The News of the World allegations have returned privacy reform to the Australian public agenda. As a result, the Minister for Privacy announced a new round of public consultation on privacy issues.
The current focus is on whether Australia should introduce a statutory cause of action for serious invasions of privacy (in other words, effectively, a personal right to privacy).
Another significant, although less debated, reform proposal is whether Australia should introduce mandatory breach notifications for security breaches of personal data.
If enacted, mandatory breach notifications will require companies to inform customers and the Privacy Commissioner if there has been a breach of specified personal data. Similar requirements are already in effect in Europe and several states in the US and Canada.
Given this renewed interest in privacy reform in Australia, we revisit the statutory cause of action for serious invasion of privacy (which will likely be the starting point for the public consultation proposed by the Minister for Privacy) and mandatory breach notification, both as proposed by the Australian Law Reform Commission (ALRC).
With some limited exceptions, Australian companies must collect and handle personal information in accordance with the National Privacy Principles under the Federal Privacy Act 1988 (Cth) (Privacy Act).
The National Privacy Principles require companies to take reasonable steps to protect personal data from unauthorised access. However, there is currently no requirement to notify affected individuals or the Privacy Commissioner in the event of a security/data breach.
In 2008, the ALRC published a report recommending some 295 significant changes to Australia's privacy laws. The Federal Government responded to 197 of the ALRC's 295 suggested reforms in its Stage 1 response, with its response to the remaining ALRC suggested reforms (ie Stage 2) yet to come.
The Government was expected to respond to the ALRC recommendations for its Stage 2 response in the next 12–18 months. This includes ALRC recommendations for the statutory cause of action for serious invasion of privacy (ie the right to privacy) and mandatory breach notification. Recent events may, however, accelerate the Government's consideration of and action on these.
SERIOUS INVASION OF PRIVACY
Concerned about the potential piecemeal growth of a 'right to privacy' in Australia, the ALRC recommended that a cause of action for a 'serious invasion of privacy' be enacted in Federal legislation (presumably by amendment to the Privacy Act). To date, there have been a few cases in different states, and the ALRC was of the view that by legislating a statutory cause of action, the Government could tailor the cause of action to suit its purposes and ensure that any relevant exceptions were clearly spelled out. In other words, legislating for a statutory cause of action would avoid the years of ad hoc decisions by local courts until consolidation by a state Supreme Court or the High Court, and even then, with no guarantee of the exact nature of the right or the cause of action related to it.
The ALRC recommended that, in order to establish the proposed statutory cause of action, a claimant must show:
- There is a reasonable expectation of privacy in the circumstances.
- The act or conduct complained of is highly offensive to a reasonable person of ordinary sensibilities.
- The public interest in maintaining the claimant's privacy outweighs other matters of public interest (including the interest of the public to be informed about matters of public concern and public interest allowing freedom of expression).
- The alleged infringer's acts were intentional or reckless.
In addition, the ALRC suggested that only natural persons (ie not companies) could bring the cause of action. However, there would not need to be any proof of actual damage or loss in order to maintain the action.
It is understandable, in the light of the News of the World allegations, that this is the area being focused on by the Federal Government in its proposed public consultation. However, in practice (if the recommendations of the ALRC are followed), it is unlikely that this reform will have a significant impact on companies operating in Australia (with the exception of media organisations). In fact, this reform might work to the benefit of corporate Australia and give company officeholders some level of protection from serious invasions of their privacy.
DATA BREACH NOTIFICATIONS
While the statutory cause of action for a serious invasion of privacy is grabbing all of the headlines and attention, corporate Australia has more to fear (in terms of costs of implementation and disruption to its current business) from the introduction of mandatory breach notification.
Real risk of serious harm
The ALRC recommended that data breach notification provisions be introduced to require companies to notify the Privacy Commissioner and affected individuals when:
- 'specified personal information' has been, or is reasonably believed to have been, acquired without authorisation; and
- the company or the Privacy Commissioner believes that this breach would 'give rise to a real risk of serious harm to any affected individual'.
The ALRC also recommended the introduction of 'civil penalties' for breaches of the notification requirements.
In the first instance, the company will adjudge whether there is a 'real risk of serious harm'. However, the ALRC recommended that companies consult with (and take into consideration the views of) the Privacy Commissioner on these issues as and when such breaches arise.
Importantly, in determining 'serious harm', the ALRC noted that consideration should be given as to whether or not the data was encrypted. If the data is adequately encrypted, it is unlikely that there will be a risk of serious harm to the affected individuals.
The ALRC also noted that similar requirements in the EU and several states in the US had varying levels of notice thresholds and that some required notice for any breach of personal data. The ALRC suggested keeping the thresholds for Australia higher so that notification is only required if the breach relates to 'specified personal information' and there is a real risk of 'serious harm'.
SPECIFIED PERSONAL INFORMATION
Not all breaches of personal information will require notice under the ALRC's proposal. Only unauthorised acquisition of/access to 'specified personal information' will trigger a breach notification requirement.
While the ALRC did not fully describe what it meant by 'specified personal information', it did indicate that 'specified personal information' would likely draw its criteria from the current definition of 'sensitive information' under the Privacy Act. Sensitive information currently includes information about an individual's religious or political affiliations, health information, criminal record etc (provided that this information was linked to an individual's name or address).
The ALRC also suggested that the following key identifying information, if linked to an individual's name or address, could also be included:
- driver's licence details
- Medicare or tax file number or any other unique identifier
- bank or credit card account numbers together with security codes.
Thus, 'specified personal information' will likely be a combination of a name or address along with other sensitive or financial information.
WHAT NEXT FOR PRIVACY REFORM?
The Australian Government has issued an exposure draft of the uniform 'Australian Privacy Principles', which are to apply to public, private, state and Federal entities, and is currently considering further legislation in response to the ALRC recommendations it considered in its Stage 1 response.
As noted above, the Government will likely soon issue its public consultation for the remainder of the ALRC's recommendations (Stage 2) and, if it follows the same process as Stage 1, it will then invite public submissions on any draft amending legislation. This will include public consultation on the privacy right and mandatory breach notification.
HOW TO PREPARE
Companies should not fear the statutory cause of action for serious invasion of privacy and can prepare for any enactment of the proposed mandatory breach notification by upgrading their security measures and policies. In particular, companies can:
- encrypt all personal data
- separate sets of personal data (eg have sensitive information and names in different records, linked by an external key)
- establish a protocol for security breaches (eg have rules on determining what kind of breach would lead to 'serious harm' and when escalation to the Privacy Commissioner is required)
- appoint a privacy officer who is responsible for communicating with the Privacy Commissioner, including to discuss your company's breach protocols.
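As an added illustration (not part of the DLA Piper publication), the following Python models two of the preparation steps above against the ALRC's proposed threshold: records are split into an identity store and a sensitive/financial store joined only by a random external key, and a triage function decides whether a breach involves 'specified personal information' and a 'real risk of serious harm'. The field categories, the sample record and the rule that adequate encryption (with the key not also exposed) removes the serious-harm risk are assumptions drawn from the text, not a legal determination.

```python
import secrets

# Categories the article says will likely make up 'specified personal information'.
# Assumption: the article gives examples, not an exhaustive schema.
IDENTITY = {"name", "address"}
SENSITIVE = {"health", "religion", "politics", "criminal_record"}
KEY_IDENTIFIERS = {"drivers_licence", "medicare", "tfn", "bank_account"}


def split_record(record: dict) -> tuple:
    """Keep identity fields and sensitive/financial fields in separate records
    joined only by a random external key, so that losing one store alone does
    not yield sensitive data linked to a name or address."""
    link = secrets.token_hex(16)
    identity = {k: v for k, v in record.items() if k in IDENTITY}
    other = {k: v for k, v in record.items() if k not in IDENTITY}
    identity["link"] = link
    other["link"] = link
    return identity, other


def is_specified_personal_information(fields: set) -> bool:
    """ALRC threshold: sensitive information or a key identifier that is linked
    to the individual's name or address."""
    return bool(fields & IDENTITY) and bool(fields & (SENSITIVE | KEY_IDENTIFIERS))


def assess_breach(fields: set, encrypted: bool) -> tuple:
    """Triage per the ALRC proposal. `encrypted` means the acquired data was
    adequately encrypted and the key was not also exposed (assumption)."""
    if not is_specified_personal_information(fields):
        return False, "not 'specified personal information': record, no notification"
    if encrypted:
        return False, "adequately encrypted: no real risk of serious harm; record decision"
    return True, "real risk of serious harm: notify Privacy Commissioner and affected individuals"


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"name": "A. Citizen", "address": "1 Example St",
              "health": "<constructed>", "tfn": "<constructed>"}
    identity, other = split_record(record)
    print(assess_breach(set(other), encrypted=False))   # sensitive store lost alone
    print(assess_breach(set(record), encrypted=False))  # both stores lost, unencrypted
    print(assess_breach(set(record), encrypted=True))   # both stores lost, encrypted
```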
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com