
Mind Your Own Data: The Future of Privacy Law in Australia
What area(s) of law does this episode consider? | Privacy law. |
Why is this topic relevant? | Privacy is, without a doubt, one of the defining legal issues of the 21st century. Our personal data is being collected, analysed, shared and, occasionally, unlawfully accessed and disseminated, in ways that we could scarcely imagine even a decade ago. In response, governments worldwide, including our own, are grappling with how to update laws that often lag behind the realities of modern technology. In fact, the recent passing of the Privacy and Other Legislation Amendment Act 2024 (Cth) marks the most significant reform to the Privacy Act 1988 (Cth) since the private sector amendments back in 2001. These new amendments to the Act introduce some major changes, like a new cause of action for serious invasions of privacy, expanded powers for the privacy watchdog, and new transparency requirements for automated decision-making. But what do these changes mean in practice? For individuals, they signal a greater ability to understand, manage and prosecute how their data is used, potentially curbing the overreach of large technology companies. For businesses, these reforms may be a wake-up call to invest in stronger compliance frameworks and rethink their data and privacy practices. |
What legislation is considered in this episode? | Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act); Privacy Act 1988 (Cth) (Privacy Act); Defamation Act 2005 (NSW) (Defamation Act); Online Safety Act 2021 (Cth) (Online Safety Act); Communications Decency Act, 47 U.S.C. § 230; European Convention of Human Rights; Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act); Spam Act 2003 (Cth) (Spam Act); Cybersecurity Act 2024 (Cth) (Cybersecurity Act) |
What cases are considered in this episode? | Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479
Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199
Jane Doe v Australian Broadcasting Corporation [2007] VCC 281
Kalaba v Commonwealth [2004] FCA 763
|
What are the main points? |
|
What are the practical takeaways? |
|
Show notes | Australian Government Response to the Privacy Act Review Report, published 28 September, 2023. OAIC, Overview of the Australian Privacy Principles. Serious Invasions of Privacy in the Digital Era (ALRC Report 123), tabled on 3 September, 2024. |
DT = David Turner; SD = Sophie Dawson; HL = Hamish Lennon; TH = Taylor Harding
00:00:00 | DT: | Hello and welcome to Hearsay the Legal Podcast, a CPD podcast that allows Australian lawyers to earn their CPD points on the go and at a time that suits them. I’m your host, David Turner. Hearsay the Legal Podcast is proudly supported by Lext Australia. Lext’s mission is to improve user experiences in the law and legal services, and Hearsay the Legal Podcast is how we’re improving the experience of CPD. Privacy is, without a doubt, one of the defining legal issues of the 21st century. Our personal data is being collected, analysed, shared and, occasionally, unlawfully accessed and disseminated, in ways that we could scarcely imagine even a decade ago. In response, governments worldwide, including our own, are grappling with how to update laws that often lag behind the realities of modern technology. In fact, the recent passing of the Privacy and Other Legislation Amendment Act 2024 (Cth) marks the most significant reform to the Privacy Act 1988 (Cth) since the private sector amendments back in 2001. These new amendments to the Act introduce some major changes, like a new cause of action for serious invasions of privacy, expanded powers for the privacy watchdog, and new transparency requirements for automated decision-making. But what do these changes mean in practice? For individuals, they signal a greater ability to understand, manage and prosecute how their data is used, potentially curbing the overreach of large technology companies. For businesses, these reforms may be a wake-up call to invest in stronger compliance frameworks and rethink their data and privacy practices. To talk us through these reforms and the ongoing transformation of privacy law in Australia, we’re lucky enough to be joined today, not by one, but two amazing privacy law voices from Johnson Winter Slattery – Senior Partner, Sophie Dawson, and Hamish Lennon, Associate. Sophie and Hamish, thank you both so much for joining me today on Hearsay. |
00:01:59 | SD: | Thank you very much for having us, David. We’re delighted to be talking about this interesting topic with you. |
00:02:03 | DT: | Yeah, we’ve been following this legislation on the show since our last season, actually. We’ve been following it from law reform report to the proposed bill – or hypothetical bill before that – and now we’re excited to talk about it in its concluded form. But before we get to that, I wanted to hear a little bit about your backgrounds in the law, how you came to start practicing in this space, and the kind of work that you’re doing at JWS. |
00:02:25 | SD: | I’ve been practicing in this area for a long time. In fact, my first privacy tort related litigation matter was in the 1990s, and I’ve had the great pleasure to advise not only on the 2001 amendments to the Act when the private sector provisions came in, but on pretty much all of the rounds of changes since then. So it’s been fascinating to watch this area of law develop. I’m a partner at Johnson Winter Slattery. Before that, I was a partner at two other law firms, international practices, for a considerable period. So I’m lucky because I’ve also had that global visibility and at JWS, we’re lucky actually, because we work with some of the top global firms, so we retain that visibility in our current roles. |
00:03:15 | DT: | Having that experience of advising on the Privacy Act for so long, I’ll be interested to hear from you about some of the things that probably have been called for by practitioners like yourself since 2001, like a cause of action for privacy. So it’ll be interesting to talk about that. And Hamish, tell us a bit about your practice. |
00:03:32 | HL: | Yes, so not as extensive, experience wise, but at uni my other degree was music, and I’ve always been interested in the IP space and how creators are able to protect their rights. And while at uni I volunteered at Arts Law Australia and really enjoyed getting exposure to more broader media law issues. And then I did a clerkship at JWS, and now a few years on from that, I’ve mainly been working in the TMT IP privacy space, a lot with Sophie as well, which has been really great, and I think coming in at a time where there’s been a lot of change as well has been really interesting. Keeping up with all the reforms, especially this year, has been really interesting. |
00:04:07 | DT: | Absolutely. Well, so fantastic to have you both here. As I said, we’ve been following the legislation on the show, but let’s give our listeners a bit of a primer. I want to start off with a quick snapshot of the current state of play, where the legislation is up to, what’s in force and what’s not. Hamish, where’s the legislation sitting now? |
00:04:22 | HL: | So we’ve just seen the first major tranche of reforms coming out of the digital platforms review process, and these reforms have received royal assent on the 10th of December, 2024, and they implement a number of proposals agreed by the government in its Response to the Privacy Act Review. The key changes which came into effect from the 11th of December include new powers for the OAIC to issue infringement notices and compliance notices, updated civil penalties, and the Governor General has new powers to whitelist overseas jurisdictions for the purposes of overseas disclosure of personal information, as well as there are new information security obligations that have been clarified, and a new regime under which, following notifiable data breaches, the Minister can omit by way of declaration certain collections, uses and disclosures of PI for the purposes of reducing the risk of harm to individuals affected by the data breach. |
00:05:08 | DT: | So these amendments that received royal assent last year, are they now in force, and are Australian businesses required to comply with them? |
00:05:15 | HL: | Yes, so these changes have come in from the 11th of December, and there are a few other key changes that will come into effect later, and those include requirements for privacy policies to include information about how personal information is used in automated decision making, and that’s scheduled to commence next year on the 10th of December in 2026. And there’s also the kind of crown jewel of the reforms, being the new cause of action in tort for serious invasions of privacy, and the commencement date for those reforms is to be confirmed by proclamation, but is anticipated to commence the 10th of June, 2025. |
00:05:47 | DT: | I’m excited to talk to you about that cause of action a little bit later in the show. I know since I was at uni, we’d been talking about the prospect of a cause of action for breach of privacy. So, excited to hear about how that’s turned out. Sophie, as an experienced privacy lawyer, you would have been following this from the digital platforms inquiry all the way through to now and probably making a few predictions or bets about how this might turn out. Are you surprised? Unsurprised? How closely does this match your expectations? |
00:06:13 | SD: | I think, David, that there are both surprising and unsurprising aspects of these changes. There’s been a very long run up to some of them. In fact, perhaps if I take a couple of examples, I mean, the white list idea has been around for a long time and that’s something I’ve certainly had the pleasure of advocating for at various times. It’s common sense that if the government prescribes countries as having laws that give adequate protection for the purpose of Australian Privacy Principle 8, then it saves organisations having to pay for advice to get that position for themselves under the existing provision. So it makes sense in terms of facilitating the digital economy where people may choose to have redundant data sets in different jurisdictions, they might have global systems, and it makes sense as a country for us to make ourselves easy to deal with. So I think that’s a really common sense change that’s been considered for quite a long time and a lot of privacy practitioners have advocated for. Actually, it’s funny because in the introduction you said that we’d probably been pressing for the tort over many years. Funnily enough, because my clients have traditionally been media and technology companies, I have been opposing it regularly for many, many years. And for good reason, actually. And we’ve got a journalism exemption that I’ll come to in a second, which addresses this issue. But it is very important for the media, and this has been one of the themes in the whole digital platforms review. This process is very important to have professional journalists who are engaging in investigative journalism and uncovering wrongdoing in our society, particularly when it comes to politicians and in the courts, because people have referred to them as the fourth estate. 
They are the only people watching a lot of these institutions, and the fact that they do so means that it’s a real disincentive for people to engage in misconduct and that has a real impact on not only the efficacy of our institutions but also through them on our economy. So it’s really critical to ensure that journalists can do their job. And the digital platforms review has considered multiple aspects of that, including the funding aspect, which is also important, but in relation to the tort, the media made submissions in the latest round, and also in every previous round, we’ve had multiple reviews in the past to consider introduction of a tort to the effect that, firstly, there’s already extensive regulation of privacy in a media context. There are a whole lot of statutory restrictions on publication, which the media spend a lot of money adhering to. They have teams of specialist lawyers who are across literally hundreds of different restrictions on things like identification of a victim of sexual assault, which preclude identification, to ensure that they comply with those laws. Obviously in the wild west of the internet, there are lots of people who are blissfully ignorant of those laws and may not be as compliant. But that may be a challenge for education to some extent, rather than additional law, and obviously platform moderation is something that has extensively addressed that issue. |
00:09:36 | DT: | Something I was actually going to say, just coming off your last point, I was going to link it to a conversation we had on the show a couple of weeks ago around the defamation law amendments. This all sort of ties into digital platform moderation. |
00:09:48 | SD: | It does. And I think there are two key themes to regulation over the last 20 years really building into this current process, which is increasing regulation of the internet and also increasing privacy protection and adjustment of laws like defamation laws to have mechanisms which are more suited to an internet context, so that you’re requiring people to essentially respond sensibly to take down requests but not imposing excessive costs when they act responsibly. So it’s really a theme of the government adjusting regulation to suit the new reality. It always takes longer than people think. You know, I mean obviously the internet has been around for 20 years now, and it’s taken that length of time for this legislation to come to the fore. But you’ll see similar mechanisms across the Defamation Act and Online Safety Act and others, and also copyright safe harbour. And it’s all around essentially for the digital platforms, assuring they’ve got appropriate safeguards and moderation practices, so there’s an air of reality about them rather than creating a situation in which ad hoc claims can result in disproportionate outcomes. |
00:11:03 | DT: | Yeah, and I suppose in all three of those contexts, in privacy, defamation and copyright, we also have this dynamic of interacting with digital platforms operated by U.S. technology companies, some of whom enjoy statutory protection in the U.S. |
00:11:18 | SD: | Section 230 of the Communications Decency Act. |
00:11:21 | DT: | Yes. Yeah, that’s the one. The Australian legislative context, is this kind of dynamic of working with these enormous platforms that sit somewhere between public infrastructure and a quasi nation state is to have a mechanism that they’re capable of complying with on a sort of voluntary basis, right? |
00:11:36 | SD: | Exactly. The tort’s actually an exception to this, but the most common legislative structure we’re seeing in regulation of platforms on the internet, which we’ve now got in a defamation context, is essentially that if platforms take material down within a stipulated time after receiving a complaint, then they don’t face a subsequent claim, which obviously adheres to common sense in that they can’t possibly be checking everything in advance. And that brings us to the tort really.
TIP: So Sophie’s just mentioned that defamation law allows platforms a grace period to take down potentially defamatory material when they’re made aware of it. These actually come from some recent changes to defamation law across Australia, which we spoke about recently on the show with Scott Traeger, partner at Lander and Rogers. That one’s episode 148 and it’s called ‘Rebuilding the Town Square: Innocent Dissemination and the New Defamation Regime.’ Check that one out if you’re interested in learning more about how Australian law regulates the moderation of content by online platforms. However, we should say that Sophie will make an important distinction between defamation and privacy later in the episode.
So in terms of the tort, it’s had a very long run up. I’ve talked to you about the whitelisting and how that is common sense. So the second point is in relation to the tort. The run up to the tort has been very long indeed. I don’t know whether you’re across this but there’s a fantastic article called ‘The Right to Privacy’ by Samuel Warren and Louis Brandeis, which was written in 1890 in the Harvard Law Review. |
00:13:03 | DT: | A little earlier than I thought. |
00:13:05 | SD: | And it’s a great read actually for anyone who enjoys privacy law, in that when you read it, they’re talking about the sort of prurient interests of readers of the press. And so when you read it, you’ll see that actually very little has changed in terms of the discussion around these issues over a very long time. And so that resulted in a talk in the US some time ago, and then, of course, in the UK they’ve developed a cause of action based on the equitable confidentiality principles and also the European Convention of Human Rights.
TIP: So Sophie’s just mentioned Samuel Warren and Louis Brandeis’ seminal article published in the Harvard Law Review in 1890 called ‘The Right to Privacy.’ This was a ground breaking essay and is widely credited as the first formal advocacy for a legal right to privacy in the US. Brandeis, who was primarily credited with the authorship of the article, expanded on Warren’s concerns over the invasive coverage of personal lives in the press, famously defining privacy as the right to be let alone. The article traces the evolution of common law protections, noting how legal concepts expanded from physical and tangible protections to intangible rights like emotions and intellectual property. Now, Warren and Brandeis argued that rapid advances in technology, such as instant photos and mass circulation newspapers, made it necessary to adapt our legal principles to safeguard personal privacy. They proposed privacy as a distinct legal principle, asserting its foundations in property law and contractual obligations, whilst emphasising that existing laws on defamation and intellectual property were insufficient.
There’s been discussion in Australia for a long time about whether or not a tort of privacy exists and our case law is mixed. 
The case of Victoria Park Racing v Taylor (1937) was thought to stand in the way of a tort, and then of course, the High Court in Lenah Game Meats (2001) said that no, Victoria Park Racing doesn’t stand in the way of a tort, but they did not tell us whether or not there is one. |
00:15:04 | DT: | Cited on the grounds. Yep. |
00:15:06 | SD: | Yes, and it’s been a particular area of focus since the public interest component of the New South Wales defamation defence was removed in 2005.
TIP: Now we’ve just mentioned the Lenah Game Meats case. The full citation for that one is Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, and that case marked a pivotal moment in Australia’s privacy law history, particularly when it comes to corporations and the potential recognition of a tort of privacy. The case also revisited another case, Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479. That one is often cited as denying the existence of a common law right to privacy. However, the court in Lenah Game Meats clarified that Victoria Park was not about privacy, but rather the allocation of rights to control information dissemination. Now, additionally, in Lenah Game Meats, the Court left open the possibility of developing a tort of unjustified invasion of privacy, and they emphasised that this kind of a development could only apply to natural persons and not corporations. This suggestion went beyond using equitable principles like unconscionability or property rights extensions to broadly establish privacy protections and uphold the human dignity approach to viewing privacy. The dispute in Lenah Game Meats arose when the ABC broadcast footage of possum slaughter at Lenah Game Meats abattoir, which was filmed covertly through trespass. The judgment highlighted three key issues. The first, whether privacy could form a legal basis for action. Second, whether such protections extended to corporations and how these fit in with the implied constitutional right to political communication, and lastly, the majority concluded that privacy concerns must be rooted in the nature of the information itself, not solely in the method of its acquisition or its value to the possessor. 
The judgment also explored existing characteristics of privacy law in Australia. So, Chief Justice Gleeson noted that not all actions conducted on private property are inherently private, and privacy must involve a degree of offensiveness to a reasonable person of ordinary sensibilities. In a similar vein, Justices Gummow and Hayne said that privacy protections derive from personal autonomy and dignity, values which are irrelevant to corporations. However, Justice Callinan suggested that privacy could align with property rights, allowing corporations some measure of protection under specific circumstances. However, even he acknowledged that this extension was tentative and contingent on recognising privacy as a property-based right. Now, the High Court’s reasoning seems to reflect a bit of caution in adopting privacy principles from other jurisdictions, such as the US, where privacy is categorised into distinct forms of interference. The Court avoided committing to any specific approach, acknowledging the tension between protecting private information and upholding freedom of political communication. Now, the oft-cited obiter dicta test for determining whether something was a breach of privacy that came from Lenah Game Meats is whether the disclosure of the information would be “highly offensive to a reasonable person.”
TIP: So, Sophie has also just mentioned a few other cases. The first one, Jane Doe v Australian Broadcasting Corporation [2007] VCC 281. In that case, ABC Radio had broadcast the identity of a victim of sexual assault, which violated a statutory disclosure. Judge Felicity Hampel, in the Victorian County Court, took the bold step of declaring that a tort of invasion of privacy exists in Australian law. Although arguably, this wasn’t strictly necessary. There were already other legal grounds to hold the ABC accountable. 
The plaintiff in that case was then awarded damages for breach of statutory duty, breach of confidence, and an unusual finding that the ABC owed a duty of care. The other case that Sophie mentioned was Kalaba v Commonwealth [2004] FCA 763. In that case, Mr. Kalaba alleged that the Commonwealth had breached his privacy by requesting records about his wartime confinement without consent. He sought damages, claiming this and other acts of negligence led to his imprisonment following a protest. However, Justice Heerey in the Federal Court summarily dismissed the case, ruling that Australian law does not recognise a tort of privacy. He noted precedent against such a tort, Giller v Procopets, criticised the contrary stance in Grosse v Purvis, and concluded the Commonwealth’s actions, even if erroneous, were at most a gratuitous effort to assist.
Professor Barbara McDonald published her report for the ALRC in 2014 recommending a tort. So for all those reasons, it’s not surprising. At the same time, the reason that it is a little surprising is that on each of those previous occasions where it’s been considered, and it has been considered at length, governments have ultimately decided not to enact a statutory tort. So this is the first time that it’s actually resulted in law, and there are good reasons why it hasn’t resulted in law in the past because there is a multitude of statutory restrictions on publication which protect private information, such as the identity of sexual assault victims and the identities of children involved in criminal proceedings. It’s an offence to breach them. And there are also surveillance laws and the law of trespass, which protect against intrusion upon seclusion, which is the other aspect of the tort. Professor McDonald argued that the tort would cover any gaps between these laws, but there are many people who have argued that there’s no demonstrated need for a gap filler of that type. 
In fact, if you go back to her 2014 report, she says, “oh look, perhaps our media doesn’t publish as intrusive material as their UK counterparts, that maybe there are complaints in the background that are being settled or something.” The media have said, “oh look, there’s just no demonstrated need for this in the past.” But the outcome that has resulted on this occasion, is that we’ve ended up with a tort. It includes a journalism exemption, which is really important to protect freedom of expression.
TIP: The Australian Law Reform Commission, spearheaded by Professor Barbara McDonald as the Commissioner for the Inquiry, published a report in 2014, titled ‘Serious Invasions of Privacy in the Digital Era.’ The report recommends the creation of a statutory tort for serious invasions of privacy through a new Commonwealth Act. The tort is designed to address intentional or reckless invasions that can’t be justified as being in the public interest. An example of this would be sharing private medical records or explicit images without consent. The ALRC stressed that while privacy is a fundamental right, it must be balanced with freedom of expression and press freedoms. The report outlined the need for statutory action, noting gaps in the protections at the time, reluctance to litigate novel claims under common law and the advantages of legislative clarity and consistency over case law. In making its report, the ALRC also considered international privacy protections and past Australian inquiries, which showed support for a statutory cause of action. Statutory reform, the ALRC argued in its report, provides clarity, faster resolution, and flexibility to address privacy issues arising from changes in technology.
In the UK, the cause of action’s had a big impact on the media, which is regularly being prevented, by way of injunctions, from publishing information about matters such as the identity of suspects in criminal cases, which can be useful to bring forward witnesses. 
Changes to the exemption made in the Senate process made sure that the distributors of material published by journalists are covered by the exemption. So there’s still going to be some uncertainty about the edges of that exemption, which we can talk about in a little while. So there are surprising and less surprising aspects of this reform. |
00:23:23 | DT: | Yeah. And this isn’t an unfettered cause of action for breach of privacy. It covers serious breaches of privacy, if I’m understanding that right. Hamish, what kind of breaches of privacy might be considered serious enough to be actionable? |
00:23:38 | HL: | So as a quick overview, an individual will have a cause of action in tort against another person where there’s an intrusion upon seclusion or a misuse of private information where it’s sufficiently serious, intentional, or reckless, and the public interest in the plaintiff’s privacy outweighs any countervailing public interest points. And also, so long as the plaintiff has a reasonable expectation of privacy in the circumstances, then that will give rise to a cause of action under the new tort. |
00:24:06 | DT: | You know, it strikes me that a lot of the public interest concerns that you articulated, Sophie, are clear in the language that the legislature has used in articulating the tort, right? We’ve got a general public interest element that needs to be satisfied. We have a sort of intentionality or recklessness requirement. There’s a harm element. So there’s a lot of fetters on this right of action. Just to draw out, maybe some examples, because on the one hand we’re talking about matters of public interest that are reported on by a responsible journalistic institution, which we would expect not to be actionable, based on both the elements you’ve described and what we would hope to happen in a fair and just society, what kind of examples of conduct does Parliament hope this tort of privacy will protect against? |
00:24:55 | HL: | So some examples of what might qualify as a serious invasion of privacy in relation to a misuse of private information could be the publication of the fact that someone is the subject of criminal investigation, and this fact is published prior to charges being brought against them. There’s also publication of details about someone’s physical or mental health. So, in the UK, we’ve had examples where footage of someone having a nervous breakdown or some form of panic attack has been deemed sufficient as private information, so to restrict the publication of that footage. There’s also been cases where publication of financial and tax information, as well as the publication of information about personal and family relationships, so things like cheating and affairs, those kinds of things. Obviously, in the Australian context, this would be considered alongside the journalism exemption, which will extend protection specifically to news, current affairs, and documentary content. And so we’ll have to see how that interacts and where the line’s drawn on particularly entertainment content, to see whether these sorts of examples would actually qualify as a serious invasion of privacy in the context of the journalism exemption. And then, in the context of intrusion upon seclusion, there’s the taking of footage of intimate acts or nudity. The example that was given by Chief Justice Gleeson in Lenah Game Meats was footage of a person getting changed in their bedroom where that’s visible from the street would be an example of a serious invasion of privacy through the intrusion upon seclusion limb. And then in the UK we’ve also seen things like the taking of unauthorised wedding photos. There was an example, I think we were just talking about this on the way here actually. |
00:26:32 | SD: | It was the Catherine Zeta-Jones, Michael Douglas wedding in fact, and they’d prohibited photographs and somebody took a photograph and that was one of the early privacy cases in the UK that was successful. We’ve also seen, for example, Naomi Campbell going to Narcotics Anonymous. That was an early successful decision, a privacy claim in the UK, but it’ll be interesting really to see the extent to which Australian courts follow UK authority and the extent to which they follow previous Australian case law. So, for example, there’s a huge overlap here between defamation and privacy because a lot of the time, it’s a big investment for someone to decide to pay for a lawyer to put together evidence and pleadings and go up to the court and risk an adverse costs order to seek an injunction or take action of this nature. And it most often happens when there’s a negative allegation against them that they don’t want being made public. So there’s a huge overlap between privacy and defamation, and of course, the key difference is that in privacy, you don’t have to show that it’s false. |
00:27:38 | DT: | Yes. |
00:27:39 | SD: | You only have to show that it’s private. And in Australian law, courts have traditionally been very reluctant to injunct defamatory material, because of the overriding free speech considerations. It’s called the rule in Bonnard v Perryman. And that’s also been picked up by the High Court, for example, in the ABC v O’Neill case. And so it’ll be interesting when courts come to apply this public interest balancing test as part of the cause of action, whether they look to the UK, where, for example, in relation to photos of children, and they’re really applying a test of what’s in the best interests of the child. So unless you’ve got the child’s and parents’ consent, then there’s likely to be an issue, or whether they look to the Australian tradition. Of course, you can take a photo in a public place, and of course you can publish material and people can sue you for damages afterwards, but we are going to be very reluctant to injunct it. So those early cases are going to be very informative as to the direction that our courts take. |
00:28:47 | DT: | Yeah, absolutely. Certainly, as you say, in that early interlocutory stage where many of these concerns around free speech and press freedom are in practice resolved at that stage, right? There is a cause of action in damages to resolve down the track, but if we’re talking about the freedom to publish information, it’s really what happens at that interlocutory stage that matters so far as the public interest. I think you also made a really good point there, Sophie, which we just put up in headlights, which is a lot of the examples you described Hamish, we’re all publishers in a sense. We all have the capacity to collect information and publish it about people known to us or not known to us, right? And so we could all engage in a breach of privacy, or a serious invasion of privacy in the language of the tort, but as you say, in practice where someone’s suffering sufficient harm to engage a solicitor, engage counsel, draft and file pleadings and bring that to finality, it’s likely to be the case that they’re a public figure of some kind and the defendant is likely to be a publisher in some professional capacity. So although the cause of action isn’t framed in that way, the commercial or practical circumstances around when these causes of action are likely to be brought and litigated, it’s probably, again, we’re talking about press freedom and publication by the media. |
00:30:06 | SD: | And of course, here we’ve got an interesting situation because unlike the UK, we’ve got a journalism exemption, which is fantastic. So it means that professional journalists’ content can be distributed without a cause for concern around the tort. And it’ll be interesting to see, I think, the courts are likely to say, “look, if the media has published it, then there’s no longer reasonable expectation of privacy.” But we’ll just wait and see, because they may not apply it in that way. Because of course, for example, if you want to publish something – well, you are a professional journalist, so you’re a bad example – perhaps if I do, in my personal capacity, or if a normal member of the public who’s not a professional journalist wants to publish something, then they don’t have the media exemption, generally, and so that’s where the rubber’s going to hit the road on what people can and can’t publish consistently with this tort, and obviously for platforms, they’ll need to make decisions about their moderation practices when they receive complaints based on the tort. So, we’ll just have to wait and see how that unfolds, because it’s a completely unique situation to both have the tort and have the journalism exemption. So, we know that whatever happens, it’s going to be different to what’s happened, for example, in the UK. |
00:31:26 | DT: | Absolutely. |
00:31:27 | SD: | And it’s funny, I’m thinking through all my cases, because of course, like every media lawyer, I’ve defended plenty of injunction applications in the past, and one of the things Hamish and I are doing is to make sure that we’re ready for this tort. You know, we’re preparing all of our submissions and things in advance because the way these things unfold is somebody calls the duty judge – |
00:31:47 | DT: | And you’ll need to be there in two hours. |
00:31:48 | SD: | Yeah. Exactly. And ready to fend off that initial interlocutory application in a way that gives the court confidence in making a decision, hopefully, given our client mix, which is mainly media and internet companies and technology companies, permitting publication, but ensuring that the judges who – it’s obviously a heavy responsibility for them having to make decisions on these important issues, often on very short time frames – and to ensure that they have the law and the evidence that they need to make a decision quickly. But yeah, I was just thinking about some of those and of course, a number of them have been the subject of successful injunction applications in the past because the courts have to’d and fro’d about whether or not there’s a cause of action. So some of the more entertaining ones, there’s very little I can say about them, but it is interesting because it is often when people have done the wrong thing and they want to avoid that being published. And of course, there’s a tradition in Australia, in New South Wales, for example, the Ettinghausen decision many years ago, and sort of kiss and tell defamation actions when public interest was an element, and I guess that’s likely to be one area where outside of journalism – and there’ll be debates no doubt about where news and current affairs starts and finishes and interesting issues – about where the line for that sort of content will now be drawn. |
00:33:15 | DT: | Absolutely. I suppose, and I’ll direct this one to you, Sophie, there’s the design of the tort that parliament informed by consultation with experts has arrived at, and then there’s the gritty, messy reality of litigating that tort, and I expect in much the same way as defamation actions are often at relatively short notice, at least insofar as the interlocutory stage is concerned. Appreciating that in your time you will have acted both at interlocutory and final hearings on versions of the common law or equitable tort and on actions like it, how easy do you think – or maybe difficult is more accurate – how easy or difficult do you think it is for a plaintiff to bring this tort for serious invasion of privacy in practice? |
00:33:58 | SD: | Well, that’s a very good question. People have brought claims in the past, as I’ve said, the courts have to’d and fro’d about whether or not there’s already a cause of action, either a common law or an equity in Australia. So, people like us, Johnson Winter Slattery, we’ve got quite a big media practice with lots of people who’ve had experience in dealing with those injunction applications. It all moves very quickly. We see them in a sort of media law space and also in the IP law space and so you have to be quick on your feet and part of our job as an external law firm is to ensure that we’re prepared to be not just quick on our feet but also effective. So how it would typically happen is the claimant’s lawyers would do some preparation work, preparing some affidavits and preparing an application to the court. When they’re ready to go, they’d be contacting the duty judge’s associates in the relevant court – both Federal and State and Territory Courts have jurisdiction in relation to this tort – and then for injunction applications you can be heard quite quickly and they would normally be writing it in parallel to the respondent and so everyone would be up at court quite quickly arguing it and the court would decide whether or not to make an interim injunction to maintain the status quo while it decides. The tradition in Australia in a defamation context has been shaped by what’s called the rule in Bonnard v Perryman. Which was affirmed by the High Court in the ABC v O’Neill case, which is to the effect that in general, injunctions are not given in matters affecting freedom of speech. It’s the opposite of IP law. In IP law, sort of, injunctions are a common remedy. In defamation and media law, there’s this overriding concern about freedom of speech, and that’s made injunctions almost impossible to get in the defamation space over the last 20 years in Australia. So people do get injunctions, for example, to restrain a breach of confidence. 
So they move quickly. There are a lot of risks for claimants deciding to go ahead because, I mean, they have to invest in a lawyer, particularly at the moment where we don’t know how courts are going to approach things like the public interest balancing test in Australia, where at the moment our jurisprudence is quite different to that in the UK. There’s uncertainty as to outcome, and of course in any litigation, if you sue and you lose, then you usually have to pay the other side’s costs. |
00:36:26 | DT: | And then I suppose, this is certainly not my area, but when you think about whether an injunction is an appropriate remedy, especially on an interlocutory basis, you think about things like, yes, preserving the status quo, but also whether damages might be an adequate remedy for the publication, and of course we have in defamation a rich tradition of valuing the publication of defamatory material. That’s why the cause of action exists. And I imagine the same is true of tort of privacy, or the newly created tort of serious invasion of privacy. So you would have a challenge as a plaintiff establishing that damages was not an adequate remedy for the publication of that material. And then I suppose you also have on the other side of that, an undertaking as to damages to protect the defendant who proposes to publish that material. It might be very difficult to value what that damage to the defendant might be. |
00:37:15 | SD: | That’s exactly right. So there’s going to be a lot of risk for plaintiffs deciding to take that course, though no doubt some people will. |
00:37:22 | DT: | Yeah. |
00:37:22 | SD: | And I think in addition to the injunction applications, we’re quite likely to see the privacy tort being added to cases. So for example, trespass cases we’ve seen in the past, you’d recall trespass cases involving the media. In fact, Lenah Game Meats was one of them. And I think we’ll see the tort thrown into those ones. |
00:37:42 | DT: | And while Lenah Game Meats, just pausing there, would be an interesting one to litigate today with the tort because it had this interesting characteristic where the person who recorded the footage was not, I suppose, a journalist, was not from the ABC, was a whistleblower, an activist who became a whistleblower by virtue of getting a job there, but was not in that category of a journalist invading the privacy of Lenah Game Meats and obtaining that footage in that capacity, right? So there’s that additional confounding factor, I suppose, between collecting that material and publishing it. |
00:38:15 | SD: | That’s exactly right. And actually, you’ve hit the nail on the head, David, because one of the things that the media argued for in relation to the tort was that there should be protection for sources. The Senate Committee recommended and the Parliament made some changes to protect distributors of journalist material, which is so important given the way in which things are distributed in modern times, obviously, a lot of it is informal sharing beyond the media organisation, but the protection for sources hasn’t ended up in the legislation. So one of the live issues is going to be, well, will there be any actions involving the sources either at the injunction stage or at the later damages stage? And we’re just going to have to wait and see. So there are some really interesting aspects of this that I think we’ll see play out really over the next five to ten years as not only cases test different fact circumstances, but also the different courts come to develop their jurisprudence and ultimately some of them no doubt will go to the High Court for clarification. Because there are two aspects of the tort. There’s publication of private information, which is, I think, the one that really comes to mind for people, you know, celebrities going to drug and alcohol clinics, kiss and tell stories, that sort of thing. And in the UK, as I said, it’s extended to police investigations and arrests. So, for example, the Cliff Richard case you’re probably familiar with, police raided his home. The media reported on that and it was found to have breached privacy by doing so. He was successful in establishing a cause of action. It’s important to note that Sir Cliff was never charged and the police were satisfied that they didn’t need to take it any further, so everyone should assume that Sir Cliff is well and truly innocent – not wanting to defame anyone on the show. |
00:40:07 | DT: | That’s the media lawyer in you. |
00:40:09 | SD: | Yeah, a bit of bane and antidote there. Yeah. Just gonna make it very clear that we should all assume Sir Cliff is innocent. But it does raise interesting issues, because obviously police wield a lot of power. It’s important that media report on police activities, because that’s a discipline for police to ensure that they’re acting properly. And so, as I said, it’ll be interesting to see whether Australian courts take a different approach to their UK counterparts, and time will tell. TIP: Now, Sophie has just mentioned the Sir Cliff Richard case. If you’re interested, the full citation for that one is Sir Cliff Richard OBE v The British Broadcasting Corporation and The Chief Constable of South Yorkshire Police [2018] EWHC 1837 (Ch). In that case, the UK High Court addressed important issues related to privacy, and in particular, how media outlets report on criminal investigations before charges are brought. This case arose from the BBC’s live coverage of a police search at Sir Cliff Richard’s home in connection with historical sexual abuse allegations under Operation Yewtree. Richard was never arrested or charged, but he brought a privacy claim against both the BBC and the police. In that case, Justice Mann ruled that individuals under police investigation have a reasonable expectation of privacy, particularly when they have not been charged with a crime. This expectation is based on the stigma attached to being investigated and the subsequent potential harm to one’s reputation. Even though a search warrant had been executed and the police action was visible, this did not automatically override individual privacy rights. In considering these factors, the court found that while the investigation itself, as it dealt with sexual abuse allegations, was of public interest, the specific identity of Richard as the subject of the investigation did not necessarily contribute to public debate.
The judge noted that Richard’s public figure status did not diminish his privacy expectations during a criminal investigation, and especially before charges were filed. The BBC’s sensationalised reporting and the manner in which the information was obtained, which was via a journalist’s implied threats, also weighed against the media’s defense. TIP: Now, Sophie’s just mentioned Justice Spigelman’s keynote address called ‘Seen to be Done: The Principle of Open Justice’. In that address, Spigelman discusses the principle of open justice, especially in relation to media coverage of judicial proceedings. Open justice is the idea that not only should justice be done, but it should be seen to be done, promoting transparency and public confidence in the judicial system. Justice Spigelman asserted that the media plays a critical role in the principle of open justice. By reporting on court proceedings, the media ensures that justice is conducted transparently, providing a check on judicial power and maintaining public confidence in the system. However, Justice Spigelman also notes that the media’s power is not without limits. Media outlets may sometimes act irresponsibly, motivated by commercial gain rather than public good, which can undermine the principle of open justice. Because of this, courts must navigate the tension between open justice and the protection of other rights, such as the right to a fair trial and the right to privacy. And although the media’s role in ensuring transparency is vital, it does have to be weighed against those other rights, particularly where there is a risk that the media’s actions can harm individual reputations or compromise the fairness of a trial. |
00:44:58 | DT: | That framing of public interest, that sunlight is the best disinfectant kind of role of the media in mitigating the power of the legislature, executive and judiciary, seems like a strong and persuasive version of public interest. It’ll be interesting to see just how broad beyond that public interest may be framed. |
00:45:17 | SD: | That’s right. And how that will work in the sort of modern citizens journalism context where people are publishing stories through the internet and that can go viral through their social media, people who are not professional journalists. So it’ll be very interesting to see how that plays out. And I can’t resist noting, I love that you use the “sunlight is the best disinfectant” quote, because you know that that is a quote from the guy who wrote the Right to Privacy article. |
00:45:43 | DT: | Is that right? |
00:45:43 | SD: | Yeah. “Sunlight is the best disinfectant” and “electric light; the best policeman.” |
00:45:49 | DT: | Wow. |
00:45:49 | SD: | That’s from, I think it’s called ‘Other People’s Money,’ which is a later article by the same guy. Okay. So there we go. It was entirely unintentional. His thinking is pervasive. |
00:46:00 | DT: | Clearly. More pervasive than I realised. Let’s talk about some of the other changes in this recent Amending Act. One of the other changes in the amending legislation involves the powers of the OAIC, the Office of the Australian Information Commissioner. There have been criticisms of the powers granted to the OAIC in the past, that it’s a bit of a paper tiger, relatively limited in its capacity to enforce the Privacy Act. Hamish, what are some of these new powers that are coming to the OAIC? |
00:46:28 | HL: | So there’s a couple of new interesting powers, the first of which being the public inquiry mechanism, which is under the new section 33B, which will allow the minister to direct the commissioner to conduct a public inquiry into specific privacy matters. As an example, the minister might direct the commissioner to examine the processes APP entities have in place in particular industries of concern, specifically where there might be greater privacy risks or vulnerabilities. And this sort of inquiry is distinct from any existing investigatory power under section 40. There’s also no requirement for the inquiry to relate to a particular incident or suspected interference with privacy, and so in that way, they’ll be able to invite submissions on matters which are the subject of the inquiry and to hear what the public thinks might be of concern in these particular industries to kind of bring issues to light and so that they can be looked at independent of whether there’s actually been a breach or anything of that nature. |
00:47:19 | DT: | A structural approach to privacy issues rather than an incident based approach. |
00:47:24 | HL: | A bit more proactive than reactive, looking to get to the bottom of what new technologies might be causing particular issues or looking at stories coming out of people being at risk, but not having a particular incident to draw upon to take action, giving an opportunity for the commissioners to take a proactive approach to weeding out how they might deal with particular privacy issues before harm’s actually suffered in the best case scenario. |
00:47:48 | DT: | And at the same time, the OAIC has been given additional powers to enforce compliance in specific instances. Can you tell us a bit about those? |
00:47:55 | HL: | Yes, so on the enforcement side, there’s two new powers for the OAIC being the infringement notices and the compliance notices. The infringement notices mainly look at particularly enforcing APP obligations that are a bit more administrative in nature. And so these relate to things like having an APP privacy policy, the content of the privacy policy, whether individuals are able to choose to identify themselves in dealing with entities – those kinds of more black and white issues where the commissioner can more easily enforce breaches. And so these infringement notices for each contravention of the provisions can be up to $19,800 for a body corporate, which is other than a publicly listed corporation and up to $66,000 for a publicly listed company. And so these sorts of infringement notice powers will allow the commissioner to take action without having to engage in more protracted litigation. Similar to what we’ve seen with the Spam Act. I know, Sophie, you mentioned the other day, I think it’s been a lot more active in terms of issuing infringement notices and releasing spam issues because of the infringement notices power. |
00:49:00 | SD: | You’re absolutely right, Hamish. So what we’ve seen is the pattern of enforcement of the Spam Act has changed radically since those powers have come into play. Because obviously penalty proceedings for civil penalties are expensive to take and regulators have limited budgets and have to spend them wisely. And so we’ve seen the pattern of enforcement change from maybe one or two actions a year to being a couple of infringement notices every month. |
00:49:27 | DT: | Yeah, right. |
00:49:28 | SD: | So a million dollars there. 3 million here. So the risk of being the subject of enforcement action is much higher with those sorts of powers. Because whilst we’re seeing the OAIC investing in some big actions, we’ve got three big civil penalty actions in play at the moment. The frequency of those actions is low, so now we’ve got a combination of infrequent big matters in the Medibank proceedings, as you probably know, that the penalties sought add up to literally trillions of dollars, and that will obviously be a big and hard fought piece of litigation and then these smaller matters so people will now have to face a high probability of a smaller action as well as a low probability of a devastatingly large action. |
00:50:21 | DT: | There’s more tools in the toolkit for ACMA and I suppose now for the OAIC in the sense that you have the infringement notice for enforcing compliance and as your kind of deterrent effect and then you have your sort of opportunity for strategic litigation as well. |
00:50:34 | SD: | That’s exactly right. That’s exactly right. |
00:50:36 | DT: | At the top of the show, I made reference to some of the large scale data breaches that have occurred in the last few years. Sophie, you just mentioned the Medibank one. There are some new obligations in the privacy law amendments directed to cybersecurity and compliance when it comes to a cyber breach. Tell us a little bit about these new cybersecurity obligations. |
00:50:57 | SD: | So really there’ve been two developments. The two significant developments over the last few years in cyber are the Security of Critical Infrastructure Act 2018 (Cth) (“SOCI”) and the sort of lifting bar in relation to the SOCI Act, whereas everyone’s now carrying risk management programs and ensuring that they’re SOCI compliant. And obviously SOCI Act – the Security of Critical Infrastructure Act – imposes much shorter reporting deadlines of 12 or 72 hours than the deadlines that we currently see under the Privacy Act, though there’s certainly a proposal to bring in the Privacy Act reporting deadlines. And the second really significant development is these big enforcement actions that we mentioned before. So previously, until about 2017, the OAIC took a very conciliatory approach and that was their public facing approach and then in about 2017, 2018, the Privacy Commissioner said the gloves are off now that everyone should have the hang of privacy compliance and cyber compliance and we’re actually going into enforcement mode and they’ve now very much put their money where their mouth is on that side and so I think those combined with the increasingly common nature of cyber attacks have meant that cyber is now really on the top of the agenda for most major companies, ensuring appropriate cyber response policies, risk management programs, business continuity, war gaming, training, relationships with regulators for a lot of them. So the bar has risen massively in that area. The immediate law reforms that Hamish will talk about in a second really focus on those ransomware attacks, so extortion. |
00:52:40 | HL: | So I think the other one that came out was the standalone Cybersecurity Act 2024 (Cth), which is the first of its kind in Australia, and so far it currently contains some minimum standards for smart devices, which will assist with preventing cyber breaches relating to Google Home, sorts of products you could have around the house where you might have access to more personal information than just your laptop or something to that effect. There’s also mandatory ransomware and cyber extortion reporting requirements, and so a reporting business entity under the Act will need to make a report within 72 hours of making a ransomware payment, or becoming aware that a ransomware payment’s been made, and that’s to avoid any disconnect between having a third party make a ransomware payment on the entity’s behalf, making sure that all of that data is captured. Interestingly, the legislation only captures instances where the ransomware payment is actually paid rather than tracking when a cyber extortion attack has been launched against an entity. So we won’t have a full picture necessarily of what sorts of activity is out there, but we’ll have a much greater understanding of the sorts of payments that are being made just to get more of a scale of the risk coming out of these cyber extortion attacks. |
00:53:52 | SD: | So that’ll be one of the factors for companies to bear in mind when they decide how to respond to a ransomware attack. Most companies would be getting advice on things like risks that can arise under sanctions legislation. There are specific cyber related sanctions. |
00:54:10 | DT: | Yes. Well, I suppose if the threat actor is located in a jurisdiction subject to sanctions, then paying that ransom can be far more legally significant than paying it to an actor in a jurisdiction not affected by sanctions. Like for example, Russia or Iran. |
00:54:25 | SD: | Yeah, exactly. And the same thing arises in relation to potential payments to terrorism organisations. There are due diligence defences probably beyond the scope of today, but they’re things that people will be getting advice on when they decide how to respond to those sorts of attacks. And we’ve got a specialist team that deals with those issues within JWS, but people will also need to think about that reporting obligation and take that into account in their response. |
00:54:54 | DT: | Now, one of the interesting proposed changes – I say proposed change, because I think it’s in the Amending Act, but is yet to come into force, I think this one’s coming in a couple of years, actually – is the Children’s Online Privacy Code. I read this statistic and I was floored by the sheer volume of it and then started to come around to its plausibility. It’s been said that by the time a child in Australia turns 13, about 72 million pieces of data will be collected about them beginning before they’re born. And I suppose when you think about pregnancy tracking apps and things like that, that might collect a date of birth and name before you are born, that starts to sound plausible. I want to talk about what this code is, its enforceability, its status as law, when it’s coming in and what it contains. But before I do that, you know, we’ve got an interesting opportunity in that, Sophie and Hamish, you’re from different generations, you’ve experienced the digital world and privacy in it from different perspectives. When you were growing up as children, what were your big privacy concerns? |
00:55:52 | SD: | Well, I think it’s really interesting actually, David, because I think there’s been a real evolution in privacy. When I was young, the worst thing you had to worry about was someone taking a photo of you, and then of course it was just a single photo. It wasn’t going anywhere. |
00:56:04 | DT: | Yeah. |
00:56:05 | SD: | Or gossiping about you, but there weren’t these sort of mass publication concerns that people have now. And I think it would be really interesting to see what Hamish says on this topic, because I think he’s grown up in what I would describe as the Wild West of the Internet, like when the internet has grown and been relatively unregulated. |
00:56:23 | DT: | Yeah. |
00:56:23 | SD: | And I think the next generation will have a different experience again, which maybe we can reflect on. |
00:56:28 | DT: | Yeah. And I suppose it’s been variously said about your generation, Hamish, and the one that comes after it, that there’s a diluted or even an absent concern about privacy, which I’d be interested to hear either be confirmed or debunked. |
00:56:39 | HL: | Definitely. So I think while you describe it as the Wild West, I definitely, growing up, had a lot of presentations and sorts of information given to me about how to lock down your online presence and how to avoid scams and those kinds of things. So from my perspective, it didn’t necessarily feel like the Wild West. I felt like we were given the tools to navigate the space in a way that enabled us to have a bit more control over our data, or at least to be more conscious over how our data was collected online. And to your point, I think there has been a large trend in the past 5 to 10 years of just, a bit of data breach fatigue and a little bit of privacy ambivalence where the trend is that people view that these large multinational corporations have all the data on people that they want anyways, and so they’re less concerned about mitigating the negative effects of their data being breached, and there’s also so many reports in the news of various data breaches occurring that you get a bit, “oh yep, there’s another one,” which is a bit cynical of a take, but I think it’s definitely the emerging look towards it. It’s just that there’s only so much that one individual can do to control how their data is shared, and so there’s a large wave of ambivalence towards privacy concerns coming out, which I think it’s quite in contrast to the large wave of privacy reforms that we’re seeing. |
00:57:57 | DT: | Yeah, it’s sort of at odds, aren’t they? And I can completely understand what you’re describing as this ambivalence. I mean, I had a personal experience recently. I got a call from an unfamiliar number. It was apparent that because they were using a very out of date address that they had obtained my information from a data breach. I checked Have I Been Pwned, and I realized it was from this particular data breach when I was living at that address, and I think there would have been a time where that would have been disconcerting and a little scary and a little anxiety inducing, but I just sort of thought, “oh, it can’t be too serious. It’s really old.” As an Optus customer, a Medibank customer, and the customer of this other company that this hacker got my information from, you do get a bit fatigued by responding to it all. So I think that’s interesting. |
00:58:39 | SD: | So do you think there’s a question then as to whether the regulation is fit for the purpose that we’re seeing now of creating this much more regulated environment for the next generation in which it will be less self guided and potentially that things can change in both directions, so it’ll be really interesting to see for the next generation how they respond to this new regulation, and whether they consider it’s fit for purpose for their generation, or whether they consider it’s overkill, and to see which way it goes from there. |
00:59:08 | HL: | Yeah, and I think while obviously there’s an emerging wave of ambivalence, it’s still very important to have these kinds of checks and balances in place. But I think it’s just the prevalence of these data breach stories coming out. And even when you’re logging into your web browser, you can see what passwords you’ve got that have been compromised. You go – you said yourself – “oh, yep, that one’s been involved in six data breaches. I’ve probably got to stop using that. And that information is pretty out of date, and I don’t think they’d have any of my payment card details, so it’s probably low risk.” But it just becomes very everyday. It’s just that your data is not necessarily entirely within your control. And so I think it’s definitely important to have these kinds of checks and balances in place, but in terms of public sentiment, I think it might be harder to find the support to increase these privacy controls going forward. Well, it may be harder. I think there’s definitely still a desire for a level of control over privacy, but yeah, we’ll just have to see what this new world of data breaches being the usual becomes. |
01:00:03 | DT: | I think as adults we often think about our credit card details or our tax information or something being involved in a data breach. I suppose thinking about the Children’s Online Privacy Code and some of the data that’s probably out there from my childhood. I was a teenager in the pre Facebook social media era so there’s probably some really cringeworthy MySpace posts that someone could dig up. I wonder if that’s the kind of privacy we’re concerned about for our children and for the next generation in the sense of this kind of European right to be forgotten, right? This right to move on from some of the things that we’ve written or had written about us in the past. Is that something that the new Children’s Privacy Code might be directed to? |
01:00:43 | SD: | Well, it’ll be really interesting to see what actually does go into the Children’s Online Privacy Code as the OAIC is developing that code and they’ll be required to consult. The industry will get at least 60 days to consider the proposed code before it goes forward and it’ll be an enforceable code under the Act. It’s highly likely that the UK age appropriate online standards are going to be very influential in relation to the contents of the code. So the age appropriate design code, which has got 15 core principles, and they’re things like having privacy by default settings, not tracking the location of children, and really, they’re informed by trying to put the best interests of the child first. And we see that too in the agreed in principle law reform recommendations that we’ve seen, which haven’t gone forward in the first tranche of reforms, but are still on the agenda for the second round of reforms. I think a lot of them may actually end up in this Online Code. For example, one of them was not targeting a child unless it’s in the child’s best interests. So obviously some of the things people will be thinking about then there is making sure that what goes to children is age appropriate. And that dovetails with a lot of what we’re seeing happening in the online safety space, actually. Because under the Online Safety Act, as you probably know, it’s that framework of having enforceable codes and standards where there is not a sufficient Code. And over the last 12 months, we’ve seen the codes and standards start to come into effect. And essentially, they require platforms to take steps to prevent exposure of people to inappropriate content. So it started with the most serious in phase one types of content like pro-terror material and child exploitation material, and then it’s now going into sort of serious porn and the next stage.
But you can see there might be a bit of a meeting in the middle of all of this that essentially there’s going to be this requirement to control to a much greater extent than has been in the past, what children see online. So perhaps future generations may not enjoy the autonomy that Hamish was talking about, that he enjoyed being educated about how to curate the internet and then doing that, and also the collection of information about children and the use of disclosure of it will be minimised to a greater extent than in relation to adults. |
01:03:11 | DT: | I’m also thinking about this in the context of the social media ban for children. I can’t decide whether they’re at odds or complementary in the sense that there is, plainly, the platforms subject to the ban are the most likely places to collect, retain, store data about young people. At the same time, The Prime Minister has acknowledged in public comment about the ban that it’s a bit more like a prohibition on underage drinking that might be from time to time breached in the course of a normal childhood that nevertheless sets a social or moral expectation and it is sort of a tool for parents. I wonder how our code might differ from some of the codes in the rest of the common law world like the ones you described, Sophie, because they are influenced by this prima facie absence of a really even a right to sign up for services like these? |
01:04:01 | SD: | Well, there’s going to be an element to wait and see. I suppose at the moment, it’s in the hands of the OAIC. I think that there’s every chance and we know that they advocate a protective stance in relation to children. And I would imagine that if they do try to address matters such as what content child will receive, it would be by reference to those sorts of principles that have already been supported and approved in principle as part of the reform process, like targeting only in the best interests of the child and not direct marketing to children. That sort of thing. It’s interesting, actually, because in relation to children, obviously, with adults, a lot of targeting is to give people what they want. And there are interesting issues with children, of course, because what they want and what’s in their best interests may not be the same. |
01:04:55 | DT: | Often do not coincide. |
01:04:56 | SD: | Exactly like, so the child who doesn’t want to watch the program designed to enhance their literacy may well be the very child who should be watching the program to enhance their literacy. |
01:05:08 | DT: | Yeah. |
01:05:08 | SD: | So it’s a really interesting and developing space. And I certainly have encountered clients over the last few years who had been looking at things like ethical algorithms, policies, just voluntarily in terms of being thoughtful about those things. So what is going to the front of the feed for children of different ages and what do they want to see and what should they be seeing and are they the same thing? |
01:05:32 | DT: | Very interesting questions. Yeah, absolutely. Now we can’t talk about changes to the Privacy Act without talking about privacy policies. One change that isn’t in this first tranche of amendments but that we expect to come is a change to the threshold for consent to the collection, storage and potential third party disclosure of personal information from an implied form of consent to a voluntary, informed, specific, current and unambiguous form of consent. Now we don’t have that in the current tranche of legislation so we’re left to crystal ball gaze a little bit but do we have any examples from overseas or do we have any sort of heuristics or frameworks models for how this might look when these changes do come into play? |
01:06:14 | HL: | The proposed change aligns closer to the GDPR’s voluntary element. Firstly, for the voluntary element, I think that that will be especially in relation to increasing regulations surrounding dark patterns and having user interfaces that are designed to enable the consumer to more easily. |
01:06:33 | DT: | Those make decisions about their personal information. I suppose when we think about the GDPR, everyone has experienced the, we collect cookies kind of notification data collection notice, I believe it’s called under the GDPR, that sort of puts that up in the headlights as a conscious decision for the user to make on their first visit to the website. |
01:06:52 | SD: | And of course we could have an entirely different session just on cookies because of course that’s the e-commerce directive and the personal information definition, something which is on the agenda for the next tranche of reforms, but in relation to the consent question that you asked, the OAIC’s current guidance requires those four things, so we’re already seeing a focus amongst our clients on ensuring that they’re adhering to those sorts of principles. It’s about, as you’ve said, making sure the disclosures up front are very clear. And current is actually quite critical because in a marketing context – and it’s relevant for the Spam Act as well as the Privacy Act. You may have given me your consent today to send you marketing emails. But how long does that consent last? Particularly if we haven’t heard from you, for example. But people are making judgment calls about that. And my observation over the last 10 years of practice is that people have become more and more conservative in their approach. |
01:07:55 | DT: | Yeah. |
01:07:56 | SD: | And that has reflected two things, the increasing layer of regulation in this area, and as we move towards guidance becoming law. And secondly, that enforcement environment is changing. |
01:08:07 | DT: | I want to ask a practical question about privacy policies, even ones that are applying, as you say, a voluntary, informed, specific, current, unambiguous approach to consent. We had a guest on the show, academic Katharine Kemp, who estimated that it would take six working weeks a year to read all of the privacy policies to which you are subject. I’ll happily admit it, even as a lawyer myself, I do not read a privacy policy or website terms and conditions. I tend to subscribe to the view that there’s something in them that would prevent me from signing up to the service I’m about to sign up for. There’s not a great deal of point in reading them. There’s a sense of unreality, I suppose, about taking a more unambiguous and active approach to consent in a world where no one reads these documents or cares to. Talk to me a little bit about the disconnect there, I suppose, between the practical reality of having a conversation with your users about your privacy practices and that being a kind of one sided conversation. |
01:09:07 | SD: | Yeah, look, there are a whole lot of judgment calls that need to be made. When GDPR came in, I worked quite a lot as part of an international team on people revising their consents to make them just granular enough, because obviously if they’re too granular, people aren’t going to read them. So that utility goes. If they’re not granular enough, they may not meet the requirement. And so most of them would unfold into, say, between three and six dot points. Yeah. So careful and pragmatic decisions need to be made around that. It’s important to bear in mind, both in relation to consents and disclosures, that you have not only the lens of the Privacy Commissioner, bearing in mind sort of APP5 and APP1, but you’ve also got the lens of the ACCC, which has shown that it’s happy to litigate against people who they think are misleading consumers. So it’s really that there is a risk of overload and that may actually become worse with the automated decision disclosure requirement, which requires a disclosure in the privacy policy in relation to decisions essentially, which are assisted in any way by software, involve the use of personal information and have a significant potential impact on people. So that will be another layer of disclosure for organisations coming in. It’s really important for people, not just to make sure they address everything, but also to exercise some common sense, and you’ll see that best practice includes not just having a long form policy, but also having the things that people might find surprising in a short form summary that’s readily accessible. And that’s the sort of approach which regulators are likely to be supportive of, because it minimises the chance that people will be misled, as well as meeting the privacy obligations. |
01:10:52 | DT: | Absolutely. There’s so much more an entity can be doing than publishing their privacy policy and leaving people to read it, right? There’s these product design decisions that go into being responsible and active and unambiguous about the consent to collect information. We’re nearly out of time. Before I let you go, I want to ask a question on behalf of students who might be listening or perhaps listeners who’ve recently joined the profession. This is a fascinating area of law, that I can understand why you want to practice in it, Hamish, I can understand why you have practiced in it for so long, Sophie. For any of our listeners who want to practice in this area, what’s one bit of advice you’d give them? Maybe starting with you, Sophie. |
01:11:28 | SD: | I think, just be curious. In an area that’s changing quickly, read deeply, be curious, think critically, and if you’re in practice, ask questions as well. Because by being curious and kind, basically, you’ll find that you learn and make friends. And I think actually those two things are the key to a successful practice. |
01:11:48 | DT: | Couldn’t agree more. Watchwords for practice, I think. |
01:11:50 | SD: | Yes. |
01:11:51 | HL: | Following on from Sophie’s, I think something that drew me to this area of law was just how fast it was evolving, and so I think it’s important that you’re a student, try to get exposure to as many different areas of law as you can, and find what makes you excited so that when you go into practice and you’re working in these areas every day, you’ve got something to look forward to knowing that your career is a marathon and you’ve got something that you’re passionate about. If you’re able to find that at uni, that’s a great way to get started. |
01:12:16 | DT: | Absolutely. Well, Sophie, Hamish, thank you so much for joining me today on Hearsay. |
01:12:19 | SD: | Absolute pleasure. Thank you. |
01:12:20 | HL: | Thanks for having us. |
01:12:31 | TH: | As always, you’ve been listening to Hearsay the Legal Podcast. We’d like to thank both of our guests, Sophie Dawson and Hamish Lennon, for coming on the show today. Now, if you’re interested in privacy law, why not check out either of our 2 past episodes with Alec Christie, Partner at Clyde & Co? His first one with us was episode 83. That one’s called ‘The Privacy Parables: Understanding Australia’s Privacy Act in the GDPR Age’ and is episode 83. The newer one is episode 91; ‘The Privacy Parables II: The AG’s Privacy Report and the Future of Privacy in Australia’. If you’re an Australian legal practitioner, you can claim one continuing professional development point for listening to this episode. Whether an activity entitles you to claim a CPD unit is self assessed, as you know, but we suggest this episode entitles you to claim a substantive law point. If you would like more information on claiming and tracking your points, head on over to the Hearsay website. Hearsay the Legal Podcast is brought to you by Lext Australia, a legal technology company that makes the law easier to access and easier to practise, and that includes your CPD. Now, before you go listeners, we’d like to ask you a favour. If you’re enjoying Hearsay the Legal Podcast, please leave us a Google review. It helps other listeners to find us, and that ultimately keeps us in business. Thanks for listening, and we’ll see you on the next episode of Hearsay. |