1.12 Particular attention has been directed recently to the rapidly expanded technological capacity of organisations not only to collect, store and use personal information, but also to track the physical location of individuals, to keep the activities of individuals under surveillance, to collect and use information posted on social media, to intercept and interpret the details of telecommunications and emails, and to aggregate, analyse and sell data from many sources.
1.13 Organisations that may collect and process personal information include:
national and foreign security organisations;
government agencies, such as education or health entities or local councils;
law enforcement agencies;
financial institutions and credit reporting agencies;
national and international commercial entities;
social media platforms;
retail, marketing and behavioural advertising companies; and
civilian activist groups.
1.14 Corporate or governmental activities involving the processing of personal information are governed by a range of common law obligations or statutes or regulatory schemes concerned with the collection, storage or dissemination of data or with related matters such as the protection of intellectual, real and personal property, financial interests and reputation.
1.15 Data processing by commercial, government and non-government organisations may often be necessary, appropriate and lawful; carried out with relevant consents or authority or specifically authorised by statute; justified in the public interest; or within the terms and conditions specified by the relevant entity for the provision of a service. Most corporations realise the importance of taking privacy concerns seriously: quite apart from legal reasons, there are important reputational and business consequences of data breaches. Many of the organisations described above belong to industry associations which endorse the importance of privacy protection.
1.16 Nonetheless, breaches of privacy do occur as a result of the activities of these organisations for a range of reasons. Some breaches of a person’s privacy might be unavoidable; others might come about due to systemic weaknesses in a system of data protection, or through incompetence or lack of care. Some may be caused by deliberate and unpredictable activities of unauthorised third parties, intent on breaking into a data system. Some activities may be outside, or exempt from, any existing regulation or law. Some activities may amount to an indefensible, unlawful and deliberate invasion of the privacy of an individual.
1.17 Modern privacy concerns are not, however, limited to the use of personal information by organisations. Many disputes about invasions of privacy are between individuals. Many of the cases in other jurisdictions involve the conduct of individuals. The ALRC has received submissions from individuals and representative groups concerned about:
people installing surveillance cameras which can record their neighbour’s activities;
surveillance cameras installed by activists trespassing onto private property and the subsequent posting of the footage on websites; and
harmful, invasive and distressing disclosure of personal information and images by an individual’s former partner.