
Privacy and Surveillance

Article 12, 1948 Universal Declaration on Human Rights (UDHR)

‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attack.’

The UDHR was adopted by the General Assembly as Resolution 217 on 10 December 1948. Among the 58 members of the United Nations, 48 voted in favour and 8 abstained; Honduras and Yemen neither voted nor abstained. The historical vote on adoption does not affect the application of the UDHR to member states that joined the United Nations later.
The UDHR is not a treaty and therefore does not itself create legal obligations for countries. It is an expression of fundamental values shared by all members of the international community, and has arguably become binding as part of customary international law.

Article 17, International Covenant on Civil and Political Rights (ICCPR)

‘(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.’

‘(2) Everyone has the right to the protection of the law against such interference or attacks.’

There are a total of 172 parties to the ICCPR.

Article 16, Convention on the Rights of the Child

‘(1) No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.’

‘(2) The child has the right to the protection of the law against such interference or attacks.’

Under Art 1 of the Convention, a child is defined as any human being below the age of 18.

Article 14 International Convention on the Protection of All Migrant Workers and Members of their families

‘No migrant worker or member of his or her family shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, correspondence or other communications, or to unlawful attacks on his or her honour and reputation. Each migrant worker and member of his or her family shall have the right to the protection of the law against such interference or attacks.’

Treaty No.108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

This treaty has been open for signature by member States of the Council of Europe and for accession by non-member States since 28 January 1981. There are a total of 57 accessions to it. In summary, it protects individuals against abuses arising from the collection and processing of personal data, in order to secure their rights and fundamental freedoms, in particular the right to privacy. It obliges parties to take appropriate security measures to prevent accidental or unauthorised access to personal data. It also enshrines the data subject’s right to know what personal data is held about them.

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Although not binding, these serve as guidelines for all OECD Member countries to uphold human rights and prevent interruptions to international flows of data. They represent a consensus on basic principles that can be incorporated into existing national legislation or serve as a basis for legislation in countries that do not yet have any.

There are 8 principles governing the protection of privacy and transborder flow of personal data. They are: collection limitation principle, data quality principle, purpose specification principle, use limitation principle, security safeguards principle, openness principle, individual participation principle and accountability principle.

Right to privacy and the internet

The right to privacy is not confined to the physical world. At its sixty-eighth session, the United Nations (UN) General Assembly adopted Resolution 68/177 on the right to privacy in the digital age. It recognised the increasing global use of the Internet and advances in information and communications technologies, and emphasised that the right to privacy also includes privacy in the digital world.

While gathering an individual’s sensitive information may be necessary for national and public security, it must be done in compliance with the state’s obligations under international human rights law. The UN therefore called upon States to review their legislation and practices relating to communications surveillance and the collection of personal data so as to protect the individual’s right to privacy, including in digital communications.

Interference with privacy

Under the UDHR and ICCPR, the content of the right to privacy turns on the term ‘interference’. What this essentially means is that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto, without interception and without being opened or read. Any capture of communications data may potentially amount to ‘interference’. Therefore, as suggested by the Office of the UN High Commissioner for Human Rights, the mass surveillance programmes adopted by many states would already amount to ‘interference’, and it is for the State to prove that such interception is neither arbitrary nor unlawful.

‘Unlawful’ and ‘Arbitrary’ – Qualified rights

The right to privacy under both the UDHR and ICCPR is not an absolute right. It may be restricted or limited as long as the restriction is not ‘unlawful’. This means that member states may implement laws that specifically authorise such derogation. However, member states are not unfettered: the implemented laws must not contravene the provisions of the International Covenant on Civil and Political Rights, and should be ‘reasonable in the particular circumstances’.

In determining the reasonableness of such a limitation, reference may be made to the //Siracusa Principles// and to case law. In short, they all emphasise the principles of legality, necessity and proportionality. Such a law has to be readily accessible and clear. It must be necessary and should be the least intrusive option for pursuing the legitimate aim.

Australia does not have a clear law protecting personal privacy as such.

Constitution

Unlike the Constitutions of many other liberal democracies, the Australian Constitution does not contain a right to privacy. Australia does not have a comprehensive Bill of Rights, either as part of the Constitution or as federal legislation. The ACT and Victoria do have legislated bills of rights enforceable against the territory- and state-level public agencies.

At the international level, Australia is a signatory to the International Covenant on Civil and Political Rights (ICCPR), which does protect the right to privacy, but the Covenant rights are not directly enforceable in domestic Australian law. The Australian Government views the Privacy Act 1988 (Cth) as implementing the ICCPR's right to privacy. However, this implementation does not include a strong human right to privacy which can invalidate conflicting legislation, as is the case in many other jurisdictions which recognise the right to privacy in their Constitutions or Bills of Rights.

Common Law

Various areas of law have evolved to protect aspects of an individual's space and reputation, including copyright, defamation, trespass, nuisance and confidentiality.

Until about 100 years ago, there was no formal legal notion of privacy in common law countries. But in 1890, a seminal US article by Warren and Brandeis called for a 'right to privacy', conceptualised as a 'right to be left alone', to be established in law.

In Australia, there is speculation as to whether a right to privacy or a tort of invasion of privacy exists in common law.

An early case, Victoria Park Racing, seemed to suggest that there was no such common law right in Australia.

But in the 2000s, there was significant development of English common law on privacy as a result of the UK Human Rights Act 1998 coming into force, which made European Convention on Human Rights (ECHR) rights, including privacy and free expression, enforceable to some extent in domestic law. In England there is no separate tort of invasion of privacy, but the courts during this period 'stretched' the tort of breach of confidence to cover privacy breaches. Furthermore, in 2004, a common law tort of invasion of privacy was found to exist in New Zealand.

A more recent Australian case, Lenah Game Meats, suggested that there could be a common law tort of invasion of privacy in Australian law. The High Court did not need to rule on that specific point given the facts of the case, but refused to rule out a more 'suitable' future case finding the existence of a privacy tort. The High Court suggested that a more 'suitable' scenario would involve a natural person rather than a legal person trying to establish the privacy tort.

So far, no such case has come up to the Australian High Court but there have been various decisions in lower courts on this issue.

Privacy Act 1988 (Cth) and the Australian Privacy Principles


The Privacy Act 1988 (Cth) protects information privacy - that is, it prescribes what 'personal information' organisations and federal government agencies can collect about Australians, how that information can be collected and how it must be stored, the circumstances in which the information can be used and disclosed, and what Australian citizens must be told about the information collected about them. Personal information includes things like name, address, phone number and occupation, as well as sensitive information such as health information. Other, state-level information privacy legislation also exists, which usually applies to state government agencies, e.g. the Information Privacy Act 2009 (Qld).

Personal privacy in Australia is protected in a de facto way, through a myriad of laws that are not designed specifically to protect privacy but which may have that effect. For example, a person may be able to preserve the privacy of their home through trespass laws. Privacy of movement may be asserted against another individual who offends against stalking laws. Laws designed to protect reputation, such as defamation laws and passing off laws, may be used to protect a person's privacy in some cases. Finally, there are laws which protect privacy in communications, such as breach of confidence laws and the Telecommunications (Interception and Access) Act 1979 (Cth).


The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) in Schedule 1. These principles apply to “APP entities”.

An “APP entity” is defined in section 6 to mean a Commonwealth government agency or an organisation. Organisation, in turn, is defined in s. 6C to include individuals, but not small business operators. Small business operators are those businesses with an annual turnover of $3 million or less and which meet the other requirements set out in section 6D.

When considering the APPs, it is important to first identify whether you are dealing with personal information or sensitive information (or both). Sensitive information is defined in section 6 and includes health information.

If a person thinks that their privacy has been breached under the Act, they may complain to the Office of the Australian Information Commissioner (OAIC) under section 36. Section 40 gives the Commissioner the power to investigate the complaint, and under section 52, the Commissioner may make a determination that an APP entity has breached the privacy principles in the Act. The Commissioner may also order that the entity take steps to ensure that the breach is not repeated and to provide redress to the complainant. If an entity does not comply with the Commissioner's declaration, then either the individual complainant or the Commissioner can apply to the Federal Court to have the declaration enforced under s.55A.

Sections 65 and 66 of the Privacy Act provide that entities must cooperate with a Commissioner's investigation, and there are financial penalties imposed for the failure to do so.


APP 1 — Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 — Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9 — Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.


APP 13 — Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

There has been very little case law on the application of the Privacy Act and APPs. One recent exception is the Privacy Commissioner v Telstra case involving technology journalist Ben Grubb's metadata. Unfortunately, it is unclear in the aftermath of the case whether dynamic IP addresses constitute 'personal information' for the purposes of Australian privacy law. (NB It would constitute ‘personal data’ in EU data protection law.)

Mandatory data breach requirements were introduced in early 2017 as an amendment to the Privacy Act.

The amendments contain a notification scheme for certain types of data breaches involving unauthorised access to or disclosure of personal information that is likely to lead to serious harm to individuals.

The requirements are binding on APP entities, credit reporting bodies, credit providers, tax file number recipients and Internet Service Providers.

If an entity becomes aware of a data breach, it must inform the federal Privacy Commissioner and the individuals whose data is affected; if this is not practicable, the entity can publish a statement on its own website.

The data breach notification scheme commences on 22 February 2018.

Surveillance is the monitoring of behaviour, activities, or other changing information, usually of people, for the purposes of influencing, managing, directing or protecting them (Lyon 2007). For a glossary of commonly used terms in surveillance studies, have a look at the open access book edited by Guy McHendry.

Surveillance is carried out by governments for intelligence gathering, the prevention of crime, the protection of a process, group, person or object, or the investigation of crime.

The extent of government surveillance powers goes to the heart of questions about the appropriate role of the state in our lives, including:

  • Rule of law
  • Liberal democracy
  • Public safety and security
  • Civil liberties and human rights (especially privacy)

Since 9/11, the War on Terror has seen the expansion of anti-terrorism and law enforcement surveillance powers in many Western countries.

Telecommunications (Interception and Access) Act 1979 (Cth)

This Act:

  • Makes it an offence to intercept (listen to or record) a communication passing over a ‘telecommunications system’ without the knowledge of the person making the communication
  • Makes it an offence to publish or retain a record of information gained in this way
  • Allows access to communications content for law enforcement and national security purposes after a judicial warrant has been obtained.

Telecommunications Act 1997

This Act imposes obligations on telecommunications providers, including an obligation to provide assistance to law enforcement agencies for:

  • enforcing the criminal law and laws imposing pecuniary penalties
  • assisting the enforcement of the criminal laws in force in a foreign country
  • protecting revenue
  • safeguarding national security.

Exceptions to the Privacy Act

Most Australian government agencies are covered by the Privacy Act, including the AFP, Border and CrimTrac, but some are not covered:

  • Office of National Assessments
  • ASIO
  • ASIS
  • ASD
  • Defence Intelligence Organisation
  • Australian Geospatial-Intelligence Organisation

Instead, the Inspector-General of Intelligence and Security provides oversight of these agencies’ activities and reviews them for legality and propriety.

Data Retention

A law was passed in 2015 to implement a data retention scheme: the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).

Telecommunications companies must retain and secure the following set of information for 2 years:

  • source and destination of a communication
  • date, time and duration of a communication
  • communication type
  • location of communications equipment.

22 law enforcement agencies are able to access this information without needing a court warrant (except where the data is a journalist’s).



The SPAM Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.

Electronic messages include Email, SMS and instant messaging. An electronic message is commercial if it offers, advertises or promotes the supply of goods, services, land or business or investment opportunities, or if it advertises or promotes the supplier of any of these things.

Messages are SPAM if they are sent without the prior consent of the recipient. A single message may be SPAM; messages do not have to be sent in bulk.

To avoid contravening the SPAM Act, electronic messages should only be sent with the consent of the recipient, must contain clear and accurate identification of the sender and how they can be contacted, and should include an unsubscribe facility.

The financial penalties for breaching the SPAM Act are steep. A single day's contravention may result in a penalty of up to $220,000, and repeated breaches of the Act may give rise to penalties of up to $1.1 million.

Constitution

Art 21, Constitution of India: ‘No person shall be deprived of his life or personal liberty except according to procedure established by law.’

There is no express provision for the right to privacy in the Constitution of India. Over the past 60 years there has been a divergence of opinion as to whether the right to privacy is a fundamental right in India, resulting in inconsistent judgments.

In 2017, it was unanimously held in Justice KS Puttaswamy (Retd) v Union of India & Ors that the right to privacy is protected as a fundamental constitutional right under the right to life or personal liberty in Art 21 of the Constitution of India. This case serves as a landmark judgment and it explicitly overrules previous judgments where it was held that there is no fundamental right to privacy.

The right to privacy under the Indian Constitution is not an absolute right. An invasion of personal liberty must pass the three-fold test of legality, necessity and proportionality.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011

The Rules are subordinate legislation regulating the collection and disclosure of information by any body corporate. They impose a consent requirement: businesses must obtain consent in writing, by letter, fax or email, from the provider of sensitive personal data or information before collecting such information. Businesses must take reasonable steps to ensure that the person has sufficient knowledge of the collection.

The Rules also control the disclosure and transfer of information. These are permissible where prior permission is obtained from the provider, or where necessary for the performance of a lawful contract between the business and the provider of the information.

Although the implementation of security practices and standards is not mandatory under the Rules, in the event of an information security breach businesses are required to demonstrate that they have implemented security control measures.
