Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)
3.1. Regulatory framework overview
The starting point for developing an effective regulatory framework for credit reporting is to accept that credit reporting is ‘different’ to most other information practices. It raises a complex combination of privacy, consumer and economic issues that may never be adequately addressed in a single regulatory instrument.
From a privacy perspective, credit reporting needs to be dealt with by a specific approach, as consent, the usual privacy protection, is not available as a practical protection in the credit reporting environment.
From a consumer protection perspective, credit reporting is a small subset of broader consumer issues in the marketing and provision of credit, and is difficult to regulate as a stand-alone function.
In addition, there is a broader debate about the style and structure of effective regulation in Australia:
- Responsive regulation
John Braithwaite has developed a theory of ‘responsive regulation’ that has become very popular in Australia. Broadly, this theory argues that the degree of government regulation should depend upon the behaviour of those regulated. In the credit reporting environment this approach would encourage the development of a tiered approach to regulation, with an industry Code containing the majority of requirements, and legislation only coming into play in ‘response’ to specific concerns. In practice, the credit reporting sector already has a long history of problems in areas like data quality that have resulted in regulation being escalated to the legislation layer. Once there, it is difficult for the industry to justify their return to the self-regulatory layer without being able to display significant improvements.
- Hybrid regulation
The use of hybrid regulatory systems has significant support in Australia. This approach is particularly concerned with ‘quasi-regulation’, a system of regulation that is not explicitly government regulation (i.e. not all regulation is black-letter law) but with which private sector bodies are encouraged by the government to comply. Hybrid regulation might also involve ‘co-regulation’, where the regulation is created by industry but is underpinned by legislation. The majority of financial services regulation in Australia is a form of hybrid regulation.
The following advice on the development of an efficient regulatory framework for credit reporting is based on a tiered or hybrid regulatory approach.
This broad approach is consistent with the proposals of the ALRC in DP72. Their regulatory framework is summarised as follows:
[T]he ALRC proposes a model for new credit reporting regulation. Under this model, the credit reporting provisions of the Privacy Act would be repealed and credit reporting regulated under the general provisions of the Act and the proposed UPPs. Privacy rules imposing obligations on credit reporting agencies and credit providers specifically would be promulgated in regulations under the Act in the proposed Privacy (Credit Reporting Information) Regulations.
In addition, the ALRC proposes the development of an industry Code:
Proposal 50-11: Credit reporting agencies and credit providers should develop, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, an industry code dealing with operational matters such as default reporting obligations and protocols and procedures for the auditing of credit reporting information.
The findings and recommendations in this Report are also based on several key assumptions about credit reporting:
- Credit reporting is different from most information practices and cannot be effectively regulated by generic privacy law;
- Credit reporting is difficult to separate from the marketing and provision of credit, so credit reporting regulation needs to be considered together with general credit regulation; and
- The ALRC review of privacy legislation is an important opportunity to achieve reform of credit reporting regulation, but it is not the only appropriate forum for reform.
The result of applying these assumptions is that the regulatory framework clearly requires multiple elements or layers. This Report finds that the development of an effective regulatory framework for credit reporting requires three broad elements:
- General principles;
- Detailed regulations; and
- Industry operating rules.
However, the exact application and location of these three elements needs to take into consideration the overlap between privacy and consumer protection issues.
Using this structure, the Report makes the following findings:
 Braithwaite J, Rewards and Regulations, Journal of Law and Society, vol 29, no 1, March 2002, pages 12–26,
 Commonwealth Inter-Departmental Committee on Quasi-Regulation, Black-Letter Law, December 1997, <http://www.obpr.gov.au/__data/assets/pdf_file/0006/69666/greyletterlaw.pdf>.
 Paragraph 50.160, DP72.