It's been 12 months since the introduction of the Australian privacy law reforms. Described by one judge as "legislative porridge", the changes led to a flurry of activity, with the private sector and Commonwealth Government agencies rewriting their privacy policies and procedures to comply with a new, more prescriptive framework.
But has there really been a change in how we approach privacy or how the law is enforced? In short, it's still too early to tell. Many organisations are still working out how to meet the new requirements and there have been no determinations by the Privacy Commissioner under the new laws.
Nevertheless, there have been a number of significant developments, which give an indication as to where Australia may be heading in the privacy law sphere.
Ironically, soon after the privacy law reforms took effect on 12 March 2014, a significant change that could affect how the new regime will be administered and enforced was foreshadowed.
In the May 2014 budget, the Commonwealth Government announced that the Office of the Australian Information Commissioner (OAIC) was to be abolished and the Privacy Commissioner would revert to being a statutory position within the Australian Human Rights Commission.
The legislation implementing this change is yet to be passed by Parliament.
A key area to watch will be whether the resources to enforce the new privacy regime will be reduced despite the fact that, according to the Privacy Commissioner, privacy complaints have increased by 43% (to 4,016) in the 12 months since 12 March 2014.
Guidance on the new regime
While the Privacy Commissioner hasn't published any determinations under the new regime, the Commissioner has issued two significant documents:
- the Privacy regulatory action policy (November 2014) (the Policy), and
- the Guide to securing personal information: Reasonable steps to protect personal information (January 2015) (the Guide).
The Policy outlines how the Commissioner approaches enforcement of the legislation. Its guiding principles include proportionality and consistency. Significantly, and reassuringly, the preferred regulatory approach is to work with entities to facilitate legal and best practice compliance. The Policy also notes that an entity's cooperation with the Commissioner will be considered in deciding whether to take regulatory action.
The Guide offers detailed and comprehensive information about:
- how to assess security risks to personal information held by entities (including risks of human error, technical failures and external threats or attacks), and
- steps to take to ensure information is appropriately secured (particular attention is paid to the issues of IT security and the use of cloud storage services).
The Guide is timely, given that the major determinations by the Commissioner in the past year have concerned security breaches under the previous provisions. Those determinations considered failures to implement appropriate access controls on information held electronically (which led to personal information becoming publicly available on websites), inadequate security procedures (such as password controls) and failures to carry out vulnerability testing to prevent external hacking.
While the guidance material issued by the Privacy Commissioner is not legally enforceable, it will give rise to an expectation that entities ensure their procedures follow the recommended approaches.
Other developments—breach of confidence
One of the most interesting developments in the past 12 months has involved the rise of another avenue to protect personal information—litigation based on the equitable claim of breach of confidence.
The publication of comments made by Professor Barry Spurr of Sydney University in "personal" emails on the University's IT system led to Professor Spurr taking court action against the news website New Matilda, including on the basis that New Matilda had engaged in a breach of confidence. The substance of the claim was that the content of the emails was clearly private and the circumstances gave rise to an obligation of confidence.
While the issue was not resolved in the Spurr case, a recent decision by the Supreme Court of Western Australia in Wilson v Ferguson held that posting sexually explicit photos and videos of a former partner (taken during the relationship) on Facebook constituted a breach of confidence owed to the former partner.
In that case, Judge Mitchell noted that the essential elements of an action in equity for breach of confidence are that the information was of a confidential nature, that it was communicated or obtained in circumstances importing an obligation of confidence, and that there was an unauthorised use of the information. Each of these elements was found to exist on the facts of the case.
The images posted on Facebook were intimate, explicit and indicative of a confidential character. The nature of the images and the circumstances in which they were obtained were such as to make it obvious to any reasonable person that the images were for the defendant's viewing only and that any disclosure to third parties would be likely to cause immense embarrassment and distress. It was also found that the defendant misused the images by posting them on his Facebook page, so that they were accessible to hundreds of his "Facebook friends".
While it is less likely that the same level of unauthorised or deliberate conduct would be engaged in by an organisation, the prospect of a significant interference in privacy being accompanied by a claim of breach of confidence cannot be discounted.
Other developments—mandatory breach reporting
Another significant development is the revival of the debate as to whether there should be mandatory notification of breaches of the Privacy Act 1998 (Cth). The debate has recently been reignited in the context of proposed data retention laws, with the Parliamentary Joint Committee on Intelligence and Security recommending mandatory requirements to notify breaches of the proposed laws.
The Commonwealth Government has indicated support for the Committee's recommendation. It remains to be seen whether there will be any interest in extending the obligation to mandatory reporting of breaches of the