Paper presented at 'The New Australian Privacy Landscape' seminar - University of New South Wales Faculty of Law - 14 March 2001
Cite as: Greenleaf, Graham 'Private sector privacy: Problems of interpretation'  CyberLRes 3
The time for political debate concerning what should be covered by the Act has passed for the moment, and it is time to 'get used to' what is covered by the newly amended Privacy Act 1988. This paper seeks to identify and discuss a range of issues where interpretation of the Act is likely to be difficult or contentious (in the sense of having unexpected consequences). Special attention is given to problems which may affect e-commerce.
Some of the issues considered in this paper are not peculiar to the new privacy sector coverage, but are unresolved matters which also affect the Act's public sector coverage.
In the following discussion of each NPP, there is first a 'plain English' summary of the NPP which should not be relied on in substitution for the wording of the NPP, but may provide a useful overview.
Summary - An organisation may only collect personal information which is necessary for its activities; only by lawful and fair means and not in an unreasonably intrusive way. Wherever reasonable, an organisation must collect personal information about a person only from that person, and must make the person aware of the purpose of collection, any laws requiring the collection, the organisations to which the information is usually disclosed, and other matters. If personal information is collected from a third party, the organisation must still take steps to inform the person about the collection and these matters.
Can information be 'collected' even if it is not 'solicited' or requested by the organisation collecting it? Gunning points out that the wording of IPPs 2 and 3 in s14 implies a distinction between 'collect' and 'solicit' (with 'collect' being the broader term). Normal principles of statutory interpretation would lead to the conclusion that 'collect' has the same meaning in the NPPs.
However, Gunning argues that, insofar as the NPPs are concerned, 'the better view is that the organisation does not "collect" personal information merely by receiving unsolicited information'. He doesn't think NPPs 1.1 (collection necessary for a purpose), or 1.2 (fair means) could apply to unsolicited information, or that Parliament could have intended 1.3 (requirements to notify) to apply. Also, NPP 2.1 assumes that there is a purpose of collection which limits use and disclosure.
This reasoning is questionable, because it does not give sufficient weight to the fact that the Act, for the purposes of the NPPs, only applies to the collection of information 'if the information is collected for inclusion in a record or a generally available publication' (s16B). Mere receipt of information therefore does not make the Act applicable, there must be at least an intention formed by the recipient to 'include' (which could encompass 'retain') the information 'in a record or a generally available publication'. I suggest that at this point 'collection' of unsolicited information takes place, and the collector must have a purpose of collection (NPP 1.1) and disclose that purpose and other information to the subject (NPP 1.3). Otherwise, they can always dispose of the information.
In a nutshell, this means that any information retained in a record or generally available publication will have been collected, no matter how it was received, an interpretation which avoids hair-splitting about what is solicited and what is not. It is also consistent with the usage of 'collect' in IPP 1.
This might still mean that unsolicited written information could be read before immediate disposal, and it would not have been collected, but that is a more minor exception.
Information 'volunteered' by a customer or web site visitor will therefore be collected, as will information about person A volunteered by person B.
There is a form of 'purpose justification' principle in the European privacy Directive . Perhaps the first privacy legislation outside Europe to give some recognition to such a principle is s5(3) of the new Canadian Personal Information Protection and Electronic Documents Act 1999, which requires '(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.' 
The limit on collection limits the purposes for which systems may be developed by a form of public interest test. This has no counterpart in the Australian Bill.
Summary - An organisation may only use or disclose personal information for the purpose for which it was collected (the primary purpose), except for a use or disclosure (the secondary purpose) that the person would reasonably expect, or where the person has consented. Personal information may be used for the secondary purpose of direct marketing (even where this is not within a person's reasonable expectations) where it is impracticable for the organisation to seek the person's consent before that particular use, the person has been given an opportunity when first contacted to 'opt-out' from receiving further direct marketing communications, but the person has not opted out. There are special rules for sensitive information, and many other exceptions for health information, protection of individual and public health, other uses authorised by law, prevention, investigation and enforcement concerning breaches of the law, and similar matters.The general test for secondary use and disclosure is the 'reasonable expectations' test.
He concludes that in relation to the Privacy Act 'it is hard to see any reason why "disclose" should not be interpreted in accordance with its ordinary meaning". How does it enhance your privacy to prevent an organisation from telling someone else something about you they already know? But he points out that this means that a complainant under NPP 2 would have to 'establish that the recipient of the information was not previously aware of that information', though he believes that this would not matter much in the type of inquisitorial procedures followed by the Commissioner.
However, if this interpretation places an impossible task before the complainant, that is in itself good reason to prefer the alternative interpretation. The only consequence is likely to be that if the organisation complained about shows that it already knew the information (which it is uniquely well placed to do), the complainant is likely to be refused any damages by the Commissioner, or any injunction by a Court. This would lead to a much more fair result. I suggest that the better view is therefore that 'disclose' in the Privacy Act does include revealing information already known.
This interpretation has significant consequences for the rights of access and correction to 'existing information' (discussed later), because those rights only arise if the information is used or disclosed.
The Government adopted a House of Representatives Committee recommendation (supported by many submissions) to clarify NPP 2.1(c) so that it provides that the opportunity to opt-out of further direct marketing must be provided every time a marketing communication is sent, not just the first time. There will also be mandatory inclusions in the form of the opt-out offer, to avoid it being made difficult for consumers to contact the business.
Summary - An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.Examples related to e-commerce:
Summary - An organisation must take reasonable steps to protect personal information from misuse, loss or unauthorised access, modification or disclosure. An organisation must destroy or permanently de-identify personal information if it is no longer needed for any purpose under NPP 2.Examples related to e-commerce:
Summary - An organisation must document its policies on its management of personal information and make the document available to anyone who asks for it. On request it must provide general information about what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.NPP 5 does not concern a person's access to their own file, which is covered by NPP 6. Anyone can find out about a company's personal information policies under NPP 5, whether the company holds information about them or not.
This principle is likely to be of considerable use to consumer and civil liberties groups.
Examples related to e-commerce:
Summary - A person generally has a right of access to personal information held by an organisation about him or her, subject to a list of exceptions. If an exception applies, the organisation must consider the use of a mutually agreed intermediary. If a person is able to establish that information about him or her is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information. In any event, the person has a right to the addition of a statement claiming that information is incorrect.It is significant that NPP 6 requires intermediary access to be considered, even if the implementation of the principle is rather weak. The availability of intermediary access blunts the extent to the exceptions to access and disclosure.
Summary - Organisations must not use as their own identifiers any personal identifiers assigned by Commonwealth government agencies, and must not use or disclose such identifiers (with limited exceptions).For example, except if authorised by another law, a Medicare number cannot be used as an identifier by an insurance company or a doctor. It cannot be used or disclosed for any purpose except as authorised by law or for the purpose of dealings with the Health Insurance Commission.
There is an additional exception to this principle for the Australian Business Number (ABN), and for other exceptions to be prescribed.
In contrast, NPP 7 has no effect on the use or disclosure of a driver's licence number issued by a State government (but it may have under the Victorian Act, at least in Victoria).
Summary - A person must have the option of not identifying himself or herself when entering transactions with an organisation wherever this is lawful and practicable.This principle, which derives from the Australian Privacy Charter (and indirectly from the German 'Multimedia privacy law'), is innovative and unprecedented in sets of information privacy principles. Its implications for design of new IT systems may be substantial.
An example of when anonymity is 'practicable' is in the operation of transport payment systems such as stored value cards or tokens to pay for passage through toll roads or to pay for journeys on buses or trams. If tokens and cards are designed so that a person is always identifiable when using such a facility, this is likely to breach NPP 8.
Anonymity will not be practicable in such transactions as taking out insurance.
A major issue which will have to be resolved is whether it is legitimate for companies to design facilities such as web sites which require the disclosure of personal information as a condition of use. For example, if digital cash (in the sense of an anonymous digital payment system) becomes in common use, and it is technically possible to allow anonymous use of a web facility, will NPP 8 therefore mean that the option of paying some reasonable price premium for anonymous access must be offered in lieu of requiring disclosure of personal information in return for access?
The principle is somewhat restrictive in that it only refers to anonymity not pseudonymity. For example, it can be argued that Certification Authorities (CAs) should offer to issue digital signatures under people's pseudonyms, but not anonymously. This approach has been used by the Government Public Key Authority (GPKA) as a principle for authorising CAs.
Summary - An organisation in Australia may only transfer personal information to someone else in a foreign country if it reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles substantially similar to the NPPs. Transfers may also be made to organisations that have taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs, and for four other reasons.The question of reasonable belief could be deal with by the Privacy Commissioner publishing a 'white list' of overseas laws, schemes and model contracts which the Commissioner considers are substantially similar and are 'effective'.
For example, what belief is reasonable about the US government's 'Safe Harbor' scheme?
Although a Commissioner's 'white list' might be a basis for a 'reasonable belief', the Act does not make any such device determinative. If there was well publicised evidence, for example, that the 'Safe Harbor' scheme was not being enforced in the USA.
If one of the conditions is satisfied, then the Australian organisation which transferred the data does not have any liability under the Act for any privacy breaches which may occur subsequently. It is therefore important, from the individual's point of view, to ensure that the conditions do not allow transfers which create unjustified privacy risks.
It is important to remember that any transfer to a third party overseas also involves a 'disclosure' of personal information, and NPP 2 limiting disclosures for secondary uses must also be complied with.
Where a transfer is to the same organisation overseas, NPP 9 does not apply but the extra-territorial operation of the Act comes into play. However, where it is to the same organisation, there is no need to consider whether any of the six enabling conditions apply, and it is Australian law that will apply, not (only) the law of the foreign country.
The six conditions will generally be sufficient to allow any legitimate transfer overseas of personal information.
Condition (a) plays the role of A25 of the Directive (which allows transfers to foreign countries with 'adequate' laws), but is weaker.
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles.Instead of any objective and expert determination by a government or Privacy Commissioner of which overseas countries have 'adequate' laws (the 'white list' approach), the condition is satisfied by the mere 'reasonable belief' of the Australian organisation disclosing the information. The 'reasonable belief' need only be that the overseas arrangement 'effectively upholds' privacy principles, not that there are enforcement mechanisms substantially similar to those in the Australian Act.
Conditions (b) - (e) are similar to those in A26(1) of the Directive and largely uncontentious. Condition (f), however, is much weaker than anything found in the Directive:
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.This does not even require that the individual should have some recourse against anyone in the event that the 'reasonable steps' turn out to be inadequate.
The subjective and imprecise nature of condition (a), and the weak and imprecise nature of exception (f), means that there is real danger that personal information will be exported from Australia under conditions which give little protection to privacy.
The EU may well regard these two aspects of NPP 9 as inadequate protection for EU citizens.
Summary - An organisation must not collect sensitive information unless the person has consented, or the collection is required by law, or in limited other circumstances. Special rules apply to health information.NPP 10 is best seen as part of NPP 1.
'Sensitive information' means (s6(1) definition): (a) personal information that is information or an opinion about an individual's: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; or (b) health information about an individual.
NPP 4 (data quality), NPP 5 (openness), NPP7 (security and retention) and NPP 9 (transborder data flows) apply irrespective of when the information was collected.
The definition in the Australian legislation is unusual in saying that the reasonable ascertaining of identity must be from the information or opinion'. However, the definition does not say that the person's identify must be able to be ascertained solely from the information concerned, it should not be interpreted this way. If it did mean that, then in any system which stored substantive information according to (and containing) a person's identification number, but kept a separate master file containing only ID numbers and identification details, the substantive information plus ID number would not constitute 'personal information' and attract the protections of the Act (security, access etc).
The better view is therefore that other sources of information may be taken into account. I suggest it is a question of fact in any given situation whether an individual's identity can be ascertained, and it is a further question of fact whether it can `reasonably' be so ascertained. Information that one person may easily be able to obtain may be completely inaccessible to another person. Who must be able to 'reasonably ascertain' a person's identity before there is personal information? The most obvious answer is 'the person who may have breached the NPP in question'. This seems clear enough when we are talking about the NPPs concerning collection, use or the provision of access to personal information, but it could lead to surprising results in the case of NPP 2 dealing with disclosure, as the question will be 'is it personal information in the hands of the person disclosing the information?', not 'is it personal information in the hands of the person receiving it?'.
On a similar point, the meaning of 'personal data collection' under Hong Kong's Personal Data (Privacy) Ordinance was considered by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data  1 HKC 692, and has been the subject of commentary. A press photographer took a photo of an unknown woman in a public place, which his employer's magazine published, without identifying the woman but ridiculing her dress sense ('Japanese Mushroom Head'). The main issue before the Court was whether the publisher had collected personal data using unfair means. The majority of the Court (Ribero JA and Godfrey VP) concluded that this was not personal data collection because the data user was not 'compiling information about an identified person or about a person whom the data user intends or seeks to identify' (emphasis added).
Gunning treats Eastweek as a case on the meaning of 'collection', but I think it makes more sense to read it as a case on the meaning of 'personal data' ('personal information' under the Australian legislation). On this approach, if Eastweek was followed in Australia it would be necessary to assess an information collector's intentions to identify a person before it was possible to determine whether the information they collected was 'personal information'.
A case like Eastweek would raise the question under the Australian legislation: 'Is it personal information if you have no intention of ascertaining the person's identity, even if you could do so with reasonable ease?' Gunning gives good examples of where this could be important (though he considers them as questions of 'collection'):
E-mail addresses There are at least four possibilities even in the easiest case, that of e-mail addresses:
Machine addresses Every computer connected to the internet has unique addresses (its numerical `IP address' such as 126.96.36.199, and its name under the Domain Name System such as bondi.austlii.ed.au). This applies equally to computers which have many users (either simultaneously or singly) and machines which normally have only a single user (such as on a person's desk at work or home). These addresses are the basis of some internet protocols, most importantly the hypertext transmission protocol (http) which is the basis of the world-wide-web. Machine addresses (eg `law34.law.unsw.edu.au' or `arkady.austlii.edu.au') rarely directly identify a person, though this is not impossible.
It is therefore a question of fact whether an individual's identity can be ascertained (though only with a degree of probability) from transactional details where only a machine address was collected, and it is a further question of fact whether it can `reasonably' be so ascertained. There are as yet no generally accessible internet facilities to match machine addresses with individuals. However, it would not be difficult for any police, private investigator or other person to make enquiries to determine who (if anyone) was the predominant user of a particular computer.
Conclusion Some Internet businesses now attempt to match information captured from transactions (such as email addresses and machine addresses) with identified individuals (and demographic information about them). Will any e-business that uses this identified data from third parties to identify those with whom they deal via the internet only via IP addresses or email addresses find that those addresses now constitute 'personal information'?
The scope of the Privacy Act's definition of `personal information' is at present uncertain in its application to cyberspace, and will require clarification by legislation or litigation if the principles in the Act are to have any consistent or sensible application to cyberspace and e-commerce.
More fundamentally, the approach of this definition misses the point to some extent. Information about the interests, understanding or consumption habits of a particular person can be and are aggregated by an internet service provider (particularly providers of advertisements to multiple sites), by use of e-mail or machine addresses, for purposes such as e-mailing customised direct marketing materials to that address, or to customise the appearance of a web page so as to appeal most to requests which come from a particular machine address. In one sense it makes no difference whether the ISP can `reasonably ascertain' the identity of the person who is associated with either the e-mail address or the http request, because the information about their consumption habits has been aggregated and used to market back to them, without them necessarily being aware of this or having consented to it. More serious consequences may also follow from such aggregation, such as decisions to limit access, or to deny some goods or services. If the definition of `personal information' excludes such activity, IPPs will be very weak in cyberspace. The definition of 'personal information' in the Act needs to be amended to include wording such as 'any information which enables interactions with an individual on a personalised basis'. This is not likely to happen for some time.
If an act or practice is required by an applicable law of a foreign country it will not constitute a breach of the Australian legislation (s13D). This avoids clashes between observance of Australian privacy law and the law of the foreign country.
The exact extent of this extra-territorial operation concerning Australians may be more extensive than it looks at first, and could easily catch in its net some overseas e-commerce operators:
Australian businesses involved in e-commerce will therefore generally have to treat the personal information of their overseas clients with the same care as their Australian clients. The exception to this is s41(4) of the Act, which limits correction of personal information (NPP 6 or IPP 7) to Australian citizens and permanent residents, in both the prior Act and the new amendments.
The government has estimated that 94% of Australian businesses would come within the $3M threshold, so the Act will only apply to 6% of all Australian businesses, plus a further unknown percentage that trade in personal information. What percentage of consumer transactions these 94% of businesses are responsible for was not stated. Similarly, the Internet Industry Association estimated that 95% of Australian Internet businesses would be exempt.
In the e-commerce context the breadth of this exemption may lead to abuses. The Internet allows quite small businesses to deal with extremely large quantities of personal information, and the rapid dissemination of information possible via the Internet means that harm caused by incorrect or improperly disclosed information can spread rapidly. There is no obvious correlation between the size of an Internet business or activity and the harm that can be done to people's privacy.
The provisions in the Bill will commence twelve months after assent (cl 2), but there is a further delay of twelve months for small businesses, whether or not they are exempt (new s16D).
(c) discloses personal information about another individual 'to anyone else' for a benefit, service or advantage; or (d) provides a benefit, service or advantage to collect personal information about another individual 'from anyone else'.SBO status will also be lost by anyone who holds health information and provides a health service, and anyone who is a contracted service provider for a Commonwealth contract (s6D(4)).
It appears from s6D(4) that it is only necessary for a business to disclose or collect information under these circumstances on one occasion for it to lose its exempt status. One disclosure in return for some advantage would be sufficient for the business to lose its exempt status in relation to all information.
SBO status is not lost because of collection with the consent of the person concerned (s6D(8)). However, collection of personal information from a third party for any form or consideration, or collection of personal information (perhaps including an IP address or email address) from a person without their consent, still poses the risk that even one occurrence can cause the loss of exempt status for the whole business.
The fragility of the SBO exemption has these consequences:
First it is necessary to understand how small businesses operated by the same SBO can swap personal information:
Until this Xmas, a large business could therefore be reorganised into a number of 'small' businesses, each with a turnover of less than $3M, which can be calculated pro-rata on the turnover of the 'new' small-business for the duration of this year (s6DA(2)). Whether this would be worth the costs and risks involved depends on how important it is to the business to stay outside the reach of privacy laws.
For example, a code could apply to all members of an industry association, if a condition of membership was consent to the application of the code.
An 'small' business that is exempt from NPP compliance cannot simply consent to be bound by a code. Only 'organisations' can be bound by a code (s18BB), and an entity that falls outside the definition of 'small business operator' is not an 'organisation' (s6C). An exempt small business must therefore both 'opt-in' to the Act (s6EA), and consent to being bound by a code, before the code has legal force in relation to that business.
Industry associations with codes will therefore need to be vigilant in ensuring that all their members are either not 'small' or have 'opted in', or both they and the relevant members could be involved in false and misleading conduct in falsely holding out compliance with enforceable privacy standards.
If a code includes a complaints procedure, the Commissioner must be satisfied, among other things, that it provides for an 'independent adjudicator' (a 'code adjudicator').
Section 52 gives the Commissioner broad powers concerning determinations of complaints, including power to award damages. Section 52(b) (b)(ii) allows him or her to order reasonable acts to redress complaint; and (c) provides for compensation including injury to feelings; (3) expenses; and (3A) corrections and additions to records. In the 12 years of the Act's operation the Commissioner has made only a handful of s52 determinations, so little guidance is available on the exercise of these powers.
New s18BB requires that a code adjudicator must be able to make 'the same' 'determinations, findings, declarations, orders and directions' as the Commissioner can make under s52. Further, the code must oblige organisations bound by it to comply with those determinations etc, and to cooperate with the adjudicator (it cannot of course oblige anyone else to cooperate).
If there is an industry code in existence which is relevant to the act or practice complained of and which includes a complaints procedure, a complainant must take their complaint to the code adjudicator (new s36A), and cannot ask the Privacy Commissioner to investigate it at the outset.
There are now three ways in which the Privacy Commissioner can investigate complaints against private sector organisations:
However, this does not affect complainants and complainees alike. Businesses complained about have in effect a right of appeal to the Federal Court on the merits of their case, whereas unsuccessful individual complainants will have no such right. This is unfair and biased.
As is currently the case under s55 of the Privacy Act, under the new ss55 and 55A, a determination of a complaint by a Code authority or by the Commissioner can only be enforced by proceedings in the Federal Court (or the new Federal Magistrates Court), and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been conduct constituting an interference with privacy (s55A(5)).
As a result, all that a business has to do if it is aggrieved by the way in which a Code Complaints Body or the Privacy Commissioner has dealt with their complaint, is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. The complainant must then take the matter to the Federal Court, and the business can have the matter heard in full again. In effect, it obtains a right of appeal to a Court.
The problem is that an unsuccessful complainant has no such right of appeal - no right to have the matter heard de novo by any higher authority. They have no redress against a wrong interpretation of an Industry Code or the National Privacy Principles (or of other provisions of a Code or the Act), or of the wrong application of the law to the facts of the complainant's case. This is unfair and has the potential to bias the enforcement structure of the Act against consumers.
A determination will now be prima facie evidence of the facts upon which the determination is based (s55B(3)). It will be possible, however, for those facts to be challenged. This does not address the fundamental problem of unsuccessful complainants having no right of appeal, but is an improvement since the successful complainant is at least not put to proof of those facts all over again.
The defect is not, however, that businesses have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a Court or Tribunal if they wish to persist and run the risk of costs against them. The Privacy Act needs the benefit of occasional interpretation by the Courts on serious issues. Both the Privacy Commissioner's decisions and those of code adjudicators should also be subject to appeal where the issue is important enough. A right of appeal is unlikely to lead to a flood of cases. The Courts will only rarely hear a case concerning the Privacy Act, and only in cases where the code has been interpreted in favour of complainants and is therefore under attack by businesses.
Decisions of the Commissioner are subject to judicial review . This will help ensure that the Commissioner observes procedural fairness, but does not address the problem of lack of appeal rights. It will also fail to provide justice to complainants where the complaint is that the Commissioner has misinterpreted the NPPs or a code, or applied them to the facts of the complaint in a dubious fashion, or has misinterpreted some other provision of the Act.
Riediger v Privacy Commissioner (Federal Court of Australia; Sackville J, 23 September 1998), one of the few cases dealing with the Act, underlines this point. Sackville J, dismissing an application for judicial review under the ADJR Act of a decision by the Privacy Commissioner, stressed that 'an application of this kind must reveal an error related to the making of the decision itself, for example, a denial of natural justice, manifest unreasonableness, the taking into account of irrelevant considerations, and so forth ... the Court simply cannot revisit the merits of the applicant's complaints against either AVCO or OPTUS.'
Although there is now provision for appeals to the Commissioner from code adjudicators, it is likely that these will only be a small percentage of all complaints, with most being mediated successfully by code adjudicators, and others where a formal determination by the code adjudicator does not result in an appeal to the Commissioner.
There may be numerous code adjudicators, and it is possible that they may interpret the NPPs and other aspects of the law inconsistently unless the Commissioner and the interested public have effective means to find out what they are doing.
If there is not full access to determinations, then there is no transparency of the Code process and no guarantee of its integrity. The Commissioner, when issuing guidelines in relation to dealing with complaints (s18BB(3)(ii)), and when approving codes (s18BB(3)), will need to ensure that:
The Commissioner's Guidelines would also be very helpful here if they could:
98 (1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court or the Federal Magistrates Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court's opinion it is desirable to do so, requiring the person to do any act or thing.One notable feature is that both the Commissioner and 'any other person' can seek such injunctions, not just a complainant likely to be affected by the breach of the NPPs.
Courts have not in the past had an adequate appreciation that s98 is included in the Act. For example, in Ibarcena v Templar, Federal Court of Australia, Finn J  FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction. Similarly, in Goldie v Commonwealth of Australia Federal Court of Australia,  FCA 1873, French J seemed to give an account of how complainants could come before a Court, but it omitted any mention of s98 injunctions.
 See Greenleaf G 'A Bill not worth supporting' (2000) 7 PLPR 44 for one summary of dissatisfaction.
 Labor proposed few amendments of substance to the Bill during its passage (see G Greenleaf (2000) 7 PLPR 125), so it is unrealistic to expect any major changes to privacy law for at least some time, even if there is a change of government at the next Federal election.
 A HTML version of the consolidated Act is available on my web pages at http://www2.austlii.edu.au/privacy/Privacy_Act_1988/
 See G Greenleaf and N Waters 'Putting the "National Principles" in context' (1998) 4 PLPR 161 and G Greenleaf 'Privacy and consumer organisations withhold endorsement of "National Principles" ' (1998) 5 PLPR 41, for one perspective.
 See G Greenleaf 'Victoria's Privacy Bill still sets the standard' (2000) 7 PLPR 21
 Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)
 The Information Privacy Principles (IPPs) applying to Commonwealth Government agencies.
 See the discussion in G Greenleaf 'Purposes' and the Directive' in 'Stopping surveillance: Beyond 'efficiency' and the OECD' (1996) 3 PLPR 148, available at <http://www2.austlii.edu.au/itlaw/articles/efficiency.html#Heading8>
 Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming)
 Bank of Credit and Commerce International (overseas) Ltd (in liq) v Price Waterhouse [1997 4 All ER 781; King v South Australian Psychological Board  SASC 6621
 R v Glenys Ruth Scott  SASC 5545
 cf Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming), who takes this view
 The Committee's recommendations would have imposed some checks on this intra-corporate spamming, if adopted. They wanted the Privacy Commissioner to issue guidelines (under NPP 1.3(d)) as to what companies should tell consumers about potential disclosures to their related corporations (Recommendation 21). It is a good point that, once a company has a disclosure practice to related corporations, NPP 1.3(d) requires its to be revealed during collection, but this cannot deal with the post-collection decision to disclose to a related corporation. The Committee also recommended that where corporation A has received personal information from a related corporation B that was exempt from NPP 1 when it collected the information (it might be a small business, or the information might be exempt employee information), corporation B will have to comply with NPP 1 before it discloses the information to A. In doing so, it would presumably have to inform the person concerned that his or her information was being disclosed to A. These recommendations were rejected by the Government.
 Tim Dixon'Privacy Charter sets new benchmark in privacy protection' (1995) 2 PLPR 41
 See L Bygrave 'Germany's Teleservices Data Protection Act' (1998) 5 PLPR 53
 An earlier version of this section was published as G Greenleaf 'Privacy Principles - irrelevant to cyberspace?' (1996) 3 PLPR 114
 See Raymond Wacks 'Privacy and media intrusion: A new twist' (1999) 6 PLPR 48 (re first instance decision) ; Patrick Gunning 'Central features of Australia's private sector privacy laws' (2001) 7 PLPR Issue 10 (forthcoming) (re Court of Appeal)
 Gunning treats this question as going to whether the information had been collected.
However, IP address and the domain and sub-domain information (eg `austlii.edu.au') allow the geographical and system location of the computer to be identified, along with the identify of the person with delegated responsibility to allocate the machine's addresses.
 The controversy about DoubleClick in the USA concerned this type of service.
 See later concerning the significance of this for the EU privacy Directive.
 An earlier version of some of this part is in G Greenleaf 'Reps Committee protects the "privacy free zone" ' (2000) 7 PLPR 1
 House of Representatives Legal and Constitutional Committee Report, para 2.20
 The Committee only gives irrelevant percentages for total business activity (including business-to-business activity.
 See dissenting report of Senator Stott-Despoja for discussion
 See Determination: Secretary, Department of Defence 1 PLPR 152 and Determination: Minister for Administrative Services 1 PLPR 170 for two examples.
 The problem of enforcement of Privacy Commissioner's decisions arises from Brandy v Human Rights and Equal Opportunity Commission (1995) High Court (see Casenotes (1995) 2 PLPR 32) where it was held that, in to complaints against respondents other than the Commonwealth, the previous system for lodging HREOC determinations (including Privacy Act 1988 s52 determinations) in the Federal Court, whereupon they become binding, was an invalid exercise of the judicial power. The 'quick Brandy fix' was to revert to the old system of a de novo hearing in the Federal Court in order to enforce a determination by a HREOC Commissioner or the Privacy Commissioner. Unfortunately, one of the anomalies arising from that expedient is the unfair difference in de facto appeal rights outlined above.
 It was proposed that decisions of code adjudicators would be similarly subject to judicial review - see Schedule 2 of the Bill, amendment to the definition of 'enactment' in the Administrative Decisions (Judicial Review) Act 1977 (Cth). However, when their decisions became subject to review by the Commissioner, the provision for judicial review was also dropped.
 Federal Privacy Handbook |P85-005 (CCH)
 See Casenote by P Gunning (2001) 7 PLPR Issue 10 (forthcoming)