The Tasmanian Law Reform Institute has released an issues paper regarding the state's privacy regime.
The paper states
This Inquiry was initiated by the Honourable Meg Webb, Independent member of the Tasmanian Legislative Council. The Reference was accepted by the Tasmanian Law Reform Institute (‘TLRI’) Board in December 2019. The TLRI applied for a grant from the Solicitors Guarantee Fund to undertake the Inquiry. In May 2020, the TLRI received advice that its application had been partially successful, with a lesser amount granted than requested.
The issue of privacy protection is topical in view of the matters raised in the Terms of Reference below and other developments, such as national data breaches relating to organisations such as Medicare and Optus.
The Terms of Reference were referred to the TLRI in view of:
• the rapid and extensive advances in information, communication, storage, surveillance and other relevant technologies;
• possible changing community perceptions of privacy and the extent to which it should be protected by legislation;
• the expansion of state and territory legislative activity in relevant areas; and
• emerging areas that may require privacy protection.
The Terms of Reference are for the TLRI to inquire into, review and report on:
1. the current protections of privacy and of the right to privacy in Tasmania and any need to enhance or extend protections for privacy in Tasmania;
2. the extent to which the Personal Information Protection Act 2004 (Tas) and related laws continue to provide an effective framework for the protection of privacy in Tasmania and the need for any reform to that Act; and
3. models that enhance and protect privacy in other jurisdictions (in Australia and overseas).
In undertaking this reference, the TLRI will consider and have regard to:
a) the United Nations International Convention on Civil and Political Rights and other relevant international instruments that protect the right to privacy;
b) relevant existing and proposed Commonwealth, state and territory laws and practices;
c) any recent reviews of the privacy laws in other jurisdictions;
d) current and emerging international law and obligations in this area;
e) privacy regimes, developments and trends in other jurisdictions;
f) the need of individuals for privacy protection in an evolving technological environment; and
g) any other related matter.
The TLRI will identify and consult with relevant stakeholders and ensure widespread public consultation on how privacy and obligations relating to protecting privacy can best be promoted and protected in Tasmania, and provide recommendations as to an appropriate model for Tasmania to protect and enhance privacy rights and protections.
The Institute comments
The content for this Issues Paper was finalised in January 2023. This preceded the release of a report on 16 February 2023 by the Commonwealth Attorney-General’s Department on its review of the Privacy Act 1988 (Cth) (‘Privacy Act’). Accordingly, this Issues Paper does not consider the findings of the report as to options for reforming the Privacy Act (particularly relevant to the contents of Part 2, noted below). However, the findings of the Commonwealth report will be considered in the drafting of the TLRI Final Report and the formulation of recommendations.
• Part 1 (pages 1 to 6) introduces readers to the concept of privacy protection and gives an overview of existing legal frameworks for privacy protection in Tasmania, Australia, and internationally.
• Part 2 (pages 7 to 45) discusses the scope, operation, and enforcement of privacy protection under the frameworks introduced in Part 1, focusing on information held by government agencies. It compares the protections in Tasmania under the Personal Information Protection Act 2004 (Tas) (‘PIPA’) with those in other Australian jurisdictions, particularly under the Privacy Act. Part 2 also considers possible future reforms of these frameworks and examines international developments, including the European Union’s General Data Protection Regulation 2016/679 (‘GDPR’).
• Part 3 (pages 47 to 51) explores different provisions in legislation other than the PIPA that affect how government-held information can be used and shared. It analyses how these provisions affect information privacy and draws comparisons with similar laws in other jurisdictions.
• Part 4 (pages 52 to 66) broadens the scope beyond government-held information to consider various types of privacy protections under legislation, as well as case law. It discusses legislation regulating information in the context of health services; legislation regulating surveillance (by government or otherwise); criminal laws which create offences relating to stalking and harassment and to the sharing of intimate images; and non-legislative protections in the general law. Part 4 concludes by considering the introduction of a comprehensive civil remedy for interference with privacy and sets out questions about the appropriate model for law reform.
On that basis the paper
provides background, context, and considerations regarding privacy laws in Tasmania. The aim is to facilitate informed discussion about how privacy can best be legally protected, given the rapid advances in information technology, changing community perceptions about the importance of privacy, and growing legislative regulation of various matters.
The Paper adopts a broad working definition of privacy ([1.1.2]) which covers the overlapping categories of information privacy, privacy of communications, bodily privacy, and territorial privacy. Bodily and territorial privacy are collectively known as ‘rights to seclusion’, which is the right to have one’s physical self and one’s environment free from intrusion.
Currently, there is no comprehensive privacy regulation in Tasmania. Rather, privacy protection is fragmented across different laws that protect different types of privacy in different specific circumstances ([1.2]). Different legislation may interact to affect privacy protections (Part 3). The applicability of regulations at the Australian federal level under the Privacy Act and the international level, for example under the European Union’s General Data Protection Regulation 2016/679 (‘GDPR’), create further complexity in the landscape of privacy protection. The primary privacy framework in Tasmania is the Personal Information Protection Act 2004 (Tas) (‘PIPA’) which binds government agencies and their contractors. It protects the information privacy of government-held information, primarily through prescribing ten ‘Personal Information Protection Principles’ by which the entities must abide. While a detailed piece of legislation, there are multiple gaps in its scope, operation, and enforcement that can jeopardise privacy.
Regarding scope, for example, the PIPA does not cover non-government organisations such as for-profit businesses ([¬2.2.3]); it does not contemplate the possibility of de-identified information being re-identified with the help of additional information ([2.2.22]–[2.2.28]); it does not protect unsolicited personal information—information that comes into the hands of government agencies or their contractors without a deliberate effort on their part to collect it ([2.3.51]); and it does not grant special protections for biometric information, unlike the Commonwealth law ([2.2.43]).
Advances in technology can exacerbate the impact of these gaps. For example, the lack of special protection for biometric information may pose a greater risk to individuals as technologies increase in sophistication, such as facial recognition.
This Paper suggests potential reforms to the PIPA aimed at improving privacy protection, such as by allowing individuals to have a right to object to their information being processed, and a right to request their information be erased ([2.3.60]–[2.3.90]).
However, some of the most important gaps relate to the enforcement of the PIPA, rather than its scope. In particular, there is limited ability for an aggrieved individual to seek review of decisions about whether or not there has been a breach ([2.4.7], [2.4.14]); there are no penalties imposed for breaching obligations ([2.4.10]); there is no mandatory data breach notification scheme that compels information handlers to notify an individual where a breach of their privacy has occurred ([2.4.21]); there is no ability for those handling complaints to order compensation ([2.4.8]); and there is no private right of action that allows an individual to go to court to seek damages for financial or non-financial harm suffered as a result of the breach.
These gaps, together with the fragmented landscape of protections under both legislation and general law, means that some circumstances that endanger privacy may fall between the cracks of legal regulation ([4.4.3]). This raises questions as to whether there may be a case for creating a civil statutory cause of action (and remedy) for interference with privacy ([4.4]). If such a remedy were to be created, consideration is given to whether it should be comprehensive (applying independently of the context in which the interference occurs), apply in place of or in addition to the existing suite of remedies, and allow individuals to seek redress in court when they have suffered harm.
In discussing the strengths and weaknesses of the PIPA and privacy laws more generally, this Paper seeks input from the community on several issues, including whether:
• certain entities should be covered by the PIPA;
• a greater range of remedies should be available for those affected by a breach of the PIPA;
• a data breach notification requirement should be introduced;
• new rights to object and to erasure should be introduced;
• there should be privacy regulation on specific technology such as drones;
• existing judicial recognition of privacy affords adequate protection; and
• there should be a civil cause of action for privacy and, if so, what its scope should be.