Privacy Law 2001 Conference - IIR Conferences - Sydney 28-30 May 2001

Enforcement of the Privacy Act:  Problems and potential

Graham Greenleaf
Professor of Law, University of New South Wales
Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre
  • 1. Enforcement lacking, privacy law absent

  • 1. Enforcement lacking, privacy law absent

    In 2001, Australia still has nothing worth describing as a body of privacy law, even though a quarter of a century has passed since the NSW Privacy Committee Act 1975 established the third permanent privacy protection agency in the world (Sweden and the German state of Hesse were slightly earlier), and the Federal Attorney-General referred the whole issue of privacy protection to the Australian Law Reform Commission (then chaired by Kirby J).

    The Federal Privacy Act 1988 has been in operation for twelve years, in relation to the Federal public sector, and for almost a decade in relation to credit reporting. Its enforcement mechanisms are essentially the same as will be used to enforce the new extensions of the Act to the private sector.

     In this paper I examine some of the inadequacies in enforcement of our privacy legislation, first as issues of importance in the delivery of just outcomes in privacy disputes, but also as contributing reasons why Australia has failed to develop a body of privacy law. As I will try to make clear, it is something of a chicken-and-egg problem: a lack of law inhibits complainants; and inadequate enforcement mechanisms prevent law emerging.

     However, the reasons for our lack of privacy law are far broader than questions of enforcement, so we first review briefly four other reasons why no significant body of privacy law has developed.

    1.1. Our courts have not yet developed the general law

    The absence in Australia of any constitutional or statutory Bill of Rights (as is now found in the USA, UK, NZ and Canada) means that our courts do not have a convenient platform in domestic law from which to develop privacy law as an aspect of human rights. The High Court's decision in Victoria Park Racing and Recreation Grounds v Taylor (1937) 58 CLR 479 (discussed by Kirby J in this issue) stalled the development of any general tort of interference with privacy by Australian Courts, although Courts in similar jurisdictions have found some scope for common law development (for example, in New Zealand though this is now in retreat[1]). We now await the High Court's decision in Lenah Game Meats [2]to see if some form of a general tort of invasion of privacy can develop, at least in relation to 'stolen' information[3].

     A general tort is not the end of the story, as our Courts could develop specific tortious, equitable or administrative law remedies, or principles of interpretation so as to better protect privacy. For example, the law of breach of confidence has not yet clarified which of our transactions involving sensitive personal information are in fact 'circumstances of confidence' sufficient to attract the protection of a breach of confidence action. Beyond the traditional categories of doctors and lawyers, it is difficult to know whether video shops, all forms of financial advisers, libraries and bookstores, or introduction agencies owe us a duty of confidence. Part VIII of the Privacy Act 1988, which extends the law in a novel way to give the subject of information protection of confidence law even where they are not the confider of the information (at least in some contexts) has never been utilised. In Johns v ASC (1993) 178 CLR 408, the High Court opened up a principle of potential importance when it found that public bodies were limited in their use of information (including personal information) to the statutory purposes for which the information was collected, but since then there has been little use or development of this principle[4].

     Perhaps our Courts have not had sufficient opportunity by appropriate cases coming before them,. Few developments of general importance have emerged as yet, and the general law remains under-developed.

    1.2. International instruments have under-performed

    In Toonen v Australia (1994) the Human Rights Committee of the United Nations found that Australia was in breach of the provision in the International Covenant on Civil and Political Rights protecting privacy (Article 17), in relation to Tasmania's laws concerning sexual conduct[5]. The equivalent Article 8 in the European Convention on Human Rights has a significant body of case law concerning information privacy (mainly issues of excessive or intrusive collection)[6], but no equivalent use has been made as yet of ICCPR A 17 .

    1.3. Limited scope has made our privacy Acts largely irrelevant

    Until now, our information privacy legislation covers only the Federal public sector (since 1988), consumer credit reporting (since 1991), the health sector in the ACT, and the NSW public sector (only effective since mid-2000), plus limited coverage of parts of the telecommunications industry, uses of tax file numbers and some aspects of uses of criminal records. This covered at best a fragment of the situations likely to cause people privacy problems. The Federal Privacy Commissioner received nearly 9,000 enquiries in 1998-9 but 65% of them fell outside the Commissioner's jurisdiction, and only 1.7% concerned the Federal IPPs. Only 131 complaints resulted in a formal investigation (Annual Report, 1998-99). The NSW Privacy Committee (RIP 1999) could investigate anything but had no enforcement powers.

    1.4. Acts riddled with exceptions: more holes than cheese?

    The extension of the Privacy Act 1988 to cover (parts of) the private sector will change this somewhat, but the coverage is still far from comprehensive. On the government's estimate, up to 94% of businesses are potentially exempt 'small' businesses, and there are other potentially large areas of exemption relating to employment records, 'publicly available information', and the media. The NSW Privacy and Personal Information Protection Act 1998 has so many exemptions it is 'more holes than cheese[7]. The Victorian Information Privacy Act 2000 is much better[8], but other States and Territories still have no legislation. The situation is improving, but the dismal coverage of our laws to date has meant that most who have bothered to complain in the past have been turned away, and this may often still occur in future.

    2. The Commissioner's office: the black hole of privacy law?

    2.1. The Commissioner's remedies and investigative powers are sufficient

    One of the strongest aspects of the Federal privacy legislation, in relation to both the public and private sectors, is the extensive investigative powers of the Federal Privacy Commissioner, and the wide range of remedies that the Commissioner can include in a s52 determination.

     The remedies available under s52 include declarations that (i) actions interfering with privacy should cease; (ii) that the respondent should 'perform any reasonable act' to provide redress (including correction of records); and (iii) that compensation for loss or damage should be provided (including for injury to feelings or humiliation). The Commissioner can declare that the complainant is entitled to reasonable reimbursement of expenses in pursuing the complaint.

     It is difficult to know under what circumstances compensation will be paid. The Commissioner's Annual Report 1998-99 notes that seven settled complaints resulted in agreements involving payment of monetary compensation, of a total amounting to $18,000. Brief details are given of nine settled complaints, but only three of those resulted in compensation, for improper disclosure to an employer of a credit problem ($1,800), improper access by an ex-spouse to a credit file ($1,000), and for costs of pursuing a complaint ($65).

    The first reported example of a settled complaint[9] was against the Minister for Housing (NSW) and involved a breach of s18N. It was settled for a public apology, plus some (undisclosed) thousands of dollars compensation for hurt feelings,. It involved some significant interpretation of the Act, and showed how significant settled complaints could be.

     In most respects, the remedies available under the NSW legislation (from the ADT) and the Victorian legislation (from VCAT) in relation to IPP complaints against their respective public sectors, are similar to those available under the Federal Act. However, there is a $40,000 limit on compensation in NSW.

    2.2. Lack of appeal rights: Enforcement biased against complainants

    The minority who can make a privacy complaint within jurisdiction still have no guarantee that the complaint will be determined according to the correct meaning of the Act. The Privacy Act 1988 does not provide for any right of appeal against determinations by the Privacy Commissioner, either in relation to complaints against public sector bodies, or private sector bodies. However, this does not disadvantage complainants and complainees alike. Businesses (or agencies) complained about have in effect a right of appeal to the Federal Court on the merits of their case, whereas unsuccessful individual complainants have no such right. This is unfair and biased.

     A determination of a complaint by the Commissioner (or by a Code authority) can only be enforced by proceedings in the Federal Court (or the Federal Magistrates Court)[10], and the Court has to deal with the matter by way of a hearing de novo (anew) as to whether there has been an interference with privacy (s55A(5)). As a result, all that a dissatisfied agency or business has to do is sit on its hands and not pay the compensation or take the other steps it has been ordered to take. If the complainant then takes the matter to Court for enforcement, the business can have it heard in full again[11]. In effect, it obtains a right of appeal to a Court. An unsuccessful complainant has no such right of appeal . They have no redress against a questionable but reasonable application of the law to the facts of the complainant's case. The Commissioner need not be a lawyer, and only one of the three Commissioners to date has been (Commissioner O'Connor).

     The defect is not that businesses have an effective right of appeal: both parties should have a right to have matters as important and complex as those that arise under the Privacy Act heard by a Court or Tribunal, particularly where the Commissioner is not necessarily a lawyer. A right of appeal is unlikely to lead to a flood of cases.

     Decisions of the Commissioner are subject to judicial review, which will help ensure procedural fairness, but does not address the problem of lack of appeal rights. It will fail to provide justice to complainants where the complaint is that the Commissioner has applied the NPPs or a code to the facts of the complaint in a dubious fashion[12]. Where the Commissioner has made a wrong interpretation of an IPP, NPP or principles in an industry Code, or has misinterpreted some other provision of the Act or a Code, judicial review for error of law under the broader meaning of that term in the Administrative Decisions Judicial Review Act 1977 13may lie. However, this only applies where the Commissioner makes a decision capable of review, such as a s52 determination, and as noted below this has only occurred twice in the whole history of the Act. The Federal Commissioner has therefore been the de facto ultimate authority on the meaning of the Act, even though the Act does provide some avenues for review.

    The Victorian and NSW privacy Acts do give complainants access to an administrative tribunal, and ultimately to the Courts. The NSW Act also does a defect which will frustrate complainants. Complainants may elect whether to have a complaint about a breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner (s45), or subject to an internal review by the agency concerned (s53). However, the right of appeal is only against an internal review by an agency (s55), so if a complainant is dissatisfied with the Commissioner's conciliation, they will first have to seek an internal review before their right to appeal to the Administrative Decisions Tribunal arises. The Victorian Act gives dissatisfied complainants (or agencies) an unfettered right to have the NPPs and other provisions interpreted by the Victorian Civil and Administrative Appeals Tribunal (VCAT) and ultimately by the Courts. The IPPs in these Acts are therefore more likely to be interpreted by the Courts than the Federal Act, but they are as yet in their infancy, so no law has emerged as yet.

    2.3. Few formal complaint decisions by Commissioners: no law emerges

    In over a decade the Federal Privacy Commissioner has made two formal s52 determinations of complaints concerning the IPPs[14], and none concerning credit reporting under Part IIIA. In 1998-99 the Commissioner's office started the formal investigation of 131 complaints, and 'closed' (ie settled or dismissed) 91 complaints (none resulted in formal determinations under s52) (Annual Report 1998-99). Unfortunately, the Commissioner does not report details of decisions made under s41(1) not to investigate or further investigate a complaint, even though these decisions may be significant decisions that there is no breach of an IPP or NPP, and they could potentially be subject to judicial review[15].

     Does the fact that no complainants insisted on a formal s52 determination mean that all 91 sets of complainants and respondents were satisfied with the result? At least in relation to complainants, there are reasons why it is not possible to conclude this. If the
    Commissioner suggests to a complainant that a matter might be settled on particular terms, then even if the complainant disagrees, what would be the point in their insisting that the Commissioner proceed to a formal s52 determination if they cannot turn their disagreement into an appeal? Few complainants are likely to be aware that, if the Commissioner makes a s52 determination containing what may be characterised as an error of law, then they can go outside the Act to seek a contrary interpretation by means of judicial review. They may think that they may as well agree with a proposed settlement and be done with it. As a result, there may be an unknown 'dark figure' of dissatisfied complainants due to the Act's structural defect in not allowing appeals against the Commissioner's decisions. If so, a side effect is that we see even fewer reasoned s52 determinations than we otherwise might expect, and the development of privacy law is thus reduced.

    2.4. Settled complaints are not used to guide subsequent complainants

    The Annual Report mentioned above does not indicate how many of the 91 closed complaints resulted in compensation or some other remedy in favour of the complainant, merely noting that seven complaints resulted in payment of monetary compensation, of a total amounting to $18,000. Brief details are given of nine settled complaints, but not even of all of those resulting in compensation. No further details of settled complaints (or even of the two formal determinations) are provided on the Commissioner's otherwise very extensive and informative web site.

    As a result, potential complainants or respondents (or their advisers) have precious little information about how the Act is interpreted from prior complaints experience. The overall impression that is left by thirteen years operation of the Privacy Act is that, while Commissioners are interested in doing justice to individual complainants, the use of the complaints function of the Act to develop privacy law and to guide parties to future complaints is a matter which has the lowest possible priority. The Commissioner's office is like a black hole from which no privacy law escapes.

    2.5. Privacy Commissioner Guidelines may be wishful thinking

    In the absence of any guidance on the meaning of the IPPs emerging from decided complaints (or, better still, Court decisions), where do we turn? The Federal Privacy Commissioner has issued detailed Guidelines on the interpretation of the IPPs, and draft Guidelines to the NPPs. The Guidelines say they are 'not legally binding' but 'are the Privacy Commissioner's view of how IPPs 8-11 work'[16]. Some of the Guidelines seem more like guidelines to safe and desirable practices that the Commissioner would like to see adopted (and that is a legitimate function for them to perform), but it is difficult to see them as consistently reliable interpretations of the Act. They may be wishful thinking on the Commissioner's part. For example, the Guidelines on collection principles state that - 'consent ... must be informed and free', that 'an agency should not seek a broader consent than is necessary for its purposes', and that ' if the person the information is about knows or believes that serious adverse consequences will follow if they refuse to consent, any consent they give is not freely given'. No justification is given for these statements as a legal interpretation of the use of 'consent' in the Act, and they are contestable interpretations in a complex area of law.

    The only way to settle the meaning of these Principles is through litigation. Until then, much of our privacy lore, including Commissioner's Guidelines, is largely speculation.

    3. The Privacy Act in the courts - not

    3.1. No significant Court decisions

    There is not a single case that even mentions s52 (determinations) let alone seeks judicial review of them, and only one decision seeking judicial review of the Commissioner's s41 power to refuse to investigate further (Reidiger).

     Although the Privacy Act 1988 has not found its way to the Courts via the review of the Commissioner, other aspects of the Act could have attracted judicial attention. However, by and large they have not. There are at least 56 decisions to date where the Privacy Act 1988 has been mentioned by Australian Courts[17] but almost none of them say anything of significance.

    3.2. Litigators have made little use of privacy legislation

    Lawyers thrive on precedents. Australian lawyers have had few examples before them to stimulate them to think creatively about privacy law. The invisibility of the complaints function in the Federal Act has helped stunt the creativity of lawyers.

     Litigators have made little use of privacy laws as yet, even where access to the Courts is possible. The Commissioner has not been required to make s52 determinations so that judicial review could be sought.

    3.3. Injunctions under s98

    Another example is that litigators have not utilised the fact that, although it is not possible for a complainant to appeal from a determination by the Commissioner to a Court in relation to a complaint about the Federal IPPs or the NPPs, an injunction can be sought to restrain a breach. Section 98 of the Privacy Act 1988 allows 'the Commissioner or any other person' (including, but not limited to, a complainant likely to be affected by the breach) to go directly to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the IPPs or NPPs. The injunction power, which has never been used, allows a litigant in an appropriate case to have an IPP or NPP interpreted by the Courts, and then pursue compensation or another remedy from the Commissioner.
    98(1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court's opinion it is desirable to do so, requiring the person to do any act or thing.
    When the Commissioner is the applicant, s98(7) provides that 'the court shall not require the Commissioner or any other person, as a condition of the granting of an interim injunction, to give any undertakings as to damages'. Otherwise, if a complainant or other individual is the applicant, the threat of damages being awarded against may deter applications.

    3.4. Courts have shown a limited appreciation of privacy legislation

    Our Courts have had limited opportunities to interpret privacy legislation, for the reasons outlined above, but even where they have the results have not been encouraging.

    For example, Courts have not shown an adequate appreciation that s98 is included in the Act. In Ibarcena v Templar [1999] FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction, at least in relation to breaches or potential breaches where an injunction would be appropriate[18]. Similarly, in Goldie v Commonwealth of Australia Federal Court of Australia, [2000] FCA 1873, French J gave an account of how complainants could come before a Court, but omitted any mention of s98 injunctions[19].

     In another example of apparent lack of thorough consideration of privacy issues, Prasad, Rajesh Kamal [2001] MRTA 0716 (27 February 2001), the review applicant's legal representative submitted 'that the delegate acted in breach of the Privacy Act because he took, read and copied letters which the visa applicant had brought to the interview contrary to her objections'. In finding that there was no breach of the Privacy Act, the Migration Review Tribunal did not discuss whether this might constitute unfair collection under IPP 1.

    4. Conclusions

    4.1. We need more law, not lore

    There are other reasons for our lack of privacy law. Privacy advocates and academics have spent much time arguing for the extension of privacy legislation, but have made relatively little effort to analyse how the limited existing laws can be used or find test cases. Public interest advocates have made little use of the Act..

    The gist of my argument has been that we need more law. The general law has not developed its potential to protect privacy. There are a series of deficiencies in our privacy legislation, and the practices of the Federal Privacy Commissioner. We need changes to our laws so that complainants can more readily take questions of interpretation and application of privacy laws to Courts and Tribunals. We need Privacy Commissioners who make the communication of complaints resolution and the law underlying them a high priority. We need lawyers who find ways to obtain interpretations and remedies. We need dissemination of decided cases and examples of remedies obtained, both here and overseas. We need some law to start with in order to develop more law, not just the Commissioners' lore.

    4.2. A checklist for serious complainants

    Where there is a serious invasion of privacy, and a business or agency that does not offer immediate redress, complainants will need to take a serious approach to using all the resources that privacy law places before them to obtain a remedy. As with any other litigation, the powers and remedies available from officials such as Privacy Commissioners are among the available tools to achieve a desired outcome. Since complainants have no right of appeal against decisions of the Commissioner, care has to be taken to insure that the Commissioner interprets the Act correctly, and obtains all the facts.

     To conclude, here is a checklist of matters that serious privacy complainants, and their advisers, might consider in attempting to obtain a just resolution of a privacy dispute.

    1. Consider making a representative complaint under s38. There is strength in numbers, and more media interest.
    2. If the Commissioner refuses to investigate (or to investigate further, under s41, consider seeking judicial review under the ADJR Act.
    3. If you are dissatisfied with a proposed resolution of a complaint, do not agree to a settlement, but insist on a s52 determination so that there is a decision subject to judicial review under the ADJR Act.
    4. Seek judicial review under the ADJR Act as an error of law if the Commissioner has misinterpreted the NPPs, IPPs, an industry code or any other provision of the Act, in making either a s41 decision or a s52 determination.
    5. Seek judicial review under the ADJR Act if the Commissioner has in any way acted unfairly in reaching a s40 decision or s52 determination.
    6. Insist on a hearing. Before any s52 determination is made, insist on both the right to make written submissions, and to appear before the Commissioner in an oral hearing (s43(5)). Request the Commissioner to give the other party directions to attend if necessary (s46). Request the Commissioner's consent to have your legal representative attend the conference (s47).
    7. In any s52 determination, submit that the Commissioner should include compensation for loss or damage (s52(1)(iii)), including injury to feelings and humiliation (s52(1A)).
    8. In any s52 determination, submit to the Commissioner that reimbursement of reasonable expenses (including legal expenses) should be awarded in your favour (s52(3)).
    9. If it is necessary to enforce a s52 determination, ask the Commissioner to commence the proceedings (s55A(1)(a)). It looks worse if the Commissioner sues a company.
    10. If a complaint has an element of urgency or ongoing damage, consider seeking a s98 injunction against the company or agency even before the Commissioner investigates the complaint. Request the Commissioner to apply for the injunction, so as to avoid undertakings as to damages (s98(7)). If the Commissioner refuses, consider seeking an injunction yourself, but be aware of the risks of undertakings as to damages, and costs.
    11. If the Commissioner refuses to investigate a private sector complaints because of an exemption in the Act (exempt small business, political parties, media exemption etc), or because the Act has a delayed commencement (all small businesses), complain to the NSW Privacy Commissioner (investigative powers, possible damaging publicity).
    12. Always consider complaining to your MP at the same time as to the Commissioner.
    13. Media publicity can be very effective to encourage an appropriate settlement, but be careful of defamation dangers.
    14. Where a complaint involves an industry Code, the following steps are important: