Principle 9: Privacy protection is an issue of shared responsibility

2.47 Individuals must generally take some responsibility for the protection of their own privacy and the privacy of others. The exercise of personal responsibility should be encouraged, where possible. The ALRC considers that capable adults should be encouraged to take reasonable steps to use the privacy tools offered by service providers. Several stakeholders stressed the importance of personal responsibility.[72]

2.48 However, government, corporations and small businesses that process personal information also have a responsibility to provide individuals with the necessary tools to protect their own privacy. Personal responsibility can only be fully exercised when individuals are provided with the education and tools necessary to protect their privacy, and when the choices expressed by individuals are respected.[73]

2.49 Individual responsibility must therefore be balanced with the responsibility of organisations and service providers. These groups should provide transparent and accessible methods to protect the privacy of their customers. This includes providing clear privacy policies, information about how to protect privacy, and privacy warnings.

2.50 In some circumstances, individuals may not be empowered to exercise personal responsibility in a meaningful way. Professor Daniel Solove has written that, although privacy self-management is ‘certainly a laudable and necessary component of any regulatory regime’, it is being ‘tasked with doing work beyond its capabilities’.[74]

2.51 The ALRC is asked to consider how the law may redress and reduce serious invasions of privacy. But the law is not a panacea, and education has an important role to play in reducing and preventing serious invasions of privacy.[75]

2.52 In the ALRC’s view, governments and industry have a responsibility to provide adequate education and assistance, particularly for vulnerable members of the Australian community, such as people living with disabilities, children and some young people.

2.53 The OECD’s 2013 Privacy Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data highlighted the need for greater government investment in education about privacy awareness, particularly concerning online privacy protection. The Guidelines recognise that ‘more extensive and innovative uses of personal data bring greater economic and social benefits, but also increase privacy risks’.[76]

2.54 Education about privacy risks and management may be particularly important for children and young persons.[77] Research suggests that the use of privacy settings on social media is higher among older Australians. For instance, sixteen to seventeen year olds are significantly more likely to have their Facebook profiles set to private—limiting access to their private information to individuals whose online ‘friendship’ they have accepted—compared to twelve to fifteen year olds.[78] This is affirmed by evidence suggesting some young people believe the internet to be a ‘necessity of life’ and that ‘it is better to take a beating from all your classmates than to be isolated from the Internet’.[79]

2.55 This evidence may suggest the need for privacy awareness campaigns and other strategies targeted at younger Australians.

2.56 Drs Nicola Henry and Anastasia Powell underscored the importance of non-legal methods to reducing and redressing invasions of privacy which occur through the internet:

Service providers of online communities and social media networks can and should be proactive in addressing these issues by providing mechanisms for users to report hateful and/or harassing content and can dedicate sufficient resources towards monitoring and removing such content. Clear community guidelines, terms of use on internet sites, and agreement between police and service providers may also be effective. Educational initiatives are crucial in fostering an ethical digital citizenship and can do much to educate people about the right to privacy.[80]

2.57 The overall balance of recommendations in this Report is informed by the principle that responsibility for protecting privacy must often be shared.