AustLII Home | Databases | WorldLII | Search | Feedback

University of New South Wales Law Journal

Faculty of Law, UNSW
You are here:  AustLII >> Databases >> University of New South Wales Law Journal >> 2001 >> [2001] UNSWLawJl 4

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Greenleaf, Graham --- "Tabula Rasa': Ten Reasons why Australian Privacy Law does not Exist" [2001] UNSWLawJl 4; (2001) 24(1) UNSW Law Journal 262

‘Tabula Rasa’: Ten Reasons Why Australian Privacy Law Does Not Exist

GRAHAM GREENLEAF [*]


[1] In 2001, Australia still has nothing worth describing as a body of privacy law, even though a quarter of a century has passed since the Privacy Committee Act 1975 (NSW) established the third permanent privacy protection agency in the world, and the Federal Attorney-General referred the whole issue of privacy protection to the Australian Law Reform Commission (then chaired by Kirby J). The following article sets out ten reasons why Australia has failed to develop a body of privacy law. [1 ]

I OUR COURTS HAVE NOT YET DEVELOPED THE GENERAL LAW

[2] The absence in Australia of any constitutional or statutory Bill of Rights (as is now found in the United States, the United Kingdom, New Zealand and Canada) means that our courts do not have a convenient platform in domestic law from which to develop privacy law as an aspect of human rights. The High Court’s decision in Victoria Park Racing and Recreation Grounds v Taylor[2] stalled the development of any general tort of interference with privacy by Australian courts, although courts in similar jurisdictions have found some scope for common law development.[3] We now await the High Court’s decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd[4] to see if some form of a general tort of invasion of privacy can develop, at least in relation to ‘stolen’ information.[5]

[3] A general tort, however, is not the end of the story, as our courts could develop specific tortious, equitable or administrative law remedies, or principles of interpretation, that would better protect privacy. For example, the law of breach of confidence has not yet clarified which transactions involving sensitive personal information are in fact ‘circumstances of confidence’ sufficient to attract the protection of a breach of confidence action. Beyond the traditional categories of doctors and lawyers, it is difficult to know whether video shops, all forms of financial advisers, libraries and bookstores, and introduction agencies owe us a duty of confidence. Further, Part VIII of the Privacy Act 1988 (Cth) (‘Privacy Act ’), which extends the law in a novel way to give the subject of information the protection of breach of confidence law even where they are not the confider of the information (at least in some contexts), has never been utilised.

[4] In Johns v ASC,[6] the High Court opened up a principle of potential importance when it found that public bodies were limited in their use of information (including personal information) to the statutory purposes for which the information was collected. Yet there has been little use or development of this principle since that decision.[7]

[5] Perhaps our courts have not had sufficient opportunity as a result of a lack of appropriate cases coming before them, since few developments of general importance have emerged as yet, and the general law remains under-developed.

II INTERNATIONAL INSTRUMENTS HAVE UNDER-PERFORMED

[6] In Toonen v Australia,[8] the United Nations Human Rights Committee found that Australia was in breach of the provision in the International Covenant on Civil and Political Rights (‘ICCPR’)[9] protecting privacy (art 17) in relation to Tasmania’s laws concerning sexual conduct.[10] The equivalent provision (art 8) in the European Convention for the Protection of Human Rights and Fundamental Freedoms[11] has a significant body of case law concerning information privacy (focusing on issues of excessive or intrusive collection),[12] but no equivalent use has been made (as yet) of art 17 of the ICCPR.

III LIMITED SCOPE HAS RENDERED OUR PRIVACY LEGISLATION LARGELY IRRELEVANT

[7] Until now, our information privacy legislation has covered only the federal public sector (since 1988), consumer credit reporting (since 1991), the health sector in the Australian Capital Territory (since 1997), and the New South Wales (‘NSW’) public sector (only effective since mid 2000), and (to a limited extent) the telecommunications industry, uses of tax file numbers and some uses of criminal records. This is, at best, a fraction of the situations likely to cause people privacy problems. The Federal Privacy Commissioner received nearly 9 000 enquiries in 1998-99, but 65 per cent of them fell outside the Commissioner’s jurisdiction, only 1.7 per cent concerned the federal Information Privacy Principles (‘IPPs’), and only 131 complaints resulted in a formal investigation.[13] The New South Wales Privacy Committee (which ceased operation in 1999) could investigate anything but had no enforcement powers.

IV LEGISLATION RIDDLED WITH EXCEPTIONS: MORE HOLES THAN CHEESE?

[8] The extension of the Privacy Act to cover (parts of) the private sector will change this situation somewhat, but the coverage is still far from comprehensive. On the Federal Government’s estimate, up to 94 per cent of businesses are potentially exempt ‘small’ businesses, and there are other potentially large areas of exemption relating to employment records, ‘publicly available information’ and the media. The Privacy and Personal Information Protection Act 1998 (NSW) has so many exemptions that it can be said to have ‘more holes than cheese’.[14] The Information Privacy Act 2000 (Vic) is much better,[15] but other States and Territories still have no legislation.

[9] While the situation is improving, the dismal coverage of Australian privacy law to date has meant that most who have bothered to complain to Privacy Commissioners in the past have been turned away, and this may continue to occur in many cases despite the new legislation.

V ENFORCEMENT THAT IS BIASED AGAINST COMPLAINANTS BLOCKS ACCESS TO THE COURTS

[10] The minority who can make a privacy complaint which is not exempt from the relevant legislation still have no guarantee that the complaint will be determined according to the correct meaning of the Privacy Act. The Privacy Act does not provide for any right of appeal against determinations by the Federal Privacy Commissioner, whether in relation to complaints against public or private sector bodies. However, this limitation does not equally disadvantage complainants and the subjects of the complaint. Businesses or agencies that are complained about have, in effect, a right of appeal to the Federal Court on the merits of their case if they are found to have breached the Privacy Act, whereas unsuccessful individual complainants have no such right. This is simply unfair.

[11] A determination of a complaint by the Commissioner (or by a code authority) can only be enforced by proceedings in the Federal Court (or the Federal Magistrates Court),[16] and the court has to deal with the matter by way of a de novo hearing.[17] As a result, a dissatisfied agency or business simply has to ‘sit on its hands’ and not pay the compensation or take the other steps it has been ordered to take. If the complainant then takes the matter to the Federal Court for enforcement, the business or agency can have their case heard in full again.[18] While businesses and agencies thereby obtain (effectively) a right of appeal to a court, an unsuccessful complainant has no such right. A complainant then has no redress against a questionable but reasonable application of the law to the facts of the complainant’s case. Yet the Commissioner need not be a lawyer, and only one of the three Commissioners to date has been (Commissioner Kevin O’Connor).

[12] The defect is not that businesses and agencies have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a court or tribunal. In my opinion, such a right of appeal is unlikely to lead to a flood of cases.

[13] Decisions of the Commissioner are now subject to judicial review, which will help ensure procedural fairness, but this does not address the problem of lack of appeal rights. It will fail to provide justice to complainants where the complaint is that the Commissioner has applied the National Privacy Principles (‘NPPs’) or an industry code to the facts of a complaint in a dubious fashion.[19] Where the Commissioner has misinterpreted the IPPs, NPPs or principles in an industry code, or has misinterpreted another provision of the Privacy Act or a code, judicial review for error of law under the broader meaning of that term in the Administrative Decisions Judicial Review Act 1977 (Cth) may lie.[20] However, this only applies where the Commissioner makes a decision capable of review, such as a s 52 determination or a s 41 decision; yet (as noted below) this has only occurred twice in the history of the Privacy Act. The Federal Commissioner has therefore been the de facto authority on the meaning of the Privacy Act, despite the avenues for review specified in the Act.

[14] The Victorian and NSW privacy legislation does give complainants access to an administrative tribunal, and ultimately to the courts. Under the Privacy and Personal Information Protection Act 1998 (NSW), complainants may elect whether to have a complaint about a breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner (s 45) or resolved through an internal review by the agency concerned (s 53). The right of appeal, however, is only against an internal review by an agency (s 55), so if a complainant is dissatisfied with the Commissioner’s conciliation, they will first have to seek an internal review before their right to appeal to the Administrative Decisions Tribunal arises. The Information Privacy Act 2000 (Vic) gives dissatisfied complainants (or agencies) an unfettered right to have the NPPs and other provisions in the Act interpreted by the Victorian Civil and Administrative Appeals Tribunal and ultimately by the courts. The NPPs in these State Acts are therefore more likely to be interpreted by the courts than the IPPs in the federal Privacy Act, but as they are still in their infancy, no law has yet emerged.

VI FEW FORMAL DETERMINATIONS BY COMMISSIONERS HAS LED TO A LACK OF LAW

[15] In over a decade, the Federal Privacy Commissioner has made only two formal 52 determinations of complaints concerning the IPPs,[21] and none concerning credit reporting under Part III(A) of the Privacy Act. In the 1998-99 financial year, the Office of the Federal Privacy Commissioner started formal investigation of 131 complaints and ‘closed’ (ie, settled or dismissed) 91 complaints under s 41 (none of which resulted in formal determinations under s 52).[22] Unfortunately, the Commissioner does not report details of decisions made under s 41(1) not to investigate or further investigate a complaint. This is disappointing, as these decisions may be significant (even though there is no breach of an IPP or NPP), and could potentially be subject to judicial review.[23]

[16] Does the fact that no complainants insisted on a formal s 52 determination mean that all 91 sets of complainants and respondents were satisfied with the result? At least in relation to complainants, there are several reasons why it is not possible to conclude this. If the Commissioner suggests to a complainant that a matter might be settled on particular terms, then even if the complainant disagrees, he or she is unlikely to insist that the Commissioner proceed to a formal s 52 determination since they cannot appeal against the determination. Few complainants are likely to be aware that, if the Commissioner makes a s 52 determination containing what may be characterised as an error of law, they are entitled to seek a contrary interpretation by means of judicial review. Complainants may decide to agree with a proposed settlement in order to resolve or at least conclude the process. As a result, there may be an unknown number (or ‘dark figure’) of dissatisfied complainants due to the Privacy Act’s structural defect in not allowing appeals against the Commissioner’s decisions. If so, a side-effect is that even fewer reasoned s 52 determinations occur, and the development of privacy law is further stunted.

VII SETTLED COMPLAINTS ARE NOT USED AS A GUIDE FOR SUBSEQUENT COMPLAINTS

[17] The Federal Privacy Commissioner’s Annual Report for 1998-99 does not indicate how many of the 91 closed complaints resulted in compensation or some other remedy in favour of the complainant, merely noting that seven complaints resulted in payment of monetary compensation, which in total amounted to $18 000.[24] Brief details are given of nine settled complaints, but not of all of those resulting in compensation. No further details of settled complaints (or even of the two formal determinations) are provided on the Commissioner’s otherwise very extensive and informative website.

[18] As a result, prior complaints provide potential complainants, respondents and their respective advisers with very little information about how the Privacy Act is interpreted. The overall impression after thirteen years of operation of the Privacy Act is that, while Commissioners are interested in ensuring justice for individual complainants, the use of the complaints function of the Act to develop privacy law, and to guide parties to future complaints, is a matter which has the lowest possible priority. In this way, the Commissioner’s Office can be seen as a black hole from which no privacy law escapes.

VIII GUIDELINES DRAFTED BY THE FEDERAL PRIVACY COMMISSIONER MAY BE WISHFUL THINKING

[19] In the absence of any guidance on the meaning of the IPPs emerging from decided complaints (or, better still, court decisions), what guidance is available? The Federal Privacy Commissioner has issued detailed guidelines on the interpretation of the IPPs, and draft guidelines on the NPPs.[25] The guidelines state that they are ‘not legally binding’ but ‘are the Privacy Commissioner’s view’ of how the IPPs work.[26] Some of the guidelines seem more like guidelines to safe and desirable practices that the Commissioner would like to see adopted (a legitimate function for them to perform), rather than consistently reliable, legal interpretations of the Act. In fact, they may be wishful thinking on the Commissioner’s part. For example, the guidelines on information collection principles state that consent ‘must be informed and free’, that ‘an agency should not seek a broader consent than is necessary for its purposes’, and that ‘if the person the information is about knows or believes that serious adverse consequences will follow if they refuse to consent, any consent they give is not freely given’.[27] No justification is given for these statements as a legal interpretation of the use of ‘consent’ in the Privacy Act and, in my opinion, they are contestable interpretations in a complex area of law.

[20] The only way to settle the meaning of the IPPs and NPPs is through litigation. Until then, much of our privacy lore, including the Commissioner’s guidelines, will remain largely speculation.

IX LITIGATORS HAVE MADE LITTLE USE OF PRIVACY LEGISLATION

[21] Lawyers thrive on precedents. Yet Australian lawyers have had few precedents to stimulate them to think creatively about privacy law (partly due to the invisibility of the complaints function in the Privacy Act).

[22] Litigators have made little use of privacy laws, even where access to the courts is possible. For example, judicial review of s 41 decisions has not been reported. Furthermore, although it is not possible for a complainant to appeal from a Commissioner’s determination to a court in relation to a complaint about the IPPs or NPPs, an injunction can be sought to restrain a breach of the principles. Section 98 of the Privacy Act allows ‘the Commissioner or any other person’ (including, but not limited to, a complainant likely to be affected by the breach) to go directly to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the IPPs or NPPs. The injunctive power, which has never been used, allows a litigant in an appropriate case to have a particular IPP or NPP interpreted by the court, and then pursue compensation or another remedy through the Commissioner’s Office.

X COURTS HAVE SHOWN A LIMITED APPRECIATION OF PRIVACY LEGISLATION

[23] Our courts have had limited opportunities to interpret privacy legislation for the reasons outlined above, but even where they have the results have not been encouraging. For example, courts have not taken adequate notice of s 98. In Ibarcena v Templar, Finn J seems to have proceeded on the mistaken assumption that a complainant ‘cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court’s jurisdiction and for the grant of relief’.[28] With respect, a complainant can do so by seeking an injunction, at least in relation to breaches or potential breaches where an injunction would be appropriate.[29] Similarly, in Goldie v Commonwealth of Australia,[30] French J gave an account of how complainants could come before a court, but omitted any mention of s 98 injunctions.[31]

XI CONCLUSION? WE NEED MORE LAW

[24] There are other reasons, of course, for the lack of privacy law. Privacy and public interest advocates and academics have spent much time arguing for the extension of privacy legislation but have made relatively little effort to analyse how the limited existing laws can be used or to find test cases. A mea culpa is therefore an appropriate end to this list.

[25] The gist of my argument has been that we need more law. The general law has not developed its potential to protect privacy. There are a series of deficiencies in our privacy legislation and in the practices of the Federal Privacy Commissioner. We need changes to our laws so that complainants can more readily take questions of interpretation and application of privacy laws to courts and tribunals. We need Privacy Commissioners who make the communication of

[26] the details of complaints resolution and the law underlying them a high priority. We need lawyers who find new ways to obtain interpretations and remedies. We need dissemination of decided cases and examples of remedies obtained, both here and overseas. We need more law than just the Commissioner’s lore.


[*] Professor of Law, University of New South Wales; Co-Director, Australasian Legal Information Institute; Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre.
[1 ] There are other important reasons, many of which are well put by Simon Davies in another article in this issue, entitled ‘Unprincipled Privacy: Why the Foundations of Data Protection Law are Failing Us’.
[2] [1937] HCA 45; (1937) 58 CLR 479. See the discussion of this case by Kirby J in another article in this issue, entitled ‘Privacy – In the Courts’.
[3] For example, in New Zealand, although this is apparently now in retreat. See Tim McBride, ‘Recent New Zealand case law on privacy: The Privacy Act and the Bill of Rights Act’ Pt 1 (2000) 6 Privacy Law and Policy Reporter 106.
[4] Heard 2-3 April 2001, judgment reserved; the transcript of the proceedings is available in two parts at <http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/1.html> and <http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/2.html> at 7 June 2001.
[5] The case concerns the publication of information which is the ‘fruit of a trespass’.
[6] [1993] HCA 56; (1993) 178 CLR 408.
[7] See Graham Greenleaf, ‘High Court confirms privacy right against governments’ (1994) 1 Privacy Law and Policy Reporter 1.
[8] (1994) 1(3) IHRR 97.
[9] Opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976).
[10] See Graham Greenleaf, ‘Casenote: Toonen v Australia(1994) 1 Privacy Law and Policy Reporter 50.
[11] Opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953).
[12] See Lee Bygrave, ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’ (1998) 6(3) International Journal of Law and Information Technology 247.
[13] Federal Privacy Commissioner, Annual Report 1998-99 (1999) 53.
[14] Graham Greenleaf, ‘A new era for public sector privacy in NSW’ (1999) 5 Privacy Law and Policy Reporter 130.
[15] See Graham Greenleaf, ‘Victoria’s privacy Bill still sets the standard’ (2000) 7 Privacy Law and Policy Reporter 21.
[16] This problem arises from the High Court’s decision in Brandy v Human Rights and Equal Opportunity Commission [1995] HCA 10; (1995) 127 ALR 1, in which it was held that in complaints against respondents other than the Commonwealth, the previous system for lodging Human Rights and Equal Opportunity Commission (‘HREOC’) determinations in the Federal Court (including Privacy Act 1998 (Cth) s 52 determinations), whereupon they became binding, was an invalid exercise of judicial power. The ‘quick Brandy fix’ was to revert to the old system of a de novo hearing in the Federal Court whenever enforcement of a determination by a HREOC Commissioner or the Federal Privacy Commissioner is required.
[17] Privacy Act 1988 (Cth) s 55A(5).
[18] Note that a determination is now prima facie evidence of the facts upon which the determination is based: Privacy Act 1988 (Cth) s 55B(3). It will be possible, however, for those facts to be challenged. This amendment does not address the fundamental problem of unsuccessful complainants having no right of appeal but is an improvement, since the successful complainant will not (or at least will not often) be required to prove the facts again.
[19] Riediger v Privacy Commissioner [1998] FCA 1742 (Unreported, Sackville J, 23 September 1998), one of the few cases dealing with the Privacy Act, underlines this point. Justice Sackville, dismissing an application for judicial review under the Administrative Decisions Judicial Review Act 1977 (Cth) of a decision by the Federal Privacy Commissioner under s 41(1) of the Privacy Act to cease investigation of the applicant’s complaint, stressed that ‘the Federal Court’s jurisdiction in these matters is limited to the
review of any error of law made by the Commissioner in the course of his decision’ and ‘an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant’s complaints against either [of the respondents]’: [8].
[20] Administrative Decisions Judicial Review Act 1977 (Cth) ss 5(1)(f), (j), and 6(1)(f), (j).
[21] See Federal Privacy Commissioner, Federal Privacy Handbook: A Guide to Federal Privacy Law and Practice (1998) 13-020.
[22] Federal Privacy Commissioner, above n 13, 53.
[23] See, eg, Riediger v Privacy Commissioner [1998] FCA 1742 (Unreported, Sackville J, 23 September 1998).
[24] Federal Privacy Commissioner, above n 13, 53.
[25] Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3 (1994); Plain English Guidelines to Information Privacy Principles 4-7 (1998); Plain English Guidelines to Information Privacy Principles 8-11 (1996); Draft Guidelines on the National Privacy Principles (2001).
[26] See, eg, Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3 (1994) 1; Plain English Guidelines to Information Privacy Principles 8-11 (1996) 1.
[27] Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8-11 (1996) Guideline 15.
[28] [1999] FCA 900 (Unreported, Finn J, 25 June 1999) [9].
[29] See Patrick Gunning, ‘Casenote: Ibarcena v Templar(2001) 7 Privacy Law and Policy Reporter 178.
[30] [2000] FCA 1873 (Unreported, French J, 22 December 2000).
[31] See Patrick Gunning, above n 29, 179.


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2001/4.html