Go to the profile of Georgia Douglas
Georgia Douglas
Barrister-at-Law, Victoria, Australia

Will #Censusfail reignite the calls for a right to sue for breaches of privacy in Australia?

On Tuesday 9 August 2016, Australians everywhere went online in an attempt to complete the mandatory household Census. This Census was remarkable in two ways: it was the first online Census and the first Census to require Australians to provide their name along with the survey information.

The ABS no doubt anticipated the public to voice privacy concerns. It was billed as ‘the fastest, easiest and most secure Census in its 105-year history’.[1] The Australian Bureau of Statistics’ (ABS) Census boss, Chris Liberi, even went so far as tell media outlets that ‘the digital snapshot [Census] of 2016 would not fail’ and noting ‘we couldn’t do it unless we were able to safely do it, we have evolved it and we are confident’.

Yet, as this year’s #censusfail has shown, the modern online security conditions rendered these assertions of security redundant. Four cyber attacks throughout Census day brought the Census website to its knees by dinner time. The website was shutdown by the ABS around 7:45pm on Tuesday night and restored on Wednesday.

The information collected in this year’s Census included your date of birth, address, total earnings, your religious persuasion, marital status, whether you have been searching for a job recently, how many cars you have and even how you travelled to work that day.

The combination of this information is undoubtedly inherently private and confidential. In the wrong hands such information could be used for phishing or catfishing scams, to engage in identity theft, target advertising, corporate profiling of individuals and many other forms of fraud/nefarious activities. Despite the risks, refusing to complete the Census is not an affordable option for most people. It is a strict liability offence if you do not complete the Census ($180 fine) or if you make a false or misleading statement in response to a Census question ($1800 fine).[2]

Since Tuesday night, the ABS has repeatedly claimed that there was no breach of the data already collected. Rather, the ABS claims, that the cyber attacks were ‘denial of service’, overload attacks aimed at bringing down the website by giving the appearance that millions of users were hitting the website at one time. On 11 August 2016, the Prime Minister Malcolm Turnbull reassured the public that the source of the cyber attacks would be investigated; no doubt with time we will learn more whether any private data was taken.

The collection and potential theft of all this private and sensitive information has sparked uproar in Australia and will hopefully be the catalyst for more debate about the introduction of a tort[3] of privacy in Australia.

In Australia there is currently no private right for a tort of privacy. Put simply, if you believe that your privacy has been invaded or your private information wrongfully released by an individual, you are generally not able to go to court to seek damages or an injunction to stop the release of the information, unless you meet the requirements for a breach of ‘confidential information’.

The Federal Privacy Act 1988 (Cth) provides that all companies and government organisations must adhere to the ‘Australian Privacy Principles’, which mandate how your private information is collected, stored and communicated. You are able to make a complaint to the Information Commissioner if you consider a government body or a company has interfered with your privacy. The Information Commissioner has a variety of powers to investigate and make a determination about your complaint. The Information Commissioner may make a declaration that a person is entitled to a financial compensation for the breach of privacy, but this is not in itself binding, and must be enforced through the Federal Courts.

The common recommendations made by the Information Commissioner are for an apology; amendments to the agencies information handling policy; and undertaking staff training. Compensation declarations are not particularly generous and are unlikely to compensate a complainant’s true loss; for example recent awards include:

a. $5,000 against the Great Barrier Reef Marine Park Authority for disclosure of personal information;[4]

b. $5,000 against the Department of Defence for unauthorised disclose of information;[5] and

c. $7,500 against the Anglican Church for misuse of personal information.[6]

The biggest problem with the Privacy Act and the Information Commissioner complaint process is that it does not apply to any individuals who have misused your information, only to federal government bodies and companies.

So, where does that leave you when you learn that a particular individual has misused or stolen your private information? In 2014, the Australian Law Reform Commission (ALRC) released a Discussion Paper recommending that the Federal Government introduce a tortious statutory cause of action for serious invasions of privacy.[7] The recommended tort of privacy would have entitled a plaintiff to an award of damages, and would have brought Australia in line with New Zealand, four of the Canadian provinces, and the United Kingdom, which all recognise a tort of privacy.

The ALRC recommended that the new tort of privacy have the following elements:

a. The invasion of privacy must occur by:

i. Intrusion into the plaintiff’s seclusion or private affairs (including unlawful surveillance); or

ii. Misuse or disclosure of private information about the plaintiff.

b. The invasion of privacy must be either intentional or reckless.

c. A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances.

d. The invasion of privacy was ‘serious’ in all the circumstances, examining whether it was highly offensive, distressing or harmful to a person of ordinary sensibilities in the plaintiff’s position.

e. The court must be satisfied that the plaintiff’s interest in privacy outweighs the defendant’s interest in freedom of expression and any broader public interest in the defendant’s conduct.

The ALRC Privacy report (commissioned by the Gillard Government) was dismissed by the Abbott Government upon its release in 2014 and remains unimplemented. Yet, in our ever changing and increasingly digital world, the protection of the proposed tort of privacy in Australia makes abundant sense. Hopefully #censusfail will spur a few more people to demand better legal protections for their privacy.

[1] Australian Bureau of Statistics Media Release ‘Get ready to pause and make a difference in Australia’s biggest online event’, 23 July 2016, CO/96

[2] Sections 14 and 15, Census and Statistics Act 1905 (Cth).

[3] For the non-lawyers: A tort is a wrongful act that enables the victim to sue in a court of law.

[4] ‘EQ’ and Great Barrier Reef Marine Park Authority [2015] AICmr 11 (2 February 2015)

[5] ‘CP’ and Department of Defence [2014] AICmr 88 (2 September 2014)

[6] ‘CM’ and Corporation of the Synod of the Diocese of Brisbane [2014] AICmr 86 (2 September 2014)

[7] Australian Law Reform Commission, ‘Serious Invasions of Privacy in the Digital Era’ (ALRC Report 123), 3 September 2014.