We can never have more than a patchwork legal framework for dealing with serious invasions of privacy online, according to Australian's Information Commissioner, Professor John McMillan. The answer, he says, is to stop personal information getting out in the first place through better information security practices and better privacy procedures.
McMillan was speaking at a Privacy Awareness Week debate in Sydney on Tuesday morning, covering Australia's possible responses to serious invasions of privacy in the digital age. The event was organised by the Australia and New Zealand chapter of the International Association of Privacy Professionals (iappANZ).
More of our personal information is digitised and stored online, and more of our media operates online — not just the traditional handful of broadcasters and publishers, but a vast number of new and smaller players, all the way down to individuals. All of them effectively operate globally.
That creates jurisdictional problems. In most cases, Australian laws and regulators can only deal with material published in Australia. And while traditional media operators might be seen as being more responsive to complaints, individuals in vast numbers can easily spread privacy-invading material via social media and social networking sites.
Combine these factors, and the Streisand Effect, where the very fact of complaining about embarrassing material online only encourages people to spread it, and you've got a difficult legislative problem.
"The pressures to deal with [serious invasions of privacy] are coming from multiple directions, but the issue keeps moving, and can't be contained, and so at the end of the day, there is no easy or readily available solution," McMillan said.
"In the area that I deal with, FOI [Freedom of Information] and privacy, the suggested solution is stop the information getting out in the first place — so that it's not released under the FoI Act, it's not published on the web, it's not accessible as a spreadsheet or something that's attached to somebody's [email or website]. Now we're fighting against the lock-it-down mentality, because that undermines out other public interest objectives, but the reality is that once it's out there, then in the regulatory space that I'm moving, we have no capacity or role, really, in trying to control how it's being sprayed around."
Do we therefore need better information security, and for people to have a better understanding of how their personal information might end up becoming public?
"We need all of those things, and together it'll be a patchwork" McMillan said. "You will still keep referring to incidents and case studies that demonstrate the need for something else that works."
The head of the Australian Law Reform Commission (ALRC), Professor Barbara McDonald, agrees that there will always be jurisdictional limits to what any regulator or court can do.
"There's very little power, as Max Mosely [disgraced former president of the Fédération Internationale de l'Automobile] has found. He's spent hundreds of thousands of pounds going round to different jurisdictions, to try and get different jurisdictions to take things down, and he's now taken in Google search engines, and good luck to him doing that in California. But I don't know if that's an argument for saying that you shouldn't attempt it" she said.
"Many blogs are hosted on a blog site, where there is power... I think there's nothing wrong with the idea that Australia should either forge ahead with some protections, or keep up with protection that other jurisdictions provide, because then there may be some global consistency."
The Australian Communications and Media Authority already operates a takedown procedure for dealing with cases of prohibited online content. The ACMA's deputy chair Richard Bean says that process is "extremely effective in relation to Australian-hosted content. So that's something."
Bean acknowledged that in invasion of privacy cases, the "evil" isn't as clear as with, say, child abuse material — there are freedom of speech issues, for a start — but thinks that a similar approach could be of value.
"If you are going to take on the challenge of defining what could be subject to such a [takedown] notice, and all of the things that would go with it, and to establish us or somebody else — courts or somebody — the power to make such an order, then if the material can be traced and it can be found [to be] Australian hosted, Australian hosts have proven to be very responsive."
Bean also noted that the ACMA's cyber safety and security program have a "strong emphasis" on the need for people arm themselves with knowledge and to guard their privacy online. "If you can do that, it is possible to take some steps to safeguard your own information and to protect yourself from those intrusions to an extent."
The ALRC is currently conducting an inquiry into possible legislative reforms to cover invasion of privacy, including a statutory cause of action for serious invasions of privacy. "We have been asked to be innovative," McDonald told the debate. "Privacy law is not just for celebrities."
The ALRC's discussion paper recommends two causes of action: "intrusion on seclusion", which would include issues of surveillance, and misuse or disclosure of personal information. It recommends a stand-alone Act, rather than bundling it with the existing Privacy Act, some sort of public interest test — which McDonald says is the most controversial recommendation — and language to limit actions to "serious" invasions. The international consensus seems to be moving towards a "non-trivial" threshold, McDonald said.
Information Commissioner McMillan acknowledges the ALRC's "erudite" work, but said there's three reasons why the ALRC's proposed reforms won't happen.
"We don't have any disagreement, essentially, with the thrust of what has been recommended," McMillan said, but sees "three big problems" with proposing a court-based approach.
"First is that that current Attorney-General has said quite strongly that the government does not support a tort of privacy, so as a law reform exercise, a tort of privacy is going nowhere in the present political climate. Beyond that, secondly, I can't see it going ahead in the political climate generally. It runs against the trend of how governments are heading. For example there's a strong deregulation agenda in government, and a new cause of action against big business and so on does not easily find support in a deregulation agenda."
The Productivity Commission has also noted, McMillan said, that many unmet legal needs could be addressed by providing better visibility and resourcing to existing ombudsmen and commissioners, rather than trying to create new processes from scratch.
Submissions on the ALRC discussion paper close next Monday 12 May 2014.