Privacy Commissioner investigations for serious invasions of privacy

Recommendation 16–1 The Commonwealth Government should consider extending the Privacy Commissioner’s powers so that the Commissioner may investigate complaints about serious invasions of privacy and make appropriate declarations. Such declarations would require referral to a court for enforcement.

16.4 There may be a number of benefits to empowering the Privacy Commissioner to investigate complaints about serious invasions of privacy, in addition to providing a cause of action allowing individuals to undertake court proceedings for serious invasion of privacy.[1] These benefits may include:

  • greater accessibility and lower cost of a complaints mechanism as compared to court proceedings;[2]

  • use of the Commissioner’s experience and expertise in handling privacy complaints;[3]

  • benefits of providing the Commissioner with a formal role in addressing serious invasions of privacy, including the benefits of avoiding the fragmentation that might occur if the Commissioner had no such role;[4] and

  • significant public awareness of the Commissioner in relation to privacy concerns.[5]

16.5 The mechanism might face challenges, including:

  • the need for additional resources to be provided to the Commissioner; and

  • the limitations of exemptions in the Privacy Act 1988 (Cth), which generally does not apply to individuals, small businesses or media organisations.

16.6 A power for the Commissioner to investigate complaints about serious invasions of privacy could be integrated with the Commissioner’s existing powers to investigate complaints about breaches of information privacy. The Privacy Act currently provides for complaints to be made to the Commissioner where there may have been an ‘interference with the privacy of an individual’.[6] Under the Act, an interference with the privacy of an individual will have occurred where there has been a breach of:

  • any of the Australian Privacy Principles (APPs);[7]

  • a registered APP code;[8]

  • the credit reporting provisions or the registered CR code;[9]

  • certain rules relating to tax file numbers;[10] or

  • certain provisions of other legislation, where that legislation provides that a particular act or conduct is an interference with the privacy of an individual for the purposes of the Privacy Act.[11]

16.7 The Privacy Act could be amended to provide that a serious invasion of privacy would also be an interference with the privacy of an individual. This approach was suggested by Professor Graham Greenleaf, who submitted that, if an Act providing for the tort for serious invasions of privacy were enacted:

a new sub-section 13(6) should be added to the Privacy Act 1988: ‘(6) A serious invasion of privacy under the [Act providing the statutory tort] is an interference with the privacy of an individual …’[12]

16.8 In the event that an interference with the privacy of an individual occurs, the Commissioner has the power to receive and investigate a complaint from the individual whose privacy has been interfered with, or to begin an ‘own motion investigation’ of the interference.[13] Following an investigation, the Commissioner may make a determination including various declarations, such as a declaration that the respondent to the complaint must take specified actions, a declaration that the respondent must take steps to redress any loss or damage suffered by the complainant, or a declaration that the complainant is entitled to a specified amount of compensation.[14] A determination following an investigation is enforceable through the Federal Court and Federal Circuit Court, on application of either the complainant or the Commissioner.[15] If a serious invasion of privacy was also an interference with the privacy of an individual under the Privacy Act, these same determinations could be made following a complaint to the Commissioner about a serious invasion of privacy.

16.9 Further consequences of an interference with the privacy of an individual under the Privacy Act include:

  • where an interference with the privacy of an individual is ‘serious’ or ‘repeated’, the Commissioner is empowered to seek civil pecuniary penalties from the Federal Court or Federal Circuit Court;[16] and

  • where a person has engaged in, or is engaging in, conduct that contravenes the Act, an individual or the Commissioner may apply to the Federal Court or the Federal Circuit Court for an injunction.[17]

16.10 The media, small businesses and individuals are not exempt from liability under the tort for serious invasions of privacy discussed in Part 2 of this Report. However, they are generally exempt from regulation under the Privacy Act.[18] If the Commissioner’s functions were extended to hear complaints about serious invasions of privacy, this should include complaints about invasions of privacy by the media, small business and individuals. There would be little value in extending the Commissioner’s powers if the existing exemptions also applied to complaints made under the extended powers. The amendments to the Privacy Act would need to make this clear.

16.11 Before any extended powers were conferred on the Commissioner, consideration would need to be given to whether or not the extended powers would require the Commissioner to exercise a judicial power. The Australian Constitution restricts the conferral of judicial powers on non-judicial bodies.[19] Although ‘judicial power’ has not been exhaustively defined, one characteristic of a judicial power is its binding nature.[20] A determination under the Privacy Act complaints process is not binding, since it must be enforced through action in the Federal Court or Federal Magistrates Court. This suggests that the Privacy Act does not confer judicial powers on the Commissioner.[21]

Deletion, removal and de-identification

16.12 The Commissioner’s existing powers in relation to an interference with the privacy of an individual include a power to make a declaration that the respondent ‘must not repeat or continue such conduct’[22] or a declaration that the respondent ‘must take specified steps within a specified period to ensure that such conduct is not repeated or continued’.[23] It appears that such declarations may require the respondent to delete, remove or de-identify personal information.

16.13 A number of stakeholders supported the introduction of a regulator take-down mechanism.[24] However, there is a risk that such a system may have an undesirably chilling effect on online freedom of expression, and any such power would need to balance the interests of the complainant against the interests of the party in publishing the material and broader public interests. The power would need to be exercised with caution.

16.14 The existing availability of declarations that a respondent to a complaint not repeat or continue the conduct complained about may provide a suitable mechanism for individuals to seek to have information removed, while avoiding the chilling effect that may come from other take-down mechanisms. There may be no need to confer substantial new powers on the Commissioner, beyond the power to investigate complaints about serious invasions of privacy. Furthermore, a declaration that a respondent must not repeat or continue the conduct complained about would not, by itself, be enforceable; the complainant would need to apply to the Federal Court or Federal Circuit Court for enforcement if the respondent refused to comply with the Commissioner’s declaration.

16.15 Several stakeholders were opposed to any take-down mechanism on the grounds that such a mechanism may, in some cases, be ineffective.[25] The Australian Mobile Telecommunications Association and Communications Alliance submitted that, given the speed and volume at which content is created and published online,

the implementation of such a system is likely to be impossible to comply with and costly and time-consuming for government and business, as well as being ineffective in relation to user-generated content.[26]

16.16 Several other organisations noted the difficulty of effectively removing information that has become more widely available,[27] or where the respondent is located overseas.[28]

16.17 The ALRC acknowledges that a take-down mechanism may have limited effect in cases where material has been widely disseminated or where material is hosted overseas. However, the ALRC considers that the possibility of the mechanism having limited effect in some cases is not, in itself, a reason not to make the mechanism available in those cases where it may be effective. This is particularly the case given that the Commissioner is already empowered to make the relevant declarations under the existing provisions of the Privacy Act.

Complaints about media invasions of privacy

16.18 In the Discussion Paper, the ALRC proposed an extension of the powers of the Australian Communications and Media Authority (ACMA). However, the ALRC has concluded that such declarations would be more appropriately made by the Privacy Commissioner.

16.19 The proposed extension would have allowed the ACMA to make a declaration that the complainant was entitled to a specified amount of compensation, in response to a complaint about a serious invasion of privacy in breach of a broadcasting code of conduct. This would have been equivalent to the powers of the Privacy Commissioner.

16.20 Although the Commissioner already has such powers under the Privacy Act,[29] the relevant provisions of the Privacy Act do not apply to a media organisation acting in a journalistic capacity if the organisation has publicly committed to observing privacy standards.[30] The result is that an individual whose privacy is invaded by a broadcaster has little access, if any, to regulatory mechanisms providing for compensatory redress.

16.21 The ACMA’s powers with respect to broadcasting codes of conduct are provided under the Broadcasting Services Act 1992 (Cth). These powers are primarily exercised by promoting self-regulation—in which industry members regulate themselves under industry guidelines, codes or standards; and co-regulation—in which industry members develop guidelines, codes or standards that are enforceable under legislation.

16.22 If a code is breached, the ACMA may: determine an industry standard;[31] make compliance with the code a condition of the broadcaster’s licence;[32] or accept an enforceable undertaking from the broadcaster that the broadcaster will comply with the code.[33] Further consequences exist, including civil penalties, criminal penalties and suspension or cancellation of a broadcaster’s licence, for a breach of a standard,[34] a licence condition[35] or an enforceable undertaking.[36] If a complaint is made against the ABC or SBS, the ACMA may recommend that the broadcaster take action to comply with the relevant code, or that the broadcaster take other action including publishing an apology or retraction.[37]

16.23 There was significant opposition from broadcasters and media organisations to the proposal to extend the ACMA’s powers. A key argument among broadcasters was that the proposal was inconsistent with the ACMA’s existing role as the manager of a co-regulatory scheme which has the goal of ‘encouraging broadcasters to reflect community standards’.[38] The Australian Subscription Television and Radio Association (ASTRA) submitted, for example, that

Such a proposal would represent a significant shift in the functions and powers of the ACMA. The ACMA does not currently have the power to order compensation be paid to an individual in relation to a breach of any broadcasting code of practice, broadcasting licence condition or any other obligation on broadcasters established under the Broadcasting Services Act 1992 (BSA). This does not represent a ‘limitation’ of the ACMA’s powers under the BSA—rather, it reflects … the intention of the regulatory framework for broadcasting established by Parliament.[39]

16.24 Stakeholders—including the ACMA itself—were also concerned that, if the ACMA were empowered to suggest compensation for invasions of privacy, there would be increased fragmentation of privacy protections. This fragmentation would result in confusion and complexity for individuals and organisations:

  • different regulators would regulate privacy in different sectors;[40]

  • the new power would apply only to breaches of broadcasting codes involving serious invasions of privacy, and not to other breaches of the codes;[41]

  • within the media sector, different regulatory schemes would apply to different forms of media.[42]

16.25 The risks of fragmentation under the proposed ACMA power are, to a large extent, an unavoidable consequence of the fragmented nature of media regulation in Australia. While the ACMA has powers relating to broadcast media under the Broadcasting Services Act, regulation of non-broadcast media is a matter of self-regulation by the Australian Press Council.

16.26 Although a number of stakeholders were supportive of the proposed ACMA power,[43] the ALRC has determined, in view of the changes to the existing regulatory landscape that would be involved, not to proceed with the proposal.

16.27 The ACMA suggested, as an alternative to the proposed new power, that the ACMA should be empowered:

[to] refer found privacy breaches to the [Office of the Australian Information Commissioner] to make a determination as to the seriousness of the breach, to provide for conciliation and to make [a] declaration as to the amount of any compensation payable.[44]

16.28 Noting that the ACMA’s role, as discussed above, is not to provide individual redress, the ALRC agrees that the Privacy Commissioner is an appropriate body to make declarations relating to compensation for serious invasions of privacy. However, if the Commissioner’s powers are extended to include investigating complaints about serious invasions of privacy by broadcasters or other media, the media exemption of the Privacy Act should not apply in respect of complaints about serious invasions of privacy. The media exemption could, however, continue to apply in respect of information privacy under other parts of the Privacy Act.

Conciliation process

16.29 An alternative to extending the Commissioner’s existing investigation powers is a conciliation process operated by the Commissioner. Such a conciliation process could be similar to that used by the Australian Human Rights Commission (AHRC). Under pt IIB of the Australian Human Rights Commission Act 1986 (Cth), the President of the AHRC may attempt to conciliate a complaint alleging unlawful discrimination. In certain circumstances—for example, where the President of the AHRC is satisfied that there is no reasonable prospect of the matter being settled by conciliation—a complaint may be taken to the Federal Court or the Federal Circuit Court.[45]

16.30 The Law Institute of Victoria expressed a preference for this type of model, whereby

the Privacy Commissioner would be providing alternative dispute resolution services, rather than making a finding about the claim. If the dispute is not resolved, the plaintiff would be required to pursue the claim through the courts.[46]

16.31 A conciliation process would not be binding on parties. However, conciliation may lead to satisfactory outcomes for both parties, without the need to resort to court proceedings. In the event that conciliation was unsuccessful, the complaint could be taken to a court under the tort for serious invasions of privacy, if that statutory tort were enacted.

16.32 The conciliation process would thus provide an initial low-cost mechanism for resolving disputes. Such a process need not be mandatory. However, the ALRC recommends that a failure to make a reasonable attempt at conciliation should be a factor considered by a court in the event that damages were to be awarded.[47]