Individuals acting in a personal capacity

11.3 The development of new technologies has increased the ability of individuals to impinge on the privacy rights of others. For example, individuals can monitor the online activities of others through the use of spyware,[3] or disclose the email addresses of others in emails sent to numerous recipients.[4]

11.4 In Issues Paper 31, Review of Privacy (IP 31), the ALRC asked whether the Privacy Act should be amended to cover any acts or practices of individuals relating to their personal, family or household affairs. The majority of stakeholders who answered this question opposed any such expansion of the scope of theAct.[5]For example, Electronic Frontiers Australia submitted that the Privacy Act is not ‘an appropriate vehicle for application to the acts or practices of individuals relating to their personal, family or household affairs’. This was because it would be ‘impractical and undesirable’ to require individuals acting in a private capacity to comply with the requirements in the privacy principles.[6] Electronic Frontiers Australia submitted further that:

the primary issues of concern are publication and/or public distribution and that collection and private use of information is generally of significantly less concern except under some particular circumstances.[7]

11.5 Similarly, the Office of the Privacy Commissioner (OPC) submitted that:

the Privacy Act has been specifically tailored to regulate agencies and organisations and as such is ill-suited to the regulation of individuals in their personal capacity. For instance, it would be difficult and undesirable to require individuals to give notice or seek consent for collection of personal information. Also, applying data quality and data security principles to an individual’s address book could be inappropriate.[8]

11.6 In Discussion Paper 72, Review of Australian Privacy Law (DP 72), the ALRC did not propose the expansion of the scope of the Privacy Act to regulate individuals acting in a non-commercial capacity. It noted, however, that the proposed statutory cause of action for a serious invasion of privacy may be used against an individual acting in a non-commercial capacity as well as against an agency or organisation.[9]

Individuals and the internet

11.7 A major concern about individuals handling personal information relates to the content of information published by individuals on the internet. Individuals regularly use social networking and user-generated sites such as Facebook and YouTube to post photographs, videos and commentary that may interfere with the privacy of other individuals.[10] This phenomenon is often referred to as ‘Web 2.0’.[11] Further, it has been estimated that there are at least 100 websites that contain images of people caught showering or undressing.[12]

11.8 Throughout the Inquiry a number of stakeholders expressed concern about the permanence of personal information published on the internet by individuals.[13] One stakeholder submitted that extensive personal information about herself and several family members was published on an amateur genealogy website in late 2006. The information was posted without the knowledge or consent of the individuals to whom it related. She noted that she had requested both the individual who owned the website and the relevant internet service provider (ISP) to remove the information, but that there was ‘no one with the authority … to discover the source of this information or to have the information removed from the website’.[14] The Health Informatics Society of Australia informed the ALRC that individuals using online medical support forums sometimes publish personal information, including health information, about their relatives.[15]

11.9 Currently, a procedure exists for removing offensive or illegal content that is accessible via the internet.[16] There is no similar procedure, however, for removing other privacy-invasive information published on the internet by an individual acting in his or her non-business capacity.

Take-down notices for online content?

11.10 In DP 72, the ALRC discussed the existing scheme for removing offensive or illegal content that is accessible via the internet.[17] The online regulation scheme, which is set out in sch 7 of the Broadcasting Services Act 1992 (Cth), is administered by the Australian Communications and Media Authority (ACMA). In summary, ACMA can investigate complaints about content available via the internet. ACMA relies on the classification decisions of the Classification Board to determine whether content is ‘prohibited content’.[18] If content is prohibited content, ACMA must direct the relevant internet content host to remove it. While it is not an offence to host prohibited content, if ACMA issues a take-down notice to an internet content host, the prohibited content must be removed as soon as practicable or, at the latest, by 6 pm the next business day. ACMA may issue an interim take-down notice while awaiting the outcome of classification of content by the Classification Board.[19]

11.11 Currently, the take-down scheme administered by ACMA cannot be used to make a complaint about, or seek the removal of, information posted on the internet which constitutes an invasion of an individual’s privacy. The existing scheme’s dependence on the National Classification Code and decisions of the Classification Board limits the extent to which the take-down notice procedure can be used. It is essentially an extension of the censorship scheme into the online environment and balances a number of competing interests.

In relation to freedom of expression, [Schedule 7] is premised on the principle that what is illegal offline should also be illegal online. It does not provide for more onerous restrictions than those that apply to conventional media regulated under the Act. Definitions of prohibited material are based on specific and detailed criteria of the widely accepted national classification scheme administered by the Office of Film and Literature Classification. This scheme is designed to balance the public interest in allowing adults to read, hear and see material of their own choosing, with the public interest in protecting minors from material likely to harm or disturb them, and in protecting the community generally from offensive material.[20]

11.12 As with any scheme regulating online content, the online content classification scheme has jurisdictional limitations. If the internet content is hosted outside Australia, ACMA is unable to issue a take-down notice. If prohibited content is sufficiently serious, however, ACMA can refer it to law enforcement authorities. ACMA can also request that ISPs take appropriate technical steps to minimise access to the material by end users in Australia.[21]

11.13 In DP 72, the ALRC asked whether the existing ‘take-down’ notice scheme that deals with internet content should be broadened to address privacy issues arising from the online publication of personal information.[22] The ALRC also asked, if a take-down notice scheme were to be implemented, what criteria should be used to assess whether an interference with privacy had taken place.[23]

Submissions and consultations

11.14 Some stakeholders supported the expansion of the existing take-down notice scheme to regulate the online publication of personal information. A number of youth organisations submitted that such a scheme would provide a useful avenue for the protection of the privacy of children and young people in the online environment.[24] For example, Youthlaw submitted that it has received a number of complaints from young people about the posting of photographs of them on the internet without their consent.[25] The Public Interest Advocacy Centre (PIAC) noted that, while in some circumstances the proposed statutory cause of action would provide a remedy for interferences with privacy on the internet, a separate take-down notice scheme

would offer an effective alternative remedy to people who might not be able to afford legal representation, or who want to have the material removed from the internet immediately.[26]

11.15 Australia’s National Computer Emergency Response Team (AusCERT) submitted that it currently seeks the removal of websites that could be used to facilitate the theft of personal information. In carrying out this work, it is reliant on the cooperation of parties such as ISPs or domain name registrars. AusCERT submitted that legislation making it an offence for a website to host such content could help to prevent the theft of personal information.[27]

11.16 Several stakeholders were not in favour of expanding the existing take-down notice scheme to deal with interferences with an individual’s privacy. The Australian Government Attorney-General’s Department stated that ‘[t]he regulation of online content is a complex one and such questions cannot be addressed in isolation’.[28] Another stakeholder submitted that such a scheme could have a negative impact on freedom of expression. This was because the potential costs of defending a legal action would be an incentive for an internet content host to remove content upon receipt of a take-down notice ‘without due consideration or consultation’.[29] In addition, Telstra queried the effectiveness of an Australian-based scheme, noting that internet content can easily be moved to content hosts that are based overseas.[30]

11.17 A number of stakeholders addressed the criteria that should be used to determine when a take-down notice should be issued.[31] The National Children’s and Youth Law Centre suggested that relevant criteria could include whether: an individual had consented to, or had a reasonable expectation of, online publication; an individual had suffered harm; and the publisher intended to abuse, harm or humiliate the individual to whom the information related.[32] The Special Broadcasting Service (SBS), however, submitted that

it would be difficult to establish the objective criteria that would be necessary to make this proposal workable. Unlike the classification take-down regime which can refer to a set of ascertainable and easy to apply guidelines, any assessment as to whether material on the internet constituted an invasion of personal privacy would involve a complex case-by-case analysis. This would defeat the purpose of the proposal, that is, to provide an effective remedy for the unauthorised online publication of personal information.[33]

11.18 Other stakeholders queried which body would administer the suggested take-down notice scheme. ACMA noted that it did not have expertise in the adjudication of breaches of privacy, stating that its ‘competence in regulating content arises from its remit of assessing material in accordance with Australia’s classification scheme’.[34] In addition, the OPC did not believe it was ‘best placed to issue take-down notices or deal with a complaint about such matters’. The OPC did not have a view on which body should administer a take-down notice scheme.[35]

11.19 Further, the OPC submitted:

Given the broad variation in and use of online content, the Office considers that a separate, widespread, public consultation of community standards and views should be undertaken in any discussion related to take down notices and content that may constitute an invasion of an individual’s privacy … Such public consultation could also canvass community opinion on what criteria should be used to determine when a take down notice should be issued.[36]

11.20 Google Australia suggested that a privacy take-down notice scheme could be modelled on the safe harbour scheme for carriage service providers that is contained in the Copyright Act 1968 (Cth).[37] In this scheme, an individual can issue a take-down notice to a carriage service provider if his or her copyright is infringed. If a carriage service provider complies with such a notice, it will not be liable for damages or any other civil remedy for copyright infringement.[38]

ALRC’s view

11.21 It is not practical or desirable to expand the scope of the Privacy Act to regulate individuals acting in a non-commercial capacity. There are other methods that could deal more appropriately with situations where an individual acting in a personal capacity interferes with another individual’s privacy. In Chapter 74, the ALRC recommends that the Privacy Act be amended to include a statutory cause of action for serious invasion of privacy.[39] As discussed in that chapter, the recommended statutory cause of action may be used against an individual acting in a non-commercial capacity, as well as against an agency or organisation.

11.22 The ALRC notes that much of the concern about individuals acting in a non-commercial capacity relates to information posted by individuals on websites. While a take-down notice scheme might help to address the circumstances where individuals refuse to remove from their website personal information about another person, the ALRC does not recommend the introduction of such a scheme.

11.23 A take-down notice scheme would require a decision maker to balance the right of freedom of expression and the right to individual privacy. In the ALRC’s view, it is more appropriate for a court, rather than a regulator, to undertake such a balancing act. Finally, the ALRC queries the utility of an Australian take-down notice scheme, given the ease of moving internet content to a website hosted in another jurisdiction. The statutory cause of action for a serious invasion of privacy, therefore, is a more appropriate remedy.

11.24 The ALRC is mindful that the implementation of the statutory cause of action for a serious invasion of privacy, recommended in this Inquiry, will not address entirely the inherent difficulties in regulating the use and disclosure of personal information published on the internet.[40] For example, while the Privacy Act has extraterritorial application, enforcing an order made by an Australian court in an action for serious invasion of privacy against a website hosted overseas may be difficult.[41] In addition, information posted online can be copied onto an infinite number of other websites within seconds. It may be time consuming and costly—if not impossible—to remove altogether privacy invasive information from the internet.[42]

11.25 Accordingly, it is necessary to educate individuals about the impact on their privacy and that of others that may result from posting personal information online. While online education programs should not be directed only towards children and young people, the ALRC notes the importance of early education on the impact of the internet on privacy. In Chapter 67, the ALRC recommends that, to promote awareness of personal privacy and respect for the privacy of others, state and territory education departments should incorporate education about privacy, and in particular privacy in the online environment, into school curriculums.[43] Further, the OPC, in consultations with ACMA, should ensure that specific guidance on the privacy aspects of using social networking sites is developed and incorporated into publicly available educational material.[44]

[3] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 244.

[4] J Partridge, Submission PR 26, 4 June 2006.

[5] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[6] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[7]Ibid.

[8] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[9] In Ch 74, the ALRC recommends that the Privacy Act be amended to include a statutory cause of action for a serious invasion of privacy: Rec 74–1.

[10] See, eg, P Bazalgette, ‘Your Honour, It’s About Those Facebook Photos of You at 20 …’ The Observer (online), 20 May 2007, <observer.guardian.co.uk>.

[11] The term ‘Web 2.0’ can be used in various contexts. In this Report, it is used to refer to the social phenomenon where internet users—often individuals acting in a personal capacity—upload and distribute content such as text, photographs and videos.

[12] C Calvert, Voyeur Nation: Media, Privacy, and Peering in Modern Culture (2000), cited in D Solove, M Rotenberg and P Schwartz, Information Privacy Law (2nd ed, 2006), 100.

[13] See, eg, Health Informatics Society of Australia, Submission PR 554, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australia’s National Computer Emergency Response Team, Submission PR 474, 14 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Youth Affairs Council of Victoria Inc, Submission PR 388, 6 December 2007; J Watts, Submission PR 302, 10 July 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[14] J Watts, Submission PR 302, 10 July 2007.

[15] Health Informatics Society of Australia, Submission PR 554, 2 January 2008.

[16] The Australian Communications and Media Authority (ACMA) can investigate complaints about content available via the internet. If satisfied that content is hosted in Australia and is ‘prohibited content’—namely, content that has been given a certain classification by the Classification Board—or potentially prohibited content, ACMA must direct the relevant internet content host to remove the content: see Broadcasting Services Act 1992 (Cth) sch 7.

[17] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [8.10]–[8.16].

[18] Prohibited content is content that is, or would be, classified as RC or X18+, or is classified R18+ and not subject to a restricted access system that complies with the criteria determined by ACMA: Broadcasting Services Act 1992 (Cth) sch 7, cl 20.

[19] Ibid sch 7, cl 47.

[20] Australian Government Department of Communications‚ Information Technology and the Arts, Review of the Operation of Schedule 5 to the Broadcasting Services Act 1992: Report (2004), 14. The online regulation scheme was previously set out in sch 5 of the Broadcasting Services Act 1992 (Cth).

[21]Broadcasting Services Act 1992 (Cth) sch 7, cls 62, 69.

[22] The online regulation scheme is set out in Ibid sch 7.

[23] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 8–1.

[24] National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Youthlaw, Submission PR 390, 6 December 2007; Youth Affairs Council of Victoria Inc, Submission PR 388, 6 December 2007.

[25] Youthlaw, Submission PR 390, 6 December 2007. The privacy of children and young people is discussed further in Chs 67, 68, 69.

[26] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[27] Australia’s National Computer Emergency Response Team, Submission PR 474, 14 December 2007. Identity theft is discussed further in Ch 12.

[28] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[29] S Hawkins, Submission PR 382, 6 December 2007.

[30] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[31] See, eg, Special Broadcasting Service, Submission PR 530, 21 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007.

[32] National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007.

[33] Special Broadcasting Service, Submission PR 530, 21 December 2007.

[34] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[35] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[36] Ibid.

[37] Google Australia, Submission PR 539, 21 December 2007.

[38]Copyright Act 1968 (Cth) pt V div 2AA; Copyright Regulations 1969 (Cth) pt 3A.

[39] Rec 74–1.

[40] Remedies for a successful action for invasion of privacy are discussed in Ch 74.

[41]Privacy Act 1988 (Cth) s 5B.

[42] For a discussion of the recent failure of a judicial order to remove from the internet the content contained on a particular website, see D Gillmor, ‘Freedom of Information’, The Guardian (online), 25 February 2008, <commentisfree.guardian.co.uk>.

[43] Rec 67–3.

[44] Rec 67–2.