
Setting the scene — Privacy law in Australia

Presentation by Timothy Pilgrim, Privacy Commissioner, to the Australian Communications and Media Authority's Citizens Conversation series, Sydney, 25 June 2013.

The public interest in privacy

I would like to begin by acknowledging the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

It’s a pleasure to be here to speak to you today, especially with so much going on in the privacy sphere lately.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies and activities that raise privacy questions and fuel discussions – think Google Glass, Facebook Home and drones, and of course the recent debate around the US PRISM system.

In 2011–12 our office received 1357 complaints, an increase of 11% from the previous year. And we are on track to receive even more complaints this year, at least a further 10% increase, confirming that people are actively looking to exercise their privacy rights.

As many of you would know, significant reforms to privacy laws will commence in March next year, and the Office of the Australian Information Commissioner has been very busy producing resources for the public and private sectors and for individuals on these changes.

Add to this the introduction of legislation to introduce mandatory data breach notification, the release of the ALRC terms of reference for the Statutory Cause of Action, and one of our Office’s most successful Privacy Awareness Weeks held last month, and you can see that there has been a lot going on in privacy.

Overview of privacy regulation

Today I have been asked to start our conversation with an overview of the role of privacy legislation in Australia, and a very brief summary of the impending changes.

Article 17 of the International Covenant on Civil and Political Rights to which Australia is a party states that:

  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

In Australia, in part to give effect to this, privacy is primarily protected and regulated by the Privacy Act 1988, which covers the handling of personal information. Personal information being information that identifies, or could identify, you.

As it stands at the moment, the Privacy Act currently includes ten National Privacy Principles, which apply to certain private sector organisations, and 11 Information Privacy Principles, which apply to Australian, ACT and Norfolk Island agencies. These principles cover the various stages of the information cycle from collection, through to use and disclosure, storage and destruction. The Act does not apply to the acts and practices of individuals. From 12 March next year these will be replaced by the new 13 Australian Privacy Principles (APPs).

The Privacy Act is not the only law that covers privacy. There are other laws such as state and territory privacy laws, health privacy laws, telecommunications and broadcasting laws and other regulators including the ACMA, state and territory regulators and industry ombudsmen.

In the media space, which is what we are talking about in our panel today, privacy is primarily covered by broadcasting services laws and codes and overseen by the ACMA. The Press Council also has a role of course in respect of the print media.

Unlike broadcasting laws, the Privacy Act provides a remedy for individuals when personal information is mishandled. However, the Act does provide an exemption for media organisations, which I will touch on later.

Privacy reforms

Many people in today’s audience will know that in 2008 the Australian Law Reform Commission (or ALRC) released a report containing 295 recommendations to bring privacy law up-to-date with modern communication and technologies, as well as changes in the way that information is handled, used and shared.

This report has been partially implemented by the Government with the passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which will be introduced in March 2014, as I mentioned, the APPs, a single set of privacy principles to regulate both private and public sectors, changes to how personal credit information is regulated and strengthening and clarifying the Commissioners' powers and functions.

Privacy and the media

The OAIC has a history of good relationships with journalists and the media — they play an important role in privacy regulation, highlighting new technologies with privacy implications and alerting us to data breaches.

However, the relationship between privacy and the media will often raise complex issues and considerable public debate — you only have to think back to the commentary on the News of the World scandal.

The Privacy Act includes a number of exemptions that aim to balance competing rights, freedoms and ideals.

Acts and practices engaged in by media organisations in the course of journalism are exempt from the operation of the Privacy Act, provided the organisation meets certain requirements, including being publicly committed to standards that deal with privacy. We call this the journalism exemption.

The journalism exemption aims to ensure an appropriate balance between the public interest in freedom of expression and the public interest in adequately safeguarding the handling of personal information. However, the exemption does raise some questions.

The ALRC report addressed the need for a journalism exemption to be included in the Privacy Act, and concluded that it was necessary for the ongoing protection of freedom of expression. However, it did recommend that some improvements could be made in this area, including more clearly defining ‘journalism’ and addressing the adequacy of privacy standards in the industry. It also acknowledged the changing nature of technology and journalism, including the rise of blogs.

As is raised in the ACMA's occasional paper, released last week, changing technology raises issues for regulators, as do the constantly evolving forms of personal information that are available in the online environment, something raised in the recent Convergence review that I’m sure will continue to be the subject of debates in the future.

Moving back to the Privacy Act, I thought I would also mention today two other areas of reform that were recommended in the ALRC report and which were not included in the original reform legislation, but which have since moved into the spotlight. One is mandatory data breach notification, and the other is the right to sue for serious invasion of privacy, which is called a statutory cause of action, and is something that certainly may be of interest to the audience here today. 

Data breach notifications

On 29 May 2013, the Attorney-General introduced the Privacy Amendment (Privacy Alerts) Bill 2013 to the House of Representatives. This passed through the House and was referred to the Senate last Tuesday. It has been considered by a Senate committee, which reported last night, recommending the Bill be passed as tabled. I understand it’s to be debated in the Senate late this week.

These proposed mandatory data breach notification laws would commence in March 2014, immediately after the implementation of the Privacy Reform Act, and they would require notification of serious data breaches that would result in a real risk of serious harm.

I have supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the ALRC in 2008. Currently there is no legal requirement in Australia for government agencies or private sector organisations to notify individuals when a data breach occurs, except in limited circumstances under eHealth laws.

Without notification, people affected by serious data breaches are unable to take mitigating steps to protect their personal information — steps which only they may be able to take, such as cancelling credit cards or requesting a new Medicare number.

There is evidence to suggest that organisations are experiencing breaches and not telling people about them. For example, an April 2013 study by McAfee identified that 21 per cent of Australian organisations have experienced a data breach and that in instances of an admitted breach 18 per cent told no one outside the business.

All agencies and organisations must embed a culture that values and respects privacy. Mandatory data breach notification will go some way to achieving this. It will also complement other privacy law reforms.

Statutory cause of action

The right to sue for serious invasion of privacy is an important privacy issue, with potentially significant consequences for the media and for individuals.

Although it is not included in the current Privacy Amendment Act, in September 2011 the Government released an issues paper that invited comment on whether Australia should introduce a statutory cause of action for serious invasions of privacy and, if so, what elements it might include.

In our submission, we acknowledged that a statutory cause of action for invasion of privacy may complement the Privacy Act reforms that are underway, by addressing areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals.

However, we considered it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute: it must be balanced against competing rights including the right to freedom of expression and the public interest in being informed about matters of public concern.

The ALRC terms of reference for the cause of action were released a fortnight ago. The terms of reference have asked the ALRC to consider the right to a statutory cause of action in the context of the online environment. We will be watching the development of this issue.

I think at this point I should hand over to David Vaile, who will be able to give you an update on the discussion around the balance between privacy and public interest.