Enforcing determinations

50.18 The Privacy Act contains provisions for the enforcement of determinations made under s 52. These mechanisms are different, depending on whether the respondent is an agency or organisation.

Enforcing determinations against organisations

50.19 The respondent to a determination under s 52 or an approved privacy code must not repeat or continue conduct covered by a declaration and must perform the act or course of conduct covered by the declaration.[25] These obligations are enforceable in the Federal Court or the Federal Magistrates Court in proceedings commenced by the complainant, the Commissioner, or an adjudicator for the approved privacy code under which the determination was made.[26] If satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court ‘may make such orders (including a declaration of right) as it thinks fit’.[27] The court is to deal with the question of whether the respondent has engaged in conduct that constitutes an interference with privacy by way of a hearing de novo.[28]

Enforcement of determinations against agencies

50.20 As with organisations, an agency must not repeat or continue conduct covered by a declaration and must perform the act or course of conduct covered by the declaration.[29] Where the respondent to a determination is the principal executive of an agency, he or she is responsible for ensuring that the determination is brought to the attention of the relevant members, officers and employees of the agency and that those people desist from or perform conduct covered by the declaration.[30]

50.21 Unlike enforcement of determinations against organisations, where a determination against an agency or principal executive includes a declaration for compensation or reimbursement for expenses, the Privacy Act provides that the complainant is entitled to be paid the amount specified. The amount is recoverable either as a debt due to the complainant by the agency or the Commonwealth.[31] If an agency or the principal executive of an agency fails to comply with obligations arising from a declaration, the Commissioner or complainant can apply to the Federal Court or Federal Magistrates Court for an order directing the agency or principal executive to comply.[32] In contrast to the provisions for organisations, the court does not have to assess, by way of a hearing de novo, whether the agency engaged in conduct that constituted an interference with privacy. Rather, on application under the Act, the court may make ‘such other orders as it thinks fit with a view to securing compliance by the respondent’.[33]

50.22 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked whether the Privacy Act provisions for enforcing determinations are adequate and administered effectively.[34] The Australian Privacy Foundation described the enforcement provisions as ‘unfortunate’ in that complainants and the Commissioner have to go through a hearing de novo to enforce a determination if an agency or organisation fails to comply with its terms.[35]

ALRC’s view

50.23 In DP 72, the ALRC identified some concerns about the process of enforcing determinations in the Federal Court. Given the constitutional restrictions on the Commissioner exercising judicial power,[36] however, the ALRC does not recommend any amendments to the enforcement provisions. The ALRC notes, however, that its recommendation that the Privacy Act should be amended to provide for a complainant or respondent to seek merits review of determinations made by the Commissioner under s 52 may provide an alternative, and less costly, ‘enforcement’ mechanism for complainants than is currently provided in the Act.[37]

[25]Privacy Act 1988 (Cth) s 55. Section 52 of the Privacy Act sets out the declarations the Privacy Commissioner can make in a determination.

[26] Ibid s 55A(1).

[27] Ibid s 55A(2).

[28] Ibid s 55A(5).

[29] Ibids 58.

[30] Ibids 59.

[31] Ibid s 60. This provision does not apply to organisations because of the limitations on Commonwealth judicial power: this issue is discussed further in Ch 3.

[32] Ibid s 62.

[33] Ibid s 62(4). See also s 61(5) regarding timing of the application.

[34] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 6–17.

[35] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[36] See the discussion in Ch 49.

[37] See Rec 49–7. This was suggested by the Office of the NSW Privacy Commissioner: Privacy NSW, Submission PR 193, 15 February 2007.