If the unlamented Privacy Bill, 2006 were to make an unwelcome return from limbo, the Oireachtas could do worse than to revise it in the light of a recent Australian example.
First, the balanced and detailed Privacy Act, 1998 (Cth) (as amended and consolidated) is an excellent starting point for any legislative development of Irish privacy law. The range and detail of its coverage, and its focus on protecting against invasions of privacy across the board, and not merely by media, make it a far more compelling protection of privacy than the flawed Irish Bill.
Second, that Act created a strong and independent Office of the Privacy Commissioner for Australia, similar to the Office of the Privacy Commissioner of Canada (see also Michael Geist's privacyinfo.ca site); and an important lesson which these offices teach us is that the proper protection of privacy in modern society requires just such an office. The Office of the Data Protection Commissioner is a good starting point, but its remit is far less extensive than that of its Australian and Canadian cousins.
And third, the Australian Law Reform Commission has just completed a two-year assessment of the operation of the Act. Its report, For Your Information: Australian Privacy Law and Practice (ALRC 108), was launched last week by the Attorney General. The three-volume, 2700-page report is the culmination of a prodigious research and consultation exercise: an Issues Paper in late 2006 led to the formal commencement of the review in January 2007 and a Discussion Paper later that year (noted here by TJ). Though there are gaps in its analysis, the final report recommends nearly 300 changes to privacy laws and practices, including:
- a basic restructuring of the Act, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting;
- a uniform set of Privacy Principles, developed in the report, to be embodied in the Act, and to apply to all government agencies and the private sector;
- a rationalisation of exemptions and exceptions from the Act, which should be permitted only where there is a compelling reason;
- a duty on government agencies and business organisations to notify individuals – and the Privacy Commissioner – where there is a real risk of serious harm occurring as a result of a data breach (a matter much in the news nowadays, as this week’s story of the theft of a Department of Social Welfare laptop shows; update: on which see the Leader in today’s Irish Times, written by Karlin); and
- a cause of action for a serious invasion of privacy, in circumstances where the person had a reasonable expectation of privacy and where the publication was grossly offensive. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.
It is unlikely that this report will be left to gather dust, as so many of its predecessors the world over have been, as the Australian Government has undertaken to review the ALRC’s recommendations in two phases over the next 12 to 18 months, and to legislate on each of these as necessary. The Irish Bill really only covers this last point (as difficult a line to draw, and as contentious, controversial, and overstated a proposal, in Australia as it is in Ireland), and then in a far less balanced fashion. If we are to have a Privacy Act in Ireland, then why can we not follow the Australian example? By all means, then, let there be an Irish Privacy Act; but let it be balanced, let it be the result of a proper consultation process, and let there be a Privacy Commissioner with teeth. Is this too much to ask?