Australian law and data protection
Don’t think data privacy is a big deal? Here’s a lesson from history. Before World War II, the Netherlands established a record of religion in Amsterdam, which the Nazis later used to round up people of Jewish faith, street address by street address.
“It led to the death of many of those people,” says former High Court justice Michael Kirby, who heard this story while in Europe in the 1970s as the chair of an OECD expert group drafting new privacy guidelines. “This had taught them how information was not neutral, information was sometimes sensitive, and sometimes literally a matter of life and death.”
Spurred on by its dark past, Europe has often led the world on privacy reform. The first national data protection laws, for example, were enacted in Scandinavia.
Now they’re doing it again. This week the European Union’s new General Data Protection Regulation (GDPR) came into force, which Kirby says is likely to inspire more stringent privacy regulations in other countries.
It’s the wake-up call Australia needs. Legal experts interviewed by The Saturday Paper say our own privacy regulation is weak, inconsistent, riddled with exemptions, and failing to keep up with technological advances. They claim our two major parties have left us exposed because they’re too cowardly to stand up to vested media interests, especially News Corp.
So what is the GDPR? A general data protection regulation doesn’t sound revolutionary, but it’s the most comprehensive privacy regulation of any jurisdiction to date, and it’s specifically aimed at bringing big tech companies such as Facebook to heel. “When it comes to data privacy, we’ve moved from the little league to the Olympics,” explains Steve Ingram of consultancy PricewaterhouseCoopers Australia.
While the definition of personal information is similar to Australia’s Privacy Act, other aspects of the regulation are in a whole different ballpark. Under the GDPR, for example, the bar for consent is much higher – it must be ‘‘freely given, specific, informed and unambiguous”, whereas in Australia it can be merely implied.
Some concepts have no equivalent in Australian law. The GDPR includes a “right to be forgotten” so that people can ask search engines to remove results about them. Since an earlier ruling in May 2014, Google has already delisted more than 900,000 URLs associated with the names of EU citizens.
Importantly, it backs these rights with serious penalties – up to €20 million ($A31 million), or 4 per cent of annual global turnover, whichever is higher. For a tech behemoth such as Facebook, this could run into the billions.
“This is absolutely aimed at the big tech companies that could previously afford to shrug off the cost of small fines as just part of doing business in Europe,” says Anna Johnston, director of Salinger Privacy.
Here’s a scenario that illustrates the difference. Imagine a woman suffered domestic violence in the ’80s, took it to court, and identifying details appeared in the judgement at the time. Decades later, those musty papers are digitised and somehow appear in Google search results, even though publishers try to avoid it. Some spiteful person posts this information on Facebook, exposing the woman’s private history to the world.
What could she do? If she were European, the woman could evoke the “right to be forgotten” and ask Google to remove the reference. She could complain to a data protection authority that can reach across borders and impose penalties large enough to motivate a response. If that fails, the GDPR ensures she has the right to sue.
In Australia her options are much more limited, says David Vaile, of the Australian Privacy Foundation. There is no “right to be forgotten” here. Our Privacy Act has many exemptions – for media companies, political parties, small businesses and individuals – and limited foreign reach. “Her only choice is to complain to the privacy commissioner, and the first thing they do is check for ways this might be outside their jurisdiction,” says Vaile. They’re overstretched and slow to respond, they don’t have to investigate, penalties are small change for a big corporation, and even if they do make a decision, it’s not enforceable.
Most gallingly, the woman couldn’t sue in court for herself. Vaile says while citizens can sue for breach of privacy in the EU, Canada, Britain, the United States or New Zealand, that legal right is denied to Australians.
The reason comes down to a peculiar High Court case in 1937. A radio station had constructed a platform to peer over the tall fence surrounding a racecourse, so it could broadcast the results without paying an entry fee. The court concluded that Australia’s common law did not provide specific legal protections for invasion of privacy, and the judgement has stuck.
In the more than 80 years since, no case has come before the High Court with precisely the right set of circumstances to overturn this longstanding principle, although a case in 2001 did leave open the possibility of change.
Meanwhile, experts have been recommending that the parliament do its job and create legislation that would fill this obvious gap in the law. “The possibility of having a general tort or civil remedy of privacy has been now advanced by I think five successive reports of law reform bodies in Australia beginning with the work of the Australian Law Reform Commission back in 1977 or thereabouts,” Kirby told The Saturday Paper.
The most recent report from the Australian Law Reform Commission was tabled in parliament in September 2014, but we’re still waiting. “Every time it comes forward powerful interests in the media and elsewhere oppose it and nothing gets done,” says Kirby.
David Vaile was on the advisory panel for this 2014 report, and noted many media companies engaged with the process but News Corp effectively boycotted it. The Murdoch press appeared completely opposed, he says, perhaps because they wanted to keep publishing “puerile tabloid stories that wouldn’t pass a public interest defence”.
“It’s like it was the gutter journalism, snooping into people’s dirty underwear, they wanted to protect,” he adds.
Again and again our two major parties have shied away from a fight with Australia’s most powerful media company, and the reform has stalled. But Vaile hopes the recent Cambridge Analytica scandal and now the EU’s new data laws could be the catalyst we need.
“I’m hoping that scrutiny would put back on the agenda the idea that people should actually have a right to protect their privacy,” he says. “Whereas at the moment they can complain to a weak, compromised, overloaded commissioner.”
That brings us to the Office of the Australian Information Commissioner (OAIC), the federal agency that handles both freedom of information requests and privacy complaints. It’s important work, but critics say the OAIC is starved of resources, slow and timid.
In the 30 years since the Privacy Act was introduced, the OAIC has made only 37 complaints determinations, and the highest compensation amount, even for breaches by multibillion-dollar companies, is $20,000. The lowest is nil.
“We have a Commonwealth watchdog that’s underfed and doesn’t like coming out of its kennel when there’s rain or thunder or any loud noises,” says Bruce Baer Arnold, an assistant professor of law at the University of Canberra. “It doesn’t want to bite the Commonwealth hand that feeds it.”
Perhaps it’s a case of twice shy. In 2014 the Abbott government tried to abolish the OAIC through a cost-cutting measure, but couldn’t get the legislation through the Senate, leaving the agency on life support. The Canberra office closed, and for a time Australia’s information commissioner was working from home.
In the 2016–17 budget, the federal government backtracked on its measure to kill off the OAIC, and funding was returned. Attorney-General Christian Porter told The Saturday Paper that the most recent federal budget included an additional $12.9 million over four years for the OAIC as “part of the establishment of the new National Consumer Data Right”.
In response to calls for the right to sue over invasions of privacy, he says it’s not needed because other existing laws do the job. “Australian law currently provides avenues for individuals to seek redress for interferences with their privacy – for example torts such as trespass, nuisance, defamation and breach of confidence.”
But Arnold says this ignores more than a decade of reports demonstrating that these existing remedies are inadequate and ineffective for invasion of privacy. “If the attorney-general bothered to read the Australian Law Reform Commission report he would see immediately that those avenues typically lead to dead ends,” he says.
Privacy, once lost, is irretrievable. Europe’s history of authoritarian regimes shows we can’t predict how our sensitive information will be used in the future, which is why we need to guard it so closely.
Reflecting on 40 years of watching privacy law develop, Kirby offers another warning. “What has happened is that the technology has grown ever so much more powerful and the collection of information has grown enormously and therefore the provision of effective legal protections is a challenge to virtually every developed society,” he says.
It’s a challenge our two major parties have so far failed to meet.
This article was first published in the print edition of The Saturday Paper on May 26, 2018 as "Witless protection". Subscribe here.