Hostname: page-component-745bb68f8f-f46jp Total loading time: 0 Render date: 2025-01-30T22:43:28.120Z Has data issue: false hasContentIssue false
  • English
  • Français

Privacy Protection in Australia: The Need for an Effective Private Sector Regime

Published online by Cambridge University Press:  24 January 2025

Moira Paterson
Moira Paterson*
Affiliation:
Monash University
Get access Rights & Permissions [Opens in a new window]

Extract

Australia in the 1990s, like most other industrialised countries, is characterised by its high level of technological development, the increased automation of transactions between businesses and their customers and the reversal of pre-existing trends towards large government. These factors have combined to create an environment in which the issue of privacy and, in particular, the need for a private sector regime to protect privacy has begun to feature on the political agenda.

The need to regulate personal information became a matter of concern for the first time in Australia in the context of the controversy generated by an unsuccessful attempt to introduce a national identity card, the Australia Card. The main concern at that time focussed on the need to regulate the activities of the government; the Privacy Act 1988 (Cth), which was enacted in conjunction with initiatives to extend the use of the tax file number as a de facto identifier, covered only the activities of the Commonwealth public sector.

Type
Research Article
Information
Federal Law Review , Volume 26 , Issue 2 , June 1998 , pp. 371 - 400
Copyright
Copyright © 1998 The Australian National University

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Graham, P, “The Australia Card: A Burden Rather than a Relief?” (1986) 58(1) Australian Quarterly 14CrossRefGoogle Scholar; Greenleaf, G and Nolan, J, “The Deceptive flistory of the Australia Card” (1986) 58(4) Australian Quarterly 407CrossRefGoogle Scholar.

2 Broadband Services Expert Group, Networking Australia's Future: Final Report (1994) [Internet— http://www.dca.gov.au/pubs/network/toc.htm#af (accessed 20 June 1997)].

3 Commonwealth Parliament, House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence (1995) recommendation 38.

4 Senate Economic References Committee, Telecommunications Towards the Year 2000 (1995) ch 5.

5 Commonwealth Department of the Prime Minister and Cabinet, Office of the Chief Scientist, Agenda papers from the first meeting of the Council, 10 August 1995 (1995) at 89-90. These papers are available via the Internet at http://www.nla.gov.au/archive/gov/pmc/nisc/aug95/nisc1.html.

6 See Australian Law Reform Commission and Administrative Review Council, Open Government: a review of the Federal Freedom of Information Act 1982 (ALRC Report No 77; ARC Report No 40, 1995) recommendation 103. See also Queensland Parliament, Legal, Constitutional and Administrative Review Committee, Issues Paper, Privacy in Queensland (1997).

7 Price Waterhouse, Privacy Survey 1996. 32% believed that a Privacy Act which regulated both the public and privates sectors was the best way to address the issue of information privacy while another 32% favoured the option of a National Privacy Act together with industry-specific codes along the lines of the New Zealand Act.

8 Commonwealth Attorney-General's Department, Privacy Protection in the Private Sector,(September 1996) (the Attorney-General's Discussion Paper).

9 Extracts from Liberal and National Parties' Law and Justice Policy, February 1996 (1996) 3 Privacy Law and Policy Reporter 4.

10 Prime Minister's Press Release of 21 March 1997 [Internet — http://www.efa.org.au/Issues/Privacy/pmpr0321.html (accessed 30 June 1997)]. See also Brough, J, “Another Key Election Promise Bites the DustSydney Morning Herald 31 March 1997 at 11Google Scholar [The Sydney Morning Herald Quarterly on CD-ROM, Issue 12].

11 Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector (1997) (the Privacy Commissioner's Consultation Paper).

12 Her proposals are discussed in detail in a special issue of the Privacy Law and Policy Reporter: (1997) 4 Privacy Law and Policy Reporter.

13 See Greenleaf, G, “Principles and Mechru;tisms on Different Tracks: An Update on Private Sector Developments” (1997) 4 Privacy Law and Policy Reporter 83Google Scholar.

14 As noted by Carole Lane, all that is needed to conduct detailed online searches is a simple computer capable of running basic communications software: C Lane, Naked in Cyberspace (1997) ch 2.

15 H Garstka, “Privacy and Multimedia - An Inherent Contradiction?” Proceedings of 17th International Conference on Data Protection, Copenhagen, 1995 at 1.

16 These may be collected not only by parties to electronic transactions but also by a third party such as a bank which facilitates them: Lawson, I, Privacy and the Information Highway: Regulatory Options for Canada (1995) at 1Google Scholar.

17 Hendricks, E, “New Information Systems for Economic and Political Control in the United States” in Facing Dilemmas: Proceedings of the 16th International Conference on Data Protection, (1994) at 16Google Scholar; US Department of Commerce, National Telecommunications and Information Administration, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) at 14.

18 See Video and Library Privacy Protection Act of 1988: Joint Hearings on HR 4947 and S2361 Before Subcommittee on Courts, Civil Liberties and the Administration of Justice of the Senate Committee on the Judiciary, 100th Congress, 2d Session 80, 84 (1988). These hearings were followed by the passage of the Video Privacy Act 1988 (US).

19 W S Galkin, “Your Clickstream is Showing” (1997) 22 Computer Law Observer [Internet —http://www.law.circle.com/issue22.html]. See also the Cookie Central site at http://www.cookiecentral.com/ and R Clarke, “Protecting Your Privacy on the Internet” paper presented to a seminar on Consumer Protection on the Internet, Mitchell Library, Sydney, 1 May 1997 [Internet — http://www.anu.edu.au/people/Roger.Clarke/DV/Internet.html].

20 For example, via a transponder fitted to a car for the purposes of the collection of tolls for road use.

21 Likewise, information about a person's shopping habits within a store can be gathered by means of facial recognition technologies. For a simple explanation of this technology, see Siemens Nixdorf Advanced Technologies GmbH, “Face VACS — Your Face is the Key” [Internet — http://www.snatde/nc6/face.htm (accessed 3 June 1997)]. More generally, see the Face Recognition Home Page which is on the Internet at http://www.cs.rug.nl/~peterkr/FACE/face.html.

22 Reiman, J H, “Driving to the Panopticon: A Philosophical Exploration of the Risks to Privacy Posed by the Highway Technology of the Future” (1995) 11 Santa Clara Computer and High Technology Law Journal 27 at 29Google Scholar.,

23 In the United States the subject has been actively considered by the Federal Trade Commission which devoted to that topic a full session of its Online Privacy Workshop held in June 1997.

24 See, eg, http://www.econ.hvu.nl/~pverweij/nora/carpeopl.htm, a site which is designed to assist journalists in finding information about people.

25 The best known example is the Deja Newssearch facility.

26 CITEC, Advertising brochure, Public Access Systems. Details of the services offered by CITEC Public Access Systems are available on its web page at http://www.citec.com.au/citec/info-serv/pas.

27 These sentiments were reflected in the views expressed by the Australian Law Reform Commission in its 1983 report on privacy to the effect that it would be difficult for Australian society to maintain its traditions of individual liberty and democratic institutions unless privacy protection was strengthened: ALRC, Privacy (Report No 22, 1983) vol 1 at 17.

28 Lustgarten, L and Leigh, I, In from the Cold: National Security and Parliamentary Democracy (1994) at 39-40Google Scholar. This dual aspect of respect and self-respect is a vital dimension to privacy. In a similar vein, it has been suggested that the essence of the wrong that occurs through privacy invasions is lack of respect for the subject as a person: see Benn, S, “Privacy, Freedom and Respect for Persons” in NOMOS XIII: Privacy (1971)Google Scholar.

29 Regan, P, Legislating Privacy: Technology, Social Values and Public Policy (1995) at 32-45Google Scholar; Kearley, L, The Protection of Privacy on the Internet (1995) at 15-16Google Scholar.

30 P Regan, ibid at 27-28.

31 L N Geller et al, “Individual, Family, and Societal Discrimination” (1996) 2 Science and Engineering Ethics 71; Billings, P R, “Discrimination as a Consequence of Genetic Testing” (1992) 50 Am J Human Genetics 476Google ScholarPubMed; Nielsen, L, “Use of Medical Data on the Labour Market: A Danish Draft Bill” in Proceedings of the 17th International Conference of Data Protection & Privacy Commissioners, (1995)Google Scholar.

32 For example, the right of employers and insurers to make informed decisions on the one hand and the public interest in ensuring that people are not deterred from having tests which may be in their interest from a medical point of view.

33 Privacy Commissioner's Consultation Paper, above n 11 at 1.

34 The problems which are posed by these developments have been noted in a number of government reports. Eg, the In Confidence report (above n 3) notes that the coverage of the Privacy Act is too narrow to give adequate privacy protection, especially in an environment where outsourcing, corporatisation and privatisation have pushed a substantial amount of personal information outside the reach of the Act (recommendation 38). See Dixon, T, “In Confidence calls for tighter public sector privacy” (1995) 2 Privacy Law and Policy Reporter 101 at 104Google Scholar.

35 Bennett, C, “Privacy Protection for the Information Highway” (1995) Policy Options 43Google Scholar. The issue of the commercialisation of public data was the subject of a series of papers presented at the 17th International Conference of Data Protection & Privacy Commissioners in 1995: see Proceedings of the 17th International Conference of Data Protection & Privacy Commissioners (1995).

36 Privacy Act 1988 (Cth), s 6.

37 R Clarke, “Privacy and Public Registers” [Internet - http://www.anu.edu.au/people/Roger.Clarke/DY/PublicRegisters.html].

38 This enables a person receiving a telephone call to see the telephone number of the person making the call (unless that person takes measures necessary to prevent the revealing of that information). See Senate Economic References Committee, Telecommunications Towards the Year 2000 (1995) at 75-6.

39 Access to personal records in public hospitals is available under Freedom of Information legislation in all jurisdictions other than the Northern Territory.

40 For a useful analysis of the interdependence of the economic and technical issues see J Reidenberg, “Rules of the Road for Global Electronic Highways: Merging the Trade and Technical Paradigms” (1993) 6 Harvard J of Law & Technology 287. For examples of different approaches to these issues, compare the NSW Privacy Committee, Privacy and Data Protection in New South Wales: A Proposal for Legislation (1991), appendix 4 with the draft Principles for Providing and Using Personal Information and their Commentary, released for comment by the Privacy Working Group of the US Information Infrastructure Task Force (1994).

41 For a useful overview of multimedia initiatives in Victoria see G Baker, “$1.4m to fill a GAP means one big LEAP for State's multimedia” Age, 25 March 1997, C3. In a similar vein a US Government report has noted that “if consumers feel that their personal information will be misused or used in ways that differ from their original understanding, the commercial viability of the NII could be jeopardized as consumers hesitate to use advanced communication networks”: US Department of Commerce, National Telecommunications and Information Administration, Privacy and the NII: Safeguarding Telecommunications–Related Personal Information (1995) at 28.

42 European Parliament, Directive 95/46 on the protection of individuals with regard to the processing of the personal data and the free movement of such data, Brussels, 1995 (the European Data Protection Directive).

43 See clause 33 of the Hong Kong Personal Data (Privacy) Ordinance 1995 which was made on 3 August 1995 and Article 24 of the Taiwanese Computer-Processed Personal Data Protection Law which took effect on 13 August 1995. Malaysia has also announced that it intends to enact privacy legislation covering both the public and private sectors: see Greenleaf, G, “Private Parts - Malaysian Privacy Law” (1997) 3 Privacy Law and Policy Reporter 100Google Scholar.

44 In a speech given at the Eighteenth International Conference on Privacy and Data Protection in Ottawa on September 18, 1996, the Canadian Minister of Justice, Allan Rock, stated that: “By the year 2000, we aim to have federal legislation on the books that will provide effective, enforceable protection of privacy rights in the private sector”.

45 With the notable exception of New Zealand, jurisdictions which have private sector privacy laws generally impose restrictions on transborder data flows: see, eg, Article 17 of An Act Respecting the Protection of Personal Information in the Private Sector 1993 (Quebec).

46 Article 25(1). See G Greenleaf, “The European Privacy Directive - Completed” (1995) 2Privacy Law and Policy Reporter 81; G Greenleaf, “European Privacy Directive and data exports” (1995) 2 Privacy Law and Policy Reporter 105.

47 The United Kingdom Government appears to be proceeding on this assumption: United Kingdom Home Office, Consultation Paper on the EC Data Protection Directive (95/46/EC) (1996) paras 7.6 -7.9.

48 Greenleaf, G, “Personal Data Export Restrictions — Their Role in Developing Asia-Pacific Privacy Laws” paper presented at The New Privacy Laws: A Symposium on Preparing Privacy Laws for the 21st Century, Sydney, 19 February 1997 at 4Google Scholar.

49 Article 26(2).

50 It is arguable, for example, that the standards-based approach which is discussed below provides such scrutiny since, while adherence to a standard is purely voluntary, a body which chooses to adhere is subject to auditing.

51 Privacy Commissioners' Consultation Paper, above n 11 at 15 citing European Commission, Working party on the Protection of Individuals with regard to the Processing of Personal Data, First Orientations on Transfers of Personal Data to Third CountriesPossible Ways Forward in Assessing Adequacy, XV D/502/97-EN final, 26 June 1997.

52 For a useful summary of these see H H Perritt Jr, Law and the Information Superhighway (1996) ch 3.

53 It is moreover significant that a recent US government report acknowledges the need to consider the trade implications of the European Data Protection Directive: National Information Infrastructure Task Force, Options for Promoting Privacy on the National Information Infrastructure (April 1997) cited in Privacy Commissioner's Consultation Paper, above n 11 at 7.

54 Health Records (Privacy and Access) Act 1997 (ACT).

55 See Privacy Amendment Bill 1998.

56 See Greenleaf, G, “Commonwealth Abandons Privacy-For Now” (1997) 4 Privacy Law and Policy Reporter 1 at 3Google Scholar.

57 Privacy Commissioner's Consultation Paper, above n 11 at 47.

58 Peladeau, P, “Data Protection Saves MoneyPrivacy Journal June 1995 at 3-4Google Scholar.

59 For example, the AAMI Code of Practice and the Code of Banking Practice.

60 I Lawson, above n 16 at 24.

61 Bennett, C, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (1992)CrossRefGoogle Scholar.

62 I Lawson, above n 16 at 24-25.

63 In the case of most European countries privacy already receives general protection either via the implementation of international human rights documents in domestic legislation or by constitutional rights to privacy: I Lawson, above n 16 at 24-25.

64 Brandy v Human Rights & Equal Opportunity Commission (1995) 183 CLR 245.

65 Paper presented by Nigel Waters at the New Privacy Laws Conference, Sydney, February 1997 (at a session entitled “1970s Model Privacy Laws and Principles - Still Adequate?”).

66 OECD, Privacy and Data protection: Issues and Challenges (1994) at 46.

67 Slane B, “Implementing change: The New Zealand Privacy Experience” paper presented to the IBC Conference, Privacy in Practice, Sydney, 19-20 February 1996.

68 Section 13(1).

69 Section 13(2).

70 Law Reform Commission of Hong Kong, Privacy Sub-committee, Reform of the Law Relating to Information Privacy: A Consultative Document (1993), para 17.32 citing United Kingdom Data Protection Registrar, Fifth Report (1989) paras 236-238.

71 Voluntary codes which do not have any formal status are also used to a limited extent in other EC countries such as France: see “Direct Marketing Association Draws Up France's First Sectoral Code of Conduct” Privacy Laws & Business, (1994) at 13.

72 The Data Protection Registrar has recommended that he should have the power to give formal endorsement to codes so that breaches of them would not amount to breaches of the Act but would be taken into account by the relevant review body: Data Protection Registrar, Fifth Annual Report (1989) para 238.

73 Tucker, G, “Frontiers of Information Privacy in Australia” (1992) 3 Journal of Law and Information Science 66Google Scholar.

74 US Department of Commerce, National Telecommunications and Information Administration, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (October 1995) 12 citing Telephone Privacy: Hearings Before the Subcommittee on Telecommunications and Finance of the Committee on Energy and Finance, House of Representatives, 103rd Congress, 1st Session, 4-5 (1993) (statement of Hon George Miller, Cal) and L Morgan and E Wilson, “Anyone Can See Your Toll Oiarges”: St Petersberg Times, 1 October 1993 at1B.

75 Information and Privacy Commissioner of Ontario, Privacy Protection Models for the Private Sector (October 1995) at 5.

76 (1924] 1 KB 461.

77 Tyree, A, “Banking Law: Privacy Developments” (1997) 8 Journal of Banking and Finance Law at 45 and 47Google Scholar; Tyree, A, “Banking Code Losers” (1995) 6 Journal of Banking and Finance Law at 49-51Google Scholar.

78 United Kingdom, Report of the Committee on Data Protection, Cmnd 7772 (1979) at 161.

79 Industry Canada Discussion Paper, Privacy and the Canadian Information Highway (Ottawa: Minister of Supply and Services, 1994) Section 5 “Voluntary Codes and Standards”. This is available at http://strategis.ic.gc.ca/SSG/ih01094e.html.

80 Ibid.

81 Millar, M, “Protecting Privacy in Canada: Evaluating Recent Solutions Proposed for and by the Private SectorGovernment Information in Canada, vol 2(1)Google Scholar [Internet — http://www.usask.ca/library/gic/v2nl/millar.html (accessed (1 July 1997)].

82 CDT Comments to the FTC Consumer and Children's Online Privacy Hearing [Internet —http://www.cdt.org/privacy/9701415_cdt_ftc2.html (accessed 15 April 1997)]. For further details see the program's web site at http://www.truste.org/.

83 For a useful overview of the relevant US laws see, H H Perritt Jr, Law and the Information Superhighway (1996) ch 3.

84 Communications Law Centre, Telecommunications Privacy (November 1996) at 19.

85 Ibid.

86 Above n8.

87 Ibid at 7.

88 The Privacy Commissioner was to be given the power to issue guidelines for the avoidance of acts and practices such as telemarketing or optical surveillance that might have an adverse effect on individual privacy, even where no record was involved. However, these powers were to be confined to investigating, and making recommendations to resolve, disputes and there was to be no provision for any right of proceedings in the Federal Court as proposed in the case of the data protection provisions.

89 Attorney-General's Discussion Paper, above n 8 at 6-12.

90 See, eg, Clarke R, “Flaws in the Glass; Gashes in the Fabric” paper presented to The New Privacy Laws: A symposium on preparing privacy laws for the 21st century, Sydney, 19 February 1997 at3-4.

91 ALRC, Privacy (Report No 22, 1983).

92 For a useful discussion of the origins of these principles and a critique of them from the standpoint of technological change see J Gaudin, “The OECD Privacy Principles - can they survive technological change? Parts 1 and 2” (1996) 3 Privacy Law & Policy Reporter 143,196.

93 Further guidance concerning the application of these principles to the public sector may be found in Human Rights and Equal Opportunity Commission, Plain English Guidelines to Information Privacy Principles 1-3: Advice to Agencies about Collecting Personal Information (October 1994).

94 See, eg, R Clarke, above n 90 at 3-4.

95 Colakovski v Australian Telecommunications Commissioner (1991) 100 ALR 111.

96 Attorney-General's Discussion Paper, above n 8 at 12.

97 These codes were to be developed not only in respect of specific industries, professions and callings but also in respect of specified organisations, specified activities and specified information and in relation to specific classes of all of these.

98 It was expected that codes would be developed only in a fairly limited range of contexts as has been the case in New Zealand where only three codes have been issued so far: the GCS Information Privacy Code which covers a government-owned enterprise, GCS Ltd, that supplies computer processing to a number of government departments, the Superannuation Schemes Unique Identifier Code 1995 and the Health Information Privacy Code 1994. Further codes which are in the process of being drafted are a Telecommunications Code and a Police Code. In addition, the Credit Industry is still discussing the need for a separate code, with a final decision yet to be made.

99 Attorney-General's Discussion Paper, above n 8 at 12.

100 Ibid at 16-21.

101 It also recommended that Australian residents overseas should be required to comply with the IPPs governing storage and security, access and correction and use and disclosure.

102 Above n 11.

103 Alternative self-regulatory models are discussed ibid at 15.

104 I Lawson, above n 16 ch 14.

105 For example, there are new principles which deal with matters not covered by the IPPs, including requirements concerning destruction of records, multiple use of identifiers and anonymity.

106 The South Australian public sector is already subject to a Set of executive-imposed privacy rules based on the Commonwealth IPPs and the Victorian, New South Wales and Queensland governments are still actively considering the option of public sector legislation.

107 Article 3.1.

108 (1995) 183 CLR 245.

109 I Lawson, above n 16 at 22.

110 For example, see Privacy Commissioner, Seventh Annual Report on the Operation of the Privacy Act (1995) at 39-43.

111 See, eg, B Stewart, 'The New Privacy Laws: Exemptions and Exceptions to Privacy Principles' The New Privacy Laws: A symposium on preparing privacy laws for the 21st century, Sydney 19 February 1997 (Blair Stewart is the Manager of Codes and Legislation, Office of the Privacy Commissioner, New Zealand); Longworth, E, “Developing Industry Codes of Practice and Policies for the Australian Private Sector” (1996) 3 Privacy Law & Policy Reporter 196Google Scholar.

112 The Australian Privacy Charter Council's Privacy Charter (an initiative which brought together a wide range of experts to draft a clear statement that spells out principles to guide Australians in observing the right to privacy) provides a useful guide as to further principles that might usefully be added. These include principles to deal with the threshold issues of whether a new form of data collection is justified, freedom from surveillance, privacy of communications, privacy of private space, physical privacy, the right to anonymity, regulation of public registers and the right not to be disadvantaged by an assertion of privacy rights. For a useful discussion of these additional principles see Dixon, T, “Privacy Charter sets new benchmark in privacy protection” (1995) 2 Privacy Law and Policy Reporter 41Google Scholar.

113 New Zealand Real Estate Institute Inc, Privacy Act 1993: Compliance Programme (june 1994) at4.

114 It is interesting in this regard that some of the banks have been involved in the lobbying which has led to the abandonment in Australia of the proposed new legislation despite a statement by the New Zealand Privacy Commissioner that allegations that banks were bearing the brunt of the New Zealand Act “were simply not true”: see B Slane, “Implementing Change: The New Zealand Privacy Experience”, paper presented to the IBC Conference, Privacy in Practice, 19-20 February 1996. On the other hand, the extension of the Privacy Act to the private sector would frustrate the recommendations in the Wallis Inquiry Report that financial institutions should be permitted to use personal customer information for multiple purposes, including cross-selling and positive credit checks - see A Lampe “Data Mining could be a Problem for Consumers” Sydney Morning Herald, 11 April 1997. [Internet — http://www.smh.com.au/ns-search/daily/content/970411/business/business10.html?NS-search-set=/33cb0/aaaa00lDlcb0a9d&;NS-doc-offset=0&(accessed 15 July 1997)]. For detailed information concerning this report see the ASC web site at http://www.asc.gov.au/frames/420.html.

115 For example, Privacy Commissioner, Community Attitudes to Privacy (1995).

116 See Hilver, J, “Censorship and Privacy are Prime ConcernAustralian 17 June 1997 at 4Google Scholar.