|Executive summary | Chapter 1 | Chapter 2 |Chapter 3 |Chapter 4 |Chapter 5 |Chapter 6 |Chapter 7 |Chapter 8 |Chapter 9 |Chapter 10 |Chapter 11 |Chapter 12 |Chapter 13|
1.Privacy has historically been an elusive concept, quite possibly because the term itself may be interpreted along social, political, technological and legal lines. As noted in IP31 at paragraph 1.88, 'privacy' can be usefully broken down into four separate but related concepts, those being bodily, territorial, communication and information privacy.
2.The Office notes that the key focus of the ALRC's inquiry is on information privacy (see IP31, paragraph 1.64), this being the primary focus of Australia's Privacy Act 1988 (Cth). While information privacy forms the focus of this inquiry, the Office submits that it will be important for the ALRC to consider cross-over between information privacy and other forms of privacy. The Office notes that it will also be important to assess how individuals' conception of information privacy may have changed or evolved since the Privacy Act was enacted in 1988.
3.From an international law perspective, privacy is an acknowledged human right enunciated in several international instruments including the Universal Declaration of Human Rights (Article 12) and the International Covenant on Civil and Political Rights 1966 (Article 17). Australia, as a signatory to those relevant international instruments and by the enactment of domestic legislation, has acknowledged privacy as a concept and right to be protected.
4.The development of technology will continue to be of significance to the way individuals think about privacy. This will not only be evidenced domestically, but also internationally, as globalisation increasingly demands that information is allowed to flow freely across the world. As such, while Australia's domestic privacy regime must ensure adequate and appropriate privacy protections for Australians, it is imperative that the future of our regime be considered against the backdrop of the international privacy landscape.
5.The approach to privacy regulation varies internationally and regionally, and consequently an examination of information privacy protections within Australia cannot be undertaken within a vacuum. Consideration must be given to Australia's privacy regime within an international context and recognition of Australia's interaction with the spectrum of differing approaches. We must also consider that, regardless of the approach taken by other states, ultimately the 'outcome' is paramount. Having an efficient and effective regime in practice is the desired outcome.
6.There are a number of different approaches to privacy regulation across the world. The United States' approach to information privacy has tended to be relatively non- or minimally interventionist. Consequently, US privacy regulation has tended to be targeted to specific sectors or identified deficiencies.11 As such, the US approach tends to result in organisations primarily being regulated by the market or their own corporate binding rules thus facilitating the free flow of information in a market economy. However, due to changes in the international privacy landscape, in 2000 the United States negotiated the 'Safe Harbour' agreement with the European Union. This agreement permits United States companies to voluntarily sign up to comply with a number of privacy principles. Organisations that gain a Safe Harbour certification are recognised by the EU as having adequate privacy protections in place and are thus able to trade with European organisations.
7.Alternatively, the European approach to information privacy, and more specifically, the development of the European Union's Data Protection Directive has resulted in a centralised, proactive and preventative approach to information privacy. Historically the European approach has sought '?to preserve autonomy and dignity from the perceived threats of unconstrained market processes'.12 However, the EU acknowledges they continue to grapple with the aim of facilitating the free movement of personal information which is vital for the effective operation of economic activity, whilst upholding and protecting the fundamental right to privacy that should be guaranteed by national and EU authority bodies.13
8.In 2004 in the Asia-Pacific region, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework was endorsed by the APEC Ministers. This framework aims to promote a regionally consistent approach to information privacy protection within its 'Member Economies'. The preamble of the Framework similarly acknowledges the need to encourage effective information privacy protections while supporting the free flow of information in the Asia Pacific region and potentially this Framework may be the catalyst for several 'Member Economies' that currently do not have a regime in place to consider information privacy domestically. However regionally, the practical implementation of this Framework is still under development.
9.As with the APEC Privacy Framework, Australia's approach to regulating privacy is principle-based with coverage of much of the public and private sectors. The Office is of the opinion that principle-based law tends to deal well with technological change and generally encourages greater understanding by individuals and organisations of the central ideas behind the law. In this submission, the Office continues to advocate a principle-based approach to regulation of information privacy.
10.This submission also attempts to recognise the dual objectives of individual privacy protection and the necessary flow of information within society. These objectives are reflected in different measures in privacy regulation across the world. The Office notes that individual privacy protection and information flow need not be mutually exclusive. Acknowledgement of both the interests of the individual and the interests of society is inherent in facilitating the individual's interaction with society in an honest and meaningful way and the continued successful functioning of society. In essence, promoting the best interests of the individual is inextricably linked with promoting society's best interests.14
11. For example, individuals will only continue to provide correct personal information to an entity if they trust that the personal information will be used appropriately. Should an entity misuse the information and damage that trust, individuals will provide false information or choose to no longer interact with that entity thus retarding its ability to fulfil its function effectively.15 Similarly, in instances where individuals must provide their personal information to monopolistic entities to obtain a benefit or service, ensuring protections around the handling of that information reinforces an individual's willingness and openness to engage in the interaction with confidence.
12. Consequently, maintaining an information privacy regime that facilitates the convergence of these two objectives is the continued goal for Australia. The Office believes that this is best achieved by continuing to require agencies and organisations to follow certain principles regarding the collection and handling of personal information in a responsible manner whilst continuing to provide individuals with the ability to make choices and maintain control over the extent of personal information that is collected and how it is subsequently handled. For the Office, the ongoing goal must be to encourage a society that respects and values privacy.
13. The Office believes that privacy protections should be afforded to all individuals equally and these protections should be unifying rather than differential. Apart from promoting equality, the Office is of the opinion that uniform application of the Privacy Act will minimise complexity and thus assist in ensuring that the Australians clearly understand the privacy protections afforded them. For this reason the Office does not believe that the Privacy Act should be amended to provide direct protection to particular identified groups in the community.
14. In considering this issue, the Office holds the view that differential privacy protection for certain groups over others is incongruous to the notion of individual protection that currently underpins privacy regulation nationally and internationally. Furthermore, if privacy protections were tailored to address the 'particular circumstances and privacy needs'16 of certain groups, the Office contends that it would be difficult to ascertain which groups should be afforded different or additional protections.
15. From a practical perspective, the introduction of direct protection regarding the handling of personal information for certain groups may require individuals to provide even more personal information initially in order to establish group membership and thus to access a specific protection. In such circumstances, accessing added group privacy protections could be counter productive by resulting in an actual encroachment on the individual's privacy.
16. As it stands, the Privacy Act provides some added protection for information relating to an individual's racial or ethnic origin and religious beliefs or affiliations under sensitive information provisions in the NPPs. The NPPs therefore go some way to enhancing privacy protection for groups within the community. However, all types of sensitive information are afforded the same protections under the Privacy Act regardless of the particular race, ethnicity or religion to which the information may pertain. Moreover, the protections for information about race, ethnicity or religion apply to individuals associated with those groups rather than the groups themselves.
17. The Privacy Act, via the IPPs and NPPs, also imposes an obligation on agencies and organisations to ensure that the collection of personal information is carried out in a manner which is not unreasonably intrusive.17 This requires agencies and organisations to consider whether the types of personal information collected and the method used to collect is appropriate to the individual and the context. In this way, the Privacy Act does offer scope for recognising cultural difference concerning privacy. The Office's publication: 'Minding our own business - Privacy Protocol for Commonwealth agencies in the Northern Territory handling personal information of Aboriginal and Torres Strait Islander people' is an example of guidelines addressing such issues.18
18. The Office is of the opinion that privacy protection should not be extended to commercial entities. As noted above, a change along these lines would be at odds with the idea of individual privacy protection that underpins the protections contained in the Privacy Act and other relevant international instruments. As noted in IP31 at paragraph 1.56, extending privacy protections to commercial entities would be a significant departure from the widespread understanding of privacy as a human right. There is also a distinct lack of legal precedence or authority in other jurisdictions to support the right of corporations to privacy protections.19
19. Commercial entities have a number of financial reporting obligations and the provision of privacy protections to such entities may result in inconsistency and incompatibility. Additionally, commercial entities such as public companies are required to have a large degree of transparency and accountability to their shareholders and the extension of privacy protections may have the unintended effect of reducing the effectiveness of those important legal and social obligations.
20. The Office also observes that commercial entities appear to have sufficient protections provided by other laws. For example, corporations have well entrenched protections around confidential information. This further argues against extending privacy protections to these entities
21. The Office recognises that commercial entities that are sole traders may have some privacy protections under the Privacy Act. This is because information about the business activities of a sole trader may be considered personal information if the identity of the individual who is the sole trader is apparent or reasonably ascertainable. The Office suggests it could be beneficial to clarify the extent to which sole trader information is protected by the Privacy Act.
22. The Office believes that several positive arguments exist for the development of a cause of action for invasion of privacy. A tort of privacy would send a message that privacy is an important right that warrants specific recognition and protection within the Australian community. Whether statutory or courts-based, a tort of privacy could be developed in a way that complements existing legislative privacy protections afforded to individuals. It may also enable privacy law to have a degree of flexibility through the development of case law which would allow for responsiveness to changes in society's attitude and values towards privacy.
23. Internationally, torts of privacy have been developed in other common law countries with which Australia shares a similar legal history including the United States and New Zealand. In countries where no tort of privacy exists the courts have attempted to protect aspects of the concept of privacy indirectly through the reliance on other existing torts such as defamation, nuisance and trespass to land.20 However, the difficulty with such an approach is that it results in individuals having to rely on elements of other actions which may be ill-suited to the circumstances of their grievance.
24. Currently, in Australia, an individual must rely on a patchwork of other actions to cover areas which a tort of privacy could address. This results in gaps and overlaps and ultimately provides an incomplete cause of action to address a breach of privacy. A tort could help to address the areas of privacy where gaps currently exist, such as in states that have no state-based privacy legislation covering bodily or territorial privacy. The development of a new tort would also clarify and expand the basis upon which an invasion of privacy is actionable.
25. In 2001, the Australian High Court's decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Limited21 arguably cleared the path for the development of such a tort and, in particular, Callinan J made reference to the fact that the Australian common law system could recognise a tort of invasion of privacy.22 The Queensland District Court subsequently recognised a tort of invasion of privacy in Grosse v Purvis 23. However, no other cases have followed this decision. Consequently, it may be necessary for the legislature to undertake to develop a cause of action for privacy.
26. The Office notes the model for a tort of privacy developed by Professor Des Butler. The Office believes that Butler's model may usefully form the basis for further debate regarding the development of a tort of privacy in Australia. Butler draws on the US, UK and New Zealand approaches to create the following two torts relating to invasion of privacy:24
Unreasonable intrusion upon privacy, the elements being:
- An intentional intrusion (whether physical or otherwise) upon the situation of another (whether as to the person or his or her personal affairs) where there is a reasonable expectation of privacy; and
- The intrusion would be highly offensive to a reasonable person of ordinary sensibilities.
Disclosure of private facts, the elements being:
- The existence of facts in relation to which there is a reasonable expectation of privacy;
- Publicity given to those private facts that would be highly offensive to a person of reasonable sensibilities; and
- The publicity results in the plaintiff suffering emotional stress, embarrassment or humiliation.25
27. The nature of any defences will turn on how the tort is worded. For example, in the New Zealand decision of Hosking v Runting26 the majority was split on whether legitimate public concern should form an element of the tort or should be a defence.
28. Again, Professor Butler provides a detailed discussion on the nature and scope of possible defences with the most significant likely defences being:27
29. Other defences might be based on existing defences in defamation, particularly absolute privilege 29 and qualified privilege.30
30. Finally, as alluded to previously, it would be preferable to introduce a tort of privacy in a uniform manner throughout Australia, particularly to avoid inconsistencies and 'forum shopping'. This was the impetus behind the recent introduction of uniform state and territory defamation laws. Alternatively, both federal and state/territory legislation could be created concurrently and it is acknowledged that this has the benefit of spreading the costs associated with the regime across the state, territory and federal governments. However, this also raises issues relating to the constitutional limits of the federal Parliament in relation to privacy. Nevertheless, by what method a tort would be established and in what manner it would be introduced, it should not contribute to the national inconsistency that currently exists in the privacy law arena.
31. As to whether it is preferable to locate the tort in the Privacy Act will presumably be influenced by what role (if any) will be played by the Privacy Commissioner. For example, if the tort will be actionable via the complaints process administered by the Privacy Commissioner, then there may be merit in streamlining all privacy-related complaints through this process. By contrast, if the tort will be actionable directly in the Courts it may be preferable to create a separate statute, to distinguish the tort of invasion of privacy from privacy complaints handled under the Privacy Act.
11 T Loring, 'An analysis of the information privacy protection afforded by the European Union and the United States' (2002) Texas International Law Journal Vol.37, Issue 2, p 421.
12 D Lindsay, 'An Exploration of the Conceptual Basis of Privacy and the Implications for the Future of Australian Privacy Law' (2005) Melbourne University Law Review 4, available at www.austlii.edu.au//cgi-bin/disp.pl/au/journals/MULR/2005/4.html
13 'Report on the First Report on the implementation of the Data Protection Directive (95/46/EC)' 24 February 2004, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, European Parliament.
14 C Bennett and C Raab, 'The Governance of Privacy - Policy instruments in global perspective', 2003, Ashgate Publishing Limited, England, see Chapter 3 generally.
15 Ibid..
16 ALRC Review, IP31, p44.
17 Privacy Act 1988 (Cth) NPP 1.2 states that an organisation must not collect personal information in 'an unreasonably intrusive way'. Conversely, IPP 3 is less onerous and states that in the solicitation of personal information generally, the collection should "not intrude to an unreasonable extent upon the personal affairs of the individual concerned."
18 Available on the OPC website at: http://www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_79.49.pdf
19 L Bygrave, 'A right to privacy for corporations? Lenah in an international context' (2001) Privacy Law and Policy Reporter 58, available at http://www.autlii.edu.au//cgi-bin/disp.pl/au/journals/PLRR/2001/58.html?query=privacy%20and%20
20 For example, see Ettinghausen v Australian Consolidated Press (1991) 23 NSWLR 443; Kaye v Robertson [1991] FSR 62 (English Court of Appeal)
21 (2001) 208 CLR 199
22 Australian Broadcasting Corporation v Lenah Game Meats Pty Limited (2001) 208 CLR 199 per Callinan J at 328
23 [2003] QDC 151
24 See D Butler 'A Tort of Invasion of Privacy in Australia?' (2005) Melbourne University Law Review 11, page TBA (as retrieved from internet source) for a detailed discussion of these two torts.
25 The first two elements are taken from the New Zealand approach, as articulated by Gault P and Blanchard J in Hosking v Runting [2005] 1 NZLR 1 at 32. The third element is added in order to ensure that the tort is actionable per se as an intentional tort, without the need to prove that the defendant's actions resulted in a recognised psychiatric injury (as is the case in unintentional torts, such as negligence).
26 [2005] 1 NZLR 1
27 See D Butler 'A Tort of Invasion of Privacy in Australia?' (2005) Melbourne University Law Review 11, page TBA (as retrieved from internet source).
28 (1997) 189 CLR 520.
29 Publication of parliamentary or judicial proceedings.
30 Publication to a limited audience reasonably believed to have an interest in the matter.