Important note - this article was originally published in the Privacy Law Bulletin in late June 2021 and reflected NSW law as at that point in time. On 12 July 2021 the NSW Government significantly extended the list of entities required by law to record details. You should not rely on this article as legal advice as to the current situation and you should check the current regulations. This article has been republished here as APP2 remains an important privacy issue generally.
The right to deal with Australian Privacy Principle (APP) entities anonymously or under a pseudonym is a less well-known but important part of the Australian privacy regime.
Retailers and those who are not required by law to record details of members of the public must exercise significant caution in communicating a desire to record details of the public, both because they may be in breach of the Privacy Act 1988 (Cth) and because they may be misleading the public in breach of the consumer law.
The right to deal anonymously or under a pseudonym
Australian Privacy Principle 2 (APP2) is a relatively obscure and underappreciated part of the Privacy Principle framework. It provides:
individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.
subclause 2.1 does not apply if, in relation to that matter:
the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves or
it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym
In its 2008 report, the Law Reform Commission noted that the predecessor of APP2 was intended to affect the design of new technologies that collected more information than is necessary when an organisation transacts with individuals.1
It is clear that since that time technology has reached a point where organisations collect (sometimes almost inadvertently) vast swathes of information about an individual, to the extent that APP2 has become functionally meaningless.2
The Australian Government has also recognised the importance of anonymity:
This principle ensures that individuals are permitted to interact with entities while not identifying themselves, or by using a pseudonym.
This principle emphasises the importance of first considering whether it is necessary to collect personal information at all. This offers better privacy protection to individuals because it prevents an entity collecting personal information if the entity does not need to.
In some circumstances, particularly on the internet, it is not necessary for a person to identify him or herself. The entity with which the individual is dealing is not necessarily interested in the identity of the individual, but rather that the credentials of the individual have been sufficiently established for the purposes of the transaction.3
In September 2012, the Senate recognised: “This principle gives an individual the right not to identify him or herself, or to use a pseudonym, when dealing with an APP entity in relation to a particular matter.”4
The OAIC has stated that there are wider benefits to anonymity and pseudonymity than merely avoiding marketing emails, including: “freedom of expression is enhanced if individuals can express controversial or minority opinions without fear of reprisal.”5
Until 2020, it was commonly accepted that in liberal democratic societies individuals could go about their business as if APP2 applied generally. This applied both at a practical humdrum level (ie citizens had a right to enter shops and premises freely and without constant surveillance) and at a deeper philosophical level.6
In 2020 governments worldwide (often encouraged by a panicked and fearful populace) used never-before-seen technological measures, available due to the geolocation tracking in smartphones and the IoT, to unwind long-existing ideas about the right to privacy and anonymity, the utmost phase of privacy.
A rash of legal and extra-legal measures, purportedly justified by COVID-19 and in some cases an open desire to politicise the pandemic in a partisan way, have brought into question whether the important principles established by APP2 mean anything at all.
Collection of customer details to assist with contact tracing
This article deals with the somewhat mundane, but important issue, of how non-scheduled businesses that are obliged to comply with the APPs (ie APP entities) can comply with APP2. It takes New South Wales (NSW) law and practices into account for reasons that will become clear (and because the author has lived experience of the NSW system).
Empirical observations in NSW
In NSW, certain businesses (such as restaurants, bars and theatres) are required to obtain contact details of patrons. After 1 January 2021 this is done via a government QR code that obtains name and mobile telephone number; before that date, although collection was required, the means was not prescribed. Those businesses are required by law to do this and so APP2 has no further effect. Those who do not have the requisite smartphone are required to enter their personal information into a secure system maintained by the service provider.
Other Australian states have similar regimes — scheduled businesses must collect personal data and so APP2 is irrelevant.
However, some retail shops have also adopted compulsory contact detail recording, before 1 January via various means, and after 1 January 2021 via the NSW Government QR code system.
The author’s experience from the Sydney central business district is that larger Australian owned general retailers do not require contact details as a condition of entry (some have signs stating they “encourage” provision of contact details but do not require them), whereas retail shops owned by multinational enterprises (where global decisions are often made in the US, where COVID-19 had a partisan political edge, or Europe, where the disease has caused major disruption) do require it.
Retail shops and APP2
Retail shops in NSW are not required by law to record contact details.
There is therefore a serious question as to whether it is impracticable for them to deal with individuals anonymously or pseudonymously.
For the reasons developed below, the author concludes that those businesses are at risk of breaching APP2 and therefore breaching the Privacy Act.
The first, and most obvious, reason why this is so is that most shops (as noted above) do not require the collection of contact details of those people who are entering, whether or not they seek to excuse it by reference to health conditions.
They still manage to function as shops.
This is the first and major difficulty for retail premises. The test of practicability must relate only to their core function, which is to sell goods to the public.
It is clear that the lack of personal data on members of the public who enter their premises to browse can have no impact upon their ability to sell goods to the public. Even at the point of sale, they do not need their customer’s data to effect a sale, for obvious reasons for cash sales and equally obvious reasons for electronic funds transfer sales.
The obvious contrast would be situations such as:
a doctor — who cannot properly administer anything beyond basic first aid without knowing a patient’s details
a law firm — where lawyers cannot comply with retainer and anti-money laundering obligations, or their tortious duties, without knowing a client’s details
home opens — where anonymous visitors could steal the vendor’s possessions
To state the contrasts is to prove the point. That means that the first stage test fails as it is quite practicable for a shop to admit the public to examine its wares and treat with the retailer while the customer is anonymous or pseudonymous.
A “health and safety” rationale?
It is conceded that Australia has an extraordinarily stringent “health and safety” legal culture.
Retail shops could assert that it is not practicable for them to operate without recording personal information on this basis.
However, a preliminary conundrum arises — the larger general retail chains tend to admit many more members of the random public but can comply with APP2.1 by inviting customers to use a QR code but not requiring them to.
That leads to two alternatives: either the larger retail chains are putting their staff and customers at extraordinary risk (and exposing themselves to significant legal liability, which has not been evidenced to date), or it is practicable from a health and safety perspective for them to comply with APP2 without requiring the surrender of personal information on entry.
Further, if the state government considered that there was such an extraordinary risk, the state government would mandate collection (which it has not, although Western Australia, which appears to have a very different approach, has). The fact that the NSW Government has not done that proves that it does not consider that it is impracticable for the APP entity to operate without collecting information. That disposes of the argument.
In any event, on a non-superficial consideration, it is hard to see how an APP entity could protect its own staff and provide a safe workplace by merely collecting the details of those who enter.
The use of collecting details of customers would be to alert those customers that someone positive for the virus had entered the shop.
The mechanics of the collection do not work the other way — ie should someone who entered the shop test positive to the virus, the unidirectional mechanics of the QR collection could not be used to reverse notify the shop that the person positive to the virus had been in it. They would merely notify all of those who had registered (including perhaps staff if the entity required them to register). The contact tracers would then advise the public generally that a certain shop had been visited by a positive person.
The APP entity might then say that it was not “practicable” from a health and safety point of view for it to operate as a shop without the ability to tell every customer who had been in the shop that they had been notified by a contact tracer that a person who was positive to the virus had been in the shop (for some sort of public relations (PR) reason).
That notification is dealt with via NSW Health Department circulars, which all members of the public can read, and not the shop.
The only distinction here is that government contact tracing would be made easier if customers used the government QR code to register their entry into a shop (as opposed to reliance on customers’ memory or credit card records), but once again if the government considered that would assist it is at liberty to amend the regulations to that effect.
The fact that it has not done so disposes of this argument.
A PR/reputation justification?
A retail shop might argue that it is impracticable to function as a shop unless it requires customers to hand over personal information because of the reputational harm it might suffer.
On any reflection, this argument must fail.
Firstly, it is hard to see how being identified as a cluster location (whether via electronic contact tracing or via the recollection of a customer when being interviewed by a contact tracer) assists the reputation of the shop. Indeed, it may even close the shop down temporarily.
Secondly, noting the slight degree of cynicism in the above (ie the implication that it may be in the shop’s interest to conceal that it was a cluster location), it is not permissible to argue that public relations and reputation permit an entity to override the law.
Is handing over data to a third party consistent with APP2?
An interesting question arises — could an APP entity assert that as it does not have access to the QR code data, it is complying with APP2?
If an APP entity requires proof of registration, it cannot make that argument, because the only way to prove the fact of registration (ie handing over personal data) is for a staff member to view the website or app success page. That success page discloses the personal data. Therefore, on first principles, the APP entity is not dealing anonymously or pseudonymously with the individual.
Secondly, to state the proposition is to disprove it. It could not be the case that an APP entity is dealing with someone on an anonymous or pseudonymous basis where that person cannot in fact be anonymous or use a pseudonym and the entity in fact requires the person to hand over personal information to the government.
To the extent that an APP entity informs customers that registration is required by the law, they are likely in breach of the consumer law prohibition on misleading or deceptive conduct in trade or commerce.
To the extent that they require it as a condition of entry, they are similarly likely in breach of the consumer law, because they have not advised the customer that it is likely not permitted by APP2.
Technological determinism is a theory that human behaviour and regulation will change to take advantage of whatever technology is available at the time. It is submitted that the events of 2020, and the widespread disregard of APP2, which is a legal obligation, under the excuse of “health”, seem to prove the point.
1. Australian Law Reform Commission For Your Information: Australian Privacy Law and Practice Report 108 Vol 1 (May 2008) 20.1.
2. As to the lack of reality in anonymisation, see for example, P Ohm “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” (2010) 57 UCLA Law Review 1701.
3. Cabinet Secretary, Senator the Hon Joe Ludwig Companion Guide — Australian Privacy Principles Cabinet Secretary, June 2010 p 9.
4. The Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 [Provisions], September 2012, cl 2.7.
5. OAIC Australian Privacy Principle 2 — Anonymity and pseudonymity Ch 2 (July 2019) cl 2.11 www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-2-app-2-anonymity-and-pseudonymity/.
6. See A Sauer “Online privacy and the online self” (2008) 4(9) PRIVLB 116 and see criticism of how government agencies have circumvented APP2; J Davidson “How the APPs fail to protect private information held by agencies” (2016) 13(8) PRIVLB 174.