Privacy and Other Legislation Amendment Bill 2024

1.         The Queensland Council for Civil Liberties (“the QCCL”) is a not-for-profit organisation that promotes civil liberties and receives queries from members of the public regarding their civil liberties and individual rights.

2.         We make this submission in response to the Privacy and Other Legislation Amendment Bill 2024 (“the Bill”) referred to the Legal and Constitutional Affairs Legislation Committee on 19 September 2024.

3.         QCCL has long considered that the Privacy Act 1998 (Cth) (“the Act”) provides inadequate protection for individual rights to privacy particularly having regard to the threats posed by rapidly evolving information technology.

4.         Although we welcome and support the Bill, we consider that significant and further work is required in relation to both its terms and to fully implement the 116 proposals contained within the Privacy Act Review Report. That further work should not be delayed and should be a priority to ensure that Australia’s privacy law (and the protection that is afforded by clearly articulated rights) is modernized without delay.

5.         To assist the Committee, we make the following submissions in response to the Bill.

General Observations

6.         Broadly, we commend the majority of the amendments to be made by the Bill. However, we are concerned to ensure that aspects of these amendments are more clearly addressed and make the following comments in relation to aspects of the Bill:

a.         We support the recognition of the public interest in protecting privacy in s. 2A(a) of the Act and the expansion of international obligations in s 2A(h) of the Act. We consider that this recognition ought, however, to be more clearly framed such that international law (particularly as it relates to technology related privacy issues) may be used to aide the beneficial operation of the Act.

b.         We submit that there should be greater circumscription of the types of information that can be collected and the manner in which that information can be used during Emergency Declarations under s 80KA of the Act noting that this section, without further clarification, may be contradictory to the amendments to the Act (which we support) in ss 2A(a) and (h).

c.         We support the introduction of a Children’s Online Privacy Code, as children are among the most vulnerable users of the internet and particular susceptible to targeted marketing and other forms of online manipulation.

d.         We support the addition of greater civil penalties under Part 8 and enhanced powers for the Courts to make orders under Part 9.

e.         In principle, we support the insertion of Australian Privacy Principle (APP) 1.7 – 1.9 relating to automated decisions in an APP entity’s privacy policies; however, we submit that this insertion requires further consultation to ensure that the definitions and operation of this inclusion to the APPs are workable and fit for purpose.

Statutory Tort for Serious Invasion of Privacy

7.         QCCL has long advocated for the introduction of a statutory tort for serious invasion of privacy and we strongly support the introduction of such a tort.

8.         In particular, the QCCL:

a.         supports a tort which applies to both intrusion upon seclusion and the misuse of information.

b.         supports the provision for damages for emotional distress under paragraph 11(3).

c.         agrees with the inclusion of an exception for professional journalism. We consider that there should be an explicit requirement that the dissemination of the ‘journalistic material’ be genuinely in the public interest. It is conceded that the phrase ‘journalistic material’ does import the notion of ‘public interest’ somewhat, but the mere fact that information has been disseminated by a professional journalist says nothing about the quality of that information.

9.         Without diminishing support for the introduction of a statutory tort for serious invasion of privacy, we respectfully suggest that legislative guidance ought to be provided to aid the interpretation of key concepts of ‘invasion of privacy’ and ‘reasonable expectation of privacy’. This could be achieved by making direct reference to the objects at s 2A (and particularly to s 2A(h) and clarifying that Schedule 2 operates with its own definitions noting that there may otherwise be difficulty in importing definitions otherwise contained within the Act to the operation of a statutory tort for serious invasion of privacy. We consider that this is particularly important to ensure that this welcomed inclusion remains able to address emerging privacy issues associated with technology.

Doxing Offences

10.      Our main objection to the Bill is in relation to the creation of the two new ‘doxing offences’ under the Criminal Code Act 1995 (Cth).

11.      As a general proposition, we do not consider that the doxing offences should be introduced without substantial further consultation.

12.      Notwithstanding our submission that doxing offences in the form contained in the Bill should not be introduced, we submit that; if it were to be introduced, doxxing should be an offence only to the extent it can be equated to harassment or stalking as the unacceptable behavior and consequences are similar.

13.      We adopt the eSafety Commissioner’s definition of doxing as the ‘intentional online exposure of an individual’s identity, private information or personal details without their consent.’ To this we would add that doxing is usually engaged in to cause intentional harm to the doxed individual, whether that be to expose that person to threats to their safety, or to certain reputational consequences, such as community ostracism and loss of employment. 

14.      Our reservations with respect to the design of the offences are as follows.

15.      Firstly, we note that the fault elements under sections 474.17C(c) and 474.17D(d) are objective, that is, guilt arises where ‘the person engages in the conduct in a way that reasonable persons would regard as being, in all the circumstances, menacing or harassing.’ We consider that it is oppressive for criminal responsibility to arise without it being incumbent upon the prosecution to establish that the accused intended to do a clearly defined harm to a person. While the sensation of having been ‘menaced’ or ‘harassed’ is not to be trivialised, a prison sentence of six and seven years for these offences is out of all proportion to this degree of fault.

16.      This offence also engages issues of free speech and appears to significantly intersect with the existing law of defamation. Both these principles demand the offence be narrowly specified to achieve the objective of creating a meaningful protection for individual’s privacy.

17.      We consider that an appropriate fault element could be taken from the intention to cause ‘detriment’ for stalking offences under the Queensland Criminal Code 1899 being:

a.         apprehension or fear of violence to, or against property of, the doxxed person or another person;

b.         serious mental, psychological or emotional harm;

c.         prevention or hindrance from doing an act a person is lawfully entitled to do;

d.         compulsion to do an act a person is lawfully entitled to abstain from doing.

18.      Next, we take issue with the concepts of ‘publication’ and ‘distribution’ of information in the offences. As the explanatory memoranda provides publication includes “to the public at large, or to a section of the public.’ ‘Distribution’ is to be construed ‘broadly’ and extends to situations where information is shared ‘with, a recipient or recipients, for example in a chat or via email [which] could be done in a single message.” Our concern is that these definitions would attach severe criminal responsibility to conversations occurring entirely in private, between as few as two individuals, without the need to establish any intention to cause harm. We consider that that there should be express protections and exclusions for particular circumstances:

a.    the law must exclude private communications, such as by text or email between small groups of say up to four people

b.    where the information was already publicly available.

c.     where the information was shared for the purposes of a genuine industrial dispute.

d.    where the information was shared for the purposes of a genuine political or other genuine public dispute or issue carried on in the public interest.

e.    where the information was shared by a person for the person’s lawful trade, business or occupation.

f.      where the parties to the publication or distribution has a legitimate interest in sharing or obtaining the information.

19.      We note that the definition of personal data means ‘information… that enables the individual to be identified, contacted, or located’ and includes the individual’s name, photograph, place of education or work. Such information has been ubiquitously shared on social media for years. This raises concerns that sharing information which is readily available on LinkedIn, or Facebook or indeed a phone book could place citizens at risk of the very significant custodial sentences provided for in these amendments. At the very least the exception provided above at 14.b. would be a reasonable precaution against this risk.

20.      We note that the offence is limited to certain protected groups. In our view if this law is justified then it is so for everyone. We accept that in a law of general application the fact an offence against that law is motivated by malice toward a protected group, would legitimately be a circumstance of aggravation in sentencing

21.      We trust that these submissions assist the Committee and we confirm that we are willing to assist further with any public hearing(s) associated with this process.