Speech by Mark Hummerston, Assistant Privacy Commissioner, presented to the SOCAP - Swinburne Consumer Affairs Course, Melbourne,  2 October 2007. 

Introduction

Good afternoon, and thank you for your invitation to speak here today.

As I was collecting my thoughts about this presentation last week, two things occurred almost simultaneously.  As I was researching some of the Australian Law Reform Commission's publications, I noted that their Issues Paper (No. 31) Review of Privacy asked the question "Is Privacy passé?"

After all, in a time where safety, security and the threat of terrorism is often used to justify almost sweeping aside civil liberties, should the Privacy Commissioner be packing her bags and quietly slipping away?

As I pondered this the inevitable email blinked onto my computer screen - a news update from South Africa.  The news item was headed "Keeping what's personal under wraps".  The article began by saying:

"PEOPLE uneasy about the way in which their private information is used will no longer have reason to fear."

A new law is in the pipeline to regulate the way in which business is allowed to use and handle people's personal information.

For the past decade, SA has fallen behind compared to the regulatory environments of other developed and emerging economies, says Saret van Loggerenberg, senior manager in advisory services at KPMG.

There are more than 30 countries that have passed information privacy laws and the number of jurisdictions is steadily growing. Van Loggerenberg says the possible development of information privacy legislation for SA is in line with international trends.

 Information protection forms an element of safeguarding a person's right to privacy.

It provides for the legal protection of a person in instances where his or her personal information is being collected, stored, used or communicated by another person or institution."

So, no need to pack bags just yet!  Privacy is alive and well and continues to be a real concern.  The Office of the Privacy Commissioner recently commissioned a study of community attitudes[1] towards privacy.  This 2007 study was a follow-up to similar studies we conducted in 2001 and 2004.  The responses contained in the Community Attitudes Survey reinforce the view that privacy is an issue of increasing resonance with the community.

Some 69% of respondents to the survey said they were aware that Federal privacy laws existed.  Community awareness of the laws has more than doubled since first measured in 1994, when 36% said they were aware.

The level of awareness has increased significantly each subsequent survey - 43% in 2001 and 60% in 2004.

However, the survey also revealed that the community remains unsure as to the extent of coverage of the Privacy Act.  Most respondents correctly nominated that it covers government and big business.  Significant proportions also believe it applies to state government, small businesses and businesses domiciled overseas.  The majority correctly believed that the Act relates to correct handling of personal information.  However, over half also believe that some matters relating to personal privacy, for example their neighbours spying, were also covered by the Privacy Act.

And hopefully of interest to an audience of practitioners, the community continues to be quite discerning about the level of trust it places in various organisations to handle their personal information appropriately.

One significant change from our last survey (2004) is an increase in trust for health service providers and Government departments.  Trust levels have however declined for financial institutions.  Trust remained stable for charities, retailers, market research organisations and businesses selling over the internet - albeit at low levels for some groups.

Emerging issues

A great deal has changed since the Privacy Act was enacted in 1988.

There have been changes to the way Australians think about privacy, changes to the manner and speed in which personal information is handled, particularly as a result of technological developments, and there has also been the arrival of the internet as a mainstream source of public information and interaction.

In the Office's experience, one thing that hasn't changed is that Australians still deeply value their privacy as a necessary condition for living an independent, fulfilling and dignified life.

The current principles under the Privacy Act are based on the OECD data protection guidelines that were developed almost 30 years ago.[2]  At that time:

• personal computers were scarce, and the internet did not exist
• there was little of biometric technology beyond ink fingerprints
• international counter-terrorism initiatives were not the focus they are today
• surveillance systems like closed circuit television and global positioning systems were not as widespread and
• mobile phones and camera phones were a distant prospect

These modern-day phenomena have changed the circumstances surrounding data protection.  Nevertheless, the Office believes that the Privacy Act has served the community well since its enactment in 1988.

Privacy is important but of course, complete anonymity or isolation from the rest of society is neither possible nor desirable.  There will always be interactions that require individuals to be ''knowable' to another person or organisation, just as individuals will often want to share their personal information with particular people and organisations.  Privacy laws are not designed to obstruct those interactions. Rather, privacy laws are about making sure that individuals have control, to the extent possible, over when their personal information will be collected by others, and how their personal information is subsequently used. 

The Office also recognises that privacy must be protected alongside other societal interests such as free speech, security and commercial efficiency.  Indeed, the Office notes that when the private sector provisions were introduced into the Privacy Act, they were intended to be responsive to both business and consumer needs.[3]

The right to privacy is not absolute - it is often necessary to balance privacy with other important social interests, such as the safety and security of the community.  However, this should not diminish the role played by privacy in democratic societies in according individuals the freedom to pursue their daily lives with appropriate respect, dignity and anonymity.

Anonymity

Do individuals have a right to remain anonymous?

The short answer is "yes".  The National Privacy Principles require that wherever it is lawful and practicable, organisations must give people the option to transact anonymously (NPP 8).

Anonymity is an important element of privacy.  However, in some cases, it will not be practicable to do business anonymously, such as where an individual's personal information is fundamental to the transaction.  In others cases there will be legal obligations that authorise or require the individual to be identified or to show proof of their age, for example, government regulation such as a licensing law.

The primary question for an organisation in deciding whether to collect personal information is:

"Is it lawful and practicable to transact with an individual without collecting their personal information?" 

In some cases, a law may require that an individual be identified such as with some licensing laws or laws intended to prevent money laundering (though such laws may only require that the personal information be sighted, not copied and retained).  If no such laws apply, then it would be lawful for the customer to transact anonymously.  An organisation would then need to consider whether it is also practicable.  For example, knowing the name and contact details of an individual may be essential to the transaction being entered into, and the organisation would therefore be able to collect necessary personal information.

However, if it is both lawful and practicable for the individual to transact anonymously, then the organisation should not collect the personal information.  If not, then the organisation may collect the personal information as long as it complies with the NPPs.

Surveillance

Just recently the Sydney Morning Herald carried an article "There is nowhere to hide", examining the increasing incidence of surveillance - particularly by closed-circuit television cameras (cctv) in Sydney.  The article began:

"On Monday morning as you wait for your train, wave at the camera. It is there to protect you.  When you enter your office, smile into the building's surveillance system.  After you have sat for a lunchtime portrait in the mall, remove any lettuce from your teeth before the ATM takes its snapshot, and be mindful you don't jaywalk under the gaze of traffic cameras.  Later, if a colleague offers you a ride home, straighten your collar - you don't want to look suspicious in the car park video.

Welcome to the security-conscious century in security-conscious Sydney where surveillance, private and public, is seemingly everywhere: buses, taxis, airports, main streets, shopping centres, parks, stadiums, traffic hot spots, lifts, banks, casinos, convenience stores and beyond."

The Office of the Privacy Commissioner was recently asked if there had been a substantial growth in the proliferation of cctv in Australia.  I have to say "we don't know".  Increasingly cctv is being installed by all levels of government and at least equally by the private sector.  It is difficult to offer a single, consolidated figure.

A 2005 research note by the Australian Parliamentary Library cited Australian Institute of Criminology figures that, as at October 2002, Sydney had 48 open-space cameras, Brisbane 44, Perth 105, Melbourne 23, Hobart 7, Adelaide 33 and Canberra 15.  Some regional and rural areas also had similar numbers of cameras operating.

Perth installed a cctv system in 1991 - Australia's first - to monitor a city square.  By 2002 some 33 local government areas had cameras installed.  By 2006 the number had doubled to 66 local councils.

The number of cctv cameras in other environments is difficult to quantify.  By way of example, it is understood there are 5,500 cameras used in the public transport system in South East Queensland, while in NSW CityRail has more than 6,200 cameras.

The Australian Security Industry Association suggests that a "very rough estimate" puts the number of cameras monitoring Sydney at somewhere between 40,000 and 60,000.  Smile for the cameras!

If those numbers surprise you, then perhaps be grateful you are in Australia and not Britain.  Richard Thomas, the UK's Information Commissioner, has expressed the concern that Britain is "sleepwalking into a surveillance society".  How so?  It has been reported that Britain has more than 4 million cctv cameras in place, and the average Londoner can expect to be photographed up to 300 times per day.

So what do Australians think about the increasing prevalence of cctv?

I referred earlier to our study of community attitudes towards privacy.  The study sought to "understand Australians' changing awareness and opinions about privacy laws, how they apply to government and business and how individuals view a range of emerging issues, in particular, identity fraud and theft and the use of closed circuit television".

Our survey revealed that most Australians - some 92% - are aware of cctv.  Of interest is that 88% of Australians under the age of 24 said they were aware of cctv.  Amongst those aware of cctv, 79% said they were not concerned about the use of cameras in public places.  Older people were less concerned than younger people.  And perhaps of interest to you, Victorians showed higher levels of concern than other Australians.

Although 80% of Victorians said they were "not concerned", about 16% said they were "somewhat concerned" - higher than for the rest of Australia.  However, the "very concerned" category seemed stable at less than 5% across Australia.

Our study did explore what it was that people were concerned about in relation to cctv.  Of those expressing concern, about 54% (comprising 60% of males and 45% of females) were worried that the camera footage might be misused.  45% felt cctv was an invasion of privacy (42% males, 49% females), around 13% felt "uncomfortable" with cctv surveillance and a small proportion (4%) felt that cctv was not effective in stopping crime.

Law enforcement agencies are generally very enthusiastic about surveillance cameras.  They point to the role surveillance cameras play in solving crimes.  One well-known example often cited is the 1993 murder of three year old Jamie Bulger in Britain.  CCTV captured chilling footage of two 10 year old boys leading Jamie away from a shopping centre.  The boys were subsequently convicted of killing Jamie.

Much closer to home and most recently, a cctv camera recorded the three year old Qian Xun being left at the foot of the escalators at Southern Cross Railway Station on Saturday 15 September this year, here in Melbourne.

There is some evidence to suggest that cctv is potentially effective in detecting crime (particularly violent crime), but not particularly effective in preventing crime.  The most recent analysis I could find was Professor Paul Wilson's "Crime and CCTV in Australia: Understanding the Relationship"[4] - which might be a useful starting point for those who want to explore this aspect further.

So just what does the Office of the Privacy Commissioner think about the use of cctv for surveillance?

As I said earlier, the right to privacy is not absolute - it is often necessary to balance privacy with other important social interests, such as the safety and security of the community.

In practice, the Office would suggest that optical surveillance measures such as CCTV systems should only be pursued where necessary to achieve a clear objective and where such measures constitute a proportional response to a defined threat or problem.

Surveillance should be conducted in accordance with any laws, such as workplace surveillance laws.  It should not be unreasonably intrusive, and there should be notification when it is taking place.  In addition, surveillance measures should be subject to appropriate oversight to ensure that personal information is not misused and to provide individuals with a framework to seek a remedy if it is.

ID scanning

With the adoption of new technologies by many businesses, the practice of scanning ''proof of identity' documents is becoming more common.  For example, the growing practice of licensed premises scanning driver's licences before permitting entry to the club or pub.  Often these organisations say that they are required, usually under the relevant State's licensing laws, to ensure that those entering the premises are of a legal age to be able to do so.

Commonly, the driver's licence is scanned and stored in an electronic format. 

Interestingly, our Community Attitudes study found only 18% of individuals surveyed felt it was acceptable for identification documents to be copied or scanned in order to obtain entry into licensed premises.

What are the concerns people have expressed?

Firstly, personal information collected by scanning is digitised and has the potential to be used or disclosed for other purposes, such as direct marketing or the creation of customer databases.  Individuals may be concerned that scanned and electronically stored personal information can be matched to personal information held by other organisations.  This can create a detailed picture of how they go about their day to day activities.

With the rise of identity crime, there are also legitimate community concerns about possible misuse of personal information, especially with regard to identity information contained on driver's licences and other proof of identity documents.

Individuals are also concerned that the stored personal information could be compromised through hacking, computer theft or other inappropriate access.  Those who steal the personal information may be able to do significant damage to the individual, whether by committing financial, credit card or identity fraud.

A business may only scan customers' identity documents if it is necessary for its functions or activities.  In the first instance businesses should consider whether identification is required and, if so, whether simply sighting a ''proof of identity' document without scanning it would be sufficient.

Businesses that do seek to use scanning technology must make sure they comply with the National Privacy Principles in the Privacy Act, which regulate the collection and handling of personal information by businesses. In general, if an organisation scans customers' identity documents, the Privacy Act requires that, among other things, the organisation:

• collect only necessary personal information;
• give customers information about why it is collecting their personal information and how it will be handled;
• only use or disclose the personal information for the purpose of the collection, unless an exception applies;
• only retain the scanned personal information for as long as necessary, consistent with the collection purpose;
• store the personal information securely and allow access to it by the individual if requested.

Businesses may be able to have greater confidence about meeting their obligations under the Privacy Act by getting the express consent of customers before scanning identity documents.  Seeking consent is also good privacy practice and likely to promote trust between the customer and business.

I should note that if organisations collect health or other types of sensitive personal information by scanning, the Privacy Act says that they must get consent. 

What is ''sensitive' personal information and how does it affect the collection of proof of identity documents?

The Privacy Act recognises that some personal information, such as health related information and information about racial and ethnic origin, is considered ''sensitive' and affords the management of this personal information a higher level of protection.  Health information relates not only to the individual's existing health matters, but also includes information about the individual's wishes concerning future health services.  For example, the organ donor information recorded on some driver's licences is sensitive personal information.

Under NPP 10 an organisation is required to obtain the individual's consent to collect sensitive personal information, unless one of the exceptions specified in NPP 10 applies when collecting the personal information. 

What advice does the Privacy Commissioner offer?

Organisations should avoid routinely scanning identity documents unless the information they contain is necessary for one of its functions or activities.  If there is valid reason for such scanning and collection, then the personal information must be handled in a manner that complies with the Privacy Act.

Organisations should pay particular attention to the notice they provide to individuals at the time of collecting personal information and the fact that they are required to limit the collection to that which is necessary for their functions or activities.

Organisations are also required to limit the secondary use or disclosure of the personal information, and must ensure that they have robust security measures in place to protect that personal information.

Organisations that implement practices consistent with the NPPs, including ensuring they have a privacy policy in place, are in a better position to protect their customers' privacy and to avoid having a privacy complaint lodged against them with the Office of the Privacy Commissioner.

Law reform

Two weeks ago the Australian Law Reform Commission released its Discussion Paper 72 - Review of Australian Privacy Law.

The ALRC describes its discussion paper as "a blueprint with 301 proposals for overhauling Australia's complex and costly privacy laws and practices".  ALRC President, Professor David Weisbrot, has said that the discussion paper is the product of the largest public consultation process they have ever undertaken.  Some 300 submissions were received, and more than 170 meetings held, including meetings with business, consumers, young people, health officials, technology experts, privacy advocates and regulators.

Time does not permit me (and I am sure you are grateful that it doesn't) to recap all 301 proposals for reform of privacy law advanced by the ALRC.

However, I would like to touch upon one or two of the proposals, and then perhaps encourage you to visit the ALRC website and examine some of the other issues raised.

The Privacy Commissioner has said that the ALRC's review presents a "once in a generation" opportunity to influence the shape of privacy law in Australia.  For almost 20 years the Privacy Act has generally served Australia well.  However, in a time of rapidly changing technology and community expectations an assessment of the effectiveness of privacy laws is necessary to ensure they continue to meet the diverse needs of the Australian community.

One set of privacy principles

There are two sets of privacy principles in the current Privacy Act:

• The Information Privacy Principles (IPPs) apply to handling of personal information by federal and ACT public sector agencies. This includes government departments and government agencies, such as Centrelink.
• The National Privacy Principles (NPPs) apply to many private sector organisations. These include many businesses, such as banks and insurance companies, as well as many not-for-profit organisations, such as community-based associations and sporting clubs.

While the two sets of principles are similar in many areas, there are also some important differences.  For example, only the NPPs have special rules on the handling of sensitive information and the transfer of personal information overseas.

Our view, and a view held by many others, is that the two sets of principles cause confusion.  In some instances, for example when Australian Government services are outsourced to a private or not-for-profit organisation, an organisation may be bound by both the IPPs and the NPPs in relation to information that it handles in providing those services.

On releasing the ALRC discussion paper Professor Weisbrot noted that:

"The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy. The ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights."

The Privacy Commissioner agrees.   

A central theme of the Office's submission to the ALRC was the need for national consistency in privacy legislation.  Increased regulatory consistency we believe will reduce the compliance difficulties for agencies and organisations and empower individuals to understand and exercise their privacy rights with less confusion.

One way the Office believes regulatory complexity can be reduced is through the creation of a single set of privacy principles in the Privacy Act.  These principles would replace the two separate sets of principles that currently regulate Australian and ACT Government agencies (the IPPs) and the private sector (the NPPs).  A single set of principles could also serve as a model for uniform privacy legislation, which could be implemented across Australian jurisdictions. 

The Office recommended the development of a single set of principles for both Australian government agencies and private sector organisations relating to:

• Anonymity

We think this principle could include that where possible, agencies and organisations must permit individuals to interact with them anonymously.  There could be a positive obligation on an agency or organisation to ensure that the individual is provided with the choice as to whether or not to interact anonymously, if practicable.

• Notice and openness

Notification should be provided before collection of personal information begins and focuses on providing information that allows individuals to make an informed choice.

Openness relates to providing the individual with information regarding the personal information held about them, for what purposes it's used, how it is handled, and how they can access it.  Openness focuses on informing the individual of the agency's or organisation's personal information management policies. 

• Collection

Organisations and agencies should be limited to collecting personal information only for a purpose which is stated in the notice provided.  A purpose for collection needs to be provided in a clear way that does not allow it to be changed significantly over time.  Further, collection should not be undertaken in an ''unreasonably intrusive way' or by ''unfair means'.

• Collection of sensitive information

Consistent with the present NPP 10, agencies and organisations should be required to obtain consent from the individual before collecting sensitive information.  The current exceptions in NPP 10 should be retained.

• Use and disclosure

The Office considers that use and disclosure should be included in the same principle as occurs in the NPPs.  This will assist in providing a consistent approach for the handling of personal information and may go some way to alleviating some of the confusion that surrounds the identification of whether certain activities are considered a ''use' or a ''disclosure'.

• Quality

The quality of personal information is a fundamental principle in any information handling context.  It is particularly important in the context of information gathering which may lead to individuals either accessing or being denied access to services.  Organisations and agencies should be required to take reasonable steps to ensure that the personal information they collect is accurate, up to date and complete for the stated use and or disclosures.

• Security

Personal information held by organisations and agencies must be kept secure and there could be a positive obligation on organisations and agencies to implement appropriate safeguards to protect the personal information they collect and handle.  The level of safeguards should be appropriate to the sensitivity of the personal information held, i.e. the more sensitive the personal information is, the greater the security safeguards required.

• Access and correction

It is, in the Privacy Commissioner's view, a fundamental principle of fair information handling that individuals be able to access and correct information about themselves.

• Transborder data flows

Generally speaking, individuals should know when their information is transferred to another jurisdiction and how it will be used and protected.

• Identifiers

The Office believes that the current provisions (NPP 7) appear to be satisfactory in achieving the aim of ensuring that Australian government identifiers do not become de facto national identity numbers or used by private sector organisations as identifiers.

Limiting the use of identifiers is important for the privacy of individuals. Identifiers are used for the provision of important basic services and are used with high frequency, requiring that a special principle limiting their use.

The Office also considers there is a need to ensure that personal information such as biometric template information falls within the definition of identifier. 

A new tort?

Perhaps one of the more controversial proposals arising from the ALRC's discussion paper - and a topic also the subject of recent examination by the NSW Law Reform Commission - is whether or not there ought to be a cause of action for an "invasion of privacy".

The ALRC has proposed that the Privacy Act provide a statutory cause of action for invasion of privacy in circumstances, such as where:

'' there has been interference with an individual's home or family life;

• an individual has been subject to unauthorised surveillance; or
• sensitive facts about an individual's private life have been disclosed.

The ALRC notes that the Privacy Act as it is currently formulated concerns the privacy of personal information.  It does not deal with other aspects of privacy, such as a right to enjoyment of home or family life, or a right to freedom from surveillance.

"Some overseas jurisdictions have introduced legislation to protect a right to privacy and some court decisions in Australia and overseas have suggested that the common law may eventually evolve to recognise such a right. Based on community feedback, the ALRC proposes that such a right should be recognised formally in the Privacy Act."

The ALRC notes that its proposal "would allow an individual to take action in court to seek a range of remedies, including compensation.  It would apply only where there is a reasonable expectation of privacy, and where the action that is the subject of the complaint is serious enough to cause substantial offence to an ordinary person".

Such a proposal represents a significant change.  The ALRC has suggested that such a change avoids a piecemeal introduction of such a right, as is currently occurring through the common law.

As might be expected, there is not universal support for the ALRC's proposal.

I note the Attorney General is reported as saying:

"Clearly, creating a statutory tort of privacy would generate a new cause of action and would be a marked change of direction for the government given the recent defamation and tort law reforms ... [this would require] a significant level of Commonwealth, state and territory agreement."

Lawyers Weekly reports Sophie Dawson (a partner at Blake Dawson Waldron) as saying that the threshold proposed by the ALRC to permit an action is not as high as other jurisdictions.

"The test that they have chosen is actually more generous to potential claimants ... Usually the wording they use is {a privacy breach that would be] ''highly offensive' to a reasonable person, whereas the test they have used is sufficiently serious to cause ''substantial offence to an ordinary person'."

She considers that this definition is highly likely to lead to a significant amount of litigation.

And the Privacy Commissioner's view?

The Office believes that several positive arguments exist for the development of a cause of action for invasion of privacy.   A tort of privacy would send a message that privacy is an important right that warrants specific recognition and protection within the Australian community.  Whether statutory or courts-based, a tort of privacy could be developed in a way that complements existing legislative privacy protections afforded to individuals.  It may also enable privacy law to have a degree of flexibility through the development of case law which would allow for responsiveness to changes in society's attitude and values towards privacy.

Internationally, torts of privacy have been developed in other common law countries with which Australia shares a similar legal history - including the United States and New Zealand.  In countries where no tort of privacy exists the courts have attempted to protect aspects of the concept of privacy indirectly through the reliance on other existing torts such as defamation, nuisance and trespass to land.[5]  However, the difficulty with such an approach is that it results in individuals having to rely on elements of other actions which may be ill-suited to the circumstances of their grievance.

Currently, in Australia, an individual must rely on a patchwork of other actions to cover areas which a tort of privacy could address.  This results in gaps and overlaps and ultimately provides an incomplete cause of action to address a breach of privacy.  A tort could help to address the areas of privacy where gaps currently exist, such as in states that have no state-based privacy legislation covering bodily or territorial privacy.  The development of a new tort would also clarify and expand the basis upon which an invasion of privacy is actionable.

In 2001, the Australian High Court's decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Limited[6]arguably cleared the path for the development of such a tort and, in particular, Callinan J made reference to the fact that the Australian common law system could recognise a tort of invasion of privacy.[7]  The Queensland District Court subsequently recognised a tort of invasion of privacy in Grosse v Purvis[8].  However, no other cases have followed this decision.  Consequently, it may be necessary for the legislature to undertake to develop a cause of action for privacy. 

Key elements for an Australian tort of privacy

The Office notes the model for a tort of privacy developed by Professor Des Butler. The Office believes that Butler's model may usefully form the basis for further debate regarding the development of a tort of privacy in Australia.  Butler draws on the US, UK and New Zealand approaches to create the following two torts relating to invasion of privacy:[9]

            Unreasonable intrusion upon privacy, the elements being:

a.      An intentional intrusion (whether physical or otherwise) upon the situation of another (whether as to the person or his or her personal affairs) where there is a reasonable expectation of privacy; and

b.      The intrusion would be highly offensive to a reasonable person of ordinary sensibilities.

            Disclosure of private facts, the elements being:

a.      The existence of facts in relation to which there is a reasonable expectation of privacy;

b.      Publicity given to those private facts that would be highly offensive to a person of reasonable sensibilities; and

c.      The publicity results in the plaintiff suffering emotional stress, embarrassment or humiliation.[10] 

Defences

The nature of any defences will turn on how the tort is worded.  For example, in the New Zealand decision of Hosking v Runting[11]the majority was split on whether legitimate public concern should form an element of the tort or should be a defence.

Again, Professor Butler provides a detailed discussion on the nature and scope of possible defences with the most significant likely defences being:[12] 

Consent (express or implied), subject to any limitations to that consent; and

Public interest.  This is to be contrasted with matters in which the public might be interested, such as gossip or scandal.  The scope of this defence will no doubt be controversial in the clash between privacy and freedom of speech. 

Professor Butler recommends that the public interest defence should encompass:

The existing freedom of communication concerning government or political matters (as recognised in Lange v Australian Broadcasting Corporation[13]); as well as

matters of public concern, namely matters which affect people at large so that they may be legitimately interested or concerned about it.

Other defences might be based on existing defences in defamation, particularly absolute privilege[14] and qualified privilege.[15]

Location of a tort of privacy

Finally, it would be preferable to introduce a tort of privacy in a uniform manner throughout Australia, particularly to avoid inconsistencies and ''forum shopping'.  This was the impetus behind the recent introduction of uniform state and territory defamation laws.  Alternatively, both federal and state/territory legislation could be created concurrently and it is acknowledged that this has the benefit of spreading the costs associated with the regime across the state, territory and federal governments.  However, this also raises issues relating to the constitutional limits of the federal Parliament in relation to privacy.  Nevertheless, by what method a tort would be established and in what manner it would be introduced, it should not contribute to the national inconsistency that currently exists in the privacy law arena.

As to whether it is preferable to locate the tort in the Privacy Act will presumably be influenced by what role (if any) will be played by the Privacy Commissioner.  For example, if the tort will be actionable via the complaints process administered by the Privacy Commissioner, then there may be merit in streamlining all privacy-related complaints through this process.  By contrast, if the tort will be actionable directly in the Courts it may be preferable to create a separate statute, to distinguish the tort of invasion of privacy from privacy complaints handled under the Privacy Act. 

Summary

There are of course many more emerging issues in privacy.  I trust the issues I have touched upon today are of interest - they do seem to be issues that are being raised often with the Office of the Privacy Commissioner.

Thank you.

[1]http://www.privacy.gov.au/news/media/2007_15.html

[2] Organisation for Economic Cooperation and Development (OECD), ''Guidelines on the Protection of Privacy and Transborder Flows of Personal Data', Paris, 1980, available at http://www.oecd.org/document/18/0,2340,en_2649_201185_1815186_1_1_1_1,00.html.

[3] Privacy Amendment (Private Sector) Bill 2000 Second Reading Speech House of Representatives Hansard, 8 November 2000, p 22370.

[4] http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1071&context=hss_pubs

 

[5]  For example, see Ettinghausen v Australian Consolidated Press (1991) 23 NSWLR 443; Kaye v Robertson [1991] FSR 62 (English Court of Appeal)

[6] (2001) 208 CLR 199

[7]  Australian Broadcasting Corporation v Lenah Game Meats Pty Limited (2001) 208 CLR 199 per Callinan J at 328

[8] [2003] QDC 151

[9] See D Butler ''A Tort of Invasion of Privacy in Australia?'(2005) Melbourne University Law Review 11, page TBA (as retrieved from internet source) for a detailed discussion of these two torts.

[10] The first two elements are taken from the New Zealand approach, as articulated by Gault P and Blanchard J in Hosking v Runting [2005] 1 NZLR 1 at 32.  The third element is added in order to ensure that the tort is actionable per se as an intentional tort, without the need to prove that the defendant's actions resulted in a recognised psychiatric injury (as is the case in unintentional torts, such as negligence).    

[11] [2005] 1 NZLR 1

[12] See D Butler ''A Tort of Invasion of Privacy in Australia?'(2005) Melbourne University Law Review 11, page TBA (as retrieved from internet source).

[13] (1997) 189 CLR 520.

[14] Publication of parliamentary or judicial proceedings.

[15] Publication to a limited audience reasonably believed to have an interest in the matter.