So, I have been approached by a NSW Parliamentary committee to make a submission on whether or not we need a statutory cause of action for serious invasions of privacy.
My first thought was: why bother? We’ve been on this merry-go-round before. The ink is barely dry on the comprehensive, considered and balanced review conducted on this very topic by the Australian Law Reform Commission. The NSW Law Reform Commission also had a swing at this topic a few years back. Nothing has changed. No new laws, no new remedies.
Why should I waste my breath to answer the same question, to generate the same recommendations, the nuances of which will then be misrepresented by the media and dismissed or ignored by successive governments?
But my second thought was: I’d better at least read the terms of reference first. And lo and behold, the terms of reference also include inquiring into and reporting on the adequacy of existing remedies for serious invasions of privacy.
Well, here’s something that the Legislative Council’s Standing Committee on Law and Justice might just be able to sink their teeth into, and maybe – just maybe – could persuade the Attorney-General to immediately act upon: fixing the problems with PPIPA, the key privacy statute in NSW.
So my answer is yes. YES. Yes, we need better remedies for invasions of privacy. Because the law is failing us now.
Here’s a few examples of why.
Emerging privacy issues
The latest moral panic in privacy world is over the privacy-invasive nature of drones. Or maybe this week it is Big Data, or geolocation data, or maybe the Internet of Things. It’s hard to choose.
People like to say that the law doesn’t keep up with technology. That’s only half true.
Australian privacy law is designed to be technology-neutral, so that our laws don’t become obsolete a millisecond after they are written. (Unlike in the USA, where they have specific laws about things like the privacy of your VHS video rental records …)
Our flexible, principles-based privacy laws actually have plenty to say about what data can and can’t be collected, what can or can’t be disclosed, the need to ensure the accuracy, integrity and security of data, and everything else in between. These principles can be applied to drones or Big Data, just as they can be applied to paper files. In other words, the conduct could be regulated easily enough.
But the problem lies in the gaps where our laws don’t regulate: the person or body doing the conduct. There is also a failure of enforcement. This is why people think – incorrectly – that the law is outdated. It’s not outdated. It’s just not applied widely or deeply enough.
The black holes where the law doesn’t apply
These are pretty well documented, so here’s just a quick re-cap of all the privacy invaders who are not regulated by either NSW or federal privacy law.
Individuals not operating a business. So that revenge porn posted online? Not regulated.
Businesses with an annual turnover of less than $3M (except for health service providers). So the videographer flying drones over residential properties and filming people in their backyards? Not regulated.
Media organisations. In the business of outing Ashley Madison users on the air for entertainment value? Publishing photos of celebrities and royals in their private moments? Using a helicopter to film a family on their private property, grieving over a dead child? Not regulated.
Political parties. Hoovering up data from petitions, letters to newspapers and approaches to constituents’ local MPs, mining it to make assumptions about political opinions, and then crafting messages skewed to individual voters? Not regulated.
State-owned corporations in NSW. Public utilities which hold property, consumption, billing and payment data about land owners and residents. Not regulated.
The failure of enforcement
NSW has only a part-time Privacy Commissioner, who does not have enough staff or an independent budget, let alone any powers to levy fines or compel privacy-invaders to do anything.
Although in NSW we are blessed with a Tribunal which offers some (relatively) cheap access to justice for unrepresented complainants, the maximum compensation that can be ordered to be paid by a privacy invader to their victim is $40,000. The Tribunal has noted this is too low in serious cases of malicious breaches causing severe financial and psychological harm.
The ridiculous loopholes
And then, for the remaining public sector agencies that are actually regulated by PPIPA, there remain some unjustifiable loopholes, unique to NSW. Loopholes that are so wide you could drive a truck full of privacy-invaders through them, and still have room for a parade of dancing elephants on either side.
The Bad Cop Exemption
First up, s.27 of PPIPA.
I am a firm believer that the public interest in protecting privacy must be balanced with the public interest in effective law enforcement. There are indeed sensible exemptions for investigations and law enforcement which seek to achieve that balance.
And then there is s.27, which adds on top an entirely unnecessary blanket exemption for all police activities, other than educative or administrative ones. The effect of s.27 has been to render many police activities unaccountable in terms of privacy protection, even where a police officer acts corruptly or unlawfully – because negligent, reckless, unlawful or corrupt conduct is not an ‘administrative or educative function’.
So unlawful police behaviour like obtaining personal information by way of an invalid subpoena? Exempt.
Malicious police behaviour like disclosing information about the former gender of a woman to her boyfriend, which results in the woman being assaulted by her enraged partner? Exempt.
A negligent or reckless failure to check a child protection allegation which the police “know is false or should reasonably be expected to know to be false” before acting on it? Exempt.
Systemic problems like a failure to ensure the accuracy of bail records, so that hundreds of kids end up wrongly arrested or imprisoned? Exempt.
A failure to enforce data retention rules, so that decades-old ‘spent’ convictions are disclosed to a man’s partner and employer? Exempt.
Poor data security practices like a single shared login, no register of authorised users and no staff training when accessing public street CCTV footage? Exempt.
You can have blanket exemptions which allow corruption and negligence to thrive, or you can have nuanced, sensible, balanced exemptions to enable legitimate law enforcement, but allow remedies for victims of illegitimate police conduct. Please, Parliamentary Committee – recommend abolishing s.27.
The Not In NSW Exemption
Then there is the why-is-this-still-not-fixed s.19(2) problem.
Back in 2008, the Tribunal found that s.19(2) “covers the field” for transborder disclosures (i.e. disclosing personal information to a person or body outside NSW), and therefore s.18 (the regular Disclosure principle) does not apply. Except that s.19(2) has never actually commenced. The outcome of that 2008 GQ case was that in the Tribunal’s view, there are no restrictions on disclosures outside NSW.
The effect is that a public sector agency in NSW which wants to disclose something it shouldn’t, and which would breach the general prohibition against disclosure at s.18, can circumvent the law by simply sending the information to someone outside NSW.
Just let that sink in for a bit – a public sector agency can disclose anything it likes, without being in breach of PPIPA, so long as it first sends it to someone outside NSW. A journalist in Canberra, for example.
So, a public sector agency could disclose the Premier’s mental health records; or the Attorney General’s criminal records; or records about the Police Minister’s non-payment of his council rates – assuming any such records existed – without breaching PPIPA, so long as it was sent outside NSW.
This is an outcome Parliament surely did not intend.
In GQ the Tribunal stated that the situation could be remedied by the Privacy Commissioner making a Privacy Code of Practice, but this is not true; the Privacy Commissioner can only ‘prepare’ a Code under s.19(4). It can only be ‘made’ into law by the Attorney General. Whether by way of a Code, or an amendment to the Act, political will is needed to fix this problem.
After the GQ decision in 2008, commentators including yours truly ranted and raved about this outrageous and ridiculous outcome. But seven years later, nothing. No Code, no amendment to fix the law.
In the meantime, another case has come and gone, with the same outcome: a disclosure to a woman’s employer that would have been found in breach of PPIPA if the employer had been in NSW, but because the disclosure was made to someone in the Northern Territory, it is magically exempt.
The Not Our Fault Exemption
There is also the Personal Frolic Exemption at s.21.
This one has conveniently allowed public sector agencies to avoid having to provide any redress to victims of privacy breaches caused by the conduct of their employees, by arguing that the employee wasn’t really acting as an employee when they did that bad thing, so the agency cannot possibly be held liable. Which sounds fine in theory, but leaves the victim with zero redress. The corrupt use and disclosure provisions in Part 8 of PPIPA offer no remedy to the victim of privacy harm.
So the act of looking up a person’s criminal record without authority and using it to blackmail him? Exempt.
A school teacher looking up student medical records and disclosing them to a local soccer club? Exempt.
The unauthorised disclosure of the contents of a complaint letter by an employee of a local council to the person who was the subject of the complaint? Exempt.
The disclosure of a student’s university grades by an employee of the university to her ex-husband? Exempt.
Our submission
Are existing remedies adequate, in relation to serious invasions of privacy? No.
Should a statutory cause of action for serious invasion of privacy be introduced? Yes.
But first, please – start with fixing PPIPA. Let’s get off this merry-go-round, and actually fix the law.
This submission is drawn from our experience consulting to NSW public sector agencies on privacy matters since 2004, as well as from PPIPA in Practice, our annotated guide to the Privacy and Personal Information Protection Act 1998 (PPIPA), which incorporates consideration of the more than 320 cases decided to date under PPIPA and the Health Records & Information Privacy Act 2002. For more information see www.salingerprivacy.com.au.