11 December 2020

1. Should the objects outlined in section 2A of the Act be changed? If so, what changes should be made and why?

Putting the Privacy Act in context

1.1 Privacy is a fundamental human right recognised in Article 12 of the UN Declaration of Human Rights, in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and in many other international and regional agreements.[4]

1.2 The scope of the right to privacy is broad and contextual. It has been variously recognised as part of the right to life and to be let alone[5] and a prior condition to the exercise of other fundamental rights, including freedom, equality and democracy.[6] The High Court of Australia has recognised that the foundation of what is protected by the right of privacy is human dignity.[7]

1.3 In Australia, the right to privacy has been given effect as a data protection statute, rather than a law that protects or promotes broader concepts of privacy. In addition to the ICCPR, the Privacy Act incorporates the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines).

1.4 The Privacy Act therefore seeks to give effect to the fundamental right to privacy in Australian society by preventing individuals from being subject to arbitrary interferences with their personal information and protecting them from harm stemming from the misuse of their personal information.

1.5 This human rights foundation is a key reason why privacy legislation exists in Australia and internationally as a separate and complementary framework to other Australian laws that protect the rights of individuals. For example, while consumer law provides important rights for consumers in trade or commerce, privacy protections apply to individuals beyond a commercial context.

1.6 It is also said that the right to privacy is not an absolute right. While not explicit, Article 17 of the ICCPR recognises that entities may have legitimate reasons to undertake projects that may limit or interfere with privacy, provided that any impacts are reasonable, necessary and proportionate to achieve a legitimate objective.

1.7 Similarly, the aim of the OECD Guidelines is to strike a balance between protecting the privacy, rights and freedoms of individuals without creating barriers to trade and allowing the uninterrupted flow of personal data across national borders.

1.8 The current objects in the Privacy Act seek to reflect this balance. The objects recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities. The objects also promote responsible and transparent handling of personal information and support the free flow of information while ensuring that the privacy of individuals is respected.[8] This balance is reflected throughout the Privacy Act, which provides a framework for regulated entities to assess whether any impacts on individuals’ privacy rights are necessary, reasonable and proportionate to achieving their legitimate functions and other public interests.

1.9 In its contemporary context, the notion of balance in the objects of the Privacy Act risks being viewed as advantaging one party to the detriment of another. Such a viewpoint entrenches the idea that individuals’ privacy rights can only be protected if entities’ functions and activities are curtailed, or that allowing entities to go about their business will necessarily have privacy impacts for individuals.

1.10 However, balancing privacy rights with economic, security and other important public interest objectives is not a zero-sum game. There are mutual benefits to individuals and regulated entities if the rights and responsibilities in the Privacy Act are in the correct proportion. Effective privacy laws support economic growth by building trust and confidence that innovative uses of data are occurring within a framework that promotes accountability and sustainable data handling practices. Increasing individuals’ confidence in the way their personal information is managed will likely lead to greater support for services and initiatives that propose to handle this information. These are essential ingredients to a vibrant digital economy and digital government.

1.11 The OAIC considers that the Privacy Act review represents an opportunity to enhance the recognition in the Act that strong data protection and privacy rights are necessary to both protect individuals and as a precondition for consumer confidence, economic growth and to meet other societal objectives such as the protection of health, safety and security. The OAIC’s Recommendation 2 to amend s 2A to reflect the public interest in protecting privacy rights will help to achieve this outcome. The review could also consider other ways in which the mutual dependence between strong privacy protections and the interests of entities could be reflected in the objects of the Act.

1.12 Introducing a greater focus on the mutual interests in protecting individuals’ personal information will engender greater respect for privacy rights and increase individuals’ trust in the personal information handling practices of entities, which has been in decline in recent years.

Since 2007, there has been a general downward trend in trust in most of the categories presented. Trust in companies in general is down by 13%. Trust in Federal Government departments is down 14%, with a steady decline in trust over the past 13 years.[9]

Focusing privacy protections on individuals

1.13 The OAIC considers that the Privacy Act review presents an opportunity to place greater emphasis on the rights of individuals and the obligations of entities to protect those rights. A greater focus in the objects on the protection of individuals from privacy harms would support responsible innovation, economic development and other important societal objectives by promoting trust and confidence in government and commercial activities.

1.14 Consequently, the OAIC recommends that the first object of the Privacy Act is amended to reflect this approach. Section 2A(a) currently states that one of the objects of the Act is:

  1. to promote the protection of the privacy of individuals; and

1.15 The OAIC recommends that this object is amended to clarify that the intention of the Privacy Act is to protect individuals from harms stemming from interferences with privacy. This amendment would direct the Privacy Act towards placing a greater emphasis on the harms it is seeking to prevent.

1.16 This amended object could be modelled on the first objective of the EU General Data Protection Regulation (GDPR) which focuses on the protection of natural persons:

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.[10]

1.17 Also relevant is the ‘For Your Information: Australian Privacy Law and Practice (ALRC Report 108)’ (ALRC report), in which the Australian Law Reform Commission (ALRC) recommended a greater focus on the individual:

  • Recommendation 5-4 The Privacy Act should be amended to include an objects clause. The objects of the Act should be specified to:
  • (b) recognise that individuals have a right to privacy and to promote the protection of that right;

Recommendation 1 Amend the first object in s 2A of the Privacy Act to state that the predominant object of the legislation is to recognise that individuals have a right to privacy and to protect individuals having regard to the collection, use or disclosure of their personal information.

Recognising a public interest in privacy

1.18 The OAIC also considers that there would be value in the Privacy Act recognising that there is a significant public interest in privacy protections.

1.19 A societal interest in privacy protections has long been recognised, including the potential for societal harms to occur through interferences with privacy. For example, the ALRC report stated that:

Although the right to privacy is an individual right, there is a strong public interest in protecting that right. For example, it is essential that health consumers are confident that their health information will be handled appropriately or they may resist sharing that information with health service providers. This has the potential to have a negative impact on the health of the individual and is also an undesirable public policy outcome, with the potential to impact on the health of the community as a whole.[11]

1.20 It is increasingly clear that individual privacy decisions are capable of impacting other people and the community at large. Practical examples of this include:

  • The importance of personal information in the response to the COVID-19 pandemic highlighted the social interest in privacy issues.
  • The development of predictive analytics tools that require vast quantities of personal information allows for decisions to be made about an individual, regardless of whether that individual’s personal information was used to develop the technology.
  • Individual decisions around the use or disclosure of genetic information, which may be the sensitive information of multiple people.[12]
  • The disclosure of aggregated location data, which was used to identify confidential military bases.[13]
  • Increased political polarisation as a result of personalisation and targeting driven by personal information online.[14]

1.21 This is also demonstrated by the privacy concerns and impacts that flowed from revelations about the activities of Cambridge Analytica or mass-scale emotional manipulation experiments on social networks.[15]

1.22 Despite being driven by personal information, these acts and practices have tested the ability of the Privacy Act to respond in a manner commensurate with the community’s expectations. The focus of the privacy framework on enabling individual privacy decisions through transparency and consent mechanisms may not be capable of addressing these collective privacy concerns.

1.23 Recognising this wider public interest in the objects of the Privacy Act would complement the OAIC’s Recommendation 1 by ensuring that the Act can address instances where privacy-affecting acts and practices have undesirable public policy outcomes, even if the privacy harms to any one individual are not significant.

1.24 This submission puts forward the view that the existing protections and obligations in the Privacy Act need to be reconceptualised to better address activities that cause societal harm by undermining key values and fundamental rights in Australian society, in addition to impacting individuals.

Recommendation 2 Amend s 2A of the Privacy Act to more broadly state that an objective of the legislation is to promote the public interest in protecting privacy rights.

Nationally consistent privacy law

1.25 One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information. We note, however, that to date this has not been achieved, with the individual States and Territories having very different levels of privacy protection.

1.26 This is particularly important given Commonwealth, State and Territory governments are increasingly working together on national initiatives that involve sharing information across jurisdictions. In many instances, these initiatives rely on jurisdictions across Australia having privacy frameworks that are equivalent to the protections afforded by the Commonwealth Privacy Act, including commensurate protections for personal information such as mandatory data breach notification requirements.

1.27 The OAIC recommends that national consistency of privacy regulation should be a key goal of the Council of Attorneys-General (CAG). Alignment of rights and obligations with the Privacy Act would ensure that Australians’ personal information is subject to similar requirements, whether that information is being handled by an Australian Government agency, a State or Territory government agency, or private sector organisations. Consistency in regulation across jurisdictions will also reduce compliance burdens and cost and provide clarity and simplicity for regulated entities and the community.

Recommendation 3 Ensure that national consistency of privacy regulation is a key goal of the Council of Attorneys-General by establishing a working group to consider amendments to State and Territory privacy laws to achieve alignment with the Privacy Act.

Footnotes

[4] For examples of other international agreements enshrining a right to privacy, see United Nations Human Rights: Office of the High Commissioner (n.d.) International Standards, United Nations Website, accessed 23 November 2020.

[5] Warren S and Brandeis L (1980), ‘The Right to Privacy’, Harvard Law Review, 4(5), pp. 193-220.

[6] Office of the Privacy Commissioner of Canada (2020) 2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act, Office of the Privacy Commissioner of Canada website, accessed 23 November 2020.

[7] See the judgment of Chief Justice Gleeson in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63, [43]. The basis of privacy in human dignity was echoed in the extensive discussion of the right of privacy in the Indian Supreme Court decision Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors (Writ Petition (Civil) No 494 of 2012), [28] - [40].

[8] Privacy Act 1988 (Cth), s 2A.

[9] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, pg. 56.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1 (‘General Data Protection Regulation’), Article 1.

[11] See ALRC (2008), For Your Information: Australian Privacy Law and Practice (ALRC Report 108), report prepared by the ALRC, Australian Government, 5.123.

[12] Creet Prof. J (2020) Home genealogy kit sales plummet over data privacy concerns, The Conversation website, accessed 26 November 2020.

[13] Hern A (2018) Fitness tracking app Strava gives away location of secret US army bases, The Guardian website, accessed 26 November 2020.

[14] Johnson S, Kitchens B and Gray P (2020) Facebook serves as an echo chamber, especially for conservatives. Blame its algorithm, The Washington Post website, accessed 26 November 2020.

[15] Meyer R (2014) Everything We Know About Facebook's Secret Mood Manipulation Experiment, The Atlantic website, accessed 26 November 2020.