Making Sense of Privacy Law in the ACT

Contributed by Dr Bruce Baer Arnold, University of Canberra and current to February 2022.

At a glance

It is common for people to talk about privacy rights. It is also common for people, particularly those in a privileged position, to deny that privacy rights exist. One prominent law academic famously derided the right to privacy as an indulgence by woolly-minded members of the middle class, arguing that if you have nothing to hide you have nothing to fear. Others have incorrectly claimed that privacy or legal protection for the personal sphere is a new phenomenon. That claim disregards traditional values evident in catchphrases (e.g. that ‘a man’s home is his castle’, ‘it is none of your business’ and ‘government has no place in the bedrooms’) and judicial wariness from at least 1765, in the famous case of Entick v Carrington, a common law judgment about punitive searching of private dwellings.

Language about privacy is often confusing. So is the law, which as the previous part of this chapter noted resembles a patchwork of enactments by the different legislatures (including by the ACT Legislative Assembly, discussed in The ACT Privacy Regime) and decisions by courts and tribunals. Much of that law is specific to particular industry sector or government agency or type of activity. There is major inconsistency across Australia. People in the ACT for example have clearer and stronger protection than residents in South Australia and Western Australia.

Overall, law continues to catch up with adoption of new technologies (such as mobile phones), changing social practice (such as consumer embrace of Facebook and Twitter), the drive by government and business to reduce costs by going online, responses to COVID or natural disasters such as major floods in 2022, and anxieties about national security or other crime.

In making sense of privacy law in the ACT it is accordingly important to recognise that there is no single enactment (at the Territory or Commonwealth level) that deals with all or most privacy questions. The challenge for many readers of this chapter will be to identify and apply the enactment or other law that best relates to their issue. That law may not be titled ‘The Privacy Act’. Disregard of an individual’s privacy might for example best be addressed under criminal law dealing with illicit surveillance such as covertly recording someone in a private bathroom or public toilet. It might instead be a matter of the law of confidentiality, which is particularly important for some health and commercial data protection disputes.

Before looking at the key enactments regarding privacy in the ACT it worth thinking what we mean by privacy (and why privacy is important) and then differentiating between particular types of privacy. That differentiation explains the unevenness of much of the statute law (ie enactments by the Australian parliaments).

Perhaps the most succinct definition of privacy, embodied in a very influential 1890 US article by Warren and Brandeis, is that it centres on a freedom from inappropriate interference – a right to be left alone.

That characterisation recognises that privacy is a matter of balance, rather than an absolute. We do not for example expect toddlers to have comprehensive privacy: their well-being involves scrutiny by parents or guardians. We similarly recognise the appropriateness of surveillance of terrorists, within a coherent legal framework and by law enforcement personnel who are accountable.

The expectation is that respect for privacy, in part as a manifestation of respect for the dignity of all people, will recognise the diversity of human needs and aspirations, foster trust, minimise fear and more broadly result in social goods.

For legitimacy, the interference cannot be arbitrary. It must be justifiable on the basis of public good rather than bureaucratic convenience. It cannot be disproportionate, for example fundamentally eroding the privacy of everyone rather than a restricted group of individuals. An emphasis on legitimacy is important, because the political process in Australia sometimes means that legislation disregarding privacy (and thereby disregarding the dignity that differentiates Australia from totalitarian states and terrorist groups) will often be lawful but wrong.

Privacy co-exists with and is sometimes conceptualised as confidentiality, an area of law that encompasses protection of, for example, trade secrets rather than merely intimate information about an individual. Expectations about confidentiality – a legal duty to safeguard particular information – are evident in the health sector (notably a medical practitioner’s duty to patients) and in the legal profession. Confidentiality is discussed below.

In building on privacy as a freedom from inappropriate interference, theorists and some policymakers have increasingly differentiated between discrete types of privacy. It is worth bearing those types in mind when seeking to understand the ACT and national privacy regimes, noting that they are concepts rather than judicially-recognised formal legal categories.

Informational Privacy

One type – often misunderstood as the only form of privacy – is informational privacy, in other words data that identifies an individual.

That data might be the person’s name or identity number. It might tie the person to entitlements, legal disabilities, financial assets or liabilities, consumption patterns or capabilities. It might involve a paper file or entries on an electronic database.

Informational privacy is at the heart of key enactments such as the Privacy Act 1988 (Cth) and the Information Privacy Act 2014 (ACT) discussed below, but it features in a wide range of other legislation.

Observational Privacy

Another type is what some theorists characterise as observational privacy, broadly a freedom from inappropriate watching and recording.

That freedom may be found under criminal law that is meant to deter unwanted observation (including use of cameras) in places such as public changerooms or toilets and in the family home, i.e. locations where there is a reasonable expectation that people will be left alone. It is also found under ACT legislation regarding stalking.

Much of that law is deeply traditional, evident in for example criminalisation of ‘peeping tom’ behaviour that features in both the mythical Lady Godiva story and prosecution of landlords or ADFA cadets who have placed video cameras in showers used by tenants or their peers.

Observational privacy has been strengthened by common-sense behaviour (e.g. pulling the curtains) and law about trespass, given that property owners have control over who enters their property. A later part of this chapter notes that there are no comprehensive rights allowing a celebrity or ordinary person to prevent in-person observation and electronic or other recording of the individual’s presence in a public space such as Garema Place, a footpath at Gungahlin or outside a venue such as Mooseheads.

Communication Privacy

Another perspective is communication privacy: a freedom from inappropriate interference with postal and electronic communication, and by extension with speech or gesture.

That freedom has been salient in debate about warrantless access to email, SMS and browser history data. It has appeared in debate about the mandatory retention of telecommunications metadata under Commonwealth law (in contrast to Europe where population-scale retention of telecommunication traffic data – distinct from the content of messages – has been deemed to be constitutionally impermissible as contrary to the EU human rights framework).

It is also evident in traditional law regarding ‘listening devices’ and unauthorised opening of mail, which for example criminalise unauthorised use of ‘bugs’ and ‘spycams’ or the postie reading your letters.

Note that you might accept some surveillance as part of employment or service provision, for example your employer having scope to read ‘private’ communications that occur via the employer’s corporate network. Corrections personnel similarly have scope to observe communications from inmates of a prison or detention facility.

Physical Privacy

Observational privacy coexists with what theorists have characterised as physical or bodily privacy.

It includes a freedom from inappropriate interference with your physical integrity, for example an unauthorised cavity search or coerced removal of clothing. It also includes a freedom from inappropriate taking/exploitation of samples, for example an unauthorised blood sample.

Those freedoms are not addressed under the informational privacy legislation; they are instead addressed under tort law and criminal law. They are likely to gain more attention in future given increasing commercialisation of DNA.

Note that some interference is considered to be appropriate, with for example enactments specifically providing for strip or cavity searches by law enforcement and corrections officers.

Spatial Privacy

Some privacy advocates have expressed concern about spatial privacy, particularly in relation to tracking of people using mobile phones or other devices that few consumers recognise identify their location and using technologies that employers acknowledge are tools for mapping the movement of employees from one location to another (during and outside work time).

Relational and other Privacy

Theorists have expressed concern about relational privacy, conceptualised as a freedom of association – not being surveilled through the individual’s phone contacts, ‘likes’ on Facebook and other appearances on the social graph.

Others have expressed concern more subtly about intellectual privacy: a freedom to have and express orthodox and heterodox thoughts and tastes, precluding being profiled on the basis of what books you read, what videos you watch, what websites you visit and so forth.

A salient recommendation for readers of this chapter is accordingly to look beyond what many people mistakenly think of as a ‘one size fits all’ Privacy Act. The different privacy enactments are significant but may not result in useful remedies if your privacy has been disregarded.

A right to privacy?

Is there a comprehensive ‘right to privacy’ in the ACT? A disquieting response to that question is that references to ‘rights’ are problematical unless those rights are legally enforceable, in the first instance enforceable because they are recognised by courts and more broadly enforceable because people have access to that law (something that may be difficult if you have a disagreement with a major government agency or a large overseas-based corporation).

In practice much of the language about ‘rights’ is aspirational rather enforceable. It is confusing.

Overall, as the following two parts of this chapter note, people in the ACT do not have a comprehensive and justiciable right to privacy, in other words an over-arching right that covers the different types of privacy mentioned above and that is recognised by Australian courts as overriding the enactments that are in place in the ACT or other Australian jurisdictions. It is unlikely that a comprehensive right will come into being in the near future. Australia has not signed up to a treaty that provides individuals with strong privacy right. Indeed, several of the international agreements reflected in law over the past three decades serve to lawfully erode privacy as part of taxation, counter-terrorism and money-laundering, people trafficking, national security and other regimes.

The Australian Constitution, which is essentially concerned with relations between the national government (the Commonwealth) and the states and territories, does not include a Bill of Rights. It is entirely silent on privacy, in contrast to its articulation of the Commonwealth’s powers. The national Parliament has passed a wide range of enactments that deal with privacy. Those enactments often erode protections that were provided in earlier statutes or extend exclusions in for example the Privacy Act 1988, the Data-matching Program (Assistance and Tax) Act 1990 (Cth), the Healthcare Identifiers Act 2010 (Cth) and Telecommunications (Interception and Access) Act 1979 (Cth).

One implication is that people in the ACT cannot successfully argue that an enactment of the national parliament is impermissible because it is contrary to privacy rights.

A corollary is that establishment of a justiciable national Bill of Rights, similar to that found in Canada, the United States and all of Australia’s peers, would provide individuals whose privacy has been disregarded with scope for compensation and for restriction of further disregard. Contrary to hyperbole by some people, the stronger human rights regime in the United Kingdom, Canada, New Zealand and other countries has not meaningfully prevented law enforcement.

The ACT, along with Victoria and Queensland, is one of the Australia’s three ‘human rights’ jurisdictions. In essence, under the Human Rights Act 2004 – discussed below - the ACT Government is required to consider the protection of human rights in developing new legislation and by extension in implementing that legislation. Section 12 of the Human Rights Act specifically refers to privacy, characterised as the right of all people “not to have his or her privacy, family, home or correspondence interfered with unlawfully or arbitrarily”. That right is “subject only to reasonable limits set by laws that can be demonstrably justified in a free and democratic society” (section 28).

The Act does not impose a duty on private sector entities. It may be overridden by the ACT Attorney-General. It does not give someone whose privacy has been fundamentally disregarded a right to compensation.

One implication is that the Territory’s Human Rights Act is aspirational: it is useful for education and potentially for shaming but does not offer a remedy for privacy wrongs. Readers should accordingly be wary about claims regarding rights that are readily enforceable through the courts by people whose privacy has been invaded.

Readers should also be wary about claims by ‘sovereign citizens’ that a comprehensive right of privacy is provided by Magna Carta or that people can lawfully disregard rules that they dislike. No sovereign citizen has successfully claimed immunity in an Australian court.

Privacy law is a patchwork, not a magic carpet

Preceding paragraphs have emphasised that there is not a single comprehensive privacy enactment at the national and Territory levels and that common law (ie made by judges rather than enactments by a legislature), sometimes quite old and often misunderstood, remains significant.

In part that reflects the division of power between the different Australian governments. The Commonwealth does not have exclusive power under for example the national Constitution or an international agreement. (Establishment of such an agreement in the near future is unlikely but the EU General Data Protection Regulation, aka GDPR, will influence both Australian practice and consumer expectations. The GDPR is discussed below.)

In part the absence of an over-arching enactment reflects the law-making process, which is incremental, unsystematic and often in response to a particular incident. Legislators have for example implemented law reform body recommendations regarding the criminalisation of particular behaviour that disregards privacy and have unsystematically updated technology-specific enactments regarding ‘listening devices’ so that they cover video cameras and a range of digital devices. There is variation across the Australian jurisdictions. The ACT gained an information privacy statute in 2014; South Australia and Western Australia have yet to develop corresponding enactments. The Australian parliaments have not embraced recommendations by law reform bodies at the national and state/territory levels for a statutory cause of action (aka the privacy tort) regarding a serious invasion of privacy. The tort would offset the absence of a justiciable Bill of Rights but remains a hot potato that neither the legislators nor courts want to handle.

In thinking about privacy harms and remedies – in essence does the law consider that your privacy has been inappropriately disregarded and does the law give you scope for an apology, compensation or exacerbation of that disregard – it is important to recognise that much law regarding personal information is founded on an expectation that people have a right to waive protection that they would otherwise enjoy. Contract law is fundamentally powerful and is widely used by business in relationships that involve privacy.

It is common for example for online/print terms and conditions to indicate that by entering into a contract (or merely by using an online service, for example a social media service) the consumer has authorised the business to share personal information regarding the individual with unspecified ‘third parties’.

The consumer may have no understanding of the implications of the sharing or the identity of those third parties, often because the sharing is not explained, the business’s partners are not specified and the statement regarding sharing is not readily accessible. People will accordingly agree that personal information may be lawfully misused. Their exploitation may be ethically repugnant but is often quite legal, somewhat to the surprise of many journalists and consumers.

It is also useful to recognise that organisations in the public and private sectors emphasise opt-out provision of information rather than opt-in, sometimes (as with the MyHR national health record scheme discussed below) making it quite difficult to opt out of sharing. Governments have more broadly emphasised mandatory collection of personal information, including names, addresses, birth dates and facial images. That cooption is typically legitimised by an undertaking, which might be enshrined in legislation, that the data will be safeguarded and will not be misused, usually on the basis that use will be restricted to the agency that sought the data and will not involve sharing with other agencies other than in a de-identified abstracted form.

Much public administration, including the provision of social welfare and public order, is very dependent on identifying and sorting individuals. Privacy is thus not absolute. Concerns instead often relate to whether particular data collection is necessary and proportionate. Officials often confuse what is bureaucratically convenient with what is necessary. Concerns also relate to whether data is processed, stored, shared and disposed of in ways that respect the dignity of ‘data subjects’ and minimise potential problems.

One example of such problems is data breaches that extend from illicit private searching by officials to the very large scale exposure of data through hacking or negligent system design that has featured in media reports over the past decade.

In thinking about privacy law at the Territory, national and international level it is accordingly sensible for people to identify
  • which government (or governments) has responsibility,
  • whether an enactment provides specific protection,
  • whether an individual has deliberately or implicitly relinquished privacy rights, and
  • what - if any remedies – are available regarding harms.

That requires some sense of the patchwork and an awareness that the best outcome will sometimes involve criminal rather than civil law, or tort (aka injury) law rather than the national Privacy Act.

Salient law at the national and Territory level is outlined below. Note that the coverage is not exhaustive and that as of February 2022 major changes are underway at the national level.

Commonwealth and Territory law

One starting point for tackling privacy questions is to recognise that affront is not the same as illegality and does not necessarily bring into being a cause of action, i.e. does not automatically provide the basis for damages.

People will for example often have strong feelings about photography of their children in a public place, or a newspaper item that features themselves or family members, or sharing of personal information by a business, or merely being requested/required to give data to an educational institution or government agency. That activity will generally be quite legal and often quite unremarkable in the eyes of other people.

A second starting point is to recognise that a disregard of privacy may be contrary to Commonwealth enactments, Territory enactments and common law. Specifics matter.

Commonwealth law relevant to privacy is complicated. The salient information privacy statutes and provisions deal with personal information that is provided to government agencies as part of public administration (for example as part of the taxation, census, welfare and health systems) on a mandatory basis or that is provided to businesses and health practitioners. That law coexists with law regarding telecommunications (including the internet), posts and broadcasting, three Commonwealth powers that cover both public and private networks and that involve bodies such as the Australian Communications & Media Authority (ACMA), the National Health Practitioner Ombudsman & Health Practitioner Privacy Ombudsman (NHPO) and the national eSafety Commissioner. ACMA, along with the Australian Competition & Consumer Commission (ACCC) has on occasion dealt with privacy complaints, typically more swiftly and forcefully than the Office of the Australian Information Commission (OAIC).

Broadly speaking those two groups of enactments provide readers of this chapter with some protection for disregard of their privacy by Commonwealth officials, businesses and individuals. A third group of enactments however gives the national government and its partners substantial authority to disregard privacy on the grounds of national security and law enforcement. That authority is continuing to grow and as of February 2022 a range of privacy-erosive statutes are being implemented or considered by the national parliament alongside the major review of the Privacy Act 1988.

All three groups coexist with freedom of information (FOI) and other reporting/disclosure law, such as the Corporations Act, that embody expectations about ‘openness’ as a default provision but offer privacy protection through exemptions on the basis that some information is personal. One implication for example is that although under the national Privacy Act and FOI Act you have a broad right of access to information that the Commonwealth holds about you there is no right to access tax or similar information about your neighbours, in contrast to parts of Scandinavia.

The Territory has a range of enactments. Some deal specifically with information privacy, relating to the activity of the Territory government. Some are broader, with provisions in Territory criminal law seeking to deter unauthorised surveillance (such as the covert recording of images in a public or private toilet).

The Territory has enactments regarding workplace surveillance, which should not surprise some readers of this chapter. It also has enactments that affect privacy but at first sight may be surprising, for example dealing with adoption.

Common law

The emphasis in this chapter is on enactments, otherwise referred to as Acts or statute law, i.e. law made by parliaments.

Protection from interference may however be provided by common law, i.e. judgments by courts relying on the principles evident in precedent rather than on application of enactments.

In thinking about privacy it is important to recognise that contract law will often serve to weaken or remove privacy protection, especially where there is meaningful consent. The onus is on consumers to read the ‘fine print’, which as noted above may be buried in a website. There is however an expectation under the Australian Consumer Law (Schedule 2 of the Competition & Consumer Act 2010 (Cth) and corresponding state/territory legislation) that print, digital or other statements regarding terms and conditions relating to goods and services will not be deceptive or oppressive.

It is also useful to recognise that confidentiality may provide strong protection from interference, arguably often stronger than the specific information privacy enactments because courts are conscious of the need to respect trust, are prepared to grant injunctions to minimise exacerbation of harms and on occasion are prepared to deter harms by granting substantial damages in compensation for an existing harm.

Confidentiality

The law of confidentiality predates the first references in Australian or overseas enactments to privacy. It is a feature of many areas of activity, including employment, legal practice and health services. It potentially covers sensitive personal information and thus offers scope for privacy protection but is not restricted to information about an individual and thus covers commercial or other non-personal information, including trade secrets and information that Indigenous communities identify as ‘sacred and secret’.

Confidentiality recognises that there is an individual and community benefit in respecting specific types of relationships (for example that between a husband and wife, or an employee and employer, or a lawyer and client, or a medical practitioner and patient). Those relationships involve trust and often feature someone sharing information that is intimate and that would cause distress or other harm if improperly shared.

A salient example is personal information received by your doctor in the course of providing health services. Irrespective of whether you have done anything wrong – noting the traditional claim that ‘if you have done nothing wrong you have nothing to hide and nothing to fear – you might legitimately not want your health status or conversation about your sorrows shared by a clinician, receptionist or other person without your authorisation. Curiosity and titillation are not justifications for disregarding your dignity or causing unhappiness.

Confidentiality is often understood as a matter of Equity law, in other words an area of law that is not based on an enactment and that allows someone whose confidentiality has been improperly disregarded to go to court for legal remedies that range from a public/private apology through to substantial compensation.

In practice the largest compensation payments for a serious disregard of privacy have occurred under confidentiality rather than under a privacy enactment. It is important to recognise however that disputes about confidentiality are typically dealt with in the Supreme Court: an adversarial process that may be expensive, stressful and lengthy.

The GDPR and overseas developments

As noted earlier in this chapter, there is no global privacy-specific treaty that binds Australian governments and gives residents of the ACT enforceable rights regarding disregard of their privacy by government agencies, businesses and individuals.

Both the Universal Declaration of Human Rights (UDHR) and associated Conventions refer to privacy as an aspect of the dignity of all people. They have accordingly been noted in Australian judgments but do not provide a ‘silver bullet’ that overrides ACT or other enactments and that goes beyond those enactments in providing enforceable rights.

The European Union’s General Data Protection Regulation (GDPR), a framework for enactments in the United Kingdom and other parts of Europe, is shaping consumer and business expectations regarding privacy in relation to electronic commerce. It is significant for the ACT in terms of a model – for example regarding meaningful consent – and because ACT businesses dealing with consumers within Europe will need to comply. Australian consumers are likely to reward local businesses that ‘harmonise up’ to the EU standard. Over time major Australian businesses will also be influenced by developments in other parts of the world, such as New Zealand, Canada and California. Courts in Canada and New Zealand have moved beyond Australia in dealing with claims of privacy rights; the California Privacy Rights Act of 2020 (in effect from 2023) serves as a global benchmark.

Australian regulators have until recently been more passive than overseas counterparts (in for example New Zealand and Canada) when dealing with claims by US-based social network services such as Facebook that our law does not apply. That is changing, with the Australian Competition & Consumer Commission (ACCC) for example building on its major 2019 Digital Platforms report by alerting the leading social media corporations that they are covered by Australian law and will be expected to behave. Questions about corporate (ir)responsibility were highlighted during COVID and controversies regarding ‘fake news’, alongside debate about payment as part of the emerging national media code. Changes can be expected.

ACT users of digital platforms such as Facebook, Grindr, eHarmony, Google, TikTok, Twitter and Instagram should however be conscious that the often volatile terms & conditions and offshore base of such services means that in practice consumers have weak privacy protection.

See also ‘Internet’

See ‘Consumer Protection’

See ‘Crime’

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding AustLII Communities? Send feedback
This website is using cookies. More info. That's Fine