Most states and territories have enacted legislation to protect the privacy of personal information, but Australian law does not expressly protect the right to personal privacy in the broader sense, either through legislation or the common law. In addition, legislative protections of the privacy of personal information do not include breaches by individuals acting in a personal capacity.
The right to privacy in the Universal Declaration of Human Rights was mirrored in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) to which Australia is a signatory and agreed to be bound on 13 August 1980. The ICCPR is a schedule to the Australian Human Rights Commission Act 1986 (Cth) (“Human Rights Act”) and the Australian Human Rights Commission is responsible for monitoring Australia’s compliance with the ICCPR. However, although Australia has agreed to be bound by the ICCPR, it is not incorporated into the Human Rights Act to the extent that it has created enforceable rights.
On 25 September 1991, Australia agreed to be bound by the first optional protocol, which gives individuals whose countries are party to the ICCPR and the protocol and who have exhausted all domestic remedies (if any) to submit a written communication to the UN Human Rights Committee. Nicholas Toonen, a homosexual in Tasmania, sent a communication to the UN Human Rights Committee arguing that Tasmania’s law that criminalised homosexual sex between consenting adults was a breach of privacy under Article 17 of the ICCPR. The Human Rights Committee agreed that because of the Tasmanian law Australia was in breach of its obligations under the treaty and rejected the argument that the interference was not arbitrary (Human Rights Committee Communication No 488/1992 Toonen v Australia). In response to the committee’s view, the Commonwealth Government passed a law overriding the Tasmanian law. It should be noted that Toonen made his communication in 1991 and the Human Rights Committee responded in 1994. Also Australia is not bound by the response of the committee and could have chosen to take no action to remedy the breach.
Australian common law does provide some limited personal privacy protections, for example, through defamation and trespass laws (see Defamation and your rights, and Neighbours and noise). In Ettingshausen v Australian Consolidated Press Ltd (1991) 23b NSWLR 443 the plaintiff, a well-known rugby player, successfully took defamation action in relation to the publication of a photograph taken after a game, which was found to be capable of showing his genitals. This case was in reality a claim for breach of privacy.
In 2001, in the case of Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 1999 (“the Lenah Game Meats case”) the High Court heard on appeal a claim of breach of privacy made by a corporation in relation to a secret filming by an animal rights group of an abattoir operation that processed possums. The footage had been given to the ABC, which planned to broadcast it. While ultimately rejecting the claim by the corporation of breach of privacy, on the ground that corporations have no rights of privacy – which is fundamentally about personal autonomy, the High Court invited the possibility of the development by courts of a cause of action for invasion of privacy. Since this decision Australian courts have been moving towards developing a cause of action for breach of privacy, although this has often been through findings of breach of confidence.
In the case of Grosse v Purvis (2003) QDC 751 the plaintiff brought an action for breach of privacy after years of stalking by the defendant and public and private statements by him to the effect that the plaintiff engaged in immoral sexual acts. The Queensland District Court noted that the High Court in the Lenah Game Meats case had removed the barrier to persons attempting to rely on a tort of privacy and awarded aggravated and exemplary damages to the plaintiff for breach of her privacy.
The Victorian Supreme Court in the case of Giller v Procopets  VSC 281 stated that the law had not developed to the point where the law in Australia recognised an action for breach of privacy. The facts of that case were that the defendant, while in a relationship with the plaintiff, had secretly and then with her consent, videotaped them having sex. After the breakdown of the relationship he had disclosed the recordings to family and friends. Ms Giller had brought an action for breach of privacy and breach of confidence among other actions. While the trial judge rejected the breach of privacy he found there had been a breach of confidence but since the distress she suffered fell short of mental illness found the was no grounds to award compensation. The Victorian Court of Appeal unanimously confirmed the finding of breach of confidence and as a result found it unnecessary to decide conclusively whether a tort of invasion of privacy should be recognised under Australian law. Importantly it rejected the decision that compensation could not be awarded and ordered damages against Mr Procopets (Giller v Procopets  VSCA 236). This case was an important step in the breach of confidence being used as a remedy for breach of privacy although it is limited in scope by the need for a confidential relationship between the plaintiff and defendant. In Doe v Australian Broadcasting Corporation  VCC 281 the ABC published information on two separate occasions that identified the plaintiff as a victim of rape by her husband contrary to section 41(1A) of the Judicial Proceedings Reports Act 1958 (Vic). In addition to finding a breach of statutory duty and breach of confidence Hempel J also found the defendants were liable in tort for invasion of privacy, relying on the High Courts comments in the Lenah Game Meats case. The decision was appealed but the appeal subsequently withdrawn.
In the light of the slow and piecemeal progress of the development of a right of privacy at common law there have been a number of recommendations by law reform commissions in Australia that there be a statutory cause of action for breach of privacy.
In 2009, the NSW Law Reform Commission released a report (Report 120: Invasion of Privacy). It recommended that the Civil Liability Act 2002 (NSW) be amended to provide a statutory cause of action for invasion of privacy. This report is available at www.lawreform.justice.nsw.gov.au. In 2008, the Australian Law Reform Commission recommended a statutory cause of action be developed for serious invasions of privacy (ALRC report 108). The Victorian Law Reform Commission made a similar recommendation (in Surveillance in Public Places: Final Report, released in 2010, available at www.lawreform.vic.gov.au). On 3 September 2014, the ALRC’s final report, Serious Invasions of Privacy in the Digital Era (ALRC report 123), was tabled. This report was in response to the then Attorney-General’s referral to the ALRC following the Australian Government’s release of its issues paper, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy. The ALRC recommended that if there were to be a statutory cause of action for serious invasion of privacy it should be a Commonwealth Act and be an action in tort. It should be available only in circumstances where a person had a reasonable expectation of privacy and would cover (a) intrusion upon seclusion either by physically intruding into a persons private spaces by watching, listening, recording private activities or affairs or by misuse of private information such as by collecting or disclosing private information abut a person – including untrue information, but only if it would be private if true. For information on the development of a statutory tort of privacy and common law developments internationally, see the ALRC report 108 – Chapter 74 (Protecting a Right to Personal Privacy) of the report, provides a useful overview.
Privacy legislation: an overview
The Privacy Act 1988 (Cth) (“PA 1988”) sets minimum standards for how personal information (see “Personal information”, below) can be collected, used, held and disclosed. It gives individuals certain rights in respect of their personal information, including rights to access or seek the correction of the information an entity holds about them.
Under the PA 1988, “personal information” is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
•whether the information or opinion is true or not; and
•whether the information or opinion is in material form or not.
This definition extends to a wide range of information. For example, the APP Guidelines (see “Summary of the Australian Privacy Principles (APPs)”) state that a vocational reference that comments on an individual’s career or performance would be information “about” the individual. The opinions expressed in the reference may also be information about the author of the reference. Whether an individual is “reasonably identifiable” will depend on the circumstances, including the nature of the information and any other information that is available.
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that was created by the Australian Information Commissioner Act 2010 (Cth) (“AICA 2010”) to administer the PA 1988 and the Freedom of Information Act 1982 (Cth). The office included the Privacy Commissioner who was delegated to carry out the functions of the Information Commissioner under the PA 1988. In the 2014–2015 budget the Australian Government announced that the OAIC was to be disbanded from 31 December 2014. The changes announced meant that the PA 1988 would once more be administered by the Privacy Commissioner and there would no longer be an FOI Commissioner or Information Commissioner. It was intended that the Privacy Commissioner would be an independent statutory office holder within the Australian Human Rights Commission. The announced changes required legislative amendment and have been incorporated in the Freedom of Information Amendment (New Arrangements) Bill 2014, which will also repeal the AICA 2010. At the time of writing (June 2015), the Bill is before the Senate. However, the FOI Commissioner and Information Commissioner have resigned and the Privacy Commissioner administers the PA 1988.
The Privacy Commissioner has broad powers to monitor privacy compliance, to investigate complaints and to impose sanctions (see “Complaints to the Australian Privacy Commissioner”).
In addition to the PA 1988, several other Commonwealth laws and guidelines deal with information privacy matters relating to tax file numbers, medical research, electronic health records, Medicare and PBS claims, spent criminal convictions, registered personal property security interests and telecommunications (see “Other Commonwealth legislation and guidelines”).
All states and territories except South Australia and Western Australia have enacted specific information privacy legislation that regulates how certain public and private sector organisations collect, handle and store personal information about individuals. Some jurisdictions, including Victoria, give health information specific or additional legislative protection.
Victoria and the Australian Capital Territory have human rights legislation that also recognises the broader right to privacy under the ICCPR and requires public sector organisations to act in a way that is compatible with privacy and other human rights (see “Victorian privacy legislation”).