136. The Terms of Reference require the ALRC to make recommendations as to legal remedies to redress serious invasions of privacy, other than a statutory cause of action, and also as to innovative ways in which the law might reduce serious invasions of privacy. Both of these aspects of the Terms of Reference need to be considered against the background of existing laws. This section of the Issues Paper gives a very brief survey of existing laws. It also poses some preliminary questions about ways in which the law or regulatory frameworks could be reformed to more effectively prevent and redress serious invasions of privacy.
137. As set out above in the ‘Scope of the Inquiry’, the ALRC does not propose to revisit legislation that has only recently been introduced or amended in significant ways, after extensive deliberation and consultation. Submissions would be welcome, however, on aspects of Commonwealth legislation that have not been recently considered and that it may be appropriate to review in order to provide greater and more accessible protection of individual privacy.
138. With respect to relevant state and territory legislation, the ALRC is particularly interested in key ways in which legislative provisions diverge in the various jurisdictions on privacy matters, as uniformity of legislation across Australia is generally desirable. Uniform legislation tends to promote clarity, comprehensibility, ease of application and compliance, and efficiency. All of these in turn better promote the policies that underpin the legislation.
The Privacy Act 1988 (Cth)
139. The Privacy Act is Australia’s key data protection law. The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information. Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.
140. The Act applies to ‘APP entities’—Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also covered, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage. The APPs cover many aspects of information privacy.
141. In addition to the APPs, the Privacy Act grants a range of powers to the Australian Privacy Commissioner, including:
investigating complaints made by individuals or on the Commissioner’s own motion about APP entities;
directing agencies to conduct privacy impact assessments; and
applying for Federal Court and Federal Circuit Court orders for civil penalties for serious or repeated breaches of the APPs.
142. A breach of an APP in respect of personal information is an ‘interference with the privacy of an individual’. Serious or repeated contraventions may give rise to a civil penalty order.
143. State and territory legislation creates data protection requirements similar to those under the Privacy Act, with application to state and territory government agencies, as well as (variously) local councils, government-owned corporations and universities.
144. The existing Commonwealth, state and territory legislation applies to major organisations such as banks, large retailers, government departments and utilities providers, which collect and store personal information. There are a large number of organisations that are exempt from the application of all of these Acts and whose activities may have an impact on individual privacy. These may include, for example, many small businesses.
Health information privacy
145. Health and genetic information is recognised as sensitive information under the Privacy Act, a status which provides it with stronger protections under the APPs than those protections applying to personal information more generally. Separate Commonwealth Acts protect healthcare identifiers and electronic health records.
146. Several state and territory laws also offer protections, including limitations on collection, use and disclosure, for health information held by state and territory public and private sector organisations.
147. The Telecommunications Act 1997 (Cth) (Telecommunications Act) provides a broad regulatory framework for telecommunications services, including internet services, with specific provisions prohibiting the disclosure, by telecommunications providers and several other types of organisation, of certain information. Contravention of these prohibitions is an offence punishable by up to two years imprisonment. A number of exemptions from the non-disclosure requirements of the Telecommunications Act exist under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), for example, for disclosures to ASIO or the Australian Federal Police.
148. The TIA Act also creates offences for improperly intercepting communications.
149. Under state and territory surveillance laws, it is illegal to record or store and distribute a recording of a private conversation obtained without the consent of the other party. Under Part 2 of the Surveillance Devices Act 1999 (Vic), the installation or use of various types of surveillance device is punishable by up to 240 penalty units or imprisonment for up to two years. However, each Act varies significantly in the devices and conduct prohibited.
150. The Surveillance Devices Act 2004 (Cth) criminalises the use of listening devices, optical devices, tracking and data surveillance devices without the consent of the party who is being recorded. This Act is restricted to the actions of Australian Government agencies and their employees.
151. Different state and territory workplace surveillance legislation prohibits employers monitoring their employees at work through covert surveillance methods such as the use of CCTV cameras or computer, internet and email surveillance.
Harassment and stalking offences
152. State and territory laws criminalising harassment and stalking vary considerably depending on the jurisdiction. Legislation in Queensland and Victoria expressly prohibits ‘cyber-harassment’ committed through ‘electronic messages’ or by ‘otherwise contacting the victim’. There is no Commonwealth legal framework to protect the ‘cyber-safety’ of minors, which may overlap with privacy concerns.
Criminal sanctions against indecent photography
153. Criminal sanctions apply where photography is used for indecent purposes. South Australia, Queensland, Victoria, Tasmania and NSW have enacted specific provisions in criminal law to prohibit indecent filming without consent. However other states do not have similar provisions.
154. The criminal law provides protection against indecent photography of children in private and public places.
Other criminal sanctions
155. Criminal sanctions currently exist for some specific invasions of privacy. For example, under s 62 of the Privacy and Personal Information Protection Act 1998 (NSW) the unauthorised or corrupt use or disclosure by a public official of personal information obtained through their official functions is an offence punishable by up to 100 penalty units or imprisonment for up to two years.
Industry codes and guidelines
156. Various statutory and self-regulatory bodies oversee and enforce industry codes and guidelines which protect against invasions of privacy. The enforcement capabilities of these bodies vary significantly.
157. The ACMA is empowered under the Broadcasting Services Act 1992 (Cth) to regulate the Commercial Radio Australia Codes of Practice and Guidelines (2011), the Internet Industry Code of Practice (2008) and the Commercial Television Industry Code of Practice and the Privacy Guidelines for Broadcasters (2010). The ACMA is empowered to investigate and issue take-down notices of online content. However this latter system is primarily concerned with regulating offensive content or prohibited content under the National Classification Code, rather than the protection of an individual’s privacy.
158. The Australian Press Council oversees the adherence of its members to its Charter of Press Freedom (2003) and Statement of Privacy Principles (2011).
159. Part IIIB of the Privacy Act makes provision for the development of privacy codes (APP codes). APP codes can be developed on the initiative of ‘code developers’, or in response to a request from the Privacy Commissioner. The Commissioner may also develop an APP code. The codes set out compliance requirements for one or more APPs. The code developer may apply to the Commissioner to have the code registered. A breach of a registered code constitutes an ‘interference with privacy’ under the Act, and if the breach is serious or repeated the Commissioner may apply to the Federal Court or Federal Circuit Court for a civil penalty order.
Common law causes of action
160. There are a number of causes of action at common law which can, in some cases, be used to protect privacy or have the effect of protecting personal privacy. These causes of action protect against physical intrusions upon, and surveillance of, a person and against unauthorised disclosure of private information.
161. They include:
the tort actions for trespass to the person, particularly battery and assault;
the tort of nuisance, including interferences with airspace not protected by legislation;
the tort of defamation; and
the equitable action for breach of confidence.
Gaps in existing law
162. Although the existing law provides significant protection against some invasions of privacy, there are significant gaps or uncertainties in the protection that existing legislation and common law actions provide for serious invasions of privacy. These include the following:
The Privacy Act and state and territory equivalents deal only with information privacy and not with intrusions into personal privacy.
The Privacy Act provides for only limited civil redress to individuals who are affected by a breach of the APPs.
There are a number of organisations that are exempt from the application of the regulatory regime of existing privacy legislation, such as many businesses with an annual turnover of less than $3 million.
Legislation dealing with surveillance in general, and with workplace surveillance, is not uniform throughout Australia.
There is no tort or civil action for harassment, nor is there sufficient deterrence against ‘cyber-harassment’ in Australian law, compared with overseas jurisdictions.
The tort actions of trespass to the person, trespass to land and nuisance do not provide protection from intrusion into a person’s private activities in many situations.
Legislation and common law protection against aerial and other surveillance does not reflect advances in technology that provide a capacity for new types of invasion into personal privacy.
Tort law does not provide a remedy for intentional infliction of emotional distress which does not amount to psychiatric illness.
While the equitable action for breach of confidence can provide effective legal protection against the disclosure of private information, it is less effective after a wrongful disclosure because it is unclear or uncertain whether a plaintiff may recover compensation for emotional distress.
There is uncertainty, or at least some debate, as to the relevant principles to be applied when a court is considering whether to grant an injunction to restrain the publication of true, private information.
There is no clear legislative statement protecting freedom of speech, or explicitly requiring it or other matters of public interest to be balanced with the protection of privacy, when the court is considering the grant of an injunction to restrain publication of information or some other alleged invasion of privacy.
163. The ALRC is interested in receiving submissions about significant ways in which existing regulatory frameworks or legal remedies may be amended or strengthened to better redress serious invasions of privacy.
Question 26 If a stand-alone statutory cause of action for serious invasion of privacy is not enacted, should existing law be supplemented by legislation:
providing for a cause of action for harassment;
enabling courts to award compensation for mental or emotional distress in actions for breach of confidence;
providing for a cause of action for intrusion into the personal activities or private affairs of an individual?
Question 27 In what other ways might current laws and regulatory frameworks be amended or strengthened to better prevent or redress serious invasions of privacy?
Innovative ways to reduce serious invasions of privacy in the digital era
164. New and emerging technologies in the digital era challenge the effectiveness of protection for privacy provided by existing legal principles and regulatory frameworks:
Highly portable and increasingly affordable consumer devices, such as smartphones, are capable of holding substantial amounts of private information, including photographs, video and audio content. This information can be instantly uploaded to the internet and shared with a wide audience.
Consumers and businesses are increasingly making use of third-party services (eg ‘cloud’ services) to store data, putting the information further away from the direct control of the individual or business.
Information about individuals—including their physical and online shopping activity, location and use of social networks—can be gathered almost continuously. New methods of sharing, analysing or aggregating this information (often described as ‘big data’) have emerged that form the basis of new internet business models.
Social media platforms have expanded so that social media content can be shared by a relatively large number of people in a relatively short time.
Individuals are often unaware of the scope of information collected about them without their knowledge. Further, despite formally accepting the terms and conditions imposed by the provider of an online service or app, individuals are often unaware of particular uses that may be made of information they have voluntarily or unwittingly provided.
165. There are a number of ways in which the law might respond to these new situations. The ALRC sets out below some preliminary observations and then seeks submissions on options which would be suitable for consideration in this Inquiry.
Reviewing the role of consent in consumer contracts in the digital era
166. Australia’s existing data protection laws can be characterised as using a ‘consent-based’ model. The APPs and other restrictions on the handling of personal information typically contain exemptions when an individual has given consent for his or her personal information to be collected, used, or disclosed. Many of the privacy protections in other Commonwealth, state and territory laws operate on a similar model, and the model forms the basis of a large proportion of the data protection and privacy laws globally.
167. The fact that an individual engages with a commercial provider of internet services or applications after accepting various terms and conditions brings into play both the common law of contract and the statutory regimes for consumer protection such as the Australian Consumer Law (ACL). For example, the terms and conditions may be unclear or ambiguous, or may not cover the use of the information that is at issue. In some cases, a provider might be held to have engaged in misleading or deceptive conduct in breach of the ACL.
168. Recent commentary has suggested that the consent-based model of data protection cannot adequately respond to emerging methods of data collection and use.
Providing individuals with an enforceable right to removal of certain information
169. Social media services allow individual users to connect and share information with each other. The ease of sharing enabled by these services means that control over this information may be lost. Further, information may continue to be available indefinitely.
170. One possible solution to the loss of control over information, recently proposed in Europe, is the introduction of a ‘right to be forgotten and to erasure’. This proposal would introduce a requirement that organisations, such as social media service providers, permanently delete information at the request of the individual who is the subject of that information.
171. In the Australian context, some protection against ongoing exposure of private information may be available if data controllers (such as APP entities) were required, in limited circumstances, to delete an individual’s personal information on request.
Dealing with tracking technology
172. Various tracking technologies allow the websites visited by an individual to be reported to websites or services visited by that individual. Tracking of online activity appears to be an area of concern for many individuals.
173. Online tracking systems can be used to provide outcomes that many people desire, such as customised advertising. However, many people may want more control over whether they are subject to tracking. Globally, there has been growing interest in ‘Do Not Track’ (DNT) requests. DNT allows a user to request that websites not use online tracking tools like those described above. DNT requests are available in most modern web browsers, but there is no requirement that a website operator or service provider honour DNT requests.
174. Offline tracking is enabled by a range of systems, such as devices using Global Positioning System (GPS) receivers that allow a mobile device to record its locations over time and to report those locations. There is a public interest in much of this data, for example, for emergency services or for monitoring network traffic. However, offline tracking and the use of location data more generally may also raise privacy issues. The location of an individual at certain times can reveal, for instance, the individual’s religious views, political affiliations, medical conditions or private activities.
175. A 2012 report by the ACMA found that the risks of location data were poorly understood by consumers. Further, consumers expected to be provided with better information about how location data is used and to be able to make informed choices about whether or not to allow their location data to be used. Online and offline tracking may be better regulated within existing consumer and information privacy frameworks.
Broadening the regulation of use of metadata
176. There has been increasing concern expressed about the use of metadata. Metadata about a communication includes the time, origin, destination and duration of a communication, rather than the content. Metadata is often excluded from the privacy protection that applies to other data. For example, ss 276–278 of the Telecommunications Act prohibit only the disclosure of ‘the contents or substance of a communication’. However, metadata can also be analysed to reveal private information about the communication and an individual. It may be appropriate for some existing prohibitions about unauthorised data disclosure to be reviewed.
Dealing with aggregation of data
177. One characteristic of the digital era is the widespread collection of seemingly insignificant data into large data sets. This data can include, for instance, information uploaded by individuals to social media services, online or offline purchase history, information about individuals’ social networks (eg, the ‘friends’ of individuals), location data, and web browsing history. Aggregation of this data can often reveal unexpected personal or sensitive information about individuals.
178. A related problem is the use of large datasets to re-identify information that is initially thought to be anonymous, or de-identified. In April 2013, the Office of the Australian Information Commissioner released for consultation draft guidelines on de-identification of personal information, noting that future technologies and future increases in available data may change the risk of re-identification.
Prohibiting employer requests for access to private social media accounts
179. An area of growing concern is the use of social media to assess candidates for work, education and other opportunities.
180. A threat to privacy comes from an employer or other individual making unconscionable use of his or her position of advantage or power by requesting or demanding access to an individual’s private social media accounts. Such requests have been prohibited in various jurisdictions, in particular in a number of US states. It is unclear whether the practice of requiring social media passwords or other similar information is widespread in Australia. It may be appropriate to include such conduct as an example of a serious invasion of privacy for the purpose of a statutory cause of action or to amend laws dealing with workplace surveillance to prohibit such conduct.
Regulating aerial surveillance
181. Existing laws with regard to incursions into airspace tend to have been drafted at a time when surveillance technologies were less developed. Compliance with air navigation rules drafted for the purpose of ensuring safety and for protecting commercial and private flights from liability for mere passage through private airspace may not properly address privacy concerns about deliberate aerial surveillance or data recording by the media and others.
182. Further, in Australia, there has recently been an increase in the use by civilians of remotely piloted aircraft (RPAs), commonly known as drones. While some use of RPAs appears to be merely recreational, there have been increasing reports of the use of RPAs to carry out targeted surveillance of the activities of other individuals, businesses or organisations. This may raise privacy concerns that existing air navigation laws and regulations do not address.
183. It may be appropriate to consider how existing laws and regulations could better prevent or redress serious invasion of privacy by deliberate aerial surveillance activities, including the use of RPAs.
Question 28 In what other innovative ways may the law prevent serious invasions of privacy in the digital era?