Privacy Protections in Australia
Q & A by Yashi Dao, MLS Science and Technology Law Association (SATLA), with Profs Megan Richardson and Mark Taylor
INTRO Q: Can you tell us a little bit about your area of expertise and the kind of work you do as a legal researcher?
Megan: As an academic at Melbourne Law School, I have been working on privacy law issues for the last 30 years. I have also been involved in various law reform activities. For instance, I was one of a group of scholars convened by the Australian Law Reform Commission to explore the meaning of 'privacy' for its 2006-8 privacy reference, and in addition served on the international advisory panel for the New South Wales Law Reform Commission's invasion of privacy review in 2006-2009. I was also a member of the advisory committee for the Australian Law Reform Commission's reference on Serious Invasions of Privacy in the Digital Era (report published 2014). Most recently I am a chief investigator at the ARC Centre of Excellence for Automated Decision-Making and Society (ADMS). I am currently teaching the MLM subject Privacy Law with Karin Clark and Michael Rivette.
Mark: I’m a Professor in Health Law and Regulation at Melbourne Law School and Director of the research group HeLEX (Health, Law and Emerging Technology) at the University of Melbourne. I was the establishing Chair of the Confidentiality Advisory Group (England and Wales) and have served as advisor to both the Health Research Authority (England) and the National Data Guardian (England and Wales). I was legal consultant and member of the drafting group for the OECD Recommendation on Health Data Governance, I am currently a member of the Victorian Health Technology Advisory Committee, and I am on half-time secondment to the Department of Health (Cth) supporting work on national data governance. I teach the MLM subject on Health Data Governance and the JD subject Commercial Data Law with Phil Catania.
Q1: Do you think the current privacy protection laws in Australia are sufficient? What are some general criticisms regarding information privacy protection in the age of technological development?
Megan: Compared with when I started, technology has become far more sophisticated and adept at collecting, storing and transmitting personal information. But I think the capacity to draw sensitive inferences from apparently anodyne information is one of the most significant aspects. This is something I’ve been writing about: see (D Clifford, M Richardson and N Witzleb) ‘Artificial Intelligence and Sensitive Inferences: New Challenges for Data Protection Laws’, in M Findlay, J Ford, J Seoh and D Thampapillai (eds.), Regulatory Insights on Artificial Intelligence: Research for Policy (Edward Elgar, 2021).
Mark: Data protection and privacy law has tended to focus on data that relate to identified or identifiable individuals, sometimes going so far as to regulate only data that may contribute toward an individual’s identification. This focus on identifiability is now hugely problematic. Not only is identifiability context dependent, with fluid interpretive contexts challenging any reliable assessment, but some of the most valuable uses of data are now those that identify patterns of associations between groups of people and particular dispositions, susceptibilities, or preferences. The law does not adequately protect collective interests in privacy or address group privacy concerns.
Q2: There’s a risk that privacy protection can compete with public interests that justify information disclosure, such as the implied freedom of political communication in the Constitution of Australia (ABC v Lenah Game Meats (2001) 208 CLR 199, Gleeson CJ). Under common law, how do judges decide whether information should be protected or disclosed?
Megan: In the Lenah case (here’s a more readable version), Gleeson CJ talked about there being a public interest defence to breach of confidence (which is still our main ‘common law’ doctrine for protecting privacy – actually it’s an equitable doctrine) and added that ‘to adapt it to the Australian context, it is necessary to add a qualification concerning the constitutional freedom of political communication’. That strikes me as a clear signal both that we have a public interest defence to breach of confidence which allows for balancing between privacy and free speech, and that the implied freedom of political communication will within its compass be accorded constitutional significance. It’s not just on the common law side. We’re also starting to see references to privacy in constitutional cases, eg Smethurst v Commissioner of Police (2020) and the recent LibertyWorks case.
Mark: I agree with Megan’s response and only add that it is sometimes important to recognise that there may be a public interest in protecting an individual’s privacy. For example, in relation to health information, the courts have been keen to ensure that the importance of maintaining public trust in a confidential health service is not overlooked. In fact, I’d say it is rarely a balance between individual interests and public goods. It is more often a question of how to trade-off different public goods and different individual rights and freedoms. In the UK, at least in some circumstances, there is a move to frame the question of whether information should be protected in terms of what would constitute a reasonable expectation of privacy in all the circumstances.
Q3: In The Right to Privacy (1890) 4 Harvard Law Review 193, Samuel Warren and Louis Brandeis suggested the introduction of the right to privacy under American tort law. Can similar ideas be derived to develop privacy torts within the Australian jurisdiction?
Megan: Well, yes there is an ongoing argument in Australian privacy circles that a privacy tort or torts would be preferable to our current suite of doctrines such as the equitable doctrine of breach of confidence. My view – for instance as argued in my early article on ‘Breach of Confidence, Surreptitiously or Accidentally Obtained Information and Privacy: Theory Versus Law’ (1994) 19 MULR 673 – is that breach of confidence (especially if broadly construed, as I think it should be, to cover surreptitious or improper obtaining) can provide significant support for privacy. But a common law, or indeed a statutory, tort could also have advantages in making more explicit the focus on privacy and also filling in some of the gaps in our current protection – for instance, the starting point of the breach of confidence doctrine that information is confidential, ie not public knowledge. In today’s world of easy publication eg on social networks that requirement can be problematic. (This was discussed, for instance, in the UK case of PJS v News Group Newspapers Ltd.)
Mark: Here there is an interesting distinction to be drawn between private information and confidential information. Even information that is in the public domain might interfere with an individual’s reasonable expectations of privacy if misused. An example here might be name and address information held by a doctor. Courts in the UK have developed a tort of misuse of private information which may be distinguished from the traditional equitable duty of confidence. The concern of the tort is principally the protection of human autonomy and dignity and the right to control dissemination of information about one’s private life. In some ways this is broader than the traditional equitable doctrine but in other ways narrower as, again, there is a tendency to be concerned only with information that relates to an identifiable individual. For reasons I gave earlier, I think therefore there may be value in developing a privacy tort alongside a duty of confidentiality with each protecting different interests and expectations.
Q4: Under statute law, the Australian information privacy protection regime comprises the main federal legislation, the Privacy Act 1988 (Cth), alongside multiple state and territory laws that add protections of varying scopes. Is this patchwork regulatory style effective, or can Australia benefit from implementing more harmonious and uniform laws?
Megan: When we ask our students questions like this, they come back with many and varied answers. I don’t have a strong view about the need for uniformity in our statutory data protection regimes. On the one hand, uniformity should hopefully reduce the burden of compliance for business, and provide more transparency for privacy subjects, as well as allowing a body of law to develop that can be looked to for authoritative understanding of the meaning and scope of the law. On the other hand, if uniformity means harmonisation on a less than adequate regime, and lack of opportunity for experimentation, then that’s not ideal.
Mark: Again, I agree entirely with Megan here. While uniformity can make things clearer, it does not always do so: differing interpretations of the requirements of the GDPR around the European Union provide examples of both. Uniformity does not necessarily result in harmony!
Q5: The EU General Data Protection Regulation (GDPR) is seen as one of the strictest privacy regulations in the world. How does the Australian Privacy Act 1988 (Cth) compare with our European counterpart? Do international laws like the GDPR have a significant influence on domestic privacy regulations like the Privacy Act 1988 (Cth)?
Megan: Our Privacy Act (which broadly speaking covers Australian federal agencies and businesses) is less rigorous than the GDPR in many respects – ranging from the information covered, to the standards applied, to the exceptions in the Act (we have some significant exceptions, eg for small business, employee records, journalism). The GDPR is making a difference though. Our law was originally modelled to some extent on OECD and EU standards and now that both of these are being updated, I think we can expect to see some further reforms in Australia (ie it’s not just that, with the European Court of Justice’s decisions in the Schrems cases, companies that trade with Europe have to meet EU standards). The GDPR was referenced in the Australian Competition and Consumer Commission’s Digital Platforms Inquiry Report 2019 (ch 7) and the Attorney-General’s Privacy Act Review Discussion Paper released in October 2021 (consultations have just closed). And there’s also the A-G’s draft Online Privacy Bill. It will be interesting to see what law reforms come out of these initiatives when the review process is completed.
Mark: I have little to add to Megan’s answer here which I think is really comprehensive. However, it is perhaps worth readers reflecting on the difference between an assessment of whether international laws such as GDPR have a significant influence and whether the influence they have is welcome and encourages democratically accountable innovation in governance or stifles it. Not seeking to imply a view here, other than the view that it is always important to separate the empirical question of what is happening from the normative question of what ought to happen.
Q9: Where can people go to find out more about your privacy research?
Megan: There’s a huge range of privacy research material out there, including material focussed on Australia – for instance I edited a special issue of the Australian Law Journal a couple of years ago which has some excellent articles, including one from Mark which he cites below. As to my work specifically, one starting point is my book Advanced Introduction to Privacy Law (which Mark notes below as well) – it’s in our library. Other recent works are listed in my University ‘Find an Expert’ profile.
Mark: I can’t do better than recommending any of Professor Richardson’s tremendous body of work on the issues of confidentiality and privacy. In addition to the things that she has mentioned already I would single out her book Advanced Introduction to Privacy Law (Edward Elgar, 2020). As for things that I’ve written, most recently I’ve considered some of these issues in Taylor MJ and Townend D ‘Towards a New Privacy: informed consent as an encumbrance to group interests?’ in Edward Dove and Niamh Nic Shuibhne (eds.) Law and Legacy in Medical Jurisprudence (Cambridge University Press, 2022) pp.367-390; Taylor MJ and Whitton T ‘Health Research and Privacy through the lens of Public Interest: A Monocle for the Myopic?’ in G Laurie et al. (eds) Handbook on Research Regulation (Cambridge University Press, 2021) pp.239-247; Taylor MJ and Paterson JM ‘Protecting Privacy in India: The Roles of Consent and Fairness in Data Protection’ (2020) Indian Journal of Law and Technology 16(1) pp.71-102; and Taylor MJ (2020) ‘“Personal Information” and Group Data under the Privacy Act 1988 (Cth)’ Australian Law Journal 94(10) pp.730-740.