Written by Darcy Forrester-Sach
On 7 February 2022 the Office of the Australian Information Commissioner (OAIC) won a major battle against Facebook after the Full Federal Court dismissed the tech giant’s claim that it was not breaching privacy by collecting information from users in Australia. Concerns about our privacy have continuously arisen in response to technological developments. In particular, the rapid technological development of society in the 21st century opens up questions about the risks posed by accessing digital platforms and the security of the information we put online. In today’s post, we will discuss our right to privacy and the legal framework upholding privacy law in Australia.
Privacy in the 21st Century
A demonstration of how these privacy practices manifest themselves as an invasion of privacy is the ‘Cambridge Analytica’ Scandal. During the 2010s Cambridge Analytica harvested personal information from Facebook users by obtaining ‘informed consent’ from a personality quiz. Through the consent process the app gained access to the profiles of the quiz users and their Facebook friends. As a result of the 270,000 people who took the quiz, the dataset contained 87 million profiles. This was sufficient to construct models of the personalities of the subjects of the data, allowing Cambridge Analytica to apply psychological analysis techniques to the data and identify the most effective targeted ads to persuade specific individuals.
The High Court’s Response
The High Court of Australia has been receptive to recognising a common law right to privacy in Australia. In Australian Broadcasting Corp v Lenah Game Meats Pty Ltd (2001) 208 CLR the HC declared that there is no obstacle to declaring a privacy right in Australia, although the court set aside developing this any further. Twenty years onward, the HC reaffirmed this decision in Smethurst v Commissioner of Police (2020) 94 ALJR 502. However, Ms Smethurst avoided arguing for a common law right to privacy and the court cast the issue aside. As Smethurst illustrates, Australian plaintiffs prefer to rely on existing actions that protect privacy indirectly. The court seems willing to explore a common law privacy right, however, with reluctance from plaintiffs to plead the right directly any development in a common law privacy right has stagnated. The answer to the slow development of a common law right to privacy may be in the operation of the Privacy Act 1988 (‘The Act’), which is Australia’s primary piece of legislation protecting the personal information of individuals in relation to digital platforms.
The efficacy of the Privacy Act
The Privacy Act regulates the collection and application of an individual’s data. The protections conferred by the Act are known as “Australian Privacy Principles” (APPs). However, these APPs only apply to “APP entities”, which are confined to agencies and private organisations. The Act’s effectiveness at protecting privacy and ensuring digital platforms adhere to the APPs has been criticised in the ACCC’s Digital Platforms Inquiry and is currently being reviewed by the Attorney-General’s Department.
The Attorney General’s discussion paper particularly focuses on the issue of consumer consent. Consent is currently needed for the collection and use of sensitive information unless an exception applies. However, the threshold for consent under the Act is low, defined as “express consent or implied consent”, leaving uncertainty about when consent is implied. Additionally, the ACCC’s Digital Platforms Inquiry outlined the weakness of the Act’s protection of personal information. The definition of “personal information” under the act is given an extremely narrow interpretation. In Privacy Commissioner v Telstra Corp (2017) 249 FCR 24, it was held that an individual must be the subject matter of the information for it to be within the ambit of the definition. Thus, “technical information” such as IP addresses, device identifiers, location information and other technical data may not be captured by this narrow definition.
Future Developments: Testing the Privacy Act against Digital Platforms
The Cambridge Analytica scandal was the catalyst for the OAIC to launch proceedings against Facebook in 2020. An Interlocutory application made by Facebook attempting to set aside the proceedings was dismissed after Justice Thawley ruled that a prima facie case was established by Facebook Inc collecting data in Australia. On the 7th of February, the Full Bench of the Federal Court threw out Facebook Inc’s appeal, and determined that the case proper will be heard at a later date. Perhaps the case will explore the limitations of the Privacy Act and clarify issues regarding the definition of ‘consent’ and ‘personal information’ as discussed in the Attorney Generals and ACCC’s review. Regardless, the case comes at a time when Australia is on the brink of privacy law reform, with the incoming introduction of the Online Privacy Bill.
It is difficult to establish that Australians do have a direct right to privacy within the current framework of Australian law. Perhaps implementing the recommendations of the ACCC, and the Attorney General’s department in the upcoming privacy law reform package will resolve the apparent lack of privacy protection in Australia.
Harris Gomez Group opened its doors in 1997 as an Australian legal and commercial firm. In 2001, we expanded our practice to the international market with the establishment of our office in Santiago, Chile. This international expansion meant we could provide an essential bridge for Australian companies with interests and activities in Latin America, and in so doing, became the first Australian law firm with an office in Latin America.
We provide innovative technology and resources businesses with legal and commercial expertise to realise their global potential. Our goal is to see innovative businesses establish and thrive in the global market. We are proud members of Austmine.
To better understand how we can support your management team in the Region, please contact firstname.lastname@example.org