Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Submission on draft determination — Clean Energy Council Limited applications A91495 & A91496

Dr Richard Chadwick
General Manager, Adjudication
Australian Competition & Consumer Commission
23 Marcus Clarke Street
Canberra ACT 2601

Dear Dr Chadwick

Submission on draft determination - Clean Energy Council Limited applications A91495 & A91496

Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the Australian Competition and Consumer Commission’s (ACCC) draft determination on the Clean Energy Council’s Limited application for revocation and substitution of authorisation, in respect of a voluntary code of conduct for solar retailers (the Code).

I have reviewed the ACCC’s draft determination and the Code and I am supportive of the inclusion of privacy enhancing measures in the Code. However, I would like to highlight some of the existing privacy obligations of potential signatories under the Australian Privacy Principles (APPs) and Part IIIA of the Privacy Act 1988 (Cth) (the Privacy Act) which should be taken into account when authorising the Code.[1]

I suggest that consideration be given to amending the Code to more closely reflect the requirements and language of the Privacy Act, in particular:

  • APP 7 of the Privacy Act which regulates the use and disclosure of personal information for the purpose of direct marketing and
  • Part IIIA of the Privacy Act which places an obligation on certain credit providers to notify individuals of particular matters.

Use of personal information for future promotion of business / direct marketing

Use of personal information for future promotion of business

Clause 2.2 of the Code seeks to limit the ways in which signatories may use personal information provided by consumers for the purpose of the future promotion of their business. It also sets out requirements to be met when undertaking direct marketing activities. My concern is that the provisions of the Code do not reflect the requirements of APP 7 in circumstances where an individual does not have a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing.

Under clause 2.2.12 of the Code, signatories may seek the consumer’s consent to receive marketing material, by way of an opt-in clause in the contract or other appropriate document. Clause 2.2.13 of the Code requires signatories to include an opt-out provision within the direct marketing material itself, regardless of whether the individual consented to the use of their information for direct marketing.

I am supportive of the inclusion of a provision in the Code that encourages signatories to seek an individual’s informed consent, as this will enable the individual to understand and exercise some control over how their personal information is handled, and assist to promote best privacy practice. However, I note that clause 2.2.12 of the Code does not create clear and specific obligations but instead is framed as best practice.

Requirements under the Privacy Act for direct marketing

APP 7 imposes specific obligations on organisations which engage in direct marketing.

In the absence of consent, to comply with APP 7, signatories would need to consider whether consumers would reasonably expect that their personal information would be used or disclosed for future promotions, given that for many consumers, buying a solar photovoltaic system may be a ‘one off’ purchase. While the reasonable expectations of the individual is a question of fact in each individual case, an individual may have a reasonable expectation where they have been properly informed of this potential use or disclosure of their personal information through an APP 5 notice that addresses that issue.

Where an organisation has collected the personal information directly from the individual, and the individual would reasonably expect their personal information to be used to direct market, the organisation has to provide a simple means for the individual to opt out of receiving direct marketing communications.

However, if the organisation has collected the individual’s personal information from a third party, or directly from the individual but the individual would not reasonably expect the information to be used to direct market, the organisation must also tell the individual about the simple means of opting out by way of a prominent statement in each direct marketing communication.

I suggest that the provisions of the Code be amended to more closely reflect the requirements of APP 7. In particular, to encourage signatories to consider the reasonable expectations of individuals and where receiving direct marketing is not within their reasonable expectations, to require signatories to include a prominent statement in each direct marketing communication about the means for opting out of future communications.

Additional matters

APP 7 imposes obligations upon organisations in relation to a ‘disclosure’ of personal information, as well as a ‘use’ of personal information, whereas the Code imposes obligations only in relation to the use of personal information. A ‘disclosure’ of personal information includes where an organisation makes personal information accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control. I suggest that the Code be amended to cover disclosure as well as use of personal information to more closely reflect the requirements and language of APP 7.

Clause 2.2 of the Code sets out minimum standards, with clause 2.2.15 of the Code permitting signatories under the Code to determine their own marketing practices beyond meeting the Codes minimum standard, if those marketing practices are in accordance with the requirements of the Privacy Act. I suggest that consideration be given to including a specific reference to APP 7 in the Code, to ensure that signatories are aware of their obligations when using or disclosing personal information for direct marketing.

Finally, I suggest that consideration be given to the Code including a definition or guidelines which explain what is meant by ‘the future promotion of their business’, to provide clarity to signatories about the type of marketing activities that are permitted under the Code.

Finance and alternative purchasing arrangements

The Code seeks to enhance consumer protection by requiring signatories to provide clear and accurate information to consumers about financing arrangements offered as an alternative to initial outright purchase, including providing a clear statement of information about the financing arrangements.

Section 21C of the Privacy Act and clause 4.1 of the Credit Reporting Privacy Code impose obligations on certain organisations and small business operators, including an organisation or small business operator that supplies goods and services where payment is deferred for 7 days or more.

Relevantly, these organisations or small business operators are obliged to provide notice to individuals of certain matters prior to collecting their information, including if the credit provider is likely to disclose their personal information to a credit reporting body and notifying an individual of the name and contact details of that credit reporting body.

I suggest that consideration also be given to amending the provisions of the Code to ensure that signatories are aware that the Code is not an exhaustive list of the notification obligations which apply to credit providers, and that credit providers are required to meet obligations imposed by section 21C of the Privacy Act and clause 4.1 of the Credit Reporting Privacy Code.

Subcontractors

Section 2.4.24 of the Code requires that signatories ensure that their employees, contractors and agents comply with the Code. I support the inclusion of this clause as privacy enhancing, as it will ensure that signatories cannot contract out of the privacy obligations imposed by the Code.

Should the ACCC wish to discuss this letter in more detail, please contact Melanie Drayton, Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim
Acting Australian Information Commissioner

19 August 2015


Footnotes

[1] The Privacy Act applies to Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million and some small businesses.