Privacy International

PHR2004 - Commonwealth of Australia

Commonwealth of Australia

While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States contain any express provisions relating to privacy. There is continued debate about the value of a Bill of Rights, but no current proposals.[1] The Constitution limits the legislative power of the Commonwealth (federal) government, with areas not expressly authorized being reserved for the States. The constitutionality of federal laws imposing privacy rules on the private sector has been questioned, but not so far challenged. Most commentators believe that the Commonwealth could base any private sector privacy law on a "cocktail" of constitutional powers including those giving authority over telecommunications, corporations and foreign affairs (e.g., treaties).

Privacy Law in Australia comprises several Commonwealth (federal) statutes covering particular sectors and activities, some State or Territory laws with limited effect, and the residual common law protections.

In Australia there has until recently been no recognition of a general tort of protection of privacy. Very occasionally the common law has been used in support of privacy rights through actions for breach of confidence, defamation, trespass or nuisance.

In the 2001 Lenah v ABC decision,[2] the High Court discussed the issue and effectively issued an invitation that a tort might be found if the right case came forward involving an individual (the Lenah case involved allegations of breach of corporate privacy). In June 2003, a Queensland District Court judge took up the invitation and in Grosse v Purvis[3] awarded the plaintiff AUD 178,000 for breach of privacy occasioned by intrusion and harassment over a sustained period. It remains to be seen if this affirmation of a common law right is upheld if appealed, or followed in other cases.

The principal federal statute is the Privacy Act of 1988,[4] which has four main areas of application and which gives partial effect to Australia's commitment to the Organization for Economic Cooperation and Development (OECD) Guidelines and to the International Covenant on Civil and Political Rights (ICCPR), Article 17. It creates a set of eleven Information Privacy Principles (IPP), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government-issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The Privacy Act originated in protests in the mid-1980s against the Australia Card scheme – a proposal for a universal national identity card and number. That controversial proposal was dropped, but use of the TFN was enhanced to match income from different sources, with the Privacy Act providing some safeguards. The use of the TFN has been further extended to include benefits administration as well as taxation. Some controls over this matching activity were introduced in 1990.[5] In June 2004, the Privacy Commissioner called for a renewed debate on identity management – though not a debate on the possibility of another Australia Card proposal – because "identity management is the big next push in response to fraud and theft."[6]

After several policy reversals, the conservative government introduced legislation to extend privacy protection to the private sector in April 2000. The Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 and took effect in December 2001 (a year later for some small businesses). The law puts in place National Privacy Principles (NPPs) based on the National Principles for Fair Handling of Personal Information originally developed by the Federal Privacy Commissioner in 1998 as a self-regulatory substitute for legislation. Private companies are now required to observe these principles, although they can apply to the Privacy Commissioner for approval of a self-developed Code of Practice containing principles that are an "overall equivalent" to the NPPs. The Act has been widely criticized as failing to meet international standards of privacy protection. A promised review for privacy protection for employee records has yet to commence, although an inter-departmental committee has been looking into the need for specific privacy protection for children's personal information. The Attorney General indicated in 2000 that the Privacy Act would undergo a full review within two years, but as of April 2004, no such review had been undertaken.[7]

The NPPs impose a lower standard of protection in several areas than the EU Data Protection Directive. For example, organizations are required to obtain consent from customers for secondary use of their personal information for marketing purposes where it is "practicable"; otherwise, they can initiate direct marketing contact, providing they give the individual the choice to opt out of further communications. Controls on the transfer of personal information overseas are also limited, requiring only that organizations take "reasonable steps" to ensure personal information will be protected, or "reasonably believe" that the information will be subject to similar protection as applied in the Australian law. In addition, the Act provides for several broad exemptions for employee records (defined as a record of personal information relating to the employment of the employee including, for example, health information, contact details, salary or wages, performance and conduct, trade union membership, recreation and sick leaves, banking affairs, etc.); media organizations (defined very broadly); and small businesses (defined as having less than AUD 3 million annual turnover and not disclosing personal information for a benefit). According to the Federal Government the small business exemption will exempt about 94 percent of all Australian businesses but only 30 percent of total business sales, an exception that includes many Internet companies.[8] There are also weaknesses in the enforcement regime including, for example, allowing privacy complaints to be handled initially by an industry-appointed code authority, although a right of appeal to the Privacy Commissioner was inserted by Opposition parties. The Act does, however, include an innovative principle of anonymity. Principle 8 states that: "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation."

In March 2001, the Article 29 Data Protection Working Party of the European Commission expressed many reservations about the Act, suggesting that it would not, as currently written, satisfy the adequacy test in Articles 25 and 26 of the EU Data Protection Directive for data to flow to third countries.[9] The group recommended the introduction of additional safeguards to address these concerns. In response, the Attorney General issued a press release stating that the Committee's comments "display an ignorance about Australia's law and practice and do not go to the substance of whether our law is fundamentally "adequate" from a trading point of view." He acknowledged that officials from Australia and Europe would "obviously" continue to talk but that "Australia will only look at options that do not impose unnecessary burdens on business." In May 2003, the Attorney General convened a meeting of a consultative group to discuss, amongst other things, three proposed amendments to meet some of the criticisms by the EU. These would extend correction rights to non-Australians, extend the scope of the transborder data flow control (Principle 9) to data about non-Australians, and ensure that the Privacy Commissioner could approve Codes of Practice that voluntarily covered otherwise exempt acts and practices. The government hopes to make these amendments within the next year. But some of the key EU objections would remain and may prevent an "adequacy" assessment. As of September 2003, although Australia is non-compliant with the EU directive, trade between the countries has not been impacted nor have any EU companies refused to deal with Australian partners.[10] In April 2004, the Privacy Amendment Act of 2004 extended some privacy protections to non-Australian citizens.[11] These provisions extended data correction rights to non-Australians and granted protections under NPP 9 (transborder data flows).[12]

The Office of Privacy Commissioner,[13] which enforces the Privacy Act, was initially established as a member of the Human Rights and Equal Opportunity Commission but has been operating as a separate statutory agency since July 1, 2000. The Office has a wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters. The Privacy Commissioner in April 2004 urged a move away from the initial strategy of facilitative cooperation with the business sector towards greater enforcement, a transition that will likely be hampered by limited funding.[14]

The Commissioner has so far approved two Codes of Practice under the private sector regime for the General Insurance Industry, which has its own adjudicator for complaints, and for Licensed Clubs in the state of Queensland, which defaults to the Privacy Commissioner for complaints. In August 2003, the "Market and Social Research and Privacy Code" was approved[15]; as of June 2004, no complaints or enquiries have been made under this code.[16] This code governing market research provides some standards that are higher than the NPPs, including giving the data subject the right to choose whether to destroy or de-identify their information after use.[17]

The Commissioner's office, which had suffered cutbacks in the late 1990s, received additional resources to accompany its jurisdiction over the private sector, which has become one of its main focuses since 2001. However, these resources have proved inadequate to cope with a major increase in inquiries and complaints, leading to a growing backlog. Outgoing Privacy Commissioner Malcolm Crompton in March 2004 indicated that his office was forced to drastically scale back services, including auditing, in order to accommodate the rising level of complaints.[18] In fact, the auditing function ceased to exist as of June 2004, except when the Office received dedicated funding for such purposes.[19] The office was forced to employ a "triage approach," dealing with only the most serious issues first.[20] As of 2004, the Office has 36 full-time staff divided into four sections: Compliance, Policy, Corporate and Public Affairs, and the Executive.[21]

The number of complaints received in the period from July 2003 to June 2004 totalled 1,158 with 1,183 matters raised (some complaints contained more than one matter), a more than five-fold increase since 2000-01.[22] The Compliance section of the Office handles complaints.[23] The majority of matters raised – a total of 766 – concern application of the NPPs to the private sector; 207 matters concern credit reporting; and 173 matters concern information privacy principles.[24] Of the 766 matters concerning private sector NPP compliance, the largest category of matters concerned the financial industry (144); followed by health service providers (114); telecommunications and Internet service providers (69); landlords and real estate agents (51); insurance organizations (48); tenancy databases, credit reporting agencies and debt collectors (41); retail (36); and legal, accounting and management services (34).[25] Out of the 1,158 complaints received since July 1, 2003, 826 had been finalized by June 11, 2004. The time to resolve these complaints varied: 47 percent within 10 days; 28 percent within 30 days; 19 percent within 90 days; 5 percent within 180 days; and 1 percent within 9 months.[26] Of those taking less than 10 days to resolve, the majority were declined investigation by the Office.[27] Section 40(2) allows the Commissioner to investigate privacy violations on its own in the absence of a complaint; as of June 11, 2004, the Office has opened 45 matters under this provision.[28] As of June 2004, the Office has 450 open complaints, half of which have been allocated to an investigations officer.[29]

Section 52 of the Privacy Act provides that the Commissioner may make formal determinations in relation to complaints investigated. The determination by the Commissioner may dismiss the complaint, or may find the complaint substantiated and declare that the respondent should cease to breach the Act, take any reasonable steps to redress damage suffered by the complainant, or pay compensation to the complainant. Importantly, Section 52 determinations are not legally binding on the respondent. The Commissioner, the complainant, or the adjudicator for an approved privacy code can commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce a determination. As of June 2004, no parties have sought such enforcements of determinations made by the Commissioner.[30] Recently, the Commissioner has reviewed several complaints regarding the sharing of information among government agencies. One complaint in particular dealt with the disclosure of sensitive personal information by a Commonwealth agency, where the complainant was employed, to another Commonwealth agency where the complainant had applied for a position.[31] Of inquiries outside the Commissioner's jurisdiction, some of the most common concerns were workplace privacy, video surveillance, and disclosure of information from public registers.

The first class action brought under the Privacy Act was successful. A tenant class sued the largest Residential Tenancy Database (RTA) provider – a database used to identify "problem" renters – claiming that the data held on them was erroneous and that they were charged excessive fees to access their files, among other claims stemming from the service.[32] The database contains files on about 300,000 people.[33] The Privacy Commissioner determined that the defendant company violated NPP 3 "by failing to take reasonable steps to make sure the personal information it collects, uses and discloses is up-to-date"; and NPP 4.2 "by failing to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose."[34] The Commissioner ordered the defendant to cease the violative practices.[35]

In May 2004, the first case successfully invoked section 98 of the Privacy Act, which allows anyone, not necessarily the victims of the alleged breach of privacy, to bring suit seeking an injunction against a party violating the NPPs.[36] The federal court in the Seven Network Limited v. Media Entertainment and Arts Alliance case granted the injunction after finding that the defendant trade union engaged in collection of personal data via telephone surveys in violation of the NPPs.[37]

There are two other federal privacy-related laws for which the federal Privacy Commissioner is also the supervisory and complaint handling agency. The first one is Part VIIC of the Crimes Act,[38] enacted in 1989, which provides some protection to individuals who have had criminal convictions in relation to so-called "spent" convictions (i.e., convictions for relatively minor offenses which they are allowed to "deny" or have discounted after a set period of time). The second one is the Data-Matching Program (Assistance and Tax) Act 1990,[39] which provides detailed procedural controls over the operation of a major program of information matching between federal tax and benefit agencies.

In 2001 the Privacy Commissioner released the results of a comprehensive research project into public attitudes towards privacy issues that was commissioned earlier in the year.[40] The research findings were incorporated into three separate reports: Privacy and the Community; Privacy and Business; and Privacy and Government. The results indicate overwhelming support for privacy protection. For example, 91 percent of the public said that they would like businesses to seek permission before engaging in direct marketing; 89 percent would like organizations to advise them who would have access to their personal information and 92 percent would like to be told how it would be used; 42 percent have refused to deal with organizations they felt did not adequately protect their privacy. When asked what kind of data they considered most sensitive 40 percent identified financial details, 11 percent identified income, seven percent identified medical or health information, four percent identified home address, three percent identified phone number and three percent identified genetic information.[41] The Privacy Commissioner is using the results of the survey in setting out a future work plan for the office including informing the marketing and communications strategy, and providing information for other areas of responsibility such as the development of industry codes and guidelines.

A complex mix of privacy standards applies to the telecommunications sector. The Telecommunications Act 1997[42] contains a detailed list of exceptions from a basic presumption of confidentiality of customer records.[43] These exceptions are similar to those in the use and disclosure principles of the federal Privacy Act. An Industry Forum prepares detailed Codes and Guidelines, some of which are binding.[44] A Code of Practice on the Protection of Customer Personal Information, which was binding on all telecommunications carriers and service providers, was de-registered once the private sector amendments took effect. The enforcement position remains confusing, with the Australian Communications Authority (ACA), the Telecommunications Industry Ombudsman and the Privacy Commissioner all having overlapping jurisdictions. There is also a binding Code of Practice on Calling Number Display (CND),[45] which requires carriers to offer free per call and per line blocking (but only on an opt-out basis) and attempts to impose guidelines on telephone users' use of CND information. Other Codes deal incidentally with privacy issues such as directories, numbering and emergency calls. The ACA investigated the sale and marketing use of customer proprietary network information (CPNI) – data about incoming and outgoing calls – of customers by phone companies.[46] It found that industry practices probably violated current legislation, and proposed new industry standards to be instituted in 2004.[47]

The Telecommunications (Interception) Act of 1979[48] regulates the interception of telecommunications. A warrant is required under the Act and it also provides for detailed monitoring and reporting. However, the Interception Act safeguards need to be read alongside Part 15 of the Telecommunications Act 1997, which places obligations on telecommunications providers to provide an interception capability and positively assist law enforcement agencies in relation to interception. There have been several changes to the interception regime in recent years, including broadening the range of offenses for which warrants can be obtained; allowing more law enforcement agencies to apply for warrants and more of them to execute warrants themselves; and transferring the warrant issuing authority from federal court judges to designated members of the Administrative Appeals Tribunal (who are on term appointments rather than tenured and are arguably less independent). Significant loopholes exist within the legislation, as does uncertainty in relation to allowable "participant monitoring."[49] There also remains considerable uncertainty as to the position of e-mail and other stored communications under the telecommunications laws – it is not clear which communications are subject to the strict Interception Act safeguards and which only to the lesser controls of the Telecommunications Act.

In April 2004, anti-terrorism legislation was proposed in Queensland that would grant law enforcement covert search warrant capabilities but would not extend wiretap capabilities to Queensland law enforcement organizations, as Opposition leaders wanted.[50] Changes to the federal law are also sought; in May 2004, legislation to amend the Telecommunications (Interception) Act was introduced.[51] The amendments would eliminate the warrant requirement for accessing stored communications – email, SMS, and voice mail – allowing non-law enforcement government organizations and even private investigators to access these communications without a court order.[52] Additional proposed federal legislation would further weaken surveillance protections. The Surveillance Devices Bill 2004[53] seeks to increase the number of offenses for which surveillance may be initiated by law enforcement.[54]

Interception activity continues to increase. In 2002-2003, the number of warrants issued increased to 2,514, with only 4 applications refused.[55] This excludes an undisclosed number of interception warrants issued to the Australian Security Intelligence Organisation by the Attorney General. In 2003-2004, warrants increased by 22 percent with 3,058 issued and nine refused.[56]

In April 2003, the National Office for the Information Economy (NOIE) released a final report of its review of the spam problem and how it can be countered.[57] The NOIE report makes several recommendations, largely endorsing proposals by the Privacy Commissioner, including outlawing spam, urging ISPs and consumers to use anti-spam software, and committing to working internationally on this issue. One recommendation of the NOIE Report proposed that the Australian Competition and Consumer Commission, the Australian Securities and Investment Commission and the Office of the Federal Privacy Commissioner should ensure that relevant legislation is fully applied to spam. Spam legislation (Spam Act 2003) became effective April 2004, outlawing unsolicited marketing messages on electronic mediums including email, SMS (short message service), MMS (multimedia messaging service), and instant messaging, and requiring opt-out facilities and an accurate sender address.[58] Penalties range up to AUS 1.1 million for businesses that repeatedly violate the law. The complex law confused affected organizations, prompting the Australian Computer Society to release simplified guidelines for compliance.[59] Emailers must have prior consent of the recipient, although consent can be inferred from prior conduct and relationships.[60] The Australian Communications Authority, which has begun establishing enforcement capabilities, will enforce the law, although early goals target compliance rather than prosecution.[61] Civil liberties organizations have criticized the Spam Act because the search and seizure provisions allow some government employees and police to seize an individual's computer without a search warrant.[62]

As of early 2004, legislation regulating spyware and "adware" (that tracks users' web visits to target advertising via pop-up ads) was expected to be introduced.[63] The Privacy Commissioner commented that the methods employed by both types of software violate the NPPs.[64]

Electronic Frontiers Australia[65] and the Australian Privacy Foundation[66] have both criticized the international proposal for ENUM (or "electronic numbering"), a protocol for translating telephone numbers into Internet domain names and mapping telephone numbers to other means of communication such as e-mail, fax and mobile numbers. ENUM poses serious risks to privacy because it creates a unique individual identifier and because the currently proposed system requires personal information about individuals who have an ENUM address to be made publicly accessible in a database on the Internet. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitations. The system could facilitate an unprecedented amount of spam because programs could be designed to send solicitations to all of the registrant's communications devices. The ACA created a working group in September 2003 to study the privacy and security implications of ENUM.[67] ENUM trials will commence in 2004, although the ACA proposed mandatory requirements including opt-in user consent, NPP compliance as a minimum, and full disclosure of privacy risks.[68]

Public sector privacy issues continue to raise concerns. As part of reforms to the Australian tax system from July 2000, the Australian Taxation Office required all enterprises to obtain an Australian Business Number. The ATO collected registration details including address and e-mail contact, and planned to make this available to the public through the Australian Business Register and through selling it to database companies. A storm of protest occurred in June 2000 when it was realized that the register would include the home address and other details of almost 2 million individuals who were sole traders, contractors or even just had a minor income from a hobby or some other activity. The Government agreed to amend the legislation, limit the content of the Australian Business Register and allow individuals to suppress their details. At the same time, the Government was forced into another back-down after receiving legal advice that the Australian Electoral Commission had illegally disclosed information on around 10 million registered Australian voters, after the Prime Minister had asked for this information in order to conduct a targeted direct mailing campaign outlining the benefits of the tax reform package.

During 2000, Commonwealth and State governments announced plans to move towards unique patient identifiers in the health sector, likely to be centered around a health smart card. Health services are primarily delivered by the public sector in Australia, with only around a third of the population having private health insurance. The responsibility for delivery of health services is shared between the Commonwealth Government, which is responsible for much of the funding of the health system, and the States, which operate hospitals and community health services. The Commonwealth's proposal, HealthConnect, is intended as a voluntary national health information network under which health-related information about an individual would be collected in a standard, electronic format at the point of care.[69] As a first phase of this system the Department of Health and Aged Care drafted the Better Management System Bill that would establish individual electronic medication records in order to improve access to information about drugs for doctors and patients. The system was widely criticized by consumers' and doctors' groups concerned about patient confidentiality and professional liability.[70] On July 30, 2001 the Department of Health announced that all negotiations on the implementation of this system and the introduction of the enabling legislation had been postponed due to "technical difficulties."[71] However, the plan was moving forward, and as of September 2003 the federal government expected national deployment of HealthConnect "within about five years."[72] It noted that technology – not privacy – presents the major hurdles, at least from the government health organization's perspective.[73] A pilot project was underway in Tasmania.[74]

A national registration scheme for doctors was introduced in April 2004 whereby doctors wanting to practice in more than one state or territory would only have to pay one national registration fee rather than face multiple fees per state.[75] Doctors' professional associations opposed the system – citing privacy concerns – because the system would provide a centralized and possibly Internet-accessible repository containing personal and professional details of all doctors.[76]

A major report on genetic privacy was issued in March 2003 by the Australian Law Reform Commission and the Australian Health Ethics Committee of the National Health and Medical Research Council. "Essentially Yours" makes 144 recommendations about the ethical, legal and social implications of genetic privacy.[77] The report recommends that privacy laws be harmonized and tailored to address the particular challenges of human genetic information, including extending protection to genetic samples, and acknowledging the familial dimension of genetic information. Employers should not be permitted to collect or use genetic information – except in those rare circumstances where this is necessary to protect the health and safety of workers or third parties, and the action complies with stringent standards set by a new Human Genetics Commission of Australia (HGCA). The insurance industry should be required to adopt a range of improved consumer protection policies and practices with respect to its use of genetic information (including family history) for underwriting purposes. A new criminal offense should be created to prohibit someone submitting another person's sample for genetic testing knowing that this is done without consent or other lawful authority. DNA parentage testing should be conducted only with the consent of each person sampled (or both parents in the case of young children), or pursuant to a court order.

In 2001 the Prime Minister announced the establishment of a national digital database of DNA and fingerprint samples in order to facilitate law enforcement.[78] The national DNA database system is coordinated by CrimTrac, a Commonwealth agency. The system when fully operational will enable the comparison of DNA profiles across all Australia's jurisdictions for law enforcement purposes. The system is underpinned by Commonwealth, State and Territory legislation. A Report of a Review of Part 1D of the Crimes Act 1914 (the relevant federal law) was tabled in Parliament on 15 May 2003. The Review found that the national system is not yet operational and only one jurisdiction (New South Wales) has loaded profiles onto the relevant CrimTrac database known as the National Criminal Investigation DNA Database (NCIDD). While there has been relatively little experience of the operation of Part 1D, the Review has recommended improved accountability arrangements both within and across Australia's jurisdictions. The Review sees effective accountability mechanisms as crucial to maintaining public confidence in the use of DNA analysis for law enforcement purposes. The Review recommends that the external scrutiny mechanisms be based upon existing cooperation between Australian Ombudsmen with involvement of Privacy Commissioners and other monitoring bodies. Under legislation proposed by the Victoria Law Reform Committee, suspected thieves would be required – if compelled by police via a court order – to submit DNA samples.[79] Currently only suspects of more serious crimes, such as rape and murder, can be required to submit DNA.[80]

Legislative amendments in 2002 and 2003 have given the Australian Security Intelligence Organization (ASIO) significant and highly controversial new powers, including the ability to detain and question individuals suspected of having information relevant to terrorism. Despite extracting many concessions and additional safeguards from the government, the Opposition allowed the final changes through in June 2003 without ruling out the possibility of indefinite detention without charges under repeated warrants. The amendments allow ASIO to detain and question a journalist who may have information regarding suspected terrorists gained through her interviews and contacts; refusing to cooperate could result in a five-year imprisonment.[81] The budget for ASIO has doubled since September 11, 2001, after receiving an AUS 131 million boost in 2004.[82]

In November 2003, Australia introduced the "M-Series" tamper-resistant passports.[83] In order to meet the requirements of the United States Visa Waiver Program, the Australian government fast-tracked proposed legislation amending the Australian Passports Act in order to provide facial biometric features in passports.[84] A Passports Legislation Consultation Group was established, including members from privacy and human rights groups as well as travel, financial and biometrics industries.[85]

The Crimes Act[86] also contains a range of other privacy related measures, such as offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications and the unauthorized disclosure of Commonwealth government information.[87] In late June 2001, the Government introduced draft legislation targeting online crime. A recent Federal Court of Australia decision marks one of the first Australian cases to deal with a clear case of cybersquatting. In CSR Limited v. Resource Capital Australia, the court ordered the transfer of the domain and ordered Melbourne IT to set conditions on any future registrations by the defendant.[88] The court relied on the Trade Practices Act to find that the registration was misleading.

Currently, the Government is considering an online censorship bill, allowing the Australian Broadcasting Authority and the Office of Film and Classic Literature to withhold information regarding what online information is being restricted.[89] The proposed amendments to the Freedom of Information (FOI) Act are designed to further prevent public scrutiny (and potential criticism) of the operation of the Federal Internet censorship regime that became operative on January 1, 2000. The bill is meant to restrict the details regarding the net blocking system which restricts access to material that is "objectionable" or "unsuitable for minors."[90] Under Australia's FOI law, the agencies may withhold information regarding their practices and the details of their agency operations. As of May 2003, the proposal has passed the House of Representatives, but is expected to meet resistance in the Senate. The EFA and other civil liberties groups have opposed the Internet content regime put in place under the Broadcasting Services Act, and have tracked the operation of the laws through FOI applications.[91]

The federal Freedom of Information Act of 1982[92] provides for access to government records, requiring agencies to respond within 30 days to requests.[93] The FOI Act is the mechanism through which the access right in the Privacy Act is implemented for public sector agencies. The Commonwealth Ombudsman promotes the FOI Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the Attorney-General's Department and Ombudsman to support the Act and there is now little central direction, guidance or monitoring. In 2002-2003, there were 41,481 requests, an 11 percent increase over the previous year; of those finalized, 71 percent were granted in full, 23 percent granted in part, and 6 percent refused.[94] Nearly 92 percent of the requests were for personal information, mostly to the Department of Veterans' Affairs, the Department of Immigration and Multicultural and Indigenous Affairs (DIMIA), and Centrelink (a government agency delivering a range of Commonwealth services).[95] In 2001, the Senate held an inquiry into whether to adopt changes recommended by a 1995 report critical of the FOI law, but no substantive changes have since been made to the law.[96]

At least one major retailer in Australia – a food and liquor chain – is planning RFID trials.[97] The Australian Privacy Commissioner cautioned against privacy invasive RFID plans, but no specific guidelines or legislative efforts are underway.[98]

In early 2004, mobile phone operators were considering adding location tracking features to their phones and networks.[99] The proposal was driven in part by an ACA report finding that over 80 percent of the more than 5 million calls to emergency services in 2002-2003 were hoaxes.[100] A concept car introduced at the 2004 Melbourne Motor Show unveiled another possible location-based service. Toyota's Sportivo Coupe – a prototype – featured a system whereby the driver inserts a smart card as a replacement for a key.[101] The car would communicate with traffic cameras designed to catch speeders, linking the citation to the driver instead of just the car.[102] Additionally, the car displays the driver's license number – instead of the license plate – on the front and back of the car.[103]

In February 2004, an Australian court granted an order giving the music industry – the copyright owners – rights of search and seizure against the makers of a popular peer to peer application, Kazaa.[104] The offices of the vendor of the application were raided, along with those of the chief executive, several universities, and other businesses.[105]

State and Territory Laws

The Australian States and Territories have varying privacy laws. New South Wales (NSW), the most populous State, passed the Privacy and Personal Information Protection Act 1998 which applies (since July 2000) to most state government agencies, although there are numerous and generous exemptions, and agencies can apply for Codes of Practice that can weaken the principles. The former Privacy Committee (which acted as an Ombudsman since 1975 and also issued several reports and guidelines on matters such as video surveillance and smart cards) has been replaced by a part time Privacy Commissioner with a very small staff.[106] The Act is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows for the development of Codes of Practice that weaken the Information Protection Principles, and several such Codes have already been made.[107]

NSW enacted a Workplace Video Surveillance Act[108] in 1998 (partly in response to the Privacy Committee report). In a report issued publicly in early 2002,[109] the NSW Law Reform Commission reviewed the laws governing surveillance more generally, including the operation of the existing Listening Devices Act 1984.[110] The NSW government indicated in 2001 that it was disposed to legislate on e-mail monitoring in the workplace but this has not progressed. A separate NSW Health Records and Information Privacy Act[111] was passed in 2002, and took effect in March 2004.

In July 2002, the Office of Information Technology (OIT), an agency of the state government of NSW, issued guidelines pursuant to the Privacy and Personal Information Protection Act of 1998. The guideline states that as a matter of good practice, each agency should have a designated privacy contact officer. It adds that the obligations of the chief information officer in each agency include ensuring there is a privacy management plan. The responsibilities of other staff, including librarians, web managers, human resources managers and records managers, are also described.[112]

NSW began work on legislation prohibiting employers from monitoring employee email unless the employer can demonstrate a reasonable suspicion of employee wrongdoing.[113]

In 2002, NSW passed the Health Records and Information Privacy Act, which commenced in September 2004.[114]

The state of Victoria has enacted the Information Privacy Act 2000, which applies privacy principles (an almost exact copy of the NPPs in the federal Act) to most state government agencies. There are relatively few exemptions and while there is provision for Codes of Practice, they cannot weaken the principles. The Act created an office of Privacy Commissioner,[115] which has been very active so far, with a monitoring, enforcement and education role and responsibility for conciliating complaints.

The Victorian Civil and Administrative Tribunal can determine unresolved complaints. Victoria has also passed the Health Records Act 2001 to complement the information privacy legislation by requiring Victorian health service providers to handle health information responsibly. The Health Records Act also gives patients a right of access to their records held by private practitioners. The Victorian Law Reform Commission[116] received a reference in April 2001 to review the coverage of privacy law in Victoria, and published an Issues Paper in 2002 on workplace privacy.[117]

The government of the Australian Capital Territory (ACT), which used to be a local authority under Commonwealth (federal) law, and was consequently covered by the federal Privacy Act, achieved self-government as a separate Territory in 1989. The Privacy Act was amended to continue coverage, intended as an interim measure, but this remains the position, with the Privacy Commissioner in effect serving also as the ACT's Commissioner, responsible to its own government. However, in 1997 the ACT government passed its own Health Records (Access and Privacy) Act,[118] which applies to personal health information held by anyone in the public or private sector. Its provisions are similar to those of the IPPs in the Privacy Act, and supersede them for ACT government agencies in this area of data handling.

The self-governing Northern Territory has enacted a combined privacy and FOI law – the Information Act 2002,[119] which took effect in July 2003. The Office of the Information Commissioner was established in 2004.[120]

Queensland had a purely advisory Privacy Committee from 1984 to 1991[121] and has a limited privacy statute[122] covering the use of listening devices, credit reporting (operating alongside the 1989 amendments to the federal Privacy Act) and physical intrusions into private property. In April 1998, after a year-long review, a Parliamentary Committee recommended comprehensive privacy legislation for the public sector.[123] The government indicated that it intended to legislate but no timetable has been set, and in 2001 the government adopted privacy principles on a hopefully interim non-statutory basis.[124]

The other states, Tasmania, South Australia and Western Australia, also operate administrative schemes based on variations of the standard sets of privacy principles.[125] In May 2003, the Western Australian government released a discussion paper[126] proposing a public sector privacy law.

All of the States and Territories also have FOI laws that include rights for individuals to access and correct personal information about themselves.[127]



[1] The Commonwealth of Australia Constitution Act <http://www.aph.gov.au/senate/general/constitution/>.

[4] Privacy Act 1988 (Cwth) <http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/longtitle.html>.

[5] The Data-matching program (Assistance and Tax) Act 1990. <http://www.austlii.edu.au/au/legis/cth/consol_act/dpata1990349/>.

[6] Siobhan Chapman, "Privacy Chief Calls for Identity Management Debate," iTnews, June 12, 2004 <http://www.itnews.com.au/storycontent.asp?ID=12&Art_ID=18953>.

[7] Outgoing Commissioner Urges Enforcement as Topic in Australian Privacy Law Review, Privacy and Security Law Report, Vol. 3, No. 17 at 507 (2004).

[8] See Patrick Gunning, Central Features of Australia's Private Sector Privacy Law, Privacy Law and Reporter, Vol. 7, No. 10 1 (2001). Back issues available at <www.austlii.edu.au/au/other/plpr>; Global Privacy Law Update, The Computer Lawyer Vol. 20 No. 6 (Privacy), June 2003, at 1.

[9] Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000 <http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm>.

[10] Simon Hayes, "EU Renews Attack on Privacy," The Australian, September 16, 2003.

[11] See <http://scaleplus.law.gov.au/html/comact/11/6805/top.htm>.

[12] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[13] See <http://www.privacy.gov.au>.

[14] Id.

[15] Id.

[16] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[17] Press Release, Office of the Federal Privacy Commissioner, Privacy Commissioner Approves Market Research Code (August 3, 2003) <http://www.privacy.gov.au/news/media/03_11.html>.

[18] Karen Dearne, "Little Progress on New Privacy Boss," AustralianIT, March 9, 2004 <http://australianit.news.com.au/articles/0,7204,8906964%5e15441%5e%5enbv%5e15306-15319,00.html>.

[19] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[20] Dearne, supra.

[21] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[22] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[23] Id.

[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[31] Office of the Privacy Commissioner, Case Note Number 1, available at <http://www.privacy.gov.au/act/casenotes/ccn2_03.html>.

[32] Office of the Privacy Commissioner, Case Note Number 3 of 2004, available at <http://www.privacy.gov.au/act/casenotes/comdeter0403.html>.

[33] Tenant Checking Company Breach Privacy Law; Australian Class Action Prevails, Privacy and Security Law Report, Vol. 3 No. 17, at 501 (2004).

[34] Office of the Privacy Commissioner, Case Note Number 3 of 2004, available at <http://www.privacy.gov.au/act/casenotes/comdeter0403.html>.

[35] Id.

[36] Letter from Timothy Pilgrim, Acting Federal Privacy Commissioner for Australia, to Patrick Mueller, Law Clerk, Electronic Privacy Information Center, June 18, 2004 (on file with EPIC).

[37] See <http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/637.html>.

[40] Office of the Federal Privacy Commissioner, "The results of Research into Community, Business and Government attitudes towards Privacy in Australia." July 31, 2001 <http://www.privacy.gov.au/research/index.html#1.1>.

[41] "Privacy and the Community: Main Findings" <http://www.privacy.gov.au/publications/rcommunity.html#4>.

[43] Id. Part 13.

[45] Code C 522. See <http://www.acif.org.au>.

[46] Australian Communications Authority, "Who's Got Your Number? Regulating the Use of Telecommunications Customer Information," available at <http://www.aca.gov.au/telcomm/industry_standards/regulating_use_of_customer_information.htm>.

[47] Id.; see also Electronic Frontiers Australia, "Regulating the Use of Telecommunications Customer Information" (May 14, 2004), available at <http://www.efa.org.au/Publish/efasubm-aca-ipnd.html> (Comments submitted to ACA public comment invitation).

[48] Telecommunications (Interception) Act 1979 <http://www.austlii.edu.au/au/legis/cth/consol_act/ta1979350/>.

[49] Section 6 (2) of the Act is very unclear. An industry working party is currently reviewing Guidelines on 'participant monitoring'. See ACIF Guideline G516 <http://www.acif.org.au>.

[50] Johanna Leggatt, "QLD 'Needs Phone Tapping,'" AustralianIT, April 19, 2004 <http://australianit.news.com.au/articles/0,7204,9323562%5e15306%5e%5enbv%5e,00.html>.

[51] See <http://www.efa.org.au/Issues/Privacy/tia-bill2004-sc.html>.

[52] Electronic Frontiers Australia, "Briefings Paper: Telecommunications (Interception) Amendment (Stored Communications) Bill 2004" (June 3, 2004), available at <http://www.efa.org.au/Issues/Privacy/tia-bill2004-sc.html>.

[53] See <http://www.aph.gov.au/library/pubs/bd/2003-04/04bd147.htm>.

[54] See Electronic Frontiers Australia, "Surveillance Devices Bill 2004" (June 4, 2004), available at <http://www.efa.org.au/Issues/Privacy/sd_bill2004.html>.

[55] See Telecommunications (Interception) Act 1979 Annual Report for Year Ending 30 June 2002 <http://law.gov.au/www/agdhome.nsf/Web+Pages/696D22E493C27350CA256D480027BCE7?OpenDocument>.

[56] See Telecommunications (Interception) Act of 1979 Annual Report for Year Ending 30 June 2003 <http://law.gov.au/www/agdHome.nsf/AllDocs/6EDC9CC0FC414ED6CA256E45000023F7?OpenDocument>.

[57] Office of the Federal Privacy Commissioner, "Privacy and the NOIE Spam Report," April 16, 2003 <http://www.privacy.gov.au/news/03_01.html>.

[58] Spam Act 2003 (2003) (Austl.) <http://scaleplus.law.gov.au/html/pasteact/3/3628/top.htm>.

[59] David Frith, "Five Basic Rules for Complying with Spam Act," Canberra Times, April 12, 2004, at A15.

[60] Edward Manda, "Act Won't Slam the Door on Spam, but It Will Help," The Australian, April 20, 2004, at 35.

[61] Australia Readies for New Spam Act as Official Releases Guide for Businesses, Privacy and Security Law Report, Vol. 3, No. 10 at 270 (2004); "Australia Spam Authorities Target Repeat Offenders," Precision Marketing, February 27, 2004, at 9.

[62] Electronic Frontiers Australia, "Analysis of Spam Bills 2003" (November 1, 2003) available at <http://www.efa.org.au/Publish/spambills2003.html>.

[63] Mike Barton, "Security Fears Over 'Spyware,'" The Age, December 23, 2003 <http://www.theage.com.au/articles/2003/12/22/1071941668618.html>.

[64] Id.

[65] Homepage <http://www.efa.org.au/>.

[66] Homepage <http://www.privacy.org.au/>.

[67] James Pearce, "Privacy, Security on Aust Single-Identifier Group's List," ZDNet Australia, September 26, 2003 <http://tinyurl.com/32j52>.

[68] Id.

[70] Karen Dearne, "Medicos Oppose Data Bill," Australian IT, July 24, 2001 <http://australianit.news.com.au/common/storyPage/0,3811,2414429%5E442,00.html>.

[71] John Kerin, "Medical E-Files 'Delayed For Poll,'" Australian IT, July 30, 2001 <http://australianit.news.com.au/common/storyPage/0,3811,2460860%255E1286,00.html>.

[72] Mark Metherell, "Privacy Fear Rejected for Health Data," Sydney Morning Herald, September 27, 2003.

[73] Id.

[74] Id.

[75] Stephanie Kennedy, "National Registration Scheme for Doctors Gives Rise to Privacy Concerns," ABC Online, April 23, 2004 <http://www.abc.net.au/am/indexes/2004/am_archive_2004_Friday23April2004.htm>.

[76] Id.

[77] Essentially Yours: The Protection of Human Genetic Information in Australia, available at <http://www.alrc.gov.au/media/2003/mr2905.htm>.

[78] "Australia Launches DNA Database to Fight Crime," Reuters, June 20, 2001.

[79] Misha Ketchell, "Plan to Take DNA From Theft Suspects," The Age, March 4, 2004.

[80] Id.

[81] Simeon Beckett, "New Terrorism Law Raises Spectre of Agency Abuse," Sydney Morning Herald, June 26, 2003, at 13.

[82] Mark Forbes, Michelle Grattan, "PM Gives $232m For The 'Fight of Our Lives,'" The Age, May 6, 2004 <http://www.theage.com.au/articles/2004/05/05/1083635204653.html?oneclick=true>.

[83] James Pearce, "New AU High Security Passport Omits Biometrics," ZDNet Australia, November 28, 2003 <http://www.privacy.gov.au/news/media/03_17.html>.

[84] Karen Dearne, "Canberra Faces up to Security," AustralianIT, February 24, 2004 <http://australianit.news.com.au/articles/0,7204,8767093%5e15841%5e%5enbv%5e,00.html>.

[85] "New Law to Step up Australian Passport Security, Increase Penalties," BBC Monitoring International Reports, February 17, 2004.

[87] See <http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/index.html#s85m>.

[88] <http://www.austlii.edu.au/au/cases/cth/federal_ct/2003/279.html>.

[89] <http://www.efa.org.au/FOI/clabill2002>.

[90] Electronic Frontiers Australia, "Internet Censorship in Australia" (December 20, 2002), available at <http://www.efa.org.au/Issues/Censor/cens1.html>.

[91] Simon Hayes, "Net anti-FOI bill set to fail," Australian IT, April 15, 2003 <http://australianit.news.com.au/articles/0,7204,6283083%5E15319%5E%5Enbv%5E15306,00.html>.

[92] Freedom of Information Act 1982 <http://www.austlii.edu.au/au/legis/cth/consol_act/foia1982222/>, Freedom of Information (Fees and Charges) Regulations 1982 <http://www.austlii.edu.au/au/legis/cth/consol_reg/foiacr432/index.html>, Freedom of Information (Miscellaneous Provisions) Regulations 1982 <http://www.austlii.edu.au/au/legis/cth/consol_reg/foipr612/index.html>.

[93] David Banisar, The Freedominfo.org Global Survey: Freedom of Information and Access to Government Records Around the World (May 2004) at 11-12 <http://freedominfo.org/survey.htm>.

[94] Australia Attorney-General's Department, Freedom of Information Act 1982 Annual Report 2002-2003, October 24, 2003, available at <http://www.ag.gov.au/www/securitylawHome.nsf/AllDocs/RWPC99101F32A5A081CCA256DEE00760ED3?OpenDocument>.

[95] Id.

[96] Banisar, supra at 11.

[97] "Privacy Fears Could Stymie Tracking Chips," The Australian, May 4, 2004, at C05.

[98] Press Release, Office of the Federal Privacy Commissioner, World's Privacy Regulators Call for Privacy Friendly RFID Tags, September 12, 2003 <http://www.privacy.gov.au/news/media/03_17.html>.

[99] Sue Lowe, "Mobiles May Blow Whistle On Fake Sickies – Or Save Your Life," Sydney Morning Herald, January 23, 2004 <http://reg.smh.com.au/splash.do?site=SMH&server=http:%2f%2fwww.smh.com.au&retn=%2farticles%2f2004%2f01%2f22%2f1074732543954.html>.

[100] Id.

[101] Joshua Dowling, "Strange Concept: This Car Dobs You in to the Speed Camera," Sydney Morning Herald, February 27, 2004 <http://www.smh.com.au/articles/2004/02/26/1077676900598.html>.

[102] Id.

[103] Id.

[104] See <http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/183.html>.

[105] Patrick Gray, "Kazaa Tripped up in Aussie Court," Wired, March 4, 2004 <http://wired.com/news/print/0,1294,62532,00.html>.

[107] See <http://www.lawlink.nsw.gov.au/pc.nsf/pages/index>.

[109] Law Reform Commission, Report 98 (2001) - Surveillance: an interim report <http://www.lawlink.nsw.gov.au/lrc.nsf/pages/r98toc>.

[112] "Data Protection: Australian State Issues New Guidelines To Help Government Manage Private Data," Privacy Law Watch, August 6, 2002. The OIT Guidelines are available at <http://www.oit.nsw.gov.au/pages/4.3.20.S-IM-Privacy.htm>.

[113] "NSW Targets Employers' Email Snooping," ABC Online, March 30, 2004 <http://www.abc.net.au/news/newsitems/s1077250.htm>.

[114] See <http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_03_hripact>.

[115] Homepage <http://www.privacy.vic.gov.au/>.

[117] <http://www.lawreform.vic.gov.au/CA256A25002C7735/OrigDoc/~A83B0A7753C148D7CA256C0700197874?OpenDocument&1=30-Current+projects~&2=30-Privacy~&3=25-Issues+Paper~>.

[119] <http://notes.nt.gov.au/dcm/legislat/legislat.nsf/d989974724db65b1482561cf0017cbd2/33ef7122365a039e69256d55000a938c?OpenDocument>.

[120] See <http://www.privacy.nt.gov.au>.

[121] Privacy Committee Act 1984 (Qld).

[122] Invasion of Privacy Act 1971 (Qld).

[123] Privacy in Queensland, Report No 9, Legal Constitutional and Administrative Review Committee, April 1998, available at <http://www.parliament.qld.gov.au/comdocs/legalrev/lcarc9.PDF>.

[127] For an overview of FOI laws in Australia and links to relevant government sites, see generally the University of Tasmania's FOI Review web page <http://www.comlaw.utas.edu.au/law/foi/>.

