1. Enforcement lacking, privacy law absent
The Federal Privacy Act 1988 has been in operation for twelve years, in relation to the Federal public sector, and for almost a decade in relation to credit reporting. Its enforcement mechanisms are essentially the same as will be used to enforce the new extensions of the Act to the private sector.
In this paper I examine some of the inadequacies in enforcement of our privacy legislation, first as issues of importance in the delivery of just outcomes in privacy disputes, but also as contributing reasons why Australia has failed to develop a body of privacy law. As I will try to make clear, it is something of a chicken-and-egg problem: a lack of law inhibits complainants; and inadequate enforcement mechanisms prevent law emerging.
However, the reasons for our lack of privacy law are far broader than questions of enforcement, so we first review briefly four other reasons why no significant body of privacy law has developed.
A general tort is not the end of the story, as our Courts could develop specific tortious, equitable or administrative law remedies, or principles of interpretation so as to better protect privacy. For example, the law of breach of confidence has not yet clarified which of our transactions involving sensitive personal information are in fact 'circumstances of confidence' sufficient to attract the protection of a breach of confidence action. Beyond the traditional categories of doctors and lawyers, it is difficult to know whether video shops, all forms of financial advisers, libraries and bookstores, or introduction agencies owe us a duty of confidence. Part VIII of the Privacy Act 1988, which extends the law in a novel way to give the subject of information protection of confidence law even where they are not the confider of the information (at least in some contexts) has never been utilised. In Johns v ASC (1993) 178 CLR 408, the High Court opened up a principle of potential importance when it found that public bodies were limited in their use of information (including personal information) to the statutory purposes for which the information was collected, but since then there has been little use or development of this principle[4].
Perhaps our Courts have not had sufficient opportunity by appropriate cases coming before them,. Few developments of general importance have emerged as yet, and the general law remains under-developed.
The remedies available under s52 include declarations that (i) actions interfering with privacy should cease; (ii) that the respondent should 'perform any reasonable act' to provide redress (including correction of records); and (iii) that compensation for loss or damage should be provided (including for injury to feelings or humiliation). The Commissioner can declare that the complainant is entitled to reasonable reimbursement of expenses in pursuing the complaint.
It is difficult to know under what circumstances compensation will be paid. The Commissioner's Annual Report 1998-99 notes that seven settled complaints resulted in agreements involving payment of monetary compensation, of a total amounting to $18,000. Brief details are given of nine settled complaints, but only three of those resulted in compensation, for improper disclosure to an employer of a credit problem ($1,800), improper access by an ex-spouse to a credit file ($1,000), and for costs of pursuing a complaint ($65).
The first reported example of a settled complaint[9] was against the Minister for Housing (NSW) and involved a breach of s18N. It was settled for a public apology, plus some (undisclosed) thousands of dollars compensation for hurt feelings,. It involved some significant interpretation of the Act, and showed how significant settled complaints could be.
In most respects, the remedies available under the NSW legislation (from the ADT) and the Victorian legislation (from VCAT) in relation to IPP complaints against their respective public sectors, are similar to those available under the Federal Act. However, there is a $40,000 limit on compensation in NSW.
A determination of a complaint by the Commissioner (or by a Code authority) can only be enforced by proceedings in the Federal Court (or the Federal Magistrates Court)[10], and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been an interference with privacy (s55A(5)). As a result, all that a dissatisfied agency or business has to do is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. If the complainant then takes the matter to Court for enforcement, the business can have it heard in full again[11]. In effect, it obtains a right of appeal to a Court. An unsuccessful complainant has no such right of appeal . They have no redress against a questionable but reasonable application of the law to the facts of the complainant's case. The Commissioner need not be a lawyer, and only one of the three Commissioners to date has been (Commissioner O'Connor).
The defect is not that businesses have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a Court or Tribunal, particularly where the Commissioner is not necessarily a lawyer. A right of appeal is unlikely to lead to a flood of cases.
Decisions of the Commissioner are subject to judicial review, which will help ensure procedural fairness, but does not address the problem of lack of appeal rights. It will fail to provide justice to complainants where the complaint is that the Commissioner has applied the NPPs or a code to the facts of the complaint in a dubious fashion[12]. Where the Commissioner has made a wrong interpretation of an IPP, NPP or principles in an industry Code, or has misinterpreted some other provision of the Act or a Code, judicial review for error of law under the broader meaning of that term in the Administrative Decisions Judicial Review Act 1977 13may lie. However, this only applies where the Commissioner makes a decision capable of review, such as a s52 determination, and as noted below this has only occurred twice in the whole history of the Act. The Federal Commissioner has therefore been the de facto ultimate authority on the meaning of the Act, even though the Act does provide some avenues for review.
The Victorian and NSW privacy Acts do give complainants access to an administrative tribunal, and ultimately to the Courts. The NSW Act also does a defect which will frustrate complainants. Complainants may elect whether to have a complaint about a breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner (s45), or subject to an internal review by the agency concerned (s53). However, the right of appeal is only against an internal review by an agency (s55), so if a complainant is dissatisfied with the Commissioner's conciliation, they will first have to seek an internal review before their right to appeal to the Administrative Decisions Tribunal arises. The Victorian Act gives dissatisfied complainants (or agencies) an unfettered right to have the NPPs and other provisions interpreted by the Victorian Civil and Administrative Appeals Tribunal (VCAT) and ultimately by the Courts. The IPPs in these Acts are therefore more likely to be interpreted by the Courts than the Federal Act, but they are as yet in their infancy, so no law has emerged as yet.
Does the fact that no complainants insisted on a formal s52 determination
mean that all 91 sets of complainants and respondents were satisfied with
the result? At least in relation to complainants, there are reasons why
it is not possible to conclude this. If the
Commissioner suggests to a complainant that a matter might be settled
on particular terms, then even if the complainant disagrees, what would
be the point in their insisting that the Commissioner proceed to a formal
s52 determination if they cannot turn their disagreement into an appeal?
Few complainants are likely to be aware that, if the Commissioner makes
a s52 determination containing what may be characterised as an error of
law, then they can go outside the Act to seek a contrary interpretation
by means of judicial review. They may think that they may as well agree
with a proposed settlement and be done with it. As a result, there may
be an unknown 'dark figure' of dissatisfied complainants due to the Act's
structural defect in not allowing appeals against the Commissioner's decisions.
If so, a side effect is that we see even fewer reasoned s52 determinations
than we otherwise might expect, and the development of privacy law is thus
reduced.
As a result, potential complainants or respondents (or their advisers) have precious little information about how the Act is interpreted from prior complaints experience. The overall impression that is left by thirteen years operation of the Privacy Act is that, while Commissioners are interested in doing justice to individual complainants, the use of the complaints function of the Act to develop privacy law and to guide parties to future complaints is a matter which has the lowest possible priority. The Commissioner's office is like a black hole from which no privacy law escapes.
The only way to settle the meaning of these Principles is through litigation. Until then, much of our privacy lore, including Commissioner's Guidelines, is largely speculation.
Although the Privacy Act 1988 has not found its way to the Courts via the review of the Commissioner, other aspects of the Act could have attracted judicial attention. However, by and large they have not. There are at least 56 decisions to date where the Privacy Act 1988 has been mentioned by Australian Courts[17] but almost none of them say anything of significance.
Litigators have made little use of privacy laws as yet, even where access to the Courts is possible. The Commissioner has not been required to make s52 determinations so that judicial review could be sought.
98(1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court's opinion it is desirable to do so, requiring the person to do any act or thing.When the Commissioner is the applicant, s98(7) provides that 'the court shall not require the Commissioner or any other person, as a condition of the granting of an interim injunction, to give any undertakings as to damages'. Otherwise, if a complainant or other individual is the applicant, the threat of damages being awarded against may deter applications.
For example, Courts have not shown an adequate appreciation that s98 is included in the Act. In Ibarcena v Templar [1999] FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction, at least in relation to breaches or potential breaches where an injunction would be appropriate[18]. Similarly, in Goldie v Commonwealth of Australia Federal Court of Australia, [2000] FCA 1873, French J gave an account of how complainants could come before a Court, but omitted any mention of s98 injunctions[19].
In another example of apparent lack of thorough consideration of privacy issues, Prasad, Rajesh Kamal [2001] MRTA 0716 (27 February 2001), the review applicant's legal representative submitted 'that the delegate acted in breach of the Privacy Act because he took, read and copied letters which the visa applicant had brought to the interview contrary to her objections'. In finding that there was no breach of the Privacy Act, the Migration Review Tribunal did not discuss whether this might constitute unfair collection under IPP 1.
The gist of my argument has been that we need more law. The general law has not developed its potential to protect privacy. There are a series of deficiencies in our privacy legislation, and the practices of the Federal Privacy Commissioner. We need changes to our laws so that complainants can more readily take questions of interpretation and application of privacy laws to Courts and Tribunals. We need Privacy Commissioners who make the communication of complaints resolution and the law underlying them a high priority. We need lawyers who find ways to obtain interpretations and remedies. We need dissemination of decided cases and examples of remedies obtained, both here and overseas. We need some law to start with in order to develop more law, not just the Commissioners' lore.
To conclude, here is a checklist of matters that serious privacy complainants, and their advisers, might consider in attempting to obtain a just resolution of a privacy dispute.
[2] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (High Court of Australia; heard 2-3 April 2001, decision reserved) - transcript http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/2.html and http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/1.html
[3] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd H2/2000 (2 and 3 April 2001) - see transcript at http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/1.html and http://www.austlii.edu.au/au/other/hca/transcripts/2000/H2/2.html , concerning the publication of information which is the 'fruit of a trespass'.
[4] G Greenleaf 'High Court Confirms Privacy Right Against Governments ' (1994) 1 PLPR 1
[5] G Greenleaf 'Casenote: Toonen v Australia' (1994) 1 PLPR 50
[6] L Bygrave 'Data Protection Pursuant to the Right to Privacy in Human Rights Treaties '(1998) 6 Int J of Law and Information Technology, no 3, 247-284
[7] G Greenleaf 'A new era for public sector privacy in NSW' (1999) 5 PLPR 130
[8] G Greenleaf ''Victoria's privacy Bill still sets the standard' (2000) 7 PLPR 21
[9] Casenote - Complaint against the Minister for Housing (NSW) and others (1994) 1 PLPR 153
[10] This problem arises from the High Court's decision in Brandy v Human Rights and Equal Opportunity Commission (1995) 183 CLR 245 (see (1995) 2 PLPR 32 for casenote), which held that, in complaints against respondents other than the Commonwealth, the previous system for lodging HREOC determinations (including Privacy Act 1988 s52 determinations) in the Federal Court, whereupon they became binding, was an invalid exercise of the judicial power. The 'quick Brandy fix' was to revert to the old system of a de novo hearing in the Federal Court in order to enforce a determination by a HREOC Commissioner or the Privacy Commissioner.
[11] A determination will now be prima facie evidence of the facts upon which the determination is based (s55B(3)). It will be possible, however, for those facts to be challenged. This does not address the fundamental problem of unsuccessful complainants having no right of appeal, but is an improvement since the successful complainant is at least not put to proof of those facts all over again.
[12]Riediger v Privacy Commissioner (Federal Court of Australia; Sackville J, 23 September 1998) Federal Privacy Handbook |P85-005, one of the few cases dealing with the Act, underlines this point. Sackville J, dismissing an application for judicial review under the ADJR Act of a decision by the Privacy Commissioner under s41(1) to cease investigation of the applicant's complaint, stressed that 'the Federal Court's jurisdiction in these matters is limited to the review of any error of law made by the Commissioner in the course of his decision' and 'an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant's complaints against either AVCO or OPTUS.'
13 ss5(1)(f) and (j) and 6(1)(f) and (j)
[14] See Federal Privacy Handbook |P13-020; In Determination: Secretary, Department of Defence (1994) 1 PLPR 152 - the Department breached IPPs 4 and 11;, but it requested a formal determination, so it could account for paying $5,000 compensation.; In Determination: Minister for Administrative Services 1 PLPR 170 the Commissioner couldn't decide there was any breach because either the Department or the Minister's office leaked, but who knows which?
[15] See for example, Riediger v Privacy Commissioner, supra
[16] Federal Privacy Commissioner Plain English Guidelines to Information Privacy Principles 8-11 (1996)
[17] AustLII search 27 may 2001, searching 'All case law databases' for ' pa1988108'.
[18] See Casenotes by P Gunning (2001) 7 PLPR 178-80
[19] ibid ADJR judicial review in the normal way.