Our reference: D2017/004690
The Director
Online Content Section
Department of Communications and the Arts
GPO Box 2154
Canberra ACT 2601
Dear Director
Submission on a proposed civil penalties regime for non-consensual sharing of intimate images
I welcome the opportunity to provide comments to the Department of Communications and the Arts (the Department) on its Discussion Paper on a civil penalties regime for non-consensual sharing of intimate images (Discussion Paper).
I strongly support reforms which provide deterrence, redress and protection against the sharing of intimate images without consent. The non-consensual sharing of these images is a serious invasion of privacy,[1] which has the potential to cause severe harm, distress and humiliation to the victim. Further, the harm that can be caused through the sharing of such images is exacerbated by rapidly increasing technological capacity for capturing images and making recordings, and the ability to distribute digital material on a vast scale.
The proposed civil penalty regime is therefore a very positive step towards providing victims of image-based abuse with redress. However, my long-held view is that the best means of addressing serious invasions of privacy would be through the introduction of a regime within the existing framework in the Privacy Act 1988 (Cth) (the Privacy Act).[2] There is a risk that the creation of new regimes which deal only with specific activities may lead to a piecemeal approach to addressing privacy. I therefore encourage the Department to carefully consider the regime’s interaction with the existing protections in the Privacy Act and I have included some suggestions below in this regard.
Interaction with the Privacy Act
The Discussion Paper proposes a civil penalty regime to deter and penalise persons and content hosts who share intimate images or videos of a person without their consent. The eSafety Commissioner would be given additional powers to investigate complaints and enforce this prohibition. The Discussion Paper seeks views on how the proposed regime will interact with existing legislative protections, and how it can best complement these mechanisms.[3]
The proposed regime will overlap with the privacy protections in the Privacy Act, which is the principal piece of Australian legislation protecting the handling of personal information.[4] In most instances intimate images or videos will constitute or include personal information. Specifically, intimate images or videos will be personal information where the person’s identity is clear or if the individual is reasonably identifiable from that image. The sharing of intimate images or videos may also involve the disclosure of other types of personal information, such as usernames and email account details.
I also note that many websites and content hosts that facilitate the sharing of non-consensual intimate images will have obligations under the Privacy Act relating to the handling of personal information, because they either:
- have an annual turnover of $3 million or more, or
- are a small businesses operator that ‘trades in personal information’, where they disclose personal information about another individual to anyone else for a benefit, service or advantage’ or ‘provide a benefit, service or advantage to collect personal information about an individual from anyone else’.[5]
In light of this overlap, I would encourage the Department to clarify how the Privacy Act would interact with the new regime and consider whether the objectives could be achieved by amending the existing privacy regulatory framework. The Department should also consider how any such regime could be structured to provide the Office of the eSafety Commissioner and my Office the flexibility to participate in joint or parallel investigations and enforcement actions. I note that the Privacy Act already provides me with the power to secure a range of remedies for individuals[6] (including awarding financial compensation) as well as the ability to seek civil penalties in certain circumstances.[7] I also have a strong, effective and collaborative working relationship with the eSafety Commissioner. Provision for this relationship would ensure appropriate resolution of matters having regard to all the circumstances.
Distinction between digital and physical forms
The Discussion Paper considers whether the definition of ‘sharing’ should be confined to the digital space, or whether it should be expanded to apply beyond this (for example, to a still digital image that is printed and then shared in physical form).[8] I would caution against drawing firm distinctions between acts and practices that occur in digital settings and physical settings. While I acknowledge that non-consensual sharing of images most often involves the sharing of images online, it is the act of distribution of intimate images, rather than the mode of distribution that causes the harm.
The Privacy Act is technologically-neutral, principles-based legislation which applies equally to paper-based and digital environments. I would support the adoption of a similar approach within the regime to preserve its relevance and adaptability.
Key definitions, terms and concepts
The Discussion Paper seeks views about key definitions, terms and concepts within the proposed civil penalty regime and complaint framework .[9] Many of these definitions and key concepts share similarities with concepts set out in the Privacy Act (such as ‘consent’ and ‘Australian link’).
My Office has published advisory guidelines on the Australian Privacy Principles and key concepts in the Privacy Act, known as the Australian Privacy Principles guidelines (APP guidelines). I refer the Department to ‘Chapter B - Key concepts’ of the APP guidelines available at www.oaic.gov.au. Given the overlap between the two regulatory schemes, these resources may be of assistance to the Department in settling on definitions for these key terms.
By way of example, ‘consent’ is an important aspect of privacy protection as it provides individuals with the ability to control the sharing of their personal information.[10] The APP Guidelines outline that at common law, consent should clearly account for the four key elements of consent set out above (it must be informed, voluntary, current and specific, and show capacity to understand and communicate).[11] In my view, it is essential that the law is clear on the definition of consent in the proposed regime. The definition should consider factors including disability, age, duress and special circumstances, such as a domestic violence context. I also consider it appropriate for the prohibition to specify that any consent to the sharing of intimate images should be express and voluntary to ensure that it is clearly and unmistakably communicated without coercion or threat.
Information-sharing by the eSafety Commissioner
The Discussion Paper asks for views on whether the eSafety Commissioner should be required to notify police and/or the relevant parent/guardian where an intimate image relates to a child.[12] There are clear benefits in the eSafety Commissioner being able to share information with enforcement bodies, particularly where that information relates to intimate images relating to a minor, as it helps to protect victims from further harm.
However, proposals which require the disclosure of personal information should aim to strike an appropriate balance, and be reasonable, necessary and proportionate, having regard to the policy objective they seek to achieve (in this case, to protect victims of non-consensual sharing of intimate images). Accordingly, any law imposing a mandatory information- requirement on the eSafety Commissioner should be drafted narrowly and clearly describe:
- the type of personal information that is authorised or required to be used or disclosed
- who may use or disclose the information, and who may receive the information and,
- the purpose for which the personal information may be used or disclosed (and, once received, the purpose for which the information may be subsequently used or disclosed).
Further, any mandatory information-sharing obligations by the eSafety Commissioner should also be subject to appropriate exceptions to balance the overall objectives with the right to privacy and other legitimate rights.[13] In particular, exceptions should include endangerment to life or physical safety, potential prejudice to an ongoing investigation, or where it is not in the public interest. By way of example, disclosure of a child’s personal information to a parent may pose further risks to their safety where the parent is also the suspected perpetrator.
To address these matters, I encourage the Department to undertake a Privacy Impact Assessment (PIA) for the administration of the proposed regime. A PIA is an assessment tool that describes the personal information flows of a project, and analyses the possible privacy impacts that those flows, and the proposal as a whole, may have on the privacy of individuals.
In this situation, a PIA would assist in identifying the privacy impacts of additional information-sharing powers or requirements by the eSafety Commissioner, and provide an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. A PIA would also assist the Department in drafting the Human Rights Compatibility Statement when developing the legislative provisions for this regime. For further information on undertaking a PIA please see the Office of the Australian Information Commissioner’s Guide to undertaking a privacy impact assessment available at www.oaic.gov.au.
If you wish to discuss any of these matters further, please contact Sarah Ghali, Director Regulation and Strategy, at [contact details removed].
Yours sincerely
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
7 July 2017
Footnotes
[1] Serious invasions of privacy can occur where there has been an interference with an individual’s home or family life, and the individual has been subjected to unauthorised surveillance, an individual’s private communication has been disclosed, or where sensitive facts relating to an individual’s private life has been disclosed.
[2] Consistent with the OAIC submission to the Australian Law Reform Commission (ALRC) inquiry into Serious invasions of privacy in the digital era. The submission is available at www.oaic.gov.au/engage-with-us/submissions/submission-to-the-alrc-on-discussion-paper-80.
[3] See question 1 on page 9 of the Discussion Paper.
[4] Personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.’ See Privacy Acts 6.
[5] See Privacy Actss 6C(1), 6D(4).
[6] See Privacy Act Part 5.
[7] See Privacy Act Part 6B.
[8] See question 30 on page 13 of the Discussion Paper.
[9] See page 12 of the Discussion Paper.
[10] Consent is particularly relevant to the context of dealing with collection of sensitive information (APP 3), use and disclosure (APP 6), direct marketing (APP 7) and cross-border disclosure of personal information (APP 8).
[11] See Chapter B – Key Concepts of OAIC’s APP guidelines available at www.oaic.gov.au.
[12] See questions 4, 5 and 6 on page 10 of the Discussion Paper.
[13] By way of example, see the exceptions to APP 6— use or disclosure of personal information.
