Personal or non-business use

43.2 Individuals are included in the definition of an ‘organisation’ in the Privacy Act.[2] Section 7B(1) of the Act provides, however, that acts and practices of individuals are exempt if they are done other than in the course of business. Section 16E further provides that the National Privacy Principles (NPPs) do not apply where information is dealt with solely in the context of an individual’s personal, family or household affairs. It appears from the Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) that ‘personal, family or household affairs’ has the same meaning as ‘other than in the course of business’.[3]

43.3 There is no express reference to ‘personal, family or household affairs’ or similar wording in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD Guidelines).[4] OECD Guideline 2, however, provides that the Guidelines are only intended to

apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties.[5]

43.4 The Memorandum to the OECD Guidelines goes on to state that these risks ‘are intended to exclude data collections of an obviously innocent nature (for example, personal notebooks)’.[6]

43.5 Neither the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) nor the Asia-Pacific Economic Cooperation (APEC) Privacy Framework apply to the handling of personal information in connection with an individual’s personal or household affairs.[7] An exemption for personal, family or household affairs also is provided for in many overseas jurisdictions, including the United Kingdom, Canada, New Zealand and Hong Kong.[8]

43.6 Privacy concerns about the exemption for personal or non-business use primarily arise in the context of developments in technology. For example, in its submissions to other inquiries into the Privacy Act, the Australian Privacy Foundation suggested that this exemption needs to be reconsidered due to increasing incidents of abuse, including ‘inappropriate use of mobile phone cameras and misguided and extremely prejudicial “vigilante” websites’.[9] In this Inquiry, much of the concern about individuals acting in their personal capacity has related to information posted by individuals on websites, such as the posting of photographs and other personal information on websites and ‘blogs’.[10]

ALRC’s view

43.7 The Privacy Act should retain an exemption for personal and non-business use of personal information. As noted above, privacy concerns about personal or non-business use of personal information primarily arise in the context of developments in technology. In this Report, the ALRC makes a number of recommendations to improve personal information handling in the online environment. In particular, the ALRC recommends that state and territory education departments should incorporate education about privacy in the online environment into school curriculums.[11]

43.8 The ALRC also recommends introducing a statutory cause of action for serious invasions of privacy. This cause of action will apply to serious breaches of an individual’s privacy arising out of personal or non-business use of personal information including, for example, where personal information is posted on an individual’s website or blog.[12]

[2]Privacy Act 1988 (Cth) s 6C(1)(a).

[3]Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [164].

[4] Privacy legislation in some overseas jurisdictions uses expressions that are similar to ‘personal, family or household affairs’, eg, ‘personal or domestic purposes’ (Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 4(2)(c)); ‘personal or domestic activities’ (Federal Data Protection Act 1990 (Germany) ss 1(2), 27).

[5]Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 2.

[6] Ibid, Memorandum, [43].

[7]European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 3(2); Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), recital 12.

[8]Data Protection Act 1998 (UK) s 36; Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 4; Privacy Act 1993 (NZ) s 56; Personal Data (Privacy) Ordinance (Hong Kong) s 52.

[9] Australian Privacy Foundation, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004; Australian Privacy Foundation, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 March 2005.

[10] Confidential, Submission PR 399, 7 December 2007; Confidential, Submission PR 49, 14 August 2006. ‘Blog’ is a shortened form of web log. It means a record of items of interest found on the internet, edited and published as a website with comments and links; or a personal diary published on the internet: Macquarie Dictionary (online ed, 2007).

[11] Rec 67–3.

[12] See Ch 74.