Explanatory Memorandum
(Circulated by authority of the Treasurer, the Hon Josh Frydenberg MP)Chapter 3 Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019
3.1 This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview
Mandatory comprehensive credit reporting regime
3.2 This Bill amends the Credit Act to establish a mandatory comprehensive credit reporting regime.
3.3 Under the regime eligible licensees, who on 1 April 2020 are large ADIs, must provide credit information on consumer credit accounts to certain credit reporting bodies.
3.4 Credit information is defined in the Privacy Act 1988 and includes information about the maximum amount of credit available to a person, how well the person is meeting their repayments, details of the person's overdue payments and defaults.
3.5 Amendments to the Privacy Act 1988 which took effect in 2014 have permitted credit providers to disclose this information to credit reporting bodies but this is a voluntary scheme.
3.6 The Bill operates within the framework established by the Privacy Act but mandates the supply of credit information.
3.7 It is expected that by applying the measure to large ADIs and other credit providers within that banking group other credit providers will voluntarily share comprehensive credit information. In June 2019 large ADIs accounted for more than 80 per cent of household lending.
3.8 Regulations will set out conditions that must be met before a credit reporting body can share the information disclosed under the regime. Regulations will also set out circumstances when the credit reporting body must share credit information.
Reporting financial hardship information
3.9 This Bill amends the Privacy Act 1988 to create a new category of credit information called 'financial hardship information' and to permit this information to be reported within the credit reporting system.
3.10 This Bill also makes minor changes to the Privacy Act 1988 to improve the overall administration of credit reporting, including reducing regulation for businesses that do not participate in credit reporting.
3.11 Under these changes, financial hardship information about a consumer may be reported on their credit report: credit providers may report this information to credit reporting bodies, who can subsequently make this information available to other credit providers when a consumer applies for credit.
3.12 Financial hardship information will indicate that a monthly payment has been affected by either: a permanent variation to the terms of the consumer credit or a hardship arrangement which provides temporary relief from or deferral of the individual's obligation's in relation to the consumer credit. A hardship arrangement is broadly defined in order to recognise the diversity of arrangements that may exist between consumers and their credit providers which take into account individual circumstances.
3.13 Variations to the Privacy (Credit Reporting) Code 2014 will provide detailed guidance on the implementation of new credit reporting obligations in this Bill.
Human rights implications
3.14 The Bill engages the following human rights and freedoms:
- •
- the right to protection from arbitrary or unlawful interference with privacy under article 17 of the International Covenant on Civil and Political Rights (ICCPR);
- •
- the right against self-incrimination under article 14(3)(g) of the ICCPR;
- •
- the right to be presumed innocent until proved guilty according to law; and
- •
- the right to a fair and public hearing.
Right to protection from unlawful or arbitrary interference with an individual's privacy
3.15 Article 17 of the ICCPR prohibits unlawful or arbitrary interferences with a person's privacy, family, home, or correspondence. It also provides that everyone has a right to the protection of the law against such interference or attacks.
3.16 The right to privacy encompasses respect for informational privacy, including the right to respect for private information and private life, particularly the storing, use and sharing of personal and confidential information.
3.17 Division 2 of Schedule 3 of the Bill engages the right to privacy by requiring certain eligible licensees, initially large ADIs, to supply credit information to certain credit reporting bodies. Credit information is the personal information about individual bank customers.
3.18 The mandatory comprehensive credit reporting regime implemented by this Bill makes participation in the credit reporting system mandatory, but does not itself authorise the disclosure of an individual's credit information. The handling of personal information in the credit reporting system is regulated by Part IIIA of the Privacy Act 1988. That Part clearly defines and limits the uses and permitted disclosures of credit information.
3.19 At the time of the amendments to the Privacy Act 1988 that enabled more comprehensive credit reporting, the Government of the day expected that credit providers would voluntarily share credit information. This was the case in comparable jurisdictions.
3.20 A more comprehensive credit reporting regime allows credit providers to better establish a consumer's credit worthiness and lead to a more competitive and efficient credit market. A more comprehensive regime benefits consumers by enabling individuals with good credit histories to seek more competitive rates when purchasing credit and enabling those with a historically poor credit rating to demonstrate their credit worthiness through future consistency and reliability.
3.21 The explanatory memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which enabled comprehensive credit reporting explains the safeguards that were put in place to protect an individual's credit information.
3.22 Greater responsibility was placed on credit reporting bodies and credit providers to assist individuals to access, correct and resolve complaints about their personal information. Those amendments included specific rules to deal with pre-screening of credit offers and the freezing of access to an individual's personal information in cases of suspected fraud or identity theft.
3.23 The amendments also restricted access to repayment history information to those credit providers who hold an Australian Credit Licence and are therefore subject to responsible lending obligations.
3.24 Any effect on privacy rights was considered proportionate and limited by the introduction of specific safeguards, including:
- •
- only de-identified information can be used for the purpose of research, and the research must be reasonably connected to the credit reporting system, and
- •
- the use of credit reporting information for the purposes of pre-screening is expressly limited to the purpose of excluding adverse credit risks from marketing lists.
3.25 In considering the impact on a person's right to privacy, the explanatory memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 noted:
'In the consumer credit environment it is important to achieve a balance between privacy protection and the efficient operation of the credit market. Access to narrowly defined categories of credit information to ensure a more balanced picture of an individual's credit situation, taking into account positive action such as payment, and not just negative information like defaults, and to allow for more effective risk assessment by credit providers is balanced with the enhanced privacy protections set out above.
Any limitations on the prohibition against arbitrary interference with privacy in the Bill are clearly and narrowly defined, for the legitimate purpose of improving the management of personal and credit reporting information, and accompanied by sufficient safeguards to maintain reasonable privacy protections. The measures are reasonable, necessary and proportionate as they ensure the smallest possible set of data is used for the narrowest purposes to achieve the objective of providing a functional consumer credit market.'
3.26 The mandatory comprehensive credit reporting regime does not alter the existing protections set out by the Privacy Act 1988 governing the use and disclosure of credit information. The Bill clearly states the requirement to supply credit information only applies to the extent that the disclosure is permitted under the Privacy Act 1988.
3.27 Division 3 of Schedule 1 the Bill also engages the right to privacy by providing that regulations may set out the circumstances when a credit reporting body must share credit information received under the mandatory comprehensive credit regime. These circumstances will be limited and not extend beyond those circumstances in the Privacy Act 1988. Primarily this will be when a credit provider is seeking information about a customer's credit worthiness when considering a request for consumer credit.
3.28 The Bill extends the protections in the Privacy Act 1988 by amending the existing requirements to protect credit reporting information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Bill more clearly sets out where information held by a credit reporting body must be stored. A credit reporting body must store credit reporting information in Australia or in accordance with any security requirements prescribed by Regulations for storage outside Australia.
3.29 Schedule 2 of the Bill further engages the right to privacy by creating a new category of credit information called 'financial hardship information' and permitting the collection, use, storage and disclosure of this information in the credit reporting system. This engages the right to privacy by permitting the disclosure of personal information.
3.30 However, when applying for credit it is legitimate for a credit provider to access personal information that is directly relevant to an assessment of an individual's credit worthiness. This process facilitates the efficient allocation of credit in the community and may promote other rights, including the right to an adequate standard of living. In the context of mandatory consumer credit reporting, it is legitimate for financial hardship information about a consumer to be reported within the credit reporting system.
3.31 The potential limitation on the right to privacy is reasonable, necessary and proportionate because it balances the need for consumers to provide relevant information to a prospective credit provider in an efficient way with a number of safeguards.
3.32 The Bill sets out clearly defined and limited uses of financial hardship information in the credit reporting system. Like the existing protections for repayment history information, hardship information can only be disclosed to mortgage insurers and licensed credit providers who are subject to the responsible lending obligations. Additionally, financial hardship information will only be retained for one year (rather than two years in the case of repayment history information) and credit reporting bodies will be prohibited from using the information to calculate a credit score. Further, there will be restrictions on the use of hardship information as the sole reason for a credit provider to reduce or freeze a consumer's existing credit.
3.33 In the context of the existing protections and additional protections added by this Bill, the mandatory comprehensive credit regime is reasonable, necessary and proportionate to deliver a credit reporting system which is efficient and effective.
The right against self-incrimination under article 14(3)(g) of the ICCPR
3.34 Paragraph 3(g) of Article 14 of the ICCPR guarantees the right of an individual not to be compelled to testify against oneself or to confess guilt. The privilege against self-incrimination is recognised by the common law and applies unless it is expressly abrogated.
3.35 The right is engaged for the purposes of the new mandatory comprehensive credit reporting regime as existing Chapter 6 of the Credit Act is amended by the Bill to expand ASIC's existing compliance and enforcement powers, such as its power to conduct investigations, examine a person, gather information, and conduct hearings, to the new mandatory comprehensive credit regime.
3.36 Existing section 295 of the Credit Act expressly provides that it is not a reasonable excuse for a person to refuse or fail to produce a book in accordance with a requirement that the production of the book might tend to incriminate the person or make the person liable to a penalty.
3.37 However, existing subsection 295(3) of the Credit Act operates to provide that the information or documents cannot be used as evidence in criminal proceedings except to the extent that the proceedings relate to compliance with a disclosure notice or the provision of false or misleading information in response to a disclosure notice.
3.38 It is considered necessary to override the privilege against self-incrimination to allow ASIC to acquire all relevant information to administer the Credit Act.
3.39 The provision of derivative use immunity with respect to self-incriminating information would impair ASIC's ability to effectively perform its regulatory functions.
3.40 It is relatively straightforward to prove compliance with use immunity in that all of the evidence obtained under compulsion from the person concerned is easily identifiable and can be excluded from any subsequent criminal or civil penalty proceedings against that person.
3.41 In most cases, establishing compliance with derivative use immunity would be substantially more difficult. It would require persuading the court to the required standard that no part of the original information was taken into account, directly or indirectly, when obtaining the information upon which the prosecution is based.
3.42 This may require the introduction of Chinese walls in the agency who received the original information in order to avoid contagion of other employees of that agency who may be involved in obtaining the information upon which the prosecution is based. The effectiveness of these Chinese walls would also have to be proven.
3.43 In its submission to the Australian Law Reform Commission Inquiry into Traditional Rights and Freedoms: Issues Paper 46 (March 2015) ASIC notes: 'Any grant of derivative use immunity has the potential to render a person conviction-proof for an unforeseeable range of offences'.
3.44 The application of use immunity to only those who claim self-incrimination prior to the examination is consistent with other legislative provisions and the process is clearly explained to an examinee prior to the examination being conducted so it is up to the examinee to assert that right.
3.45 Existing section 296 of the Credit Act provides that if a requirement to produce books is made to a person who is a lawyer, and the book contains a privileged communication made by or on behalf of the lawyer in his or her capacity as a lawyer, the lawyer is entitled to refuse to comply.
3.46 The lawyer may not refuse to comply if the person, on behalf of whom the communication was made, or, if this person is a body corporate that is being wound up, the liquidator of the body, consents to the lawyer complying with the requirement but allows the person to maintain protection from the information being used against them in criminal proceedings or proceedings for the imposition of a penalty.
The right to be presumed innocent until proved guilty according to law
Assessment of civil penalties
3.47 Practice Note 2: Offence provisions, civil penalties and human rights observes that civil penalty provisions may engage criminal process rights under Articles 14 and 15 of the ICCPR, regardless of the distinction between criminal and civil penalties in domestic law. This is because the word 'criminal' has an autonomous meaning in international human rights law. When a provision imposes a civil penalty, an assessment is therefore required as to whether it amounts to a 'criminal' penalty for the purposes of the Articles 14 and 15 of the ICCPR.
3.48 The Bill includes new civil penalty provisions where:
- •
- an eligible licensee:
- -
- fails to supply credit information as required under the mandatory regime;
- -
- fails to notify the credit reporting body, ASIC and the Information Commissioner once the eligible licensee believes a credit reporting body is meeting its section 20Q obligations in the Privacy Act 1988, where the eligible licensee previously believed the credit reporting body was not meeting its obligations; and
- -
- fails to submit audited statements to the Treasurer following the initial bulk supplies.
- •
- a credit reporting body:
- -
- discloses information that it has received under the mandatory regime that it should not disclose;
- -
- fails to disclose information it has received under the mandatory regime, including not in the required timeframe or inconsistent with requirements included in the regulations;
- -
- fails to submit audited statements to the Treasurer following the initial bulk supplies.
3.49 While the provisions impose significant civil penalties it is considered appropriate to encourage compliance with the supply obligations. The approach is consistent with other civil penalties in the Credit Act.
3.50 The civil penalty provisions in the Bill should not be considered 'criminal' for the purposes of international human rights law.
3.51 While the civil penalty provisions included in the Bill are intended to deter people from non-compliance with the mandatory comprehensive credit reporting regime, none of the civil penalty provisions carry a penalty of imprisonment and there is no sanction of imprisonment for non-payment of penalty. The statement of compatibility therefore proceeds on the basis that the civil penalty provisions in the Bill do not create criminal offences for the purpose of Articles 14 and 15 of the ICCPR.
Criminal penalty provisions
3.52 The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial.
3.53 The Bill includes criminal penalty provisions of up to 100 penalty units where an eligible licensee has failed to supply credit information, provide a statement to the Treasurer or notify a credit reporting body, ASIC and the Information Commissioner when the credit provider no longer holds the belief that the credit reporting body is not .
3.54 For some offences, which mirror existing provisions in the Credit Act give ASIC information penalties, the penalty provisions are consistent with the existing penalties for the existing offences and are set at 25 penalty units or up to 6 months imprisonment, or both.
3.55 Paragraph 2 of Article 14 of the ICCPR protects the right of a person charged with a criminal offence to be presumed innocent until proven guilty according to law. The presumption of innocence is also a fundamental principle of the common law. As the Human Rights Committee has observed, the presumption of innocence 'imposes on the prosecution the burden of proving the charge, guarantees that no guilt can be presumed until the charge has been proved beyond reasonable doubt, ensures that the accused has the benefit of doubt, and requires that persons accused of a criminal act must be treated in accordance with this principle'. [1]
3.56 The presumption of innocence generally requires the prosecution to prove each element of a criminal offence beyond reasonable doubt. This is the case for the criminal offence provisions included in this Bill.
3.57 However, the Bill does place an evidential burden on a credit provider where a credit provider does not supply mandatory credit information to a credit reporting body within the required timeframe on the basis that it is the belief of the credit provider that the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988.
3.58 The imposition of an evidential burden is justified because the reason why a credit provider held the belief that the credit reporting body was not meeting its obligations under 20Q in the Privacy Act 1988will be a matter that is peculiarly within the credit provider's knowledge.
3.59 Moreover, the effect is that the credit provider must merely adduce or point to evidence that explains why the credit provider holds this 'reasonable belief'. The belief could be held as a result of stress test or audit that was conducted on the behest of the credit provider. This 'evidence' would be peculiarly within the credit provider's knowledge as such an audit or stress test would be carried out as a result of the contractual arrangement that existed between the credit provider and credit reporting body.
3.60 Once the credit provider has demonstrated why it holds this belief the prosecution must refute this beyond reasonable doubt to obtain a conviction (see section 13.3 of the Criminal Code).
3.61 As a result, the risk that a credit provider may be found guilty of an offence for not supplying credit information while the credit provider held the reasonable belief that credit reporting body was not meeting its obligations under section 20Q of the Privacy Act 1988 is low. Accordingly, to the extent this provision might be considered to limit the presumption of innocence, the limitation is reasonable in all the circumstances.
The right to a fair and public hearing
3.62 Article 14 of the ICCPR ensures that everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.
3.63 The amendments included in the Bill can leverage the existing regulation making power in section 331 of the Credit Act that allows regulations to be made that would allow ASIC to issue an infringement notice rather than pursue a civil penalty through a court.
3.64 The explanatory memorandum to the Bill indicates that the Government intends to make a regulation under this power for the purpose of issuing infringement notices for breaches of the Credit Act rather than seeking a civil penalty.
3.65 The ability to issue an infringement notice could be considered to engage the right to a fair and public hearing. However, the right of a person to fair and public hearing by a competent, independent and impartial hearing is not limited by the Bill because the existing regulation making power in section 331 of the Credit Act allows a person to elect to have the matter heard by a court rather than pay the amount specified in the infringement notice.
3.66 Moreover, the Regulatory Powers Act (Standard Provisions) Act 2014 requires that this right must be stated in any infringement notice given to the person. For these reasons the Bill is not considered to limit the right to a fair and public hearing.
3.67 The application of use immunity to only those who claim self-incrimination prior to the examination is consistent with other legislative provisions and the process is clearly explained to an examinee prior to the examination being conducted so it is up to the examinee to assert that right.