Greenleaf, Graham --- "'Tabula Rasa': Ten Reasons why Australian Privacy Law does not Exist" [2001] UNSWLawJl 4; (2001) 24(1) UNSW Law Journal 262
‘Tabula Rasa’: Ten Reasons Why Australian Privacy Law Does Not Exist
[1] In 2001, Australia still has nothing worth describing as a body of privacy law, even though a quarter of a century has passed since the Privacy Committee Act 1975 (NSW) established the third permanent privacy protection agency in the world, and the Federal Attorney-General referred the whole issue of privacy protection to the Australian Law Reform Commission (then chaired by Kirby J). The following article sets out ten reasons why Australia has failed to develop a body of privacy law.[1]
I OUR COURTS HAVE NOT YET DEVELOPED THE GENERAL LAW
[2] The absence in Australia of any constitutional or statutory Bill of Rights (as is now found in the United States, the United Kingdom, New Zealand and Canada) means that our courts do not have a convenient platform in domestic law from which to develop privacy law as an aspect of human rights. The High Court’s decision in Victoria Park Racing and Recreation Grounds v Taylor[2] stalled the development of any general tort of interference with privacy by Australian courts, although courts in similar jurisdictions have found some scope for common law development.[3] We now await the High Court’s decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd[4] to see if some form of a general tort of invasion of privacy can develop, at least in relation to ‘stolen’ information.[5]
[3] A general tort, however, is not the end of the story, as our courts could develop specific tortious, equitable or administrative law remedies, or principles of interpretation, that would better protect privacy. For example, the law of breach of confidence has not yet clarified which transactions involving sensitive personal information are in fact ‘circumstances of confidence’ sufficient to attract the protection of a breach of confidence action. Beyond the traditional categories of doctors and lawyers, it is difficult to know whether video shops, all forms of financial advisers, libraries and bookstores, and introduction agencies owe us a duty of confidence. Further, Part VIII of the Privacy Act 1988 (Cth) (‘Privacy Act’), which extends the law in a novel way to give the subject of information the protection of breach of confidence law even where they are not the confider of the information (at least in some contexts), has never been utilised.
[4] In Johns v ASC,[6] the High Court opened up a principle of potential importance when it found that public bodies were limited in their use of information (including personal information) to the statutory purposes for which the information was collected. Yet there has been little use or development of this principle since that decision.[7]
[5] Perhaps our courts have not had sufficient opportunity as a result of a lack of appropriate cases coming before them, since few developments of general importance have emerged as yet, and the general law remains under-developed.
II INTERNATIONAL INSTRUMENTS HAVE UNDER-PERFORMED
[6] In Toonen v Australia,[8] the United Nations Human Rights Committee found that Australia was in breach of the provision in the International Covenant on Civil and Political Rights (‘ICCPR’)[9] protecting privacy (art 17) in relation to Tasmania’s laws concerning sexual conduct.[10] The equivalent provision (art 8) in the European Convention for the Protection of Human Rights and Fundamental Freedoms[11] has a significant body of case law concerning information privacy (focusing on issues of excessive or intrusive collection),[12] but no equivalent use has been made (as yet) of art 17 of the ICCPR.
III LIMITED SCOPE HAS RENDERED OUR PRIVACY LEGISLATION LARGELY IRRELEVANT
[7] Until now, our information privacy legislation has covered only the federal public sector (since 1988), consumer credit reporting (since 1991), the health sector in the Australian Capital Territory (since 1997), and the New South Wales (‘NSW’) public sector (only effective since mid 2000), and (to a limited extent) the telecommunications industry, uses of tax file numbers and some uses of criminal records. This is, at best, a fraction of the situations likely to cause people privacy problems. The Federal Privacy Commissioner received nearly 9 000 enquiries in 1998-99, but 65 per cent of them fell outside the Commissioner’s jurisdiction, only 1.7 per cent concerned the federal Information Privacy Principles (‘IPPs’), and only 131 complaints resulted in a formal investigation.[13] The New South Wales Privacy Committee (which ceased operation in 1999) could investigate anything but had no enforcement powers.
IV LEGISLATION RIDDLED WITH EXCEPTIONS: MORE HOLES THAN CHEESE?
[8] The extension of the Privacy Act to cover (parts of) the private sector will change this situation somewhat, but the coverage is still far from comprehensive. On the Federal Government’s estimate, up to 94 per cent of businesses are potentially exempt ‘small’ businesses, and there are other potentially large areas of exemption relating to employment records, ‘publicly available information’ and the media. The Privacy and Personal Information Protection Act 1998 (NSW) has so many exemptions that it can be said to have ‘more holes than cheese’.[14] The Information Privacy Act 2000 (Vic) is much better,[15] but other States and Territories still have no legislation.
[9] While the situation is improving, the dismal coverage of Australian privacy law to date has meant that most who have bothered to complain to Privacy Commissioners in the past have been turned away, and this may continue to occur in many cases despite the new legislation.
V ENFORCEMENT THAT IS BIASED AGAINST COMPLAINANTS BLOCKS ACCESS TO THE COURTS
[10] The minority who can make a privacy complaint which is not exempt from the relevant legislation still have no guarantee that the complaint will be determined according to the correct meaning of the Privacy Act. The Privacy Act does not provide for any right of appeal against determinations by the Federal Privacy Commissioner, whether in relation to complaints against public or private sector bodies. However, this limitation does not equally disadvantage complainants and the subjects of the complaint. Businesses or agencies that are complained about have, in effect, a right of appeal to the Federal Court on the merits of their case if they are found to have breached the Privacy Act, whereas unsuccessful individual complainants have no such right. This is simply unfair.
[11] A determination of a complaint by the Commissioner (or by a code authority) can only be enforced by proceedings in the Federal Court (or the Federal Magistrates Court),[16] and the court has to deal with the matter by way of a de novo hearing.[17] As a result, a dissatisfied agency or business simply has to ‘sit on its hands’ and not pay the compensation or take the other steps it has been ordered to take. If the complainant then takes the matter to the Federal Court for enforcement, the business or agency can have their case heard in full again.[18] While businesses and agencies thereby obtain (effectively) a right of appeal to a court, an unsuccessful complainant has no such right. A complainant then has no redress against a questionable but reasonable application of the law to the facts of the complainant’s case. Yet the Commissioner need not be a lawyer, and only one of the three Commissioners to date has been (Commissioner Kevin O’Connor).
[12] The defect is not that businesses and agencies have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a court or tribunal. In my opinion, such a right of appeal is unlikely to lead to a flood of cases.
[13] Decisions of the Commissioner are now subject to judicial review, which will help ensure procedural fairness, but this does not address the problem of lack of appeal rights. It will fail to provide justice to complainants where the complaint is that the Commissioner has applied the National Privacy Principles (‘NPPs’) or an industry code to the facts of a complaint in a dubious fashion.[19] Where the Commissioner has misinterpreted the IPPs, NPPs or principles in an industry code, or has misinterpreted another provision of the Privacy Act or a code, judicial review for error of law under the broader meaning of that term in the Administrative Decisions Judicial Review Act 1977 (Cth) may lie.[20] However, this only applies where the Commissioner makes a decision capable of review, such as a s 52 determination or a s 41 decision; yet (as noted below) this has only occurred twice in the history of the Privacy Act. The Federal Commissioner has therefore been the de facto authority on the meaning of the Privacy Act, despite the avenues for review specified in the Act.
[14] The Victorian and NSW privacy legislation does give complainants access to an administrative tribunal, and ultimately to the courts. Under the Privacy and Personal Information Protection Act 1998 (NSW), complainants may elect whether to have a complaint about a breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner (s 45) or resolved through an internal review by the agency concerned (s 53). The right of appeal, however, is only against an internal review by an agency (s 55), so if a complainant is dissatisfied with the Commissioner’s conciliation, they will first have to seek an internal review before their right to appeal to the Administrative Decisions Tribunal arises. The Information Privacy Act 2000 (Vic) gives dissatisfied complainants (or agencies) an unfettered right to have the NPPs and other provisions in the Act interpreted by the Victorian Civil and Administrative Appeals Tribunal and ultimately by the courts. The NPPs in these State Acts are therefore more likely to be interpreted by the courts than the IPPs in the federal Privacy Act, but as they are still in their infancy, no law has yet emerged.
VI FEW FORMAL DETERMINATIONS BY COMMISSIONERS HAS LED TO A LACK OF LAW
[15] In over a decade, the Federal Privacy Commissioner has made only two formal s 52 determinations of complaints concerning the IPPs,[21] and none concerning credit reporting under Part III(A) of the Privacy Act. In the 1998-99 financial year, the Office of the Federal Privacy Commissioner started formal investigation of 131 complaints and ‘closed’ (ie, settled or dismissed) 91 complaints under s 41 (none of which resulted in formal determinations under s 52).[22] Unfortunately, the Commissioner does not report details of decisions made under s 41(1) not to investigate or further investigate a complaint. This is disappointing, as these decisions may be significant (even though there is no breach of an IPP or NPP), and could potentially be subject to judicial review.[23]
[16] Does the fact that no complainants insisted on a formal s 52 determination mean that all 91 sets of complainants and respondents were satisfied with the result? At least in relation to complainants, there are several reasons why it is not possible to conclude this. If the Commissioner suggests to a complainant that a matter might be settled on particular terms, then even if the complainant disagrees, he or she is unlikely to insist that the Commissioner proceed to a formal s 52 determination since they cannot appeal against the determination. Few complainants are likely to be aware that, if the Commissioner makes a s 52 determination containing what may be characterised as an error of law, they are entitled to seek a contrary interpretation by means of judicial review. Complainants may decide to agree with a proposed settlement in order to resolve or at least conclude the process. As a result, there may be an unknown number (or ‘dark figure’) of dissatisfied complainants due to the Privacy Act’s structural defect in not allowing appeals against the Commissioner’s decisions. If so, a side-effect is that even fewer reasoned s 52 determinations occur, and the development of privacy law is further stunted.
VII SETTLED COMPLAINTS ARE NOT USED AS A GUIDE FOR SUBSEQUENT COMPLAINTS
[17] The Federal Privacy Commissioner’s Annual Report for 1998-99 does not indicate how many of the 91 closed complaints resulted in compensation or some other remedy in favour of the complainant, merely noting that seven complaints resulted in payment of monetary compensation, which in total amounted to $18 000.[24] Brief details are given of nine settled complaints, but not of all of those resulting in compensation. No further details of settled complaints (or even of the two formal determinations) are provided on the Commissioner’s otherwise very extensive and informative website.
[18] As a result, prior complaints provide potential complainants, respondents and their respective advisers with very little information about how the Privacy Act is interpreted. The overall impression after thirteen years of operation of the Privacy Act is that, while Commissioners are interested in ensuring justice for individual complainants, the use of the complaints function of the Act to develop privacy law, and to guide parties to future complaints, is a matter which has the lowest possible priority. In this way, the Commissioner’s Office can be seen as a black hole from which no privacy law escapes.
VIII GUIDELINES DRAFTED BY THE FEDERAL PRIVACY COMMISSIONER MAY BE WISHFUL THINKING
[19] In the absence of any guidance on the meaning of the IPPs emerging from decided complaints (or, better still, court decisions), what guidance is available? The Federal Privacy Commissioner has issued detailed guidelines on the interpretation of the IPPs, and draft guidelines on the NPPs.[25] The guidelines state that they are ‘not legally binding’ but ‘are the Privacy Commissioner’s view’ of how the IPPs work.[26] Some of the guidelines seem more like guidelines to safe and desirable practices that the Commissioner would like to see adopted (a legitimate function for them to perform), rather than consistently reliable, legal interpretations of the Act. In fact, they may be wishful thinking on the Commissioner’s part. For example, the guidelines on information collection principles state that consent ‘must be informed and free’, that ‘an agency should not seek a broader consent than is necessary for its purposes’, and that ‘if the person the information is about knows or believes that serious adverse consequences will follow if they refuse to consent, any consent they give is not freely given’.[27] No justification is given for these statements as a legal interpretation of the use of ‘consent’ in the Privacy Act and, in my opinion, they are contestable interpretations in a complex area of law.
[20] The only way to settle the meaning of the IPPs and NPPs is through litigation. Until then, much of our privacy lore, including the Commissioner’s guidelines, will remain largely speculation.
IX LITIGATORS HAVE MADE LITTLE USE OF PRIVACY LEGISLATION
[21] Lawyers thrive on precedents. Yet Australian lawyers have had few precedents to stimulate them to think creatively about privacy law (partly due to the invisibility of the complaints function in the Privacy Act).
[22] Litigators have made little use of privacy laws, even where access to the courts is possible. For example, judicial review of s 41 decisions has not been reported. Furthermore, although it is not possible for a complainant to appeal from a Commissioner’s determination to a court in relation to a complaint about the IPPs or NPPs, an injunction can be sought to restrain a breach of the principles. Section 98 of the Privacy Act allows ‘the Commissioner or any other person’ (including, but not limited to, a complainant likely to be affected by the breach) to go directly to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the IPPs or NPPs. The injunctive power, which has never been used, allows a litigant in an appropriate case to have a particular IPP or NPP interpreted by the court, and then pursue compensation or another remedy through the Commissioner’s Office.
X COURTS HAVE SHOWN A LIMITED APPRECIATION OF PRIVACY LEGISLATION
[23] Our courts have had limited opportunities to interpret privacy legislation for the reasons outlined above, but even where they have the results have not been encouraging. For example, courts have not taken adequate notice of s 98. In Ibarcena v Templar, Finn J seems to have proceeded on the mistaken assumption that a complainant ‘cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court’s jurisdiction and for the grant of relief’.[28] With respect, a complainant can do so by seeking an injunction, at least in relation to breaches or potential breaches where an injunction would be appropriate.[29] Similarly, in Goldie v Commonwealth of Australia,[30] French J gave an account of how complainants could come before a court, but omitted any mention of s 98 injunctions.[31]
XI CONCLUSION? WE NEED MORE LAW
[24] There are other reasons, of course, for the lack of privacy law. Privacy and public interest advocates and academics have spent much time arguing for the extension of privacy legislation but have made relatively little effort to analyse how the limited existing laws can be used or to find test cases. A mea culpa is therefore an appropriate end to this list.
[25] The gist of my argument has been that we need more law. The general law has not developed its potential to protect privacy. There are a series of deficiencies in our privacy legislation and in the practices of the Federal Privacy Commissioner. We need changes to our laws so that complainants can more readily take questions of interpretation and application of privacy laws to courts and tribunals. We need Privacy Commissioners who make the communication of the details of complaints resolution and the law underlying them a high priority. We need lawyers who find new ways to obtain interpretations and remedies. We need dissemination of decided cases and examples of remedies obtained, both here and overseas. We need more law than just the Commissioner’s lore.
[*] Professor of Law, University of New South Wales; Co-Director, Australasian Legal Information Institute; Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre.
[1] There are other important reasons, many of which are well put by Simon Davies in another article in this issue, entitled ‘Unprincipled Privacy: Why the Foundations of Data Protection Law are Failing Us’.
[2] [1937] HCA 45; (1937) 58 CLR 479. See the discussion of this case by Kirby J in another article in this issue, entitled ‘Privacy – In the Courts’.
[3] For example, in New Zealand, although this is apparently now in retreat. See Tim McBride, ‘Recent New Zealand case law on privacy: The Privacy Act and the Bill of Rights Act’ Pt 1 (2000) 6 Privacy Law and Policy Reporter 106.
[4] Heard 2-3 April 2001, judgment reserved; the transcript of the proceedings is available in two parts at <http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/1.html> and <http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/2.html> at 7 June 2001.
[5] The case concerns the publication of information which is the ‘fruit of a trespass’.
[6] [1993] HCA 56; (1993) 178 CLR 408.
[7] See Graham Greenleaf, ‘High Court confirms privacy right against governments’ (1994) 1 Privacy Law and Policy Reporter 1.
[8] (1994) 1(3) IHRR 97.
[9] Opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976).
[10] See Graham Greenleaf, ‘Casenote: Toonen v Australia’ (1994) 1 Privacy Law and Policy Reporter 50.
[11] Opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953).
[12] See Lee Bygrave, ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’ (1998) 6(3) International Journal of Law and Information Technology 247.
[13] Federal Privacy Commissioner, Annual Report 1998-99 (1999) 53.
[14] Graham Greenleaf, ‘A new era for public sector privacy in NSW’ (1999) 5 Privacy Law and Policy Reporter 130.
[15] See Graham Greenleaf, ‘Victoria’s privacy Bill still sets the standard’ (2000) 7 Privacy Law and Policy Reporter 21.
[16] This problem arises from the High Court’s decision in Brandy v Human Rights and Equal Opportunity Commission [1995] HCA 10; (1995) 127 ALR 1, in which it was held that in complaints against respondents other than the Commonwealth, the previous system for lodging Human Rights and Equal Opportunity Commission (‘HREOC’) determinations in the Federal Court (including Privacy Act 1998 (Cth) s 52 determinations), whereupon they became binding, was an invalid exercise of judicial power. The ‘quick Brandy fix’ was to revert to the old system of a de novo hearing in the Federal Court whenever enforcement of a determination by a HREOC Commissioner or the Federal Privacy Commissioner is required.
[17] Privacy Act 1988 (Cth) s 55A(5).
[18] Note that a determination is now prima facie evidence of the facts upon which the determination is based: Privacy Act 1988 (Cth) s 55B(3). It will be possible, however, for those facts to be challenged. This amendment does not address the fundamental problem of unsuccessful complainants having no right of appeal but is an improvement, since the successful complainant will not (or at least will not often) be required to prove the facts again.
[19] Riediger v Privacy Commissioner [1998] FCA 1742 (Unreported, Sackville J, 23 September 1998), one of the few cases dealing with the Privacy Act, underlines this point. Justice Sackville, dismissing an application for judicial review under the Administrative Decisions Judicial Review Act 1977 (Cth) of a decision by the Federal Privacy Commissioner under s 41(1) of the Privacy Act to cease investigation of the applicant’s complaint, stressed that ‘the Federal Court’s jurisdiction in these matters is limited to the review of any error of law made by the Commissioner in the course of his decision’ and ‘an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant’s complaints against either [of the respondents]’: [8].
[20] Administrative Decisions Judicial Review Act 1977 (Cth) ss 5(1)(f), (j), and 6(1)(f), (j).
[21] See Federal Privacy Commissioner, Federal Privacy Handbook: A Guide to Federal Privacy Law and Practice (1998) 13-020.
[22] Federal Privacy Commissioner, above n 13, 53.
[23] See, eg, Riediger v Privacy Commissioner [1998] FCA 1742 (Unreported, Sackville J, 23 September 1998).
[24] Federal Privacy Commissioner, above n 13, 53.
[25] Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3 (1994); Plain English Guidelines to Information Privacy Principles 4-7 (1998); Plain English Guidelines to Information Privacy Principles 8-11 (1996); Draft Guidelines on the National Privacy Principles (2001).
[26] See, eg, Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3 (1994) 1; Plain English Guidelines to Information Privacy Principles 8-11 (1996) 1.
[27] Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8-11 (1996) Guideline 15.
[28] [1999] FCA 900 (Unreported, Finn J, 25 June 1999) [9].
[29] See Patrick Gunning, ‘Casenote: Ibarcena v Templar’ (2001) 7 Privacy Law and Policy Reporter 178.
[30] [2000] FCA 1873 (Unreported, French J, 22 December 2000).
[31] See Patrick Gunning, above n 29, 179.
URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2001/4.html