFC member companies are involved in the full range of lending financial services in both the consumer and commercial markets. Our comments take note of the extensive privacy reform process which has preceded the release of the Issues Paper. The AFC has been pleased to have participated in this including through our submissions and stakeholder discussions with the Australian Law Reform Commission (ALRC).

While acknowledging that the bases for statutory causes of action being considered in the Issues Paper cover a broad range of behaviours that may constitute privacy invasions (eg stalking, harassment), the activity of AFC members that has the greatest potential to form the basis for action is that which may arise from the handling of personal information or data. We have focused on the issues raised in the Paper in this context.

AFC Members, as do others within the financial services sector, have an embedded organisational compliance culture of privacy protection of personal information. This reflects management of regulatory risk (eg from compliance obligations arising under the Privacy Act, National Consumer Credit Protection Laws, Voluntary Codes, common law breach of confidentiality obligations). For, AFC Members operating in the consumer credit market, potential loss of their Australian Credit License for non-compliance with their general conduct

IP Stat Right to Privacy AFC Comments Nov 2011 page 2

obligations (which includes non-compliance with the credit reporting provisions of the privacy legislation) with the resultant inability to continue in the consumer credit market acts as a significant incentive to ensure compliance.

More importantly, however, the compliance culture reflects acknowledgment by AFC Members that the personal information of both external stakeholders (eg customers; shareholders) and internal stakeholders (eg employees) is a critical asset to their businesses and consequently should be afforded the highest protection. Management of reputational risk equally drives compliance in this regard.

Therefore, the AFC takes issue with statements made in the Paper that the creation of a new statutory cause of action may be useful in preventing privacy breaches for our Members. In our view, the current commercial and regulatory risk management imperatives that drive compliance culture for AFC members in data management act as a sufficient inhibitor to privacy breaches. In the experience of AFC members, breaches of customer privacy through mismanagement of personal information are generally a human failing through inadvertence or negligence (eg failure to follow company policies and procedures or abuse of process by third parties) rather than an intentional or reckless action indicative of a regulatory or systemic-compliance failure by the regulated entity.

Further, we note the Government’s commitment to proposed reforms that will see in the near future greater enforcement powers available to the Information Commissioner for mishandling of data in breach of the information handling principles or credit reporting provisions. We also note the Government’s commitment to consideration of the ALRC recommendation for mandatory breach reporting (as Stage 2 of the Government response). These initiatives will have a dual consumer protection benefit of enhancing the ability of the Information Commissioner to champion the data protection rights and pursue remedies on behalf of an individual in relation to regulated entities, including AFC Members, and add further incentive to our Members and other regulated entities to adopt processes and policies in compliance with the reformed Privacy Act.

In line with the Government’s commitment to best-practice regulation we submit that it is inappropriate for the Government to consider imposing on AFC Members additional regulation to fill a gap rather than take a targeted response to address an evidence-based market failure or consumer protection risk. In our view, the material provided to date fails to establish where the existing obligations (eg under the Privacy Act; NCCL; Voluntary Codes) have failed to warrant further regulatory intervention. As indicated, the enhanced powers of the regulator under the reformed Privacy Act will act as their own incentive to ensure compliance.

In line with potential risk areas, we submit that the Government should ensure that any cause of action is targeted at that section of the population that is not regulated under the Privacy Act (eg exempt entities and for non-personal information privacy invasions (eg stalking type, paparazzi harassment type issues).

For AFC Members and others currently subject to regulation under the Privacy Act, industry codes and other laws (including the NCA), we submit that the Government is better able to achieve a policy of effective consumer protection by, as a priority, ensuring enactment of the Stage 1 Part 2 credit reporting reforms to allow more comprehensive reporting to enhance the tools available AFC Members and other providers of credit to lend responsibly.

IP Stat Right to Privacy AFC Comments Nov 2011 page 3

Therefore, in answer to the fundamental or threshold question posed in the Issues Paper, (namely: Should Australia introduce a statutory cause of action for serious invasions of privacy of an individual?), the AFC concludes that, in the absence of evidence-based justification for introduction of a statutory cause of action for mishandling of personal information by AFC members in breach of the Privacy Act, voluntary codes and other legislation (eg NCA) that the Government should not introduce a broad statutory cause of action but rather should introduce a remedy targeted at that part of the market not currently subject to regulation or covering invasions of privacy beyond those involving management of personal information.

Without this evidence it is difficult to understand where the current rights and remedies available to consumers under the current Privacy Act, the proposed reformed Privacy Act and other relevant legislation that AFC Members are subject to (eg NCA) that would warrant an additional cause of action to be available to our customers and that would justify the increased attendant operating risk and compliance cost for AFC members created by the proposed introduction of a statutory cause of action.

We would happy to discuss our comments further, as required. Please feel free to contact me or Helen Gordon, Corporate Lawyer, by phone 02 9231 5877 or via email or .

Kind regards. Yours sincerely,

Ron Hardaker

Executive Director

Attachment:

1. List of AFC Members

AFC MEMBER COMPANIES

Advantedge Financial Services Advance Business Finance Alleasing

American Express

ANZ t/as Esanda Automotive Financial Services Bank of Melbourne

Bank of Queensland BMW Australia Finance Branded Financial Services Capital Finance Australia Caterpillar Financial Australia CNH Capital

Collection House Commonwealth Bank of Australia Credit Corp Group

De Lage Landen Dun & Bradstreet FlexiGroup

Ford Credit GE Capital Genworth Financial GMAC

HP Financial Services

HSBC Bank Indigenous Business Australia International Acceptance

John Deere Financial

Kawasaki Finance Key Equipment Finance Kubota Australia Finance Komatsu Corporate Finance Leasewise Australia

Liberty Financial

Lombard Finance Macquarie Equipment Rentals Macquarie Leasing

Max Recovery Australia

Members Equity Bank


Mercedes-Benz Financial Services

Nissan Financial Services Once Australia t/as My Buy PACCAR Financial

Pepper Australia Pty Ltd Provident Capital Profinance

RABO Equipment Finance

RAC Finance RACV Finance Ricoh Finance RR Australia

Service Finance Corporation

Sharp Finance

SME Commercial Finance Solar Financial Solutions St. George Bank

Suncorp

Suttons Motors Finance The Leasing Centre Toyota Financial Services Veda Advantage

Volkswagen Financial Services

Volvo Finance Westlawn Finance Westpac

Wide Bay Australia

Yamaha Finance

Professional Associate Members: Allens Arthur Robinson

CHP Consulting Clayton Utz Dibbs Barker

Henry Davis York

011/11 V1.0