Government’s response to Digital Platform Inquiry brings a direct right of action for an interference with privacy one step closer but puts off yet again a statutory tort for interference with privacy to another review
December 12, 2019
Today the Federal Government released its response to the ACCC Digital Platforms Inquiry.
In relation to the recommendations relating to improving privacy protections it has been cautiously supportive, with emphasis on caution. The positive outcome is that it supports giving individuals a direct right of action in court for interferences with privacy.
The overall response relevantly states, at page 6:
Consultation on the Privacy Act reforms announced in March 2019 will also seek input on amending the definition of ‘personal information’ in the Privacy Act to capture technical data and other online identifiers; strengthening existing notice and consent requirements to ensure entities meet best practice standards; and introducing a direct right of action for individuals to bring actions in court to seek compensation for an interference with their privacy under the Privacy Act.
(Emphasis added)
Regarding the Privacy Act revision the Government’s response states:
While consultation confirmed there is general satisfaction with the Privacy Act’s principles-based, technology neutral approach, it is also appropriate to consider how the scope of the Privacy Act applies and fits in the digital age and the adequacy of enforcement arrangements.
The Government will commence a review of the Privacy Act to ensure it empowers consumers, protects their data and best serves the Australian economy. A review will identify any areas where consumer privacy protection can be improved, how to ensure our privacy regime operates effectively for all elements of the community and allows for innovation and growth of the digital economy. The review will also allow for further consultation on the ACCC’s reform proposals to enable consumers to request the erasure of their personal information.
The Government’s commitment to introducing a direct right of action makes a distinction between a right of action under the Privacy Act and a statutory tort.
The recommendation for a direct right of action under the Privacy Act, recommendation 16(e), was:
Introduce direct rights of action for individuals
The response was:
Support in principle, subject to consultation and design of specific measures. The Government will consult further on this recommendation to identify the appropriate measures that can be taken to ensure individuals have adequate remedies for an interference with their privacy under the Privacy Act.
It is fair to say the Government is broadly supportive; however, what the specific and appropriate measures it refers to turn out to be will determine how effective the right is. It is hoped that the Government was precise in its language and meant an action can be brought in the Federal or Federal Magistrates Court rather than the Administrative Appeals Tribunal. If it is a cause of action in the Administrative Appeals Tribunal, that would not bode well. The AAT has adopted a very constrained, highly process-driven administrative law approach to privacy complaints which has almost invariably resulted in individuals failing. The Federal Court is better placed to understand the rights issues over the administrative process palaver that Government lawyers enjoy using to scupper privacy actions.
There are two significant limitations to this cause of action: the first is that it only relates to an interference with information rights and the second is that it only covers entities covered by the Privacy Act. There are a significant number of organisations outside its remit. And there are illogical statutory exemptions in the Act which will limit a person’s ability to bring an action.
The response to a statutory tort for a serious invasion of privacy is very disappointing.
At recommendation 19 the ACCC recommended:
Statutory tort for serious invasions of privacy
The Government has chosen to conduct yet another review stating:
Note. This recommendation would need to be considered through the review of the Privacy Act at recommendation 17.
That response is tied in with the ACCC’s recommendation 17 which provides:
Broader reform of Australian privacy law
To which the Government has responded:
Support. The Government will conduct a review of the Privacy Act and related laws to consider whether broader reform of the Australian privacy law framework is necessary in the medium- to long-term to empower consumers, protect their data and best serve the Australian economy. The review will complement the amendments to the Privacy Act announced in March 2019 to increase penalties, strengthen enforcement and introduce a binding online privacy code. The review will also consider the matters in recommendations 16(d) above and recommendation 19 below.
So whether there is a need for a statutory tort for a serious invasion of privacy will undergo yet another review. To put it into context, this recommendation was made by the Victorian Law Reform Commission, the New South Wales Law Reform Commission, twice by the Australian Law Reform Commission in 2008 and 2014, and many Commonwealth Parliamentary Reports including the Inquiry into drones and regulation of air safety and privacy in 2014 (the Eye in the sky report). What more needs to be said? What will be covered that has not been covered in these reports? What has changed to make a fresh inquiry necessary?
So here we go again. Another discussion paper, another round of consultations, another draft report and another report to the Government. And then who knows what. If I was to be cynical I would suggest the process is a whole lot of kabuki, process over action. Kicking the can down the road for another 12 months at least, if not much longer with the possibility of no statutory tort.
So in 2020 there will be a lot of privacy practitioners writing submissions, probably making liberal use of their many drafts from earlier submissions. It is enough to make a cat smile.
The other specific responses to recommendations regarding the Privacy Act are generalised support in principle, with the exception of increased penalties which it supports, with the caveat of more consultation:
Update ‘personal information definition’
Support in principle, subject to consultation and design of specific measures. The Government will consult further on this recommendation to ensure that the definition of ‘personal information’ captures technical data and other online identifiers that raise privacy concerns and that any amendments to the definition do not impose an unreasonable regulatory burden on industry.
Strengthen notification requirements
Support in principle, subject to consultation and design of specific measures. The Government will consult further on this recommendation to identify the appropriate measures that can be taken to improve notification to individuals without imposing significant regulatory burden and ensuring individuals do not suffer from ‘notification fatigue’. Reforms to the Privacy Act the Government announced in March 2019 will require social media platforms and other online platforms that trade in personal information to meet best practice standards when notifying individuals of the collection of personal information, and to be more transparent about how they share data with third parties. Further consultation will provide the opportunity to consider how similar measures could be adopted economy-wide.
Strengthen consent requirements and pro-consumer defaults
Support in principle, subject to consultation and design of specific measures. The Government will consult further on this recommendation to identify the appropriate measures that can be taken to improve consent requirements and pro-consumer defaults, without imposing significant regulatory burden and ensuring individuals do not suffer from ‘consent fatigue’. Reforms to the Privacy Act the Government announced in March 2019 will require social media platforms and other online platforms that trade in personal information to meet best practice standards when seeking consent for the collection, use or disclosure of personal information, and to be more transparent about how they share data with third parties. Further consultation will provide the opportunity to consider how similar measures could be adopted economy-wide.
Higher penalties for breach of the Privacy Act
Support. The Government announced in March 2019 that it would consult on draft legislation to amend the Privacy Act, including to increase maximum civil penalties to match penalties under the Australian Consumer Law. The draft legislation will be introduced to Parliament in 2020.
OAIC privacy code for digital platforms
Support in principle. The Government announced in March 2019 that it would consult on draft legislation to amend the Privacy Act, including to introduce a binding privacy code that would apply to social media platforms and other online platforms that trade in personal information. The legislation will be introduced in Parliament in 2020. The code would require these entities to be more transparent about data sharing; to meet best practice consent requirements when collecting, using and disclosing personal information; to stop using or disclosing personal information upon request; and include specific rules to protect personal information of children and vulnerable groups. The Government expects the review of the Privacy Act at recommendation 17 will also provide an opportunity to consider whether this approach is sufficient to safeguard online consumer privacy or whether further action is needed.
Overall there are grounds for two (restrained) cheers for the response. It all depends on how real the support is at the end of the consultation, review and drafting process in 2020. There is many a slip betwixt cup and lip.
What also must always be borne in mind is that no matter how many amendments there are to the Privacy Act, when the regulator is poorly resourced and, additionally and especially, is a timid regulator, those new or enhanced powers will mean very little. The Information Commissioner has been scandalously underfunded. But that is only part of the story. As a regulator it has been a wretched failure, when well funded as well as when poorly resourced. The regulator has been timid, slow to act and a spectacularly poor litigator when in court. The Commissioner’s determinations, usually made 2 or more years after a complaint is made, are a model of otherworldly behaviour. Awards are risible and the analysis is a decade behind the rest of the world.
The Information Commissioner’s Office, and that of the Privacy Commissioner before it, has always had a poor culture. It is an office that needs a major clean out. The Government should put in people who are not afraid to bring proceedings against large organisations and government agencies and take action instead of constantly seeking to educate those who engage in egregious privacy practices. There is every appearance of state capture in the way the regulator engages with the organisations and agencies. That problem seems to be recognised and the ACCC has stepped in to fill the gap left by the Information Commissioner’s abrogation of her responsibilities.