University of New South Wales Law Journal

TIM DIXON^[*]

[1] The information society of the 21^st century will grapple with privacy issues on many levels. Privacy issues will frequently form part of wider social and political dilemmas about the role of public and private institutions and the use of various technologies. How our society resolves these privacy dilemmas will depend on the extent of the trust that we are willing to place in governments, corporations, technology, and in each other as individuals. In the process of dealing with these issues we will not just be shaping how we use particular technologies but redrawing the boundaries of the state, corporations and the individual, and shaping the balance between the interests of freedom, human dignity, justice, public order and economic efficiency.

[2] These will clearly not be easy issues to resolve. They will often involve powerful interests ranged against the powerless. They will involve tangible economic benefits competing with intangible notions of human dignity and fairness. And, in many cases, they will involve legitimate but competing claims on public policy and on institutions, corporations and governments.

[3] This issue of the University of New South Wales Law Journal Forum contemplates the place of privacy protection in the context of early 21^st century Australian law. As with many areas of law, what emerges is something of a jumble. While it is possible to see threads of reason in the stunted development of common law recognition of privacy rights over time, the new statutory privacy regime in Australia, which will come into effect from December 2001, while generally extending privacy rights, is weakened by wide exemptions and deep inadequacies. At best, it is a step towards establishing a consistent legal framework for protecting individual privacy; however, many of the contributors to this issue contemplate far more negative interpretations of its role in the evolving recognition of privacy rights in Australia.

[4] Tensions over individual privacy are becoming increasingly common in a range of contexts in modern life. The commercial value of personal information for profiling, risk assessment, marketing and other purposes, is creating an irresistible craving on the part of organisations for more personal information, and for greater access to that data. Government agencies are always eager for more data on individuals to assist in allocating resources efficiently and assessing the outcomes of current programs. The push to contain the massive and spiralling costs of public health, for example, is propelling us towards centralised health records, with far-reaching implications both for the nature of medical treatment and for how we handle the most sensitive and confidential personal information recorded about individuals. In particular, genetic information (and its potential uses) creates a new layer of vexing ethical issues, the nature of which societies have not been forced to confront before now.

[5] In the workplace, employers are constantly collecting more information and putting their employees under ever more intense levels of surveillance. Further, the blurring of the boundaries between work and private life is extending surveillance into previously secluded zones of private life. Information and communication technologies are making possible levels of surveillance and information processing that once seemed unimaginable, and the imperatives of national security and law enforcement are wearing away traditional expectations of a right to privacy. The sophistication of modern technology now means that little can be forgotten or lost, and the best hope for the privacy of communications may lie not in the lack of data trails but in their proliferation, making it harder to extract meaningful information from the endless trails of purely mundane data.

[6] One of the strange features of what is described as the concept of privacy is that it is at once both everything and nothing. It is a universally recognised human right; a fundamental feature of a free society; a central element in the checks and balances which a democratic society places on the authority of institutions and individuals, and a critical component of any society which allows people to start afresh without being forever shadowed by the mistakes in their past.

[7] Yet even as we recognise these characteristics of privacy, the old catchcry from the Australia Card debate of 1987 echoes through the years: if you have nothing to hide, you have nothing to fear. Not only should you ‘not worry’ about privacy, so the argument goes, but those that do (ie, privacy advocates) must necessarily be the friends of criminals, deviants and the paranoid. Some argue that the whole concept of privacy is a mirage: it doesn’t exist, it doesn’t matter, and attempts to protect privacy impose unnecessary burdens on organisations and governments alike.

[8] But despite such critics, the public does seem to continue to regard privacy issues as a fundamental right, and we should therefore expect to see further development in how the law protects privacy in the coming decades.

[9] A considerable amount of research into privacy attitudes throughout different countries has been conducted in recent years, and it points consistently to increasing levels of privacy concern.[1] There is a very high level of general concern about privacy issues amongst the Australian public. A 1999 Roy Morgan survey reported 56 per cent of people agreeing with the statement, ‘I’m worried about invasion of my privacy through new technology’, with 18 per cent agreeing strongly. Research by Ernst & Young has shown a higher level of concern about online privacy and security issues in Australia than in either the United States (‘US’) or Europe.[2]

[10] Privacy concerns have proved to be particularly strong in the online environment. A major opinion research project conducted by IBM in the US, the United Kingdom (‘UK’) and Germany in 1999 showed that concern about threats to personal privacy are greatest on the Internet, and range from 73 per cent in the UK to 92 per cent in the US, where 72 per cent of people were ‘very concerned’.[3] The IBM survey also highlights the importance of trust to privacy issues. Consumers recorded the lowest confidence in the privacy practices of companies which sell over the Internet, ranging from 10 per cent confidence to 21 per cent across the three countries.

[11] It is not surprising then that privacy concerns affect the commercial behaviour of consumers. The IBM research shows that 50 per cent of consumers in Germany, the UK and the US had refused to give information on websites because of privacy concerns, and between 39 per cent and 47 per cent of people stated that privacy issues had stopped them from making online purchases. In addition, around one third of Internet users demonstrate ‘privacy assertive behaviour’, such as giving false information when asked to register online.

[12] These and other surveys indicate that privacy is the highest-ranking issue affecting whether or not people are willing to use the Internet and for what purposes. The role of legal safeguards in establishing a framework for fostering electronic commerce is demonstrated by the high proportion of people – some 70 per cent of respondents in a Business Week-Harris poll in March 2000 – who say that they would use the Internet more often, register personal information, or purchase online, if there were explicit guarantees about the use of their personal information. Furthermore, 80 per cent of respondents consistently wanted an ‘opt in’ approach for the collection of personal information, demonstrating the importance of privacy protection for personal autonomy in an information age.

[13] Why are there such consistently high levels of concern? The privacy risks of the 21^st century are varied and highly complex. Sometimes they relate to simple fair information practices, such as being able to find out what organisations know about you, and to correct information which is wrong or misleading. Sometimes they are concerned with surveillance and the chilling effect of a person’s movements or communications being constantly monitored. Sometimes they are about stopping unwanted intrusions, whether by marketing initiatives or forms of bodily intrusion. Finally, and perhaps often hardest to identify, is the broader sense of unease which people feel when information about them is being collected, stored and possibly matched with other records.

[14] Jeffrey Rosen captures this concept eloquently in his recent book on the state of privacy in the US.[4] Rosen argues that there is such deep unease over privacy issues and the collection and use of personal information because such activities ultimately concern issues of identity. As people, we are always far more than the sum of the information which is stored about us. In fact, often too little information is recorded about us to do anything other than create a misleading impression of the kinds of people we are. Rosen takes up the issue in the context of the new technologies which have the potential to track

[15] Internet usage, television viewing, and other aspects of our lives.

[16] In other words, as individuals, we want to be able to retain control of our personal information, because when we lose that control, we can lose control of our identity.

[17] The contributors to this issue of Forum draw the reader through the development of the recognition of privacy rights in Australian law from their early consideration in the 1930s through to the recent extension of privacy law to encompass the private sector generally.[6] Along the way, insights are offered into both the role and the shortcomings of laws relating to privacy and data protection, their global context, and the specific application of the principles underpinning these laws to, for example, the areas of health information and cyberspace.

[18] Justice Michael Kirby begins by tracing the development of common law recognition of privacy rights over the past century. Although the High Court determined in 1937 (in the famous case of Victoria Park Racing and Recreation Grounds Co Ltd v Taylor)[7] that there was no common law right to privacy, a dissenting judge at the time remarked insightfully that with the development of new technologies, privacy had the potential to become recognised as ‘a right indispensable to the enjoyment of life’.[8] The legal recognition of privacy rights has indeed evolved over time, first protecting the bodily privacy of individuals from threats such as assault, then addressing property interests (such as protection from trespass), and, most recently, recognising interests in information privacy through the law of confidentiality and defamation.

[19] Justice Kirby’s reflections on the development of privacy law are enlivened by his experience in overseeing the Australian Law Reform Commission inquiry into privacy law reform, and in chairing the Organisation for Economic Co-operation and Development committee that produced the 1980 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which remain the closest to a global privacy standard that has been achieved. After acknowledging the scope for development of privacy rights through the common law, Kirby J concludes that ‘most future laws on privacy in Australia will be made by legislatures. They will concern entirely new privacy questions, such as the privacy of genetic data. Lawmaking by legislators in such novel fields is how it usually should be’.

[20] The reflective theme of Justice Kirby’s contribution is picked up in Judge Kevin O’Connor’s review of the role of the Federal Privacy Commissioner, the Commonwealth Government appointee responsible for overseeing the application of the Privacy Act 1988 (Cth) (‘Privacy Act’). Judge O’Connor was the first Privacy Commissioner appointed in Australia, and served in the role from 1989 to 1996. He notes that the Federal Privacy Commissioner plays an ‘unusual if not unique’ mix of roles, which include ‘the power to issue binding statutory instruments, to issue binding and non-binding guidelines, to make policy submissions to government and parliamentary inquiries, to engage in community education and public comment ... and to receive complaints, investigate them and then make final determinations’. Thus the Privacy Commissioner’s responsibilities ‘fall across all parts of the “legislative”, “executive” and “judicial” spectrum’. An impressive list of responsibilities for an agency which receives less than AUD$4 million in its annual Budget appropriations!

[21] Judge O’Connor reflects positively on what the Commissioner has achieved to date, with limited resources, by maintaining a focus on systemic issues and not relying on specific cases to force privacy compliance on government agencies. He urges that the same approach be adopted in the exercise of the Commissioner’s new powers under the private sector privacy provisions.[9] He nevertheless concludes that while the Commissioner has an important role to play, other specific privacy issues, which fall outside the scope of ‘personal information’, need to be addressed as wider public policy concerns.

[22] It will come as no surprise to seasoned observers of privacy debates that Professor Graham Greenleaf’s perspective clashes with the former Commissioner’s. Professor Greenleaf’s article chronicles the inadequacy of almost every aspect of privacy law in Australia. He bemoans, inter alia, the failure of the courts to develop the general law of privacy, the ineffectiveness of international instruments, the inadequate scope of (and broad exemptions to) existing privacy legislation, the weak enforcement regime under the Privacy Act and the failure of Privacy Commissioners to exercise what power they have, and the lack of any development of precedents from the handling of individual privacy complaints. According to Greenleaf, in 2001, Australia ‘has nothing worth describing as a body of privacy law’ from amongst the mix of different measures available to ensure that the right of privacy is recognised in our community.

[23] The article by the Head of the Delegation of the European Commission to Australia and New Zealand, Aneurin Hughes, adds further detail to the broader canvas of criticisms provided by Professor Greenleaf. In the context of the European Union’s 1995 Directive on privacy and data protection,[10] Australia’s privacy legislation appears clearly inadequate. Mr Hughes’ article is a valuable contribution to an often poorly informed debate about the impact of the European Union (‘EU’) Directive on Australia. Its discussion of the Article 29 Working Party’s recently issued Opinion on the adequacy (or otherwise) of the new Australian legislation highlights areas of particular concern to the EU in Australia’s privacy framework. Given the reservations expressed in the Opinion, without additional legal safeguards to address the areas of concern mentioned, there is a danger that data transfers from European companies to Australian organisations may be regarded as breaching the EU Directive.

[24] Lee Bygrave conducts a more forensic examination of current privacy and data protection laws, and questions whether they really are primarily concerned with ‘privacy’, or rather with a set of fair information practices or data protection rules. Bygrave argues that data protection laws in fact serve many interests in addition to privacy, including ensuring civility, stability, pluralism and democracy. He therefore argues that a better understanding of the wider public interests served by data protection laws would strengthen the case for their support.

[25] Veteran privacy advocate Simon Davies takes up a similar point but adopts a different angle, arguing that data protection laws do not adequately protect privacy because so many critical privacy issues are outside their scope. According to Davies, ‘in every country, privacy and, more specifically, data protection laws have failed at several fundamental levels to protect individuals’. Pervasive surveillance systems have proliferated, unchecked by data protection laws, which to some extent offer only ‘the illusion’ of privacy protection. The problem, he suggests, may not be ‘the nature of data protection principles, but ... the manner of their enforcement’, which has left the laws ‘corrupted and compromised through timidity and neglect’. Like Greenleaf, Davies urges privacy regulators to adopt a more aggressive (and, he argues, more conservative) approach. After a long break from the Australian privacy debate, which he led in the late 1980s as the coordinator of the Australian Privacy Foundation’s campaign against the Australia Card, Davies provides a ‘reality check’ on recent discussions about the impact of changes in Australian privacy law.

[26] Roger Clarke provides another perspective on the adequacy of privacy laws in the specific context of cyberspace transactions. He argues that the slow pace of development of electronic commerce is a direct result of the lack of trust between consumers and businesses, and of consumers’ fears about privacy risks. Information privacy laws have proved ‘utterly inadequate, with inadequate scope, manifold exemptions and exceptions, and missing control mechanisms’. Clarke derides the failures of the ‘fair information practices’ movement, arguing that trust in cyberspace cannot be built without comprehensive laws which are systematically enforced.

[27] Professor John Kaldor and Doctor Andrew Grulich conclude this issue of Forum by providing a case study into the process of balancing privacy rights and other interests in the context of observational health research. Wider interests in the benefits of medical research generally and in controlling infectious diseases may require some compromise to individual privacy rights, and, as a result, mechanisms have been developed to safeguard any such compromise, including obtaining informed consent, specific legal authorisation for the collection of information without consent, and review of research proposals by institutional ethics committees. The importance of ethics committees in this area reflects the fact that the law is only one mechanism through which these conflicting interests must be balanced with the right to privacy.

[28] It would be naive to expect that either the development of the common law or statutory law reform can single-handedly resolve the range of privacy dilemmas that we are currently facing. They cannot. However, they can establish processes whereby competing claims between privacy and other interests can be considered objectively. The law can impose some absolute boundaries which protect human rights; the law can also influence the behaviour of organisations in the private sector and in government, making them more accountable. But the law needs to be considered as part of the wider interaction of technology, institutions and community attitudes that will shape the relationships between individuals and organisations in the future and the contexts in which privacy issues arise.

[29] The discussion in this Forum leaves a strong impression that while the law may be progressing in its developing recognition of privacy rights, the threats and incursions are developing more quickly, and in many areas our privacy may be slipping away. There is some convincing evidence for this view, particularly in the disorderly and politicised development of recent amendments to Australian privacy law. But are these criticisms only the bleatings of idealists, who see the merits in strong privacy safeguards but not the costs? Or has the balancing act actually been as one-sided as they suggest? The debate will certainly go on, particularly while such a large gap exists between the law’s recognition of privacy rights and public expectations of how personal privacy should be protected. The Editors of the University of New South Wales Law Journal are to be congratulated for their timely work to elevate the discussion from the hurly-burly of day-to-day privacy issues and provide a forum for thoughtful consideration. It is a debate of which we will be hearing much more in the years ahead.