Attorney General’s Review of the Privacy Act Report; Chapter 9, the Journalist exemption; analysis and review. The Report supports the core of the status quo but recommends amendments to require proper data security and compliance with the Data Breach Notification Scheme.

June 4, 2023 |

The Attorney General’s Report on the Privacy Act review considers the status of the of the journalistic exemption at chapter 9.  Unlike the small business exemption and the business records exemption the exemption for journalism has a strong public policy basis.  Notwithstanding the media being involved in very serious privacy breaches over the years there has always been an acknowledgment that that there should be some form of exemption.  The Report did not alter the core of the exemption but proposes bringing media organisations under the regulation of the Privacy Act regarding data security and data breach notification. 

There was never likely to be a significant change to the way in which the Privacy Act dealt with the journalism exemption.  In 2008 the Australian Law Reform Commission did not recommend a change to the exemption.  That does not mean that the current regime is without flaws and problems which will continue after the Act is amended. 

In the main the responses ranged from strongest supporters of retaining the exemption, primarily media companies,  to those who wanted reform but were not prepared to remove the exemption.  The rationale for the exemption is that it recognises the important and beneficial role of journalistic output in Australian society.  That is made clear from the Explanatory Memorandum which provides that it is to balance ‘the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.’

The exemption is set out in section 7B(4) of the Privacy Act.  It provides:

(4)  An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a)     by the organisation in the course of journalism; and

(b)     at a time when the organisation is publicly committed to observe standards that:

(i)      deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

 (ii)    have been published in writing by the organisation or a person or body representing a class of media organisations.

A media organisation may publish such standards itself, or be a member of an industry body which has a published code of conduct containing privacy standards.

The Report noted that media regulation is sector specific with:

  • Broadcast media primarily operates under a co-regulatory framework: broadcasters develop codes of practice which are registered by the ACMA if it is satisfied that the code provides appropriate community safeguards. These codes address privacy, although obligations differ between them.
  • the national broadcasters – ABC and SBS – develop their own codes of practice, under enabling legislation, which are notified to the ACMA. Each contain privacy standards
  • All broadcasting codes of practice provide that complaints can be made under the respective codes. The ACMA has the power to investigate potential breaches of registered codes and take a range of enforcement actions but has more limited enforcement options for national broadcasters.
  • the print media being self-regulated with many members of the Australian Press Council (APC). To that extent they subject to the APC’s Standards of Practice, which include privacy standards.
  • While the APC has a system for receiving, handling and adjudicating complaints membership is optional and can be withdrawn.
  • the Independent Media Council (IMC) also handles complaints against funding bodies. It publishes privacy standards to be observed by the print and print online publications which are subject to its oversight.
  • ‘Digital Native’ media services, including online-only news publishers and internet streaming services, are not captured by current media regulation
  • live streaming services (including television and radio) are specifically excluded from the definition of a ‘broadcasting service’ and the ACMA does not have authority to investigate journalism or privacy related complaints about them.
  • some prominent online publishers are not members of an oversight body, but may have their own standards and complaints procedure.
  • the Act does not contain a definition of ‘journalist’ or ‘journalism’ and journalists do not require professional accreditation or registration in order to work. Journalists who choose to become members of the MEAA are bound by its Code of Ethics and can be the subject of a complaint to the union.
  • despite the active participation of digital platforms in the online news ecosystem, virtually no media regulation applies to them.

Not surprisingly there is little support for a public interest requirement to attract the benefit of the journalism exemption.  Some proposed a narrower exemption that would cover only investigative and public interest journalism and the Commissioner submitted that the journalism exemption should be amended ‘to confine it to journalism that is, on balance, in the public interest, as recognised in existing journalism privacy standards.’  The key problem with such a threshold is that the Commissioner would, by definition, be the arbiter of ‘public interest journalism’.

A key weakness in the current structure is that:

  • the enforcement under self regulatory arrangements is spotty and ineffective. Not surprisingly some broadcasters regarded the current co-regulatory approach, in which they are overseen by the ACMA, is effective and deals with complaints adequately.
  • there are different minimum standards.
  • the sector-specific approach to media regulation has not adapted well to digitalisation with online content not subject to the same level of regulation.
  • the exemption removes certain journalistic acts and practices from the oversight of the Commissioner.

The Report opts to amend the Act to enhance the degree of accountability of media organisations under the self-regulation model. The amendments would be designed to:

  • require media organisations to be subject to:
    • privacy standards overseen by a recognised oversight body (the ACMA, APC, or IMC); or
    • standards that adequately deal with privacy.
  • ensure that If an organisation is subject to the oversight of a recognised regulatory body any complaint regarding interference with privacy would be made through its complaints process.
  • not require a media organisation to be subject to the oversight of one of those bodies to attract the exemption.
  • allow a media organisation to develop and publish its own privacy standards provided that they were ‘adequate’ which would mean that they would meet minimum criteria.
  • the Commissioner, in consultation with the ACMA, media representative bodies and media organisations, would develop and publish criteria for adequate media privacy standards as well as a template privacy standard.
  • In assessing whether a media organisation’s privacy standards are adequate, the Commissioner would consider, amongst other matters, its process for receiving and dealing with complaints.
  • where an organisation is not covered by the exemption, the Commissioner would have jurisdiction to deal with privacy complaints as it does presently.

This proposal bears similarities to one element of the ALRC’s recommendation in its Report 108 that the exemption for journalistic acts and practices was important and should be retained, but that media organisations should be committed to ‘adequate privacy standards’.

9.1 To benefit from the journalism exemption a media organisation must be subject to:

    • privacy standards overseen by a recognised oversight body (the ACMA, APC or IMC) or
    • standards that adequately deal with privacy.


9.2 In consultation with industry, and the ACMA, the OAIC should develop and publish criteria for adequate media privacy standards and a template privacy standard that a media organisation may choose to adopt.


There was strong support for applying the security and destruction obligations in APP 11 to acts or practices by media organisations in the course of journalism.  No surprises that media organisations opposed such a proposal.

The report proposes that APP 11 apply to all media organisations, including for acts and practices in the course of journalism. The Commissioner’s guidance should clarify that the destruction requirement should apply where information is no longer needed for the purposes of journalism.  Given journalists and media organisations keep vast troves of data because reporting often involves returning to archival material and it is impossible to say when a story has finally run its course it will be interesting to see what bright light line can be drawn to delineate where information is no longer needed for the purpose of journalism. 

The Report also proposes that a modified version of the NDB scheme should apply to acts and practices in the course of journalism but that it be modified in line with the UK approach, to take account of situations where directly reporting a breach to an individual is incompatible with journalism.

9.4 Require media organisations to comply with security and destruction obligations in line with the obligations set out in APP 11.


9.5 Require media organisations to comply with the reporting obligations in the NDB scheme. There will need to be some modifications so that a media organisation would not need to notify an affected individual if the public interest in journalism outweighs the interest of affected individuals in being notified.

The proposals are safe options.  The modification of the exemption to require media organisations to comply with the data security obligations is on its face quite sensible.  A serious issue will be the tension between media organisations keeping masses of material after a story is published as a resource for future stories and that material which no longer is need for the purpose of journalism.  Given the hotch potch of regulations across the various media platforms the Commissioner will be required to apply time and effort to determine which is adequate as well as developing guidelines and templates.  One of the most glaring deficiencies has not been tackled, even if acknowledged, the generally unsatisfactory complaints process and the derisory penalties in the event a complaint is upheld.  That has not been addressed. The Report suggests that adequate standards would include more effective enforcement which the Commissioner could review.  That is unlikely to achieve much.  Hence Press Council findings may continue to be slightly embarrassing but will continue to do little to change practices because there is no teeth to its findinngs.  Adverse findings by ACMA, which theoretically may be significant,  rarely result in anything more than a requirement to take administrative action. 

Part of the reason there are few complaints about breaches of privacy is that the mechanism is so obviously flawed. While this is a failure of public policy it may be remedied by greater focus on the use of the mooted tort of interference with privacy.  That may be the practical solution but it would be a shame to rely on this mooted reform when a meaningful and effective complaints process would be better suited to some complaints.  And would be a lot cheaper for both parties.   T

Leave a Reply

Verified by MonsterInsights