Privacy Law and Policy Reporter
Reports of the death of a common law privacy tort (see the report of the House of Lords decision in Wainwright v Home Office [2003] UKHL 53 (16 October 2003) at (2003) 10(6) PLPR 111) may be premature, at least in New Zealand courts.
In Hosking v Simon Runting [2004] NZCA 34 (25 March 2004) the New Zealand Court of Appeal held by a 3:2 majority (Gault P, Blanchard and Tipping JJ; Keith and Anderson JJ dissenting) that there was a tort of interference with privacy in New Zealand law, although in this case the plaintiffs were denied the remedy they sought, that being an injunction against publication. Katrine Evans gave the background to Hosking in reporting the High Court decision in (2003) 10(4) PLPR 61. Gault P and Blanchard J set out the fundamental requirements for a tort often referred to as ‘public disclosure of private facts’, as:
1. The existence of facts in respect of which there is a reasonable expectation of privacy; and
2. Publicity given to those private facts that would be considered highly offensive to an objective reasonable person.
The Court’s phrasing of the second element is derived from earlier US formulations and their use in previous NZ cases. However, it is also reminiscent of the terms used by Gleeson CJ in the somewhat different context of ABC v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, which terms were adopted by Skoien J in his formulation of an ‘intrusion’ tort in Grosse v Purvis [2003] QDC 151 (16 June 2003) (see (2003) 10(3) PLPR 41). When a privacy tort issue finally comes back before the Australian High Court, it will certainly have two very different approaches from the UK and from NZ to consider. The Court of Appeal decision will be analysed in a later issue of PLPR.
APEC draft Version 9 now out
The draft APEC Privacy Principles are at last publicly available, with Version 9 (consultation draft) having been released for comment (unlike previous versions) following the APEC privacy sub-group meeting in Santiago, Chile. A copy is available at <www.bakercyberlawcentre.org/appcc/apec_draft_v9.htm>. Version 9 is in most respects similar to Version 8 (see an assessment in (2003) 10(8) PLPR 158). My further criticisms of Version 9, and 24 suggestions for improvements, are at <www2.austlii.edu.au/~graham/publications/2004/APEC_V9_critique/APEC_V9_critique.html>. The Chair of the APEC Electronic Commerce Steering Group (ECSG) privacy sub-group proposes to circulate Version 10 to ECSG members on 14 April, with the intention that the Principles be finalised by mid-year.
The APEC sub-group is now moving to consider implementation mechanisms, with few details of progress available except that the Chair is proposing development of ‘a mechanism for regularly reporting against each Principle’. It does not seem that any stronger method of international enforcement is under consideration. Other than that, only measures to increase co-operation between privacy protection agencies in different jurisdictions seem to be under consideration. It does not seem that APEC is considering recommending any particular standards for domestic enforcement or means by which compliance with minimum standards should be assessed in relation to data export limitations.
The US Supreme Court has ruled in a 6:3 decision that an individual must prove he or she has suffered actual harm before he or she can receive a $1000 minimum award guaranteed by law when the government wrongfully discloses personal information.
The case, Doe v Chao (02-1377)  USCA4 188; 306 F 3d 170, arose from the Department of Labor’s use of miners’ Social Security Numbers to identify their black lung claims on official agency documents, some of which were made public. Several miners sued the agency, arguing that they were entitled to $1000 minimum damages from the government provided under the Privacy Act 1974 (US). The US District Court for the Western District of Virginia found that only one miner, Buck Doe, was entitled to damages because he had shown that he suffered sufficient emotional distress as a result of the disclosure of his Social Security Number to be awarded damages. The US Court of Appeals for the Fourth Circuit disagreed, concluding that Doe was not entitled to damages under the Privacy Act because he failed to show that any tangible harm resulted from the disclosure of his Social Security Number.
Numerous consumer and privacy organisations, and others, submitted a ‘friend of the court’ brief to the Supreme Court on Doe’s behalf, arguing that the Privacy Act provides damages for those who suffer ‘adverse effects,’ which does not require actual harm. The brief pointed to the dangers of Social Security Number disclosure, the tradition of providing similar awards under other privacy laws, and the history of the Privacy Act to show that actual harm is not necessary to recover the $1000 award under the Privacy Act.
The Supreme Court concluded, however, that an individual must prove actual damages to receive the $1000 award from the government. Souter J (joined by Rehnquist CJ and O’Connor, Scalia, Thomas, and Kennedy JJ) found that the most straightforward reading of the Privacy Act supported the conclusion that an individual must prove actual harm to collect minimum damages under the Privacy Act, noting that it is unusual for a law not to require proof of harm suffered before an individual is awarded damages.
In a dissenting opinion, Ginsburg J (joined by Stevens and Breyer JJ) argued that the majority’s interpretation of the law failed to take into account each word of the section of the Privacy Act that provides for damages. Ginsburg J pointed out that the majority’s decision is at odds with the Office of Management and Budget’s guidelines for interpreting the Privacy Act, which were issued just six months after the law was passed. Ginsburg J asserted that the majority’s holding encourages individuals to ‘arrange or manufacture’ actual damages, such as paying a fee to run a credit report, in order to be allowed to recover the minimum $1000 under the Privacy Act. Her Honour also noted that the Privacy Act’s language is similar to that of other Federal laws that do not require proof of actual harm for an individual to collect the minimum award provided under the law. In a separate dissent, Breyer J found ‘no support in any of the statute’s basic purposes for the majority’s restrictive reading of the damages provision’.
(Adapted from Electronic Privacy Information Centre’s EPIC Alert, 11.04, 25 February 2004. For more information about the case, see EPIC’s Doe v Chao Page: <www.epic.org/privacy/chao/>).
The Australian Communications Authority (ACA) has issued a Discussion Paper on Privacy of Telecommunications Customer Data. This follows the failure of the industry body ACIF to reach agreement on a voluntary Code of Practice on the use of data from the shared Integrated Public Number Database. See: <www.aca.gov.au/aca_home/issues_for_comment/index.htm>.
The ACA is also consulting on the technology of locating mobile phones, in the context of emergency service calls.
See: <www.aca.gov.au/consumer_info/location.pdf>.
Telecommunications interception in a muddle
The Senate Committee reviewing the proposed amendments to the Telecommunications (Interception) Act 1979 (Cth) currently in Federal Parliament has found that there is a major disagreement between the Australian Federal Police and the Director of Public Prosecutions on the one hand, and the Attorney-General’s Department and Solicitor-General on the other about how the Act applies to electronic communications.
The Committee has recommended that some parts of the Telecommunications (Interception) Amendment Bill 2004 not proceed until the disagreement has been resolved and reported to Parliament.
See: <www.aph.gov.au/senate/committee/legcon_ctte/tel_intercept04/report/report.pdf>.
Federal law provides for electronic surveillance
The Federal Attorney-General has introduced the Surveillance Devices Bill 2004:
... to allow the Commonwealth to consolidate and modernise its now somewhat outdated surveillance device laws and provide law enforcement agencies with access to the surveillance tools necessary to protect Australians and to investigate crime.
The Bill also allows for a surveillance device warrant to be issued in relation to a wider range of offences including terrorism offences, people trafficking and child sex tourism.
Surveillance devices include data surveillance devices, listening devices, optical surveillance devices and tracking devices. The use of surveillance devices (other than telecommunications interception) by Federal agencies is currently governed by a mixture of provisions in the Customs Act 1901 (Cth), Australian Federal Police Act 1979 (Cth) and State laws.
The Bill implements the electronic surveillance model law, tailored to the needs of the Commonwealth. The model law was developed by a Joint Working Group of Commonwealth and State and Territory officials, established by the Standing Committee of Attorneys-General and the Australasian Police Ministers’ Council, to improve the effectiveness of cross-border criminal investigations in the areas of controlled operations, assumed identities, protection of witness identity and electronic surveillance.
Source: Media release 24 March 2004 and Explanatory Memorandum to the Bill.
Anti-money laundering reforms
An interagency unit based in the Commonwealth Attorney-General’s Department is consulting on a proposed replacement for the Financial Transaction Reports Act 1988 (Cth), under which the AUSTRAC agency collates reports from cash dealers on significant, all international and suspect financial transactions for use by a range of law enforcement agencies.
In response to recommendations of the international Financial Action Task Force (FATF), it is proposed to significantly expand the reporting requirements to cover all information about all exchanges of value — including from real estate agents and lawyers.
See: <www.ag.gov.au/www/agdhome.nsf/HeadingPagesDisplay/laundering?OpenDocument>.
Identity management a critical issue
The outgoing Federal Privacy Commissioner, Malcolm Crompton, has thrown down a major challenge in a speech, ‘Proof of Identity required? Getting identity management right’, given in Sydney on 30 March. The Commissioner called for a national debate on the social, economic and political consequences of identity management, ‘in part to see if we like where it is taking us, and in part to shed light on better and worse ways to go about it’. He considers this is particularly urgent:
... because there are currently a very large number of identification management projects and or proposals [he listed 30], cutting across government and private sector organisations that are being considered in a narrow range of circumstances without thinking about the big picture privacy issues.
Source: <http://privacy.gov.au/news/media/04_04.html>.
The same issue is being addressed by a major European Union initiative, Privacy and Identity Management for Europe (PRIME). The objective of this four year, $16 million project is the research and development of solutions to empower individuals in managing their privacy in cyberspace. Its fundamental principles are ‘data minimisation’ and ‘privacy by design’. To foster market adoption, novel solutions for managing identities will be demonstrated in challenging real world scenarios, for example, from travel, location based services, e-learning, and e-health. PRIME is a multidisciplinary consortium drawn from industry and academia, co-ordinated by IBM.
Australian States & Territories
Review of NSW privacy law
The NSW Attorney-General’s Department is conducting a statutory five year review of the Privacy and Personal Information Protection Act 1988 (NSW). Submissions are invited by 30 April.
See <www.lawlink.nsw.gov.au/pc.nsf/pages/ppipreview>.
Breach of Workplace Video Surveillance law
On 26 March, the NSW Industrial Relations Commission handed down a judgment against Western Sydney Area Health Service for unfair dismissal of security officers which found it to have breached the Workplace Video Surveillance Act 1998 (NSW).
The Health Service had obtained a magistrate’s warrant to conduct covert surveillance but the Tribunal found four breaches of the Act. It had exceeded the terms of the warrant in conducting the surveillance both before the period authorised and outside the workplace, and it had failed to give a report to the issuing magistrate or to provide the workers concerned with the video on request.
Source: Privacy NSW — Staal and Tupene and Health and Research Employees’ Association of New South Wales (on behalf of Nagy and Others) and Western Sydney Area Health Service [2004] NSWIRComm 27 (10 March 2004).
Electronic surveillance law to follow
The NSW Attorney-General announced on 30 March that the long awaited legislation to regulate electronic surveillance in the workplace will be introduced later in 2004. The legislation, first proposed by the government in 2001 in response to recommendations of the NSW Law Reform Commission, will follow the model of the Workplace Video Surveillance Act 1998 (Cth) in requiring court orders to conduct covert monitoring of private emails, and requiring overt surveillance to be carried out ‘ethically and sensibly’ including adequate prior notice.
Source: Sydney Morning Herald <www.smh.com.au/text/articles/2004/03/30/1080544491434.html>.