Submission to review of Commonwealth Privacy Act

Privacy Act Review
PrivacyActReview@ag.gov.au

Thank you for the extension of time to make a submission to this review of the Privacy Act.


The QCCL is an organisation of volunteers committed to the protection and extension of the civil rights and civil liberties of Queenslanders. As an organisation of volunteers, we have limited resources and time. Therefore, we have chosen only to address a number of specific, but in our view important, issues raised by your issues paper.


Definition of personal information

1. What approaches should be considered to ensure the Act protects an appropriate range of technical information?

2. Should the definition of personal information be updated to expressly include inferred personal information?

On the issue of the definition of personal information we support the position taken by Electronic Frontiers Australia in its submission to this review.

3. Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?

The issue of what to do with de-identified and anonymised information is of critical importance, given that we now understand that the de-identification and anonymisation process can be readily undone. Some examples include:

  • Latanya Sweeney, an assistant professor of computer science, technology and policy at Carnegie Mellon University, in 2004 paid $20 for a list of the dates of birth, sex and ZIP codes of voters in Cambridge, Mass. She was able to identify then-governor William Weld's information by linking it to a de-identified set of health-insurance information.

  • Philippe Golle of the Palo Alto Research Center in 2006 published a paper that used the 2000 U.S. Census data to estimate that one could use these same data fields -- gender, ZIP code and date of birth -- to uniquely identify 63% of the U.S. population.

  • When AOL publicly released a list of about 658,000 anonymous users and the Web searches each made from March to May of 2006, The New York Times demonstrated that it was able to identify among the users an unsuspecting widow in Georgia.

  • In October of that year, Netflix publicly released a data set containing over 100 million movie ratings by 480,000 anonymous Netflix subscribers for a prize it was running. Arvind Narayanan and Vitaly Shmatikov of the University of Texas at Austin later claimed in a study that this data could be re-identified if certain other information about the movie raters was known.

As a first step, the Privacy Amendment (Reidentification Offence) Bill should be passed immediately.

One response to this has been to argue that the acceptable risk of re-identification needs to be specified more clearly.

The Electronic Privacy Information Center has suggested that this threshold be set at 1%.

Paul Ohm, in his article Broken Promises of Privacy (57 UCLA L Rev 1701), identifies a number of factors that should be considered in regulating the release of de-identified data:
(a) the risk of re-identification;
(b) regulators should more carefully scrutinise the release of data to the public in general;
(c) restrictions should be placed on the quantity of data collected and retained.
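As an added illustration of the "risk of re-identification" factor (example code written for this submission, not taken from any of the authors cited above), the following is a check a data custodian can run before releasing a de-identified data set: it measures how many records are unique on the sex, ZIP code and date-of-birth fields that the linkage examples above rely on, and shows the effect of coarsening those fields. The data set is constructed, and the minimum group size of 2 is an assumed floor for this example.

```python
"""Quasi-identifier re-identification risk check (added example).

Measures k-anonymity of a release on the quasi-identifiers sex, ZIP and
date of birth: k is the size of the smallest group of records sharing
the same values. A record that is unique on those fields (k = 1) can be
matched against a public list such as a voter roll, which is the
linkage pattern described in the examples above.
"""
from collections import Counter

# Constructed sample: a "de-identified" health release (names removed),
# but with sex, ZIP and date of birth left at full precision.
RELEASE = [
    {"sex": "M", "zip": "02138", "dob": "1945-07-31", "diagnosis": "A"},
    {"sex": "M", "zip": "02139", "dob": "1945-02-10", "diagnosis": "B"},
    {"sex": "F", "zip": "02138", "dob": "1960-01-15", "diagnosis": "B"},
    {"sex": "F", "zip": "02138", "dob": "1960-01-15", "diagnosis": "C"},
    {"sex": "M", "zip": "02139", "dob": "1972-03-02", "diagnosis": "A"},
    {"sex": "M", "zip": "02139", "dob": "1972-11-20", "diagnosis": "D"},
    {"sex": "F", "zip": "02140", "dob": "1985-09-09", "diagnosis": "B"},
    {"sex": "F", "zip": "02141", "dob": "1985-12-01", "diagnosis": "A"},
]

QUASI_IDS = ("sex", "zip", "dob")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in quasi_ids) for r in records)


def risk_report(records, quasi_ids):
    """Return k (smallest class size), the share of records that are unique
    on the quasi-identifiers (i.e. trivially linkable), and the class count."""
    classes = equivalence_classes(records, quasi_ids)
    unique = sum(size for size in classes.values() if size == 1)
    return {
        "k": min(classes.values()),
        "unique_fraction": unique / len(records),
        "classes": len(classes),
    }


def acceptable(report, max_unique_fraction=0.01, min_k=2):
    """Apply a release threshold. The 1% figure is the EPIC suggestion
    quoted above; min_k=2 is an assumed floor chosen for this example."""
    return report["k"] >= min_k and report["unique_fraction"] <= max_unique_fraction


def generalise(record):
    """Coarsen the quasi-identifiers: ZIP to its first three digits and
    date of birth to the year only. Generalisation is a standard mitigation."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    raw = risk_report(RELEASE, QUASI_IDS)
    coarse = risk_report([generalise(r) for r in RELEASE], QUASI_IDS)
    print("raw release:", raw, "acceptable:", acceptable(raw))
    print("generalised:", coarse, "acceptable:", acceptable(coarse))
```

On the constructed data, six of the eight raw records are unique on the three fields, so the release fails the threshold; after generalisation every record shares its values with at least one other and the release passes.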


Are any other changes required to the Act to provide greater clarity around what information is 'personal information'?

See our answer to question 3.


Exemptions

Small business exemption

4. Does the small business exemption in its current form strike the right balance between protecting the privacy rights of individuals and avoiding imposing unnecessary compliance costs on small business?
5. Is the current threshold appropriately pitched or should the definition of small business be amended?
6. If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way?
7. Are there businesses or acts and practices that should or should not be covered by the small business exemption?
8. Would it be appropriate for small businesses to be required to comply with some but not all of the APPs?
(a) If so, what obligations should be placed on small businesses?
(b) What would be the financial implications for small business?
9. Would there be benefits to small business if they were required to comply with some or all of the APPs?
10. Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?


These questions consider the future of the exemption for small business, which is defined as a business having a turnover of less than $3 million. As 94% of Australian businesses have a turnover of less than $3 million, a vast hole is created in the Privacy Act. According to the Australian Small Business and Family Enterprise Ombudsman, in 2020 97% of businesses had a turnover of less than $5 million and 93% less than $2 million. The main justification for this exemption is the significant compliance costs it allegedly imposes on small business. However, it is to be noted that the House of Representatives Committee in its review of the private sector provisions of the Privacy Act 1988 apparently received no evidence as to the extent of these compliance costs.

One of the difficulties created by this exemption is that it is impossible for a person whose privacy has been violated to know whether or not the business that they are dealing with falls within the exemption.

The Senate Legal and Constitutional References Committee at page 4.60 of its report noted that the Privacy Commissioner Ms Karen Curtis had not made an estimate of the actual costs of removing the small business exemption. Despite this she continued to support the exemption subject to removing certain categories of small business from it.

The exemption assumes that small businesses are unlikely to hold significant private information or that they are unlikely to disseminate it widely. But this is not so, as is demonstrated by small internet businesses and the collectors of tenancy information such as real estate agents. Our view would be that small businesses should be the subject of the legislation but with the power given to the Privacy Commissioner to make public interest modifications.

We agree with the approach of the Australian Privacy Foundation in its submission to the Senate Legal and Constitutional Committee inquiring into the Privacy Act at page 14, and we quote:

“We recognise that the vast majority of small businesses either handle no personal information at all or do so without any significant risk or threat to the privacy of the individuals concerned. However, privacy risks are always contextual – any organisation which holds information as basic as name and address could potentially use or disclose it in circumstances which could cause damage to the individual concerned.

The core requirements of the national privacy principles – being open about use of personal information, handling it in accordance with reasonable expectations, and keeping it secure – should apply to all organisations. It would however be reasonable to exempt many smaller businesses from any formal requirements to take particular actions, in advance of enquiries.

Following on from this we would submit that where an organisation only collects and handles personal information for a purpose which is or should be obvious to the individuals concerned (a modified version of Australian Privacy Principle 5) it should not have to give the notices under privacy principle 5.2. But all organisations should be required to comply with principles 10, 11 and 12 to give access and to make corrections on request. Further modifications can be made as necessary by the power of the Commissioner to make public interest determinations.


Employee records exemption

11. Is the personal information of employees adequately protected by the current scope of the employee records exemption?
12. If enhanced protections are required, how should concerns about employees' ability to freely consent to employers' collection of their personal information be addressed?
13. Should some but not all of the APPs apply to employee records, or certain types of employee records?

The House of Representatives Committee said that:

“Privacy is a right and therefore it should not be the subject of negotiation in the employment context. Employees usually have no effective choice but to give significant personal information, often of a sensitive nature, to their employer. The fact that this has resulted in breaches of employee privacy is borne out in the submission of the Federal Privacy Commissioner. He stated that alleged interferences with individuals’ privacy in the workplace make up a significant number of privacy complaints in the Federal Public Sector where the existing Privacy Act applies (about 16% of all complaints concerning the information privacy principles received in his office and a significant proportion of all general enquiries). Privacy NSW also claimed that the exemption would run counter to widely held expectations in relation to privacy and transparent processes in the workplace which are reflected by complaints and enquiries to my office.”

In our view this exemption should be removed.

Political parties exemption

14. Should political acts and practices continue to be exempted from the operation of some or all of the APPs?

The Council fails to see how political parties are any different from private companies in their need to be able to respond in a more targeted way to their electorate. As a consequence, it is our view that this exemption should be abolished. We accept that there may be some implications arising from the implied freedom of political communication, but would have thought these would be minor.

Journalism exemption

15. Does the journalism exemption appropriately balance freedom of the media to report on matters of public interest with individuals' interests in protecting their privacy?
16. Should the scope of organisations covered by the journalism exemption be altered?
17. Should any acts and practices of media organisations be covered by the operation of some or all of the APPs?

Freedom of speech is a fundamental value of our society. It seems to us that all the models for limiting or eliminating the press exemption involve creating a system of government regulation of the press, which would have an undesirable potential.

Having said that, the definition of journalist should be extended beyond the traditional categories, but should still require some level of regularity and organisation. The Evidence Act 2008 (Vic) provides a useful model.

Section 126J(1) of that Act defines a journalist as a person engaged in the profession of journalism in connection with the publication of information, comment, opinion or analysis in a news medium. In determining whether a person is engaged in the profession, the court must have regard to (s 126J(2)):
(a) whether a significant proportion of the person's professional activity involves—
(i) the practice of collecting and preparing information having the character of news or current affairs; or
(ii) commenting or providing opinion on or analysis of news or current affairs—
for dissemination in a news medium;
(b) whether information, having the character of news or current affairs, collected and prepared by the person is regularly published in a news medium;
(c) whether the person's comments or opinion on or analysis of news or current affairs is regularly published in a news medium;
(d) whether, in respect of the publication of—
(i) any information collected or prepared by the person; or
(ii) any comment or opinion on or analysis of news or current affairs by the person—
the person or the publisher of the information, comment, opinion or analysis is accountable to comply (through a complaints process) with recognised journalistic or media professional standards or codes of practice.

This definition links back to the current requirement that the publisher is committed to complying with published privacy standards. Those who wish to claim the benefit of the exemption would need to establish both that they practise the profession of journalism and that they or the publisher have bound themselves to comply with an appropriate code of practice dealing with privacy.

Consent to collection and use and disclosure of personal information

25. Is consent an effective way for people to manage their personal information?
26. What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed?
27. Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information? What would be the benefits or disadvantages of requiring individual consents for each primary purpose?
28. Are the existing protections effective to stop the unnecessary collection of personal information?
29. If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary for providing the relevant product or service, should that be grounds to deny them access to that product or service?
30. What requirements should be considered to manage 'consent fatigue' of individuals?
31. What role should consent play in the protection of privacy?

Currently consent is at the core of our privacy law. This is consistent with the general understanding of the concept.

Ruth Gavison in her seminal article argues that privacy is about how we are presented to the world (i.e. what information is known about us), the extent to which we are the subject of attention, and the extent to which people have physical access to us.

N A Moreham develops this, suggesting that:

"In my view, privacy is best defined as the state of "desired in-access" or as "freedom from unwanted access". In other words, a person will be in a state of privacy if he or she is only seen, heard, touched or found out about if, and to the extent that, he or she wants to be seen, heard, touched or found out about. Something is therefore "private" if a person has a desire for privacy in relation to it: a place, event or activity will be "private" if a person wishes to be free from outside access when attending or undertaking it and information will be "private" if the person to whom it relates does not want people to know about it."

It is trite to say that the value placed on privacy will vary from individual to individual. Some people will be more concerned about privacy than others, but most people will have some aspect of themselves which they wish to keep private.

The fundamental proposition is that the law needs to enable individuals to decide for themselves which aspects of themselves they wish to keep private and which they do not. This decision should not be left in the hands of government or private corporations, which are at the very best in a situation of conflict of interest when it comes to these matters, and whose interest, more often than not, is in fact served by a reduction in privacy.

This approach is also consistent with the general approach of civil libertarians which seeks to protect individual choice. Having said that, in various areas, civil libertarians have recognised the need for the law to protect and bolster individual choice.

In the case of privacy, questions have arisen about the reality of the choice being offered particularly where in our modern technological world, access to essential services has become dependent upon the provision of personal information.

One response to this dilemma has been to remove consent as a basis for collection or disclosure and replace it with purpose, or in other words data minimisation. This approach is exemplified by the recent Bill introduced into the American Congress by the well-known Democrat Senator Sherrod Brown. Under his draft Data Accountability and Transparency Act consent is done away with, and the data aggregator (as anyone who collects personal data is called in the Bill) “shall not collect, use, or share, or cause to be collected, used, or shared any personal data,” except for “strictly necessary” purposes. Those purposes are laid out in the Bill, and they include “providing a good, service, or specific feature requested by an individual in an intentional interaction,” engaging in journalism, conducting scientific research, employing workers and paying them, and complying with laws and with legal inquiries.

It is not the official position of the QCCL now to support this model. However, it does seem to us that it may become necessary to face the fact that people are increasingly tiring of the rigmarole that they have to go through to protect their privacy. In addition, there is an increasing perception they have no choice but to sign away their privacy by agreeing to voluminous and opaque legal documents. It may well become necessary to go down the path suggested by Sen Brown, at least in relation to essential services, if we are to ensure that privacy is protected, because it is essential to the operation of a number of important human rights.

Having said that, we endorse the comments of Electronic Frontiers Australia in its submission on how to improve the voluntariness of consent.

The role of consent for IoT devices and emerging technologies


32. How can the personal information of individuals be protected where IoT devices collect personal information from multiple individuals?

Like Electronic Frontiers Australia, we would endorse the views of Kayleen Manwaring and Roger Clarke in Is Your Television Spying on You? The Internet of Things Needs More Than Self-Regulation, available at http://www.rogerclarke.com/II/IoTCJ.html

Right to erasure

33. Should a 'right to erasure' be introduced into the Act? If so, what should be the key features of such a right? What would be the financial impact on entities?
34. What considerations are necessary to achieve greater consumer control through a 'right to erasure' without negatively impacting other public interests?

This raises the issue of the “right to be forgotten”. The right to be forgotten brings into sharp focus potential conflicts between the right to freedom of speech and privacy.

This conflict can be particularly well illustrated by reference to the disclosure of old or spent criminal convictions.

The Council has a long-standing policy of supporting policies which foster rehabilitation. The New Zealand Supreme Court has held that even in the most serious cases, the passage of time may generate some new privacy interest, see Tucker v News Media Ownership Limited [1986] 2 NZLR 716. That case related to the disclosure of convictions for sex offences in 1977, some nine years prior to the proceedings. The Court restrained the disclosure of the convictions. In making that decision, the Court made reference to the American tort of invasion of privacy.

However, it is interesting to note that in America that tort has been held not to extend to the disclosure of previous convictions, including those which have become spent under the relevant spent convictions legislation.

The law is well illustrated by the decision of the New Jersey Supreme Court in G.D. v. Kenny 15 A.3d 300 (2011):


The tort of invasion of privacy is defined as an intentional intrusion, “physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns” that “would be highly offensive to a reasonable person.” Bisbee v. John C. Conover Agency, Inc., 186 N.J. Super. 335, 339 (1982) (quoting Restatement (Second) of Torts, supra, § 652B). The tort of improper publication of private facts occurs “when it is shown that ‘the matters revealed were actually private, that dissemination of such facts would be offensive to a reasonable person, and that there is no legitimate interest of the public in being apprised of the facts publicized.’” Romaine, supra, 109 N.J. at 297 (quoting Bisbee, supra, 186 N.J. Super. at 340). To succeed in proving that defendants committed either of those torts, G.D. must establish that he possessed a reasonable expectation of privacy in matters and concerns that are contained in his expunged criminal-conviction record. See id. at 297-99; Bisbee, supra, 186 N.J. Super. at 339-41. That he cannot do

A number of courts have found that an offender has no protected privacy interest in expunged criminal records. See, e.g., Eagle v. Morgan, 88 F.3d 620, 625-26 (8th Cir. 1996); Nilson v. Layton City, 45 F.3d 369, 372 (10th Cir. 1995); Fraternal Order of Police, Lodge No. 5 v. City of Philadelphia, 812 F.2d 105, 117 & n.8 (3d Cir. 1987); White v. Thomas, 660 F.2d 680, 686 (5th Cir. 1981); Puricelli v. Borough of Morrisville, 820 F. Supp. 908, 918 (E.D. Pa. 1993), aff’d o.b., 26 F.3d 123 (3d Cir.), cert. denied, 513 U.S. 930, 115 S. Ct. 321, 130 L. Ed. 2d 282 (1994). With regard to New Jersey’s expungement statute, the United States Court of Appeals for the Third Circuit has noted that “because expungement is available only after a minimum statutory period of ten years has elapsed, and because references to a defendant’s criminal conduct may persist in public news sources after expungement, the information expunged is never truly ‘private.’” Nunez v. Pachman, 578 F.3d 228, 229 (3d Cir. 2009). The Eighth Circuit has recognized that an expungement statute cannot “permanently erase from the public record those affairs that take place in open court,” and that “no governmental body holds the power to nullify [a] historical fact.” Eagle, supra, 88 F.3d at 626-27.

This is not a case in which a defendant peered through closed curtains into a bedroom or wrongly acquired a personal diary and made highly private information available to the public. A person has a reasonable expectation of privacy in the sanctity of his or her bedroom and personal diary from peeping toms intent on making private facts titillating fodder for the public. This case, however, deals with public acts, a guilty plea and sentence in a public courtroom, and public facts, court records available to the public over many years.

In that case, the plaintiff also sued for defamation. The Court made the following comments on his defamation claim:

It is true that under the expungement statute, as a matter of law, an expunged conviction is “deemed not to have occurred,” N.J.S.A. 2C:52-27. But the expungement statute does not transmute a once-true fact into a falsehood. It does not require the excision of records from the historical archives of newspapers or bound volumes of reported decisions or a personal diary. It cannot banish memories. It is not intended to create an Orwellian scheme whereby previously public information — long maintained in official records — now becomes beyond the reach of public discourse on penalty of a defamation action. Although our expungement statute generally permits a person whose record has been expunged to misrepresent his past, it does not alter the metaphysical truth of his past, nor does it impose a regime of silence on those who know the truth.

It seems to us that these comments are equally applicable to the claim for breach of privacy.

In our view, a right to be forgotten which deals more appropriately with the right to free speech would be along these lines:
(a) It would only include the right to have information removed that a person as an internet user originally created or made available (a person’s Facebook profile, email contacts, photos, etc), rather than information created by others based on publicly available information about a user.
(b) Following on from our discussion about consent, this right would require government regulation to prevent users from signing over rights to their own information as part of the terms of use of social networks and other web services.
(c) Such a right could be coupled with the ability of users to recover monetary damages for reputational harm for information released that was intended to be private, or released after they have indicated that the information should be forgotten.

It would be our view, that the right to be forgotten contained in the European GDPR goes beyond these principles because it would appear to include a right to have information which has been created by other people from publicly available information removed.

Statutory tort

35. Should serious invasions of privacy be addressed through the criminal law or through a statutory tort?
36. What types of invasions of privacy should be covered by a statutory tort?
37. Should a statutory tort of privacy apply only to intentional, reckless invasions of privacy or should it also apply to breaches of privacy as a result of negligence or gross negligence?
38. How should a statutory tort for serious invasions of privacy be balanced with competing public interests?
39. If a statutory tort for the invasion of privacy was not enacted, what other changes could be made to existing laws to provide redress for serious invasions of privacy?

The QCCL supports a statutory tort for the invasion of privacy as a means for people to take their own action to protect their privacy in cases where the statutory regime and the common law do not apply or do not provide adequate protection.

The ALRC has proposed a statutory cause of action for breach of privacy. It says the legislation should identify, in a non-exhaustive way, the following types of conduct as falling within it:
(a) Interference with an individual’s home or family life.
(b) Subjecting an individual to unauthorised surveillance.
(c) Interference with, misuse or disclosure of an individual’s correspondence or private communication.
(d) Disclosure of sensitive facts relating to an individual’s private life.

Liability would arise in these contexts if the claimant could show that in the circumstances there was a reasonable expectation of privacy and the act or conduct complained of was highly offensive to a reasonable person of ordinary sensibilities.

In determining whether these conditions had been met, the court would have to take into account whether the public interest in maintaining the claimant’s privacy outweighed other matters of public interest, including the interest of the public in being informed about matters of public concern and the public interest in promoting freedom of expression.

The action:
(a) Should not depend on proof of damage.
(b) Should be restricted to intentional or reckless acts.
(c) Should be subject to a range of defences.

The Council supports the ALRC report approach because it does provide a cause of action for privacy which acknowledges the traditional concern of us as civil libertarians for the protection of free speech.


18 December 2020