Privacy and surveillance

Rita Matulionyte explains how online technologies affect our privacy

Privacy protection in Australia

Australia does not have a clear law protecting personal privacy as such.

Constitution

Unlike the Constitutions of many other liberal democracies, the Australian Constitution does not contain a right to privacy.

Australia does not have a comprehensive Bill of Rights, either as part of the Constitution or as federal legislation. The ACT and Victoria do have legislated bills of rights enforceable against the territory- and state-level public agencies.

At the international level, Australia is a signatory to the International Convention on Civil and Political Rights (ICCPR), which does protect the right to privacy, but the Convention rights are not directly enforceable in domestic Australian law. The Australian Government views the Privacy Act 1988 (Cth) as implementing the ICCPR's right to privacy. However, this implementation does not include a strong human right to privacy which can invalidate conflicting legislation, as is the case in many other jurisdictions which recognise the right to privacy in their Constitutions or Bills of Rights.

Common law

Various areas of law have evolved to protect aspects of an individual's space and reputation, including copyright, defamation, trespass, nuisance and confidentiality.

Until about 100 years ago, there was no formal legal notion of privacy in common law countries. But in 1890, a seminal US article from Warren and Brandeis called for a 'right to privacy', conceptualised as a 'right to be left alone' to be established in law.

In Australia, there is speculation as to whether a right to privacy or a tort of invasion of privacy exists in common law.

An early case, Victoria Park Racing, seemed to suggest that there was no such common law right in Australia.

But in the 2000s, there was significant development of English common law on privacy, as a result of the UK Human Rights Act (1998) coming into force which gave rise to some enforceability in domestic law of European Convention on Human Rights (ECHR) rights, including privacy and free expression. In England there is no separate tort of invasion of privacy, but the courts during this period have 'stretched' the tort of breach of confidence to cover privacy breaches. Furthermore, in 2004, a common law tort of invasion of privacy was found to exist in New Zealand.

A more recent Australian case, Lenah Game Meats, suggested that there could be a common law tort of invasion of privacy in Australian law. The High Court did not need to rule on that specific point given the facts of the case, but refused to rule out a more 'suitable' future case finding the existence of a privacy tort. The High Court suggested that a more 'suitable' scenario would involve a natural person rather than a legal person trying to establish the privacy tort.

So far, no such case has come up to the Australian High Court but there have been various decisions in lower courts on this issue.

Privacy Act 1988 (Cth) and the Australian Privacy Principles

The Privacy Act 1988 (Cth) protects information privacy: that is, it prescribes what 'personal information' organisations and federal government agencies can collect about Australians, how that information can be collected and how it must be stored, the circumstances in which the information can be used and disclosed, and what Australian citizens must be told about the information collected about them. Personal information includes things like name, address, phone number and occupation, and sensitive information like health information. Other, state-level information privacy legislation also exists, which usually applies to state government agencies, e.g. the Information Privacy Act 2009 (Qld).

Personal privacy in Australia is protected in a de facto way, through a myriad of laws that are not designed specifically to protect privacy but which may have that effect. For example, a person may be able to preserve the privacy of their home through trespass laws. Privacy of movement may be asserted against another individual who offends against stalking laws. Laws designed to protect reputation, such as defamation laws and passing off laws, may be used to protect a person's privacy in some cases. Finally, there are laws which protect privacy in communications, such as breach of confidence laws and the Telecommunications (Interception and Access) Act 1979 (Cth).

Rita Matulionyte explains the legal protections for privacy in Australia

The Privacy Act and the Australian Privacy Principles

Rita Matulionyte provides an introduction to the Privacy Act

The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) in Schedule 1. These principles apply to “APP entities”.

An “APP entity” is defined in section 6 to mean a Commonwealth government agency or an organisation. Organisation, in turn, is defined in s. 6C to include individuals, but not small business operators. Small business operators are those businesses with an annual turnover of $3 million or less and which meet the other requirements set out in section 6D.

When considering the APPs, it is important to first identify whether you are dealing with personal information or sensitive information (or both). Sensitive information is defined in section 6 and includes health information.

If a person thinks that their privacy has been breached under the Act, they may complain to the Office of the Australian Information Commissioner (OAIC) under section 36. Section 40 gives the Commissioner the power to investigate the complaint, and under section 52, the Commissioner may make a determination that an APP entity has breached the privacy principles in the Act. The Commissioner may also order that the entity take steps to ensure that the breach is not repeated and to provide redress to the complainant. If an entity does not comply with the Commissioner's declaration, then either the individual complainant or the Commissioner can apply to the Federal Court to have the declaration enforced under s.55A.

Sections 65 and 66 of the Privacy Act provide that entities must cooperate with a Commissioner's investigation, and there are financial penalties imposed for the failure to do so.

Michael Thomson explains the role of the OAIC

Rita Matulionyte explains the APPs

APP 1 — Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 — Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

Isabeau explains APP 8

APP 9 — Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

Roo K explains APP 12

APP 13 — Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

There has been very little case law on the application of the Privacy Act and APPs. One recent exception is the Privacy Commissioner v Telstra case involving technology journalist Ben Grubb's metadata. Unfortunately, it is unclear in the aftermath of the case whether dynamic IP addresses constitute 'personal information' for the purposes of Australian privacy law. (NB It would constitute ‘personal data’ in EU data protection law.)

Data breaches

Mandatory data breach requirements were introduced in early 2017 as an amendment to the Privacy Act.

The amendments contain a notification scheme for certain types of data breaches involving unauthorised access to or disclosure of personal information that is likely to lead to serious harm to individuals.

The requirements are binding on APP entities, credit reporting bodies, credit providers, tax file number recipients and Internet Service Providers.

If an entity becomes aware of a data breach, it must inform the federal Privacy Commissioner and inform the individuals whose data is affected; if this is not practicable, the entity can publish a statement on its own website.

The data breach notification scheme commences on 22 February 2018.

Government surveillance

Surveillance is the monitoring of behaviour, activities, or other changing information, usually of people, for the purposes of influencing, managing, directing or protecting them (Lyon 2007).

Governments conduct surveillance for intelligence gathering, prevention of crime, protection of a process, group, person or object, or for the investigation of crime.

The extent of government surveillance powers goes to the heart of issues about the appropriate role of the state in our lives, including:

  • Rule of law
  • Liberal democracy
  • Public safety and security
  • Civil liberties and human rights (especially privacy)

Since 9/11, the War on Terror in Western countries has seen expansion of anti-terrorism and law enforcement surveillance powers in many countries.

Telecommunications (Interception and Access) Act 1979 (Cth)

This Act:

  • Makes it an offence to intercept (listen to or record) a communication passing over a ‘telecommunications system’ without the knowledge of the person making the communication
  • Makes it an offence to publish or retain a record of information gained in this way
  • Allows access to communications content for law enforcement and national security purposes after obtaining a judicial warrant.

Telecommunications Act 1997

This Act imposes obligations on telecommunications providers, including an obligation to provide assistance to law enforcement agencies for:

  • enforcing the criminal law and laws imposing pecuniary penalties
  • assisting the enforcement of the criminal laws in force in a foreign country
  • protecting revenue
  • safeguarding national security.

Exceptions to the Privacy Act

Most Australian government agencies are covered by the Privacy Act, including the AFP, Border Force and CrimTrac, but some are not covered:

  • Office of National Assessments
  • ASIO
  • ASIS
  • ASD
  • Defence Intelligence Organisation
  • Australian Geospatial Intelligence Org

Instead, the Inspector-General of Intelligence and Security provides oversight of these agencies’ activities and reviews them for legality and propriety.

Data retention

A law was passed in 2015 to implement a data retention scheme: the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).

Telecommunications companies must retain and secure for 2 years a set of information:

  • source and destination of a communication
  • date, time and duration of a communication
  • communication type
  • location of communications equipment.

22 law enforcement agencies are able to access this information without needing a court warrant (except if it is a journalist’s data).

Regulating privacy-enhancing technologies

Ryan Glister explains TOR

Sooraj Sidhu explains Public Key Encryption

The SPAM Act

The SPAM Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.

Electronic messages include Email, SMS and instant messaging. An electronic message is commercial if it offers, advertises or promotes the supply of goods, services, land or business or investment opportunities, or if it advertises or promotes the supplier of any of these things.

Messages are SPAM if they are sent without the prior consent of the recipient. A single message may be SPAM; messages do not have to be sent in bulk.

To avoid contravening the SPAM Act, electronic messages should only be sent with the consent of the recipient, must contain clear and accurate identification of the sender and how they can be contacted, and should include an unsubscribe facility.

The financial penalties for breaching the SPAM Act are steep. A single day's contravention may result in a penalty of up to $220,000, and repeated breaches of the Act may give rise to penalties of up to $1.1 million.

Rita Matulionyte explains The SPAM Act

Anna Hall explains The SPAM Act

This page includes material from the Office of the Australian Information Commissioner, licensed under CC BY 3.0 (AU)