Privacy Background Paper - Commissioner for Privacy and Data ...

Background Paper: Privacy

Purpose

The purposes of this paper are to:

• provide a brief account of what privacy means
• trace its development
• examine the way it is protected in Australia
• note some of the major privacy law reform initiatives in Australia

As this is a short background paper, it is not designed to provide a comprehensive review of privacy – much has been written about it by academic commentators, law reform commissions, lawyers and advocates. It functions instead as an introduction to this complex area of law and public policy. Finally, the paper provides a selected chronology of some of the major developments in privacy law (see Appendix 1).

Key concepts

The term ‘privacy’ has proven to be difficult to define. The reason for this is that ‘privacy’ encompasses a bundle of different interests that ‘are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right …“to be let alone.”’¹ The task of defining privacy is further complicated because other areas of the law, such as the law of property, nuisance, defamation, evidence and consumer protection law – to name only a few – can also be used to protect certain aspects of privacy.

In countries with a common law tradition, the foundation of privacy law is generally traced to an article published by Samuel Warren and Louis Brandeis in 1890 entitled ‘The Right to Privacy.’² Warren and Brandeis were concerned about the impact of late nineteenth century developments in technology, such as the development of the news media and photography, on intellectual and emotional life:

Instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops’.³

They argued that those

[r]ecent inventions and business developments call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right ‘to be let alone’.⁴

The article was so influential that within a decade United States courts had recognised a number of privacy torts to redress the harms that Brandeis and Warren had identified. In 1960, William Prosser examined and analysed hundreds of the privacy tort cases that had been determined in the US following the Brandeis and Warren article. He concluded that the law of privacy consisted of four separate invasions of individual interests, these being:

¹ William Prosser, ‘Privacy’, (1960) 48 Cal.L.Rev 383.
² See (1890) 4 Harv.L.Rev 193.
³ Id.
⁴ Id.

1. Intrusion upon an individual’s seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about an individual.
3. Publicity that places an individual in a false light in the public eye.
4. Appropriation of an individual’s name or likeness.

Since that time, Prosser’s four categories have been widely debated.⁵ Some suggest that his four categories should be abandoned and replaced with a single right that involves assessing whether the ‘gravity of the harm to the plaintiff’s privacy interests is outweighed by a privacy policy interest.’⁶ Others have argued that his taxonomy is too limited and is not sufficiently comprehensive. At least one widely-recognised element of privacy is missing from Prosser’s analysis – an individual’s right to control the collection, use and disclosure of her or his personal information.

Daniel Solove, one of the most influential contemporary privacy thinkers, conceptualises privacy under six general headings:

Despite what appears to be a welter of different conceptions of privacy, I argue that they can be dealt with under six general headings, which capture the recurrent ideas in the discourse. These headings include: (1) the right to be let alone – Samuel Warren and Louis Brandeis’s famous formulation for the right to privacy; (2) limited access to the self – the ability to shield oneself from unwanted access by others; (3) secrecy – the concealment of certain matters from others; (4) control over personal information – the ability to exercise control over information about oneself; (5) personhood – the protection of one’s personality, individuality, and dignity; and (6) intimacy – control over, or limited access to, one’s intimate relationships or aspects of life.⁷

Legal protections of privacy

Overview

Australia’s legislative approach to privacy primarily reflects the fourth category of Solove’s conceptualisation of privacy – what has become known as ‘information privacy’. The Privacy Act 1988 (Cth) contains a set of Australian Privacy Principles (APPs) that govern the collection, use, disclosure and handling of ‘personal information’ by Commonwealth government agencies and large private sector organisations. Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.⁸

Victoria, NSW, Queensland, Tasmania and the Northern Territory have legislation containing information privacy principles (IPPs) that govern the collection and handling of personal information by state government organisations and private sector organisations that provide services on their behalf.⁹ The ACT has recently enacted legislation that includes a more limited set of principles.¹⁰ The Office of the Australian Information Commissioner currently exercises the Commissioner’s functions under the ACT legislation.¹¹ In South Australia there is a non-legislative administrative scheme.¹² Western Australia does not have a public sector information privacy regime.

⁵ William Prosser, n1. The four torts that Prosser argues fall under the umbrella of invasion of privacy are generally abbreviated to (1) intrusion on seclusion, (2) public disclosure of private facts, (3) false light, and (4) appropriation.
⁶ Lior Strahilevitz, ‘Reunifying Privacy Law’, (2010) 98 Cal.L.Rev. 2007.
⁷ Daniel Solove, ‘Conceptualising Privacy’, (2002) 90 Cal.L.Rev 1087.
⁸ See Privacy Act 1988 (Cth).
⁹ Privacy and Data Protection Act 2014 (Vic); Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Personal Information Protection Act 2004 (Tas); Information Act (NT). More detail on Victoria’s legislation is provided below.
¹⁰ Information Privacy Act 2014 (ACT).
¹¹ Pursuant to Information Privacy Act 2014 (ACT) s 28.
¹² Published in the South Australia Department of Premier and Cabinet Circular no. 12.

Australian law offers very limited protection for privacy interferences that fall outside the area of information privacy. Some particular provisions in other legislation – for example the Crimes Act 1914 (Cth) and state and territory surveillance devices laws – offer limited privacy protections. However these provisions relate to specific activities such as stalking and unauthorised uses of surveillance devices. While a broad right to privacy is protected under international human rights instruments to which Australia is signatory, this right has only been incorporated into domestic legislation in Victoria and the ACT, and then only to a limited extent.¹³ Similarly, while there have been some judicial movements towards the creation of a common law right to privacy (including under the laws of breach of confidence), the High Court is yet to endorse such a right. Details of privacy protections at international law, Australian common law, and in legislation are discussed below.

International law

International treaties

Privacy is recognised as a fundamental human right in a number of international treaties. Article 12 of the Universal Declaration of Human Rights refers to privacy in these terms:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) – to date ratified by 167 member states – adopts almost identical language:

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

A right to privacy is also contained in the UN Convention on Migrant Workers’ Rights¹⁴ and the UN Convention on Protection of the Child.¹⁵ Although the right to privacy is included in these treaties, the treaty bodies and international legal jurisprudence did little, following its reception into international law, to explain what the right to privacy meant. From 1988, when the UN Human Rights Committee issued its General Comment 16 on Article 17 of the ICCPR,¹⁶ until the Snowden revelations in 2013, the UN treaty bodies had almost nothing to say about the right to privacy.

In 1990 the UN General Assembly adopted the Guidelines concerning Computerized Personal Data Files, requesting states to take them into account in their legislation and administrative regulations. The Guidelines outline principles of ‘minimum guarantees’ that should be provided in national legislation. These principles include such things as: lawfulness and fairness, accuracy, purpose-specification, access, non-discrimination, security, supervision and sanctions and transborder data flows.¹⁷

¹³ The Charter of Human Rights and Responsibilities Act 2006 (Vic) and the Human Rights Act 2004 (ACT) contain limited protections of privacy.
¹⁴ See International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, Adopted by General Assembly resolution 45/158 of 18 December 1990, Article 14.
¹⁵ See Convention on the Rights of the Child, Adopted and opened for signature, ratification and accession by General Assembly resolution 44/25 of 20 November 1989, Article 16.
¹⁶ See http://tbinternet.ohchr.org/_layouts/treatybodyexternal/TBSearch.aspx?Lang=en&TreatyID=8&DocTypeID=11
¹⁷ Guidelines Concerning Computerized Data Files adopted by the General Assembly on 14 December 1990.

Other international initiatives

Some of the earliest attention to information privacy was in the USA. In the early 1970s there were proposals to link a number of federal databases. Concerns about this led, in 1973, to an advisory committee to the Secretary of Health producing a report entitled Records, Computers and the Rights of Citizens.¹⁸ The report proposed a set of fair information practices for protecting the privacy of personal information and recommended a privacy law be enacted for federal agencies. The acceptance of the recommendations became the Privacy Act 1974¹⁹ which embodied a set of five fair information practices, one of which was to limit the use of personal information for purposes unrelated to its purpose of collection in the absence of consent. These principles formed the foundation for the later work of the Organisation for Economic Cooperation and Development (OECD).

In 1980 the OECD published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines). The OECD Guidelines were developed in a pre-internet, mainframe computing era, in response to concerns that cross-border information flows, particularly in the banking, finance and insurance sectors, were being impeded because States were reluctant to permit their citizens’ personal information to be sent across territorial borders unless the receiving State protected the information in the same manner as the sending State. The OECD Guidelines addressed this problem by proposing an information privacy framework that both protected information privacy whilst simultaneously promoting the free flow of information.²⁰

The OECD Guidelines form the basis of all international and national information privacy law (including information privacy law in Australia). Although there are jurisdiction-to-jurisdiction variations in the way they are implemented, they are the universal information privacy law benchmark. The OECD Guidelines establish a set of principles for the fair handling of personal information. There are eight main principles:

• The collection limitation principle – mandates limits to the collection of personal information, requires collection to be by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned.
• The data quality principle – requires personal data to be relevant to the purposes for which they are used and to be accurate, complete and kept up to date.
• The purpose specification principle – requires that the purpose of collecting personal information should be specified at the time of collection and its subsequent use should be limited to that purpose or other compatible purposes.
• The use limitation principle – limits the use and disclosure of personal information to the purpose of collecting it except where there is consent or legal authority to do so.
• The security safeguards principle – requires personal data to be protected by reasonable security safeguards.
• The openness principle – seeks to ensure that developments, practices and policies about the collection and handling of personal information are open and transparent.
• The individual participation principle – confers on individuals a right to obtain access to the personal information an organisation holds about them.
• The accountability principle – requires that organisations that collect and handle personal information are accountable for meeting the requirements of the principles.

The OECD’s stated mission is ‘to promote policies that will improve the economic and social well-being of people around the world.’ It is interesting to note that the OECD’s predominant focus is on economic issues, not human rights per se, and that economic issues drove the development of the international privacy principles.

¹⁸ See https://epic.org/privacy/hew1973report/default.html
¹⁹ See Public Law 93-579, 5 U.S.C. § 552a, http://www.law.cornell.edu/uscode/text/5/552a.
²⁰ This principle is embodied in the objects stated in section 5 of Victoria’s Privacy and Data Protection Act 2014.

The OECD Guidelines were reviewed and updated in 2013.²¹ The 2013 Guidelines are substantially the same as the 1980 version but with added detail around transborder controls and international cooperation.

Recent international developments

In 2013, in response to growing concerns about privacy in the digital era crystallised by the Snowden revelations about mass surveillance by intelligence and law enforcement agencies, the UN General Assembly requested the United Nations High Commissioner for Human Rights to submit a report on the protection and promotion of the right to privacy in the context of surveillance and the interception of digital communications and the collection of personal data. In June 2014 the High Commissioner presented the report The Right to Privacy in the Digital Age. In that Report, the High Commissioner outlined the challenges related to the right to privacy in the context of modern communications technology, and concluded that effectively addressing these would require an ‘ongoing, concerted multi-stakeholder engagement.’²² The High Commissioner recommended that as an immediate measure, states should review national laws and address shortcomings. He also noted the need for further analysis of issues relating to the effective protection of the law, on the principles of necessity, proportionality and legitimacy in relation to surveillance practices, on measures for effective, independent and impartial oversight, and on remedial measures.²³

In March 2015, the UN Human Rights Council resolved to appoint a Special Rapporteur (an independent expert) on the right to privacy. The Council called on all countries to support this new mandate, including by providing all necessary information requested by the Special Rapporteur, to respond promptly to his or her urgent appeals and other communications, to consider favourably his or her requests to visit their countries, and to consider implementing the recommendations made in his or her reports. In July 2015 Professor Joseph Cannataci was appointed as Special Rapporteur on the Right to Privacy. The Special Rapporteur will be responsible for carrying out research, monitoring, and documenting best practices. He will make recommendations to states on the implementation and realisation of the right to privacy, and report periodically to the UN Human Rights Council and General Assembly.

As noted above, despite a broad right to privacy existing in numerous instruments, treaties and accords to which Australia is signatory, a broader right over and above information privacy has been incorporated into few Australian jurisdictions, and to a limited extent only. Current common law protections are also very limited, as outlined below.

Australian common law

Based on a 1930s decision of the High Court in Victoria Park Racing and Recreation Grounds Co Ltd v Taylor,²⁴ for many years it was accepted that there is no common law right to privacy in Australia. The case involved a property owner adjacent to the Victoria Park racetrack allowing a platform to be constructed on his property to view and broadcast the races being run on the track. This facilitated unregulated off-track betting and resulted in attendance at the track plummeting. The track owner sought an injunction to restrain the broadcasting on a number of grounds, including that the neighbour interfered with the track owner’s proprietary right in the spectacle conducted on the track. The privacy issue was ‘how far can one person restrain another from invading the privacy of land which he occupies, when such invasion does not involve actual entry on the land?’²⁵ The High Court decided that there had been no interference with any legal right of the track owner. With respect to privacy, Latham CJ stated:

²¹ See http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
²² United Nations General Assembly, The right to privacy in the digital age: Report of the United Nations High Commissioner for Human Rights, 30 June 2014, 16.
²³ Id.
²⁴ [1937] HCA 45.
²⁵ Victoria Park Racing and Recreation Grounds Co Ltd v Taylor, (1937) 58 CLR 479, 500 (Rich J).

no doubt the owner of a house would prefer that a neighbour should not have the right of looking into his windows or yard, but neither this court nor a court of law will interfere on the mere ground of invasion of privacy; and a party has a right even to open new windows, although he is thereby enabled to overlook his neighbour's premises, and so interfering, perhaps, with his comfort.²⁶

Victoria Park had the effect of stifling further consideration of a tort of invasion of privacy in Australia,²⁷ at least until the matter was again considered by the High Court in 2002 in Australian Broadcasting Corporation (ABC) v Lenah Game Meats Pty Ltd.²⁸ That case involved an injunction being sought to prevent the broadcast of film footage obtained inside a possum meat processing plant by animal rights activists. The challenges facing the protection of privacy in Australia were foreshadowed by Gleeson CJ, who maintained that ‘[t]he law should be more astute than in the past to identify and protect interests of a kind which fall within the concept of privacy.’²⁹ The High Court indicated that Victoria Park was a decision about property law, not privacy, and did not stand in the path of the development of a cause of action for breach of privacy in Australia. While the Court’s majority did not embrace the development of a tort of privacy per se, the judgements indicated that in the future the court may be receptive to arguments that a right to privacy might be recognised.³⁰

Since then trial courts in Queensland and Victoria have recognised a tort of invasion of privacy. In the Queensland District Court case of Grosse v Purvis³¹ Senior Judge Skoien took what he described as the ‘bold step’ of being the first ‘to hold that there can be a civil action for damages based on the actionable right of an individual person to privacy,’³² finding that a prolonged course of stalking and harassment was an invasion of the plaintiff’s privacy.³³ His Honour found that for the purposes of the case before him, the essential elements for the cause of action would be:

a) a willed act by the defendant
b) which intrudes upon the privacy or seclusion of the plaintiff
c) in a manner which would be considered highly offensive to a reasonable person of ordinary sensibilities
d) and which causes the plaintiff detriment in the form of mental, psychological or emotional harm or distress or which prevents or hinders the plaintiff from doing an act which she is lawfully entitled to do.³⁴

In Jane Doe v ABC³⁵ Judge Hampel in the Victorian County Court ruled that an ABC broadcast identifying a woman who had been raped by her estranged husband was a breach of privacy:

I have … come to the conclusion that this is an appropriate case to respond, although cautiously, to the invitation held out by the High Court in Lenah Game Meats and to hold that the invasion, or breach of privacy alleged here is an actionable wrong which gives rise to a right to recover damages according to the ordinary principles governing damages in tort.³⁶

Her Honour awarded the plaintiff a substantial award of damages for overlapping causes of action for breach of statutory duty, negligence and breach of privacy.³⁷ Her Honour declined to state the limits of the cause of action, or to state exhaustively any special defences which should be available.

²⁶ Victoria Park Racing and Recreation Grounds Co Ltd v Taylor, (1937) 58 CLR 479, 469 (Latham CJ).
²⁷ See Australian Law Reform Commission, Unfair Publication: Defamation and Privacy, Report No 11, pp 112-116; Australian Law Reform Commission, Privacy, Report No 22 (1983), vol 2, 21.
²⁸ (2002) 208 CLR 199.
²⁹ Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, 225.
³⁰ Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, 252.
³¹ Grosse v Purvis [2003] QDC 151.
³² Grosse v Purvis [2003] QDC 151, 444.
³³ Ibid [442].
³⁴ Grosse v Purvis [2003] QDC 151, 442.
³⁵ Jane Doe v Australian Broadcasting Corporation [2007] VCC 281.
³⁶ Jane Doe v Australian Broadcasting Corporation [2007] VCC 281, [157].
³⁷ Jane Doe v Australian Broadcasting Corporation [2007] VCC 281, [194].

Partly as a response to slow developments in common law in Australia, there have been a number of calls for the creation of a statutory cause of action (a right to sue created by legislation) for serious invasions of privacy. The Australian Law Reform Commission, NSW Law Reform Commission and Victorian Law Reform Commission have each recommended the creation of a statutory cause of action, and have produced reports including detailed recommendations for the creation of such a right.

Extended action for breach of confidence

In the United Kingdom it is firmly established that an action for breach of confidence may be used to protect individuals from privacy intrusions.

United Kingdom

The United Kingdom has developed privacy rights through what is known as the extended action for breach of confidence. In 2004, the House of Lords stated in Campbell v MGN Ltd (a case concerning disclosure by a newspaper that Naomi Campbell had attended a Narcotics Anonymous meeting), that there is no common law right to privacy in the UK. However, it found that breach of confidence – originally concerned with the wrongful disclosure of information obtained in a confidential setting – has evolved into a wider action concerned with misuse of private information.³⁸ The House of Lords confirmed that the action for breach of confidence ‘has now firmly shaken off the limiting constraint of the need for an initial confidential relationship’.³⁹ In that case it was noted that the right to sue for breach of confidence is available in circumstances involving disclosure of private information only,⁴⁰ and that a threshold of seriousness must be achieved.⁴¹

The elements of this tort have most recently been laid out by the UK’s High Court of Justice in Weller & ors v Associated Newspapers Limited,⁴² where Associated Newspapers Limited published online photos of the musician Paul Weller and his children on a Los Angeles street. In giving judgment, Mr Justice Dingemans applied the established two-limb test for the tort of misuse of private information:

1) whether the claimants had a reasonable expectation of privacy (as set out by the Court of Appeal in Murray v Express Newspapers)
2) balancing all the circumstances, whether the individual’s right to privacy should yield to the publisher’s right to freedom of expression (as identified by the European Court of Human Rights in Von Hannover (No.2)).⁴³

The following factors were considered in relation to test 1):

a) the attributes of the claimant
b) the nature of the activity in which the claimant was engaged
c) the place at which it was happening
d) the absence of consent and whether it was known or could be inferred
e) the effect on the claimant
f) the circumstances in which and the purposes for which the information came into the hands of the publisher.

³⁸ Campbell v MGN Ltd [2004] 2 AC 457.
³⁹ Ibid [14].
⁴⁰ Ibid [64]–[69].
⁴¹ Ibid [27]. See also Murray v Express Newspapers, which states that information does not need to be personal or embarrassing, but is still capable of being personal or intimate: [44]. However, private life does not extend to cases of ‘innocuous, unimportant and unremarkable events’: [59]. See also McKennitt v Ash, [282], [38]-[39].
⁴² [2014] EWHC 1163 (‘Weller case’).
⁴³ Ibid [16]–[17].

In relation to test 2), the following factors were considered:

a) the contribution of disclosure to a debate of general public interest
b) how well known the person concerned is, and the subject of the report
c) the prior conduct of the person concerned
d) the content, form and consequences of the publication
e) the circumstances in which the photos were taken.⁴⁴

The Judge was satisfied that the claimants had established both limbs of the test and accordingly awarded damages, including for emotional distress, to the claimants.

Australia

It wasn’t until 2008 that Australian courts first considered the developments in the UK. In Giller v Procopets⁴⁵ the Victorian Court of Appeal awarded damages (including for non-economic loss) in relation to a claim of breach of confidence resulting from misuse of personal information. The case involved the limited publication of footage of a couple’s sexual activities by one of the parties – by then a disgruntled ex-partner.

In 2015 Giller v Procopets was followed in the Western Australian Supreme Court decision of Wilson v Ferguson⁴⁶ (the ‘Facebook sex-tape case’), a case involving the publication on Facebook of sexual images by an ex-partner without consent. In that case, the Court extrapolated the following elements of the action and found that:

a) the information was of a confidential nature
b) it was communicated or obtained in circumstances importing an obligation of confidence
c) there was an unauthorised use of the information.⁴⁷

As a result, the Court found that Ferguson had breached his obligation of confidentiality owed to Wilson. When considering remedies, the Court found that both injunctive relief and compensation to Wilson were available, and awarded damages, including for emotional distress, for breach of confidence involving a misuse of personal information.

Trespass and nuisance

In some circumstances actions for trespass or nuisance have successfully protected individuals’ privacy. For example in 1986 it was found that uninvited entry onto a premises by journalists with cameras rolling constituted trespass.⁴⁸ In another case it has been held that elaborate and persistent surveillance of a neighbour’s property was a nuisance.⁴⁹ It is important to note that trespass and nuisance are limited in their application to invasions of privacy by the fact that they may only be brought in circumstances involving privately owned land.

⁴⁴ Weller case, [52].
⁴⁵ [2008] VSCA 236.
⁴⁶ Wilson v Ferguson [2015] WASC 15.
⁴⁷ Id.
⁴⁸ Lincoln Hunt (Aust) Pty Ltd v Willesee (1986) 4 NSWLR 457.
⁴⁹ Raciti v Hughes (1995) 7 BPR 14.

Control over personal information

Although the question of whether the law recognises a common law right to privacy in Australia remains open, there is specific High Court authority about the more limited aspect of privacy – control over personal information.

In Johns v Australian Securities Commission⁵⁰ the High Court held that where a statutory power requires the provision of information for a particular purpose, the information may only be disseminated for that purpose. Brennan CJ (with whom Dawson, Gaudron and McHugh JJ agreed) stated:

Information is intangible. Once obtained, it can be disseminated or used without being impaired, though dissemination or use may reduce its value or the desire of those who do not have it to obtain it. Once disseminated, it can be disseminated more widely. A person to whom information is disclosed in response to an exercise of statutory power is thus in a position to disseminate or to use it in ways which are alien to the purpose for which the power was conferred. But when a power to require disclosure of information is conferred for a particular purpose, the extent of dissemination or use of the information disclosed must itself be limited by the purpose for which the power was conferred. In other words, the purpose for which a power to require disclosure of information is conferred limits the purpose for which the information disclosed can lawfully be disseminated or used.⁵¹

Although Johns does not seem to be a widely known decision, Brennan J’s analysis was subsequently approved by the High Court in Katsuno v The Queen.⁵² On its face, Johns applies to all information, not just personal information, and represents the Australian position at common law.

Legislative protection in Victoria

Victoria’s legislative approach to privacy has centred on the fourth category of Solove’s conceptualisation of privacy – control of information about oneself. This is commonly referred to as ‘information privacy’. Information privacy rights in Victoria are established in three primary pieces of legislation, the Victorian Privacy and Data Protection Act 2014, the Health Records Act 2001 and the Commonwealth Privacy Act 1988. In addition, the Victorian Charter of Human Rights and Responsibilities Act 2006 embodies a broad right to privacy consistent with Australia’s international law obligations. These are outlined below.

The Privacy and Data Protection Act 2014

The Privacy and Data Protection Act 2014 (PDPA) replaced the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005. The PDPA governs the collection and handling of personal information (excluding health information) in the Victorian public sector and, uniquely, provides for the establishment of a protective data security regime for the Victorian public sector. The Commissioner for Privacy and Data Protection (CPDP) administers the PDPA.

Part 3 of the PDPA regulates the way personal information is handled by Victorian public sector organisations, including local councils and contracted service providers to Victorian public sector organisations.⁵³ Personal information is defined as:

Information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.⁵⁴

⁵⁰ (1993) 178 CLR 408.
⁵¹ Johns v Australian Securities Commission (1993) 178 CLR 408 at 423.
⁵² (1999) 199 CLR 40.
⁵³ A contracted service provider is a person or body who provides services under a State contract: PDPA, s 3.

Examples of personal information include an individual’s name, address, telephone number, photograph, bank account details, and fingerprints.⁵⁵

The PDPA contains ten Information Privacy Principles (IPPs) which relate to aspects of information collection and handling including collection, use and disclosure, data quality, data security, openness, access and correction, unique identifiers, anonymity and transborder data flows. The IPPs are based on the privacy principles developed by the OECD referred to earlier. An organisation must not do an act, or engage in a practice that contravenes an IPP in respect of personal information collected, held, managed, used, disclosed or transferred by it.⁵⁶

The PDPA also contains three mechanisms that may permit public sector agencies to depart from some IPPs where there is a substantial public interest in doing so. These are:

public interest determinations



temporary public interest determinations



information usage arrangements.

57

These new mechanisms were not in the now repealed Information Privacy Act 2000. They were included in the legislation to provide an authorising environment to ensure that information privacy does not impede the free flow of information (information sharing) where there is a substantial public interest in so doing.58 They were expected to significantly assist in the delivery of public services in the public interest, in particular in areas such as child protection programs where multiple agencies hold information.

In addition to privacy obligations, the Commissioner is empowered to develop, implement and oversee a comprehensive protective data security framework in Victoria. This includes issuing Victorian protective data security standards for the confidentiality, integrity and availability of public sector data. In addition, the Commissioner may issue law enforcement data security standards for the security and integrity of law enforcement data systems and crime statistics data systems.

The PDPA is the first Australian piece of legislation to combine the privacy and data protection domains into a single regulatory framework.

The Health Records Act 2001

Although information pertaining to an individual’s health is considered to be personal information, health information is expressly excluded from the PDPA. The Health Services Commissioner administers the Health Records Act 2001 (HRA) and has jurisdiction over the way that health information is collected and handled by public and private sector bodies throughout Victoria. The HRA contains Health Privacy Principles (HPPs), similar to the IPPs. ‘Health information’ is defined in the HRA as:

a) information or an opinion about—
(i) the physical, mental or psychological health (at any time) of an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual's expressed wishes about the future provision of health services to him or her; or
(iv) a health service provided, or to be provided, to an individual —
that is also personal information; or

b) other personal information collected to provide, or in providing, a health service; or

c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

d) other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.59

54 Privacy and Data Protection Act 2014, s 3.
55 Office of the Victorian Privacy Commissioner, Guidelines to the Information Privacy Principles, 2011.
56 Privacy and Data Protection Act 2014, s 20(1).
57 For more information on these mechanisms, please see CPDP’s Guidelines on Public Interest Determinations, Temporary Public Interest Guidelines, Information Usage Arrangements and Certification.
58 Second Reading Speech for the Privacy and Data Protection Bill 2014.

The Privacy Act 1988 (Cth)

The Privacy Act 1988 (Privacy Act) was passed by the Australian Parliament in 1988. The Privacy Act gave effect, among other things, to Australia's agreement to implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the ICCPR. The Privacy Act regulates personal information held by federal government agencies as well as large Australian private sector organisations – including those operating in Victoria.60 The Privacy Act contains 13 Australian Privacy Principles (APPs), and is administered by the Office of the Australian Information Commissioner.

The Charter of Human Rights and Responsibilities Act 2006

The Charter of Human Rights and Responsibilities Act 2006 (the Charter) is a Victorian law that sets out the basic rights, freedoms and responsibilities of all people in Victoria. The Charter contains twenty human rights that reflect those set out in international human rights instruments, particularly the International Covenant on Civil and Political Rights (ICCPR). The Victorian Equal Opportunity and Human Rights Commission (VEOHRC) administers the Charter.

Section 13 of the Charter embodies a right to privacy that is consistent with Australia’s international law obligations under Article 12 of the Universal Declaration of Human Rights and Article 17 of the ICCPR. Section 13 states:

A person has the right—
a) not to have his or her privacy, family, home or correspondence unlawfully or arbitrarily interfered with; and
b) not to have his or her reputation unlawfully attacked.

The Charter protects human rights in three key ways. First, it acts as a ‘filter’ for new legislation – all new laws to be considered by Parliament require a statement of compatibility, which scrutinises how the new law compares with rights established in the Charter. If there is an inconsistency between a law and a Charter right, the statement must explain why and how.61 The Charter also places an obligation on Courts to interpret all Victorian laws, as far as is possible, in a way that is compatible with human rights.62 Finally, the Charter makes it unlawful for a public authority to act in a way that is incompatible with a human right or, in making a decision, to fail to give proper consideration to a relevant human right.63

The nature of this final obligation was judicially considered most recently in the Supreme Court case of Bare v IBAC.64 That decision endorsed the approach to the interpretation of ‘proper consideration’ taken in Castles v Secretary of the Department of Justice & Ors.65 In Castles, Justice Emerton noted:

Proper consideration need not involve formally identifying the ‘correct’ rights or explaining their content by reference to legal principles or jurisprudence. Rather, proper consideration will involve understanding in general terms which of the rights of the person affected by the decision may be relevant and whether, and if so how, those rights will be interfered with by the decision that is made. As part of the exercise of justification, proper consideration will involve balancing competing private and public interests.66

The majority judges in Bare broadly agreed that, based on the ‘Castles test’, the four key elements that should be present to show that a decision-maker has given ‘proper consideration’ to a relevant human right are:

• understanding, in general terms, which of the rights may be relevant and whether, and if so how, those rights will be interfered with by the decision;
• seriously turning her or his mind to the possible impact of the decision on the person’s human rights and the implications for the person;
• identifying the countervailing interests or obligations of the State; and
• balancing competing private and public interests as part of the exercise of justification.67

59 Health Records Act 2001 (Vic), s 3.
60 The Privacy Act 1988 exempts ‘small businesses’ that have an annual turnover of less than $3m, provided the business does not trade in personal information, see Privacy Act 1988 s.6C (Organisations) and s.6D (Small business and small business operators).
61 Charter of Human Rights and Responsibilities Act 2006, s 28.
62 Charter of Human Rights and Responsibilities Act 2006, s 32.
63 Charter of Human Rights and Responsibilities Act 2006, s 38.

Other laws

A number of other Victorian and federal laws offer privacy protection in specific circumstances. For example, the Crimes Act 1958 (Vic) prohibits the production of child pornography and stalking, and the Surveillance Devices Act 1999 (Vic) prohibits some uses of surveillance devices in Victoria, and the publication of information captured in certain circumstances. Federal laws such as the Aviation Transport Security Act 2004 (Cth) and the Crimes Act 1914 (Cth) also offer privacy protections in certain limited circumstances.

Law reform activity

As technologies have increased in capability and threats to privacy have intensified, so too have moves to reform privacy laws. Major Australian and New Zealand law reform proposals and initiatives are outlined below.

Australian Law Reform Commission

In August 2008 the Australian Law Reform Commission (ALRC) reported on whether the Privacy Act 1988 and related laws continue to provide an effective framework for the protection of privacy in Australia.68 The Report found significant shortcomings, and provided 295 recommendations, which, had they been implemented, would have resulted in a large-scale overhaul of privacy regulation in Australia. In its report, the ALRC recommended the creation of a unified set of privacy principles that would apply to all federal government agencies, the private sector, and state and territory government agencies through an intergovernmental cooperative scheme. It also recommended the enactment of a statutory cause of action for serious invasion of privacy.

64 [2015] VSCA 197 (29 July 2015).
65 [2010] VSC 181 (4 May 2010).
66 Castles v Secretary of the Department of Justice & Ors [2010] VSC 181 at 185.
67 See, eg, Bare v IBAC [2015] VSCA 197 (29 July 2015) at [288].
68 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008).

Implementation

In 2012 the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) amended the Privacy Act to implement the major legislative elements of the Government’s first stage response to the ALRC report. Amendments included:

• replacing different privacy principles for the public and private sectors with a single set of privacy principles (the Australian Privacy Principles (APPs))
• implementing a comprehensive credit reporting system which includes five kinds of personal information
• providing for codes of practice under the APPs and a credit reporting code, including powers for the Privacy Commissioner to develop and register codes that are binding on specified agencies and organisations
• clarifying the functions and powers of the federal Privacy Commissioner, increasing the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.69

In 2014 in a separate report, the ALRC reiterated its earlier calls for the enactment of a statutory cause of action for serious invasion of privacy in its report Serious Invasions of Privacy in the Digital Era.70 This report drew on previous work of the ALRC, and subsequent reports by the New South Wales and Victorian Law Reform Commissions, to provide detailed recommendations on how such a cause of action should operate, including the elements, defences and remedies.

New South Wales Law Reform Commission

In 2009, the New South Wales Law Reform Commission (NSWLRC) released a report, Invasion of Privacy, that examined the adequacy of NSW personal information and health information legislation, with a view to providing an effective framework for the protection of individuals’ privacy. The Commission also recommended the development of a statutory cause of action for invasion of privacy.

Victorian Law Reform Commission

In 2010 the Victorian Law Reform Commission (VLRC) issued its Surveillance in Public Places: Final Report which made a number of recommendations to modernise the Victorian surveillance and privacy legislation, and to create an independent surveillance regulator in Victoria. VLRC also supported the ALRC’s recommendation for the enactment of a cause of action for serious invasions of privacy.

New Zealand Law Commission

In 2010 the NZLC published the final report of an extensive four-part review into privacy: Invasion of Privacy: Penalties and Remedies, which recommended a comprehensive overhaul of NZ privacy and surveillance law.71 In response, the NZ government stated that it was committed to replacing New Zealand privacy legislation with a new Act designed to improve the clarity, certainty, navigability and user-friendliness of privacy regulation. The new Act would incorporate many of the changes recommended by the Law Commission, as well as additional proposals to strengthen the regime. It would retain a principles-based approach to regulating privacy.72

In addition, in response to a Law Commission report into surveillance, the New Zealand government enacted the Search and Surveillance Act 2012. That Act is designed to facilitate compliance-monitoring, and the investigation and prosecution of offences in a manner that is consistent with human rights values by modernising the law of search, seizure, and surveillance to take into account advances in technologies and to regulate the use of those technologies; and providing rules that recognise the importance of the rights and entitlements affirmed in other Acts, including those relating to human rights, privacy and evidence.

69 Id.
70 Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era: Final Report, Report No 123 (June 2014); Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008).
71 See Office of the Privacy Commissioner, New Zealand Law Commission Privacy Review.

Commonwealth House of Representatives Standing Committee

In July 2014, the Commonwealth House of Representatives Standing Committee on Social Policy and Legal Affairs published its Inquiry into Drones and the Regulation of Air Safety and Privacy (Drones Report). The committee noted the wide take-up of UAV use in Australia, and made a number of wide-sweeping recommendations.73 These included the introduction of legislation to provide protection against privacy-invasive technologies (with emphasis on protecting against intrusion on a person’s seclusion or private affairs); to consider simplifying Australia’s privacy regime by introducing harmonised national surveillance laws and neutral definitions of the kinds of surveillance devices; and to consider the regulation of the use of surveillance by law enforcement officers.

Conclusion

Convergence of communications and information technologies, increased capacities of information collection and processing, and a heightened demand for information are placing increasing pressures on Australia’s privacy protection regime. Information privacy laws continue to lag behind developments in technology, and fall significantly short of providing comprehensive protection. For example, laws fail to extend to the activities of small organisations or individuals; and they are ill equipped to deal with newer surveillance and information-gathering technologies. Further, there is very little protection outside the sphere of information privacy – either at common law or under legislation – against unwanted invasions of privacy.

The extent to which Australian privacy law remains robust and effective will depend partly on its capacity to deal with these challenges and new issues as they emerge. Some key issues requiring resolution include:

1. Should information privacy legislation be expanded to address the large gap in coverage of the private sector, i.e. ‘small businesses’ (most Australian businesses) and individuals?
2. How can information privacy legislation better allow for appropriate information sharing in certain circumstances, such as to support action to reduce the harm of domestic violence and to protect children?
3. How should the law regulate devices and technologies with rapidly expanding surveillance capabilities, such as unarmed aerial devices and biometrics?
4. How can privacy laws become robust enough to address modern information technology phenomena, such as ‘big data’ and the ‘internet of things’?
5. Should Australia introduce a statutory cause of action for serious invasions of privacy? Or should we leave it to the common law?

72 New Zealand Ministry of Justice Government Response to Law Commission Report ‘Review of Privacy Act’.
73 Standing Committee on Social Policy and Legal Affairs, Parliament of Australia, Eyes in the Sky: Inquiry into Drones and the Regulation of Air Safety and Privacy (2014) 5., 6–12.

Appendix 1: Evolution of Victorian and Australian privacy law

Date

Event

1890

Warren and Brandeis publish their seminal text ‘The Right to Privacy’ in the Harvard Law Review.

1901

Commonwealth of Australia established. Federal Constitution contains no right to privacy.

1937

High Court of Australia decides, in Victoria Park Racing & Recreation Grounds Co Ltd v Taylor, that there is no general common law right to sue for breach of privacy.

1948

The United Nations General Assembly adopts the Universal Declaration of Human Rights. Article 12 states ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation. Everyone has the right to the protection of law against such interference or attacks’.

1966

Article 17 of The International Covenant on Civil and Political Rights (ICCPR) provides protection against arbitrary interference with an individual’s privacy. ICCPR adopted by the United Nations General Assembly on 16 December 1966 and ratified by Australia on 13 November 1980.

1969

Sir Zelman Cowen’s ABC Boyer lecture ‘The Private Man’ gives privacy fresh prominence beyond the province of specialists.

1974

The US Privacy Act 1974, containing five fair information handling practices, is enacted.

1980

The OECD publishes its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

1983

Australian Law Reform Commission publishes its Privacy report. The report includes a draft privacy bill and proposes the appointment of a Privacy Commissioner and the establishment of Information Privacy Principles.

1984

Australia officially adopts the OECD Guidelines, which form the basis of the Information Privacy Principles contained in the Privacy Act 1988 (Cth).

1985

The Commonwealth Government proposes introducing the Australia Card, a national identification system. The Australia Card Bill 1985 (Cth) is defeated in the Senate. It was reintroduced in 1987, without change, and was defeated again.

1986

The Commonwealth government introduces the Privacy Bill 1986 (Cth), drawing on the ALRC Privacy report of 1983. The Bill is withdrawn.

1988

In December, the Commonwealth Government passes the Privacy Act 1988 (Cth), regulating most federal public sector agencies. Australia's first Federal Privacy Commissioner appointed.

1989

Privacy Act 1988 (Cth) takes effect 1 January 1989. The Act gives effect to Australia’s agreement to implement the OECD Guidelines and its obligations under Article 17 of the ICCPR.

1991

In January, the Commonwealth government passes the Data-matching Program (Assistance and Tax) Act 1990 (Cth), which creates a specific statutory scheme for data matching. This Act allows for personal information to be exchanged between several federal public sector organisations, including the Australian Taxation Office, Veterans’ Affairs and Centrelink.



1993

Johns v Australian Securities Commission rules that where a statutory power requires the provision of information for a particular purpose, the information may only be disseminated for that purpose.

1995

In October, the European Union (EU) adopts the Data Protection Directive. All 15 EU member states required to enact comprehensive privacy legislation within three years. The EU Directive prohibits the transfer of personal data to countries without adequate privacy protection.

1996

In January, the Victorian Government establishes the Data Protection Advisory Council to advise on the most appropriate regulatory regime to protect personal information in the public and private sectors. The Council recommends the introduction of data protection legislation to cover the public and private sectors.

1998

After consultation with the private sector, the Federal Privacy Commissioner and the Attorney-General release in February new voluntary privacy guidelines for the private sector – the National Principles for the Fair Handling of Personal Data.

In May, the Commonwealth Government introduces the Privacy Amendment Bill 1998 to give effect to the government’s decision to extend the application of the Privacy Act to contractors holding personal information in relation to services provided to the Commonwealth. The Bill lapses with the end of parliament.

In November, the Privacy and Personal Information Protection Act 1998 (NSW) is passed. The Act requires State public sector organisations to comply with information principles and establishes the New South Wales office of the Privacy Commissioner. The Act takes effect in stages from 1 February 1999, with full operation from July 2000.

In December, the Victorian Government introduces the Data Protection Bill 1999 into Parliament to apply to both the private sector and the state public sector, with the stated intention of being able to adjust the Act if suitable federal private sector privacy legislation comes into effect. The Bill lapses with the change of government in October 1999.

In December, the Commonwealth Government passes the Privacy Amendment (Office of the Privacy Commissioner) Act 1998, which creates the office of the Privacy Commissioner as a separate statutory authority. Prior to this Act, the Privacy Commissioner was a member of the Human Rights and Equal Opportunity Commission.

2000

In May, the Victorian Government introduces the Information Privacy Bill (successor to the Data Protection Bill 1999). Victoria's privacy scheme is limited to covering only state government agencies, local councils and certain contracted service providers. Health information is excluded from the Bill, with the intention of separate complementary legislation being later introduced. In November, the Victorian Parliament passes the Information Privacy Act 2000. From December, the Privacy Amendment (Private Sector) Act 2000 (Cth) becomes enforceable and individuals from this date can lodge complaints relating to privacy breaches by private sector entities covered by this law.

2001

In April, the Health Records Act 2001 (Vic) is passed, requiring compliance with Health Privacy Principles (HPPs). Covers health information handled by the Victorian public and private sector and gives individuals a limited right of access to their medical records. The Health Services Commissioner is given the responsibility of implementing the Act, including handling health privacy complaints.

The Information Privacy Act 2000 comes into operation in stages from 1 September 2001, with public sector organisations given 12 months to review their practices to become compliant with the IPPs.

In November, the High Court reconsiders the 1937 Victoria Park Racing case (see above) in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, and appears to open the way for consideration of a tort of invasion of privacy for individuals, but not corporations.

2002

Victorian Health Records Act 2001 and its Health Privacy Principles become legally binding from 1 July 2002.

The Victorian Information Privacy Act becomes fully operational on 1 September 2002 and individuals can lodge complaints with the Victorian Privacy Commissioner.

2003

Queensland District Court (following Lenah Game Meats) allows damages for a breach of privacy in the case of Grosse v Purvis.

2007

Victorian County Court is the second Australian Court to award a plaintiff damages for conduct that amounts to a breach of an individual's personal privacy in the case of Jane Doe v Australian Broadcasting Corporation.

2008

The Australian Law Reform Commission (ALRC) releases its comprehensive report For Your Information: Australian Privacy Law and Practice: Final Report. This includes 295 recommendations, which, if implemented, would result in a large-scale overhaul of privacy regulation in Australia.

2009

In October, the Commonwealth Government releases the first stage of its response to the ALRC proposals. It makes an extensive commitment to redrafting and updating the structure of the Privacy Act and strengthening and clarifying the Privacy Commissioner’s powers and functions.

2010

The Office of the Australian Information Commissioner (OAIC) is established under the Australian Information Commissioner Act 2010 (Cth). This office incorporates the Australian Information Commissioner, the Privacy Commissioner and the Freedom of Information Commissioner.





2014 March

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 comes into operation, enacting a number of ALRC proposals and making many significant changes to the Privacy Act. The changes include a new set of Australian Privacy Principles (APPs) to regulate both Australian Government agencies and large businesses. Changes are also made to credit reporting, and to enhancing OAIC’s regulatory powers.

2014 September

Victoria’s Privacy and Data Protection Act 2014 (PDPA) becomes fully operational. The PDPA repeals the Information Privacy Act 2000 and the Commissioner for Law Enforcement Data Security Act 2005. It merges the previous roles of the Victorian Privacy Commissioner and the Commissioner for Law Enforcement Data Security to create a single Commissioner for Privacy and Data Protection. Many of the PDPA’s privacy provisions mirror those of the former Information Privacy Act 2000, including preserving the IPPs. However, in common with other Australian privacy legislation, the PDPA introduces new mechanisms that will permit public sector agencies to depart from some IPPs where there is a substantial public interest in doing so. The PDPA also empowers the Commissioner to develop, implement and oversee a comprehensive protective data security framework in Victoria.

2015 January

The Supreme Court of Western Australia awarded equitable compensation, including for emotional distress, in a breach of confidence action involving a misuse of personal information in the case of Wilson v Ferguson (the ‘Facebook sex-tape case’).



Publication date: December 2015

Please note that the contents of this publication are for general information purposes only, and should not be relied upon as legal advice. CPDP does not guarantee or accept legal liability whatsoever arising from, or connected to the accuracy and reliability of the contents of this document. We encourage your organisation to obtain independent legal advice as necessary.