For Your Information: Australian Privacy Law and Practice is the title of the Australian Law Reform Commission's long awaited report on Australia's Privacy Laws tabled in Federal Parliament on 11 August 20081.
By any measure the ALRC's report and the work that has gone into it is big. It is 2700 pages long with 74 chapters and 295 recommendations, and by all accounts if you print it all out, it will come in at over 5kg. The original reference was made over 2 and a half years ago and under a different Government.
More importantly the ALRC undertook an enormous volume of work to complete this report, including 585 written submissions, 3 major public forums, over 200 hundred face to face meetings, roundtables with stakeholders, and a 2 day phone in, with over 1000 members of the public calling the ALRC to share their opinions.
So perhaps it's a good thing that Senator Faulkner has indicated it is likely to be 18 months before any of the recommendations are implemented and the more controversial recommendations (including the tort of privacy and removal of exemptions) have not been given any specific timeline for review. We will all have plenty of time to get ourselves comfortable with what the new regime is going to look like.
The Parts We Expected
There are, as most observers will have expected, a number of recommendations that are not surprising.
Perhaps highest on the agenda (and in fact the first of the recommendations) is the acknowledgement of the need for a nationally consistent set of rules for the handling of personal information by organizations, removing, amongst other things, the overlap with the various state legislation, in particular the state Health Records laws.
A consistent set of Privacy Principles (the ALRC refers to them as the Unified Privacy Principles) is another recommendation that many will have expected, as well as recommendations to remove many of the exemptions from the existing legislation (employee record, small business and political party). Interestingly the ALRC observed that whilst some tightening is required, the journalism exemption should be retained.
Another of the "not surprising" bundle of recommendations is an acknowledgement of the need for improvement of the credit reporting framework.
The Current Law and Technological Developments
One of the benefits of the work undertaken by the ALRC is the opportunity it gave them to review and comment on the operation of the current privacy framework plus the recent judicial and scholarly commentary on the concept of privacy, and then to use that to inform its recommendations. Whilst too lengthy to restate here, their analysis suggests that definitions are problematic, and a pragmatic approach to law reform is favourable, such that "Rather than focusing on an overarching definition of privacy, it makes more sense,...to focus on particular points in the web and formulate a workable approach to deal with the disruption".2
The current privacy legislation was largely the result of the recommendations of the ALRC in 1983, then chaired by one of Australia's most influential jurists, Justice Michael Kirby. That too was an extensive inquiry and, at a time before Bill Gates was a household name, was far sighted enough to identify that technology represented one of the chief threats to privacy.
Consistent with the onward march in technology, high on the list in this report are recommendations regarding the need to accommodate developments in technology. These are aimed at empowering the Privacy Commissioner to consider, use and publish materials on privacy-enhancing technology and those that may impact upon privacy.
Recommendations 71 and 72 call for a number of changes to the Telecommunications Act, including a prohibition on charging a fee to keep a telephone number unlisted and that the use and disclosure provisions be redrafted to achieve a clearer and simpler regime.
The recommendation attracting perhaps the most public interest is the suggestion that there will be a cause of action for a "serious invasion of privacy"3. Whilst this is one of the areas the Government has not committed to a legislative timeframe, the ALRC suggests that to establish liability, a claimant must show that:
- there is a reasonable expectation of privacy; and
- the act complained of is highly offensive to a reasonable person of ordinary sensibilities.
In determining whether the cause of action is made out, the ALRC acknowledged that a court would have to take into account the balance between the individual's privacy and the public interest.
Other recommendations contained in the report are:
- Stronger penalties are recommended4 to enable the Privacy Commissioner to seek civil penalties for serious interference with the privacy of an individual;
- Empowering Privacy Beyond the Individual 5 – namely making recommendations to address the privacy needs of Indigenous groups;
- Privacy of Deceased people6 - recommending amendments to the Privacy Act to protect certain information relating to persons who have been dead for less that 30 years; and
- A restructure and 'beefing' up of the office and the powers of the Privacy Commissioner7.
2 Ibid at 1.67
3 Recommendation 74
4 Recommendation 50
5 Recommendations 7-1 and 7-2
6 Recommendation 8
7 Recommendation 47
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.