Digital Platforms and proposed amendments to privacy laws

Introduction

The Final Report recommends significant changes to Australia's privacy laws, which if implemented would be the first major overhaul of the privacy laws since the introduction of the Australian Privacy Principles. The proposed changes include making existing laws stricter, a new right of action and a statutory privacy tort.

Public submissions to the Platforms Inquiry have highlighted a perceived need to update existing privacy laws to effectively address issues emerging in the data economy. The Report found that consumers have an increased awareness and concern about the privacy of their personal information in the context of collection by digital platforms. In accordance with this view, recommendation 16 proposes extensive amendments to existing Australia privacy legislation in order to protect consumers' personal information.

 

Most if not all of the proposed reforms will affect the operations of media businesses in some way. This article focusses on two of the proposed changes:

• introduction of a statutory tort of invasion of privacy (recommendation 19); and
• omnibus recommendation to "strengthen" consumers' protections under the Privacy Act 1988 (Cth)(Privacy Act), and in particular an update to the definition of "personal information" (recommendation 16(a)).

Recommendation 19: a statutory tort for the invasion of privacy

The possibility of a tort of privacy has been considered in Australia for many years.

A statutory tort was proposed by the New South Wales Law Reform Commission in 2007, and again by the Australian Law Reform Commission (ALRC) in 2014. Recommendation 19 suggests the proposed tort should be formulated as it was recommended by the ALRC.

There has also long been judicial consideration of whether such a tort, or a similar confidentiality-based cause of action, exists at common law. That possibility has been open since the High Court Decision in 2001 in Australian Broadcasting Corp v Lenah Game Meats Pty Ltd (2001) 208 CLR 199; 76 ALJR 1; [2001] HCA 63. A majority of the court (including Gummow, Hayne, Gaudron and Callinan JJ) found that the High Court's decision in Victoria Park Racing & Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479 does not stand in the way of development of such a tort. Overall, cases are divided on this issue, which has not been resolved by the High Court.

If a tort is introduced, then it could have a significant impact on journalism in Australia. It could also have broader impact, particularly as it includes a limb dealing with intrusion upon seclusion.

The Proposed Tort

In 2014, the ALRC recommended that a statutory tort of serious invasions of privacy should be introduced into Australian law by way of a standalone Federal Act (2014 Recommendation). The purpose of the proposed tort was to address gaps in the existing privacy framework, which is comprised of by both Federal and State-legislation, by enabling individuals to bring actions for serious invasions of their privacy.

The ACCC recommends that the 2014 Recommendation be adopted, recognising that the extensive analysis and consultation that has been previously conducted identified the 'significant gap in existing Australian law and the need for a new statutory cause of action for individuals suffering from serious invasions of privacy'. As summarised by the Final Report, the ALRC 2014 recommendation was comprised of the following main elements:

i) Invasion into privacy: either by intrusion into seclusion or misuse of private information

ii) There must have been a reasonable expectation of privacy on behalf of the plaintiff

iii) The invasion of privacy must be:

a. either have been intentional or reckless; and

b. serious

iv) There is no requirement for actual damage to be caused by the invasion of privacy (i.e. damages for emotional distress may be awarded), with a range of remedies available including injunctions and publication of corrections.

v) Public interest considerations: the court must be satisfied that the public interest in the privacy outweighs any countervailing public interest, including freedom of speech.

The 2014 Recommendation had the potential to materially alter privacy obligations for a wide range of Australian organisations, with ramifications extending beyond the media sector. By way of illustration, the 'private information' element of an invasion of privacy would affect anyone who publishes material, whether online or otherwise, and is therefore not restricted to media companies in its application. Also, the intrusion upon seclusion element of the tort will be relevant to a variety of circumstances which are currently governed by surveillance laws, trespass and potentially also planning laws (where for example one property overlooks another). In its 2014 report, the ALRC said that:

5.18 Intrusions upon seclusion usually refer to intrusions into a person's physical private space. Watching, listening to and recording another person's private activities are the clearest and most common examples of intrusion upon seclusion. They are the types of activities the ALRC intends should be captured by this limb of the tort. To make this clear, the ALRC recommends that these types of intrusion be specifically included in the Act, as examples of intrusion upon seclusion. The examples are intended to clarify, but not limit, the meaning of `intrusion upon seclusion'.

5.19 Intrusion upon seclusion aligns with Moreham's second overarching category of invasion of privacy. Moreham writes:

Peering through a person's bedroom window, following her around, bugging her home or telephone calls, or surreptitiously taking for one's own purposes an intimate photograph or video recording are all examples of this kind of intrusion.[13]

Any privacy tort could have a significant impact on media organisations. In the UK, privacy actions have had a significant impact on the media and on media reporting at a time at which defamation cases have decreased due to the introduction of the serious harm test. Some of these cases have significance for principles such as open justice. In 2018, Cliff Richards won a landmark privacy case in the UK, after the BBC used a helicopter to record a police raid on Sir Cliff's home. The High Court of Justice in England ruled that Sir Richard had a legitimate expectation of privacy in relation to a police investigation and search of his home. This finding has given rise to significant concern on the part of media organisations. For analysis of this decision, see: https://mediawrites.law/sir-cliff-richard-wins-landmark-privacy-battle/

It should also be noted that there is currently a defamation law reform process underway amongst the states and territories. The Final Report does not provide any detailed consideration of how the proposed privacy tort might interact with any future defamation reforms and the specific defamation reform questions posed in the COAG Discussion paper of February 2019. Proposed new defamation laws are currently scheduled to be released for public consultation in December this year with responses due in early 2020, presenting a unique opportunity for the harmonisation of privacy and defamation laws in Australia.

It should also be noted that there is currently a defamation law reform process underway amongst the states and territories. The Final Report does not provide any detailed consideration of how the proposed privacy tort might interact with any future defamation reforms and the specific defamation reform questions posed in the COAG Discussion paper of February 2019. Proposed new defamation laws are currently scheduled to be released for public consultation in December this year with responses due in early 2020, presenting a unique opportunity for the harmonisation of privacy and defamation laws in Australia.

Recommendation 16(a) updating the 'personal information' definition

The ACCC recommends amendments to the definition of personal information. Section 6 of the Privacy Act provides the current definition of 'personal information':

'information or an opinion, whether true or not, and whether recorded in a particular form or not, about an identified individual, or an individual who is reasonably identifiable'.

OAIC guidance, which is non-binding, provides some examples of what personal information is for the purposes of the Act. This includes name, contact details, date of birth, medical records and bank account details.

Is the current definition problematic?

As the Privacy Act regulates how personal information is dealt with by APP entities, the definition of personal information has a critical impact on its reach. In Privacy Commissioner v Telstra Corporation Limited, the Full Federal Court held that network metadata was not sufficiently connected to an individual to be "about" the individual for the purpose of the current "personal information" definition in the Privacy Act. This has provided a basis to assume that much technical data is not personal information, and is beyond the scope of access requests under the Privacy Act.

Neither the case law nor OAIC Guidance provides clear direction on when technical data is to be considered personal information. The question in every case will be whether the data is "about" the relevant individual.

The Recommendation

The ACCC recommends that the definition of personal information be amended to bring technical data, including IP addresses and device identifiers, as well as other technical data which could be used in conjunction with other information to identify an individual, within the scope of the Privacy Act. This would in the ACCC's view better 'reflect the realities of how data is used in digital markets'.

Overseas influence

The influence of the European Union's GDPR is clear. Under the Regulation, personal information is defined broadly:

"any information relating to an identified or identifiable natural person (`data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

Further, Recital 30 of the Regulation provides that natural persons can be identified by a combination of information i.e. online and unique identifiers, and established EU case law also provides that technical data such as IP addresses can constitute personal information when held with other information that can be used to identify an individual. Redefining personal information to include technical data therefore brings Australian privacy law further in line with the EU's GDPR, providing for the reality of how personal data is collecting in the digital age.

Further reform discussion

The proposal by the ACCC to reform privacy laws will no doubt trigger a broader consideration of issues beyond those canvassed in the Final Report. As the ACCC has proposed changes to consent and personal information definition provisions that would move Australia's regulatory landscape closer to the GDPR position, a broader privacy reform discussion might include whether other GDPR concepts should be imported for example, should Australian privacy laws involve a data controller/processor distinction? It should also be noted that these proposals come at the time of other significant privacy law reforms . The Treasury Laws Amendment (Consumer Data Right) Bill 2019 was passed on 1 August 2019was enacted on 1 August 2019, and will progressively apply to the banking, energy and telecommunications sectors. Thus Australia is at a critical juncture in determining the future of its communications laws.