This article was written in response to a multitude of reader questions about two of our earlier articles, When photos break the law – your rights when taking photos and Photography and the law – when is it illegal to take a photo?

These questions are wide-ranging, but close to half of them aren't really about photography.

Can someone take a photo of me at the beach and then post it on Facebook without asking me?

Can my ex-husband take photos of dirty dishes my kitchen when he has his access to the kids?

Can I take and use a photo of a driver who crashed into me and wouldn't give his details?

Can a painter take photos of the painting job done on my house and use them in advertising material for the painting business?

Questions of this kind are framed as being about photography, photographs and videos, but the underlying concern is really privacy. Questions came from people who thought their privacy had been invaded by the use of a photographic image, or who thought they might face some legal sanction related to privacy by using a photographic image, even though the use was for some apparently legitimate purpose.

So, what do we mean when we talk about "privacy"?

What is privacy?

In the NSW Crimes Act there's no definition of "crime". That's OK: pretty much everyone would agree on whether a particular act amounted to a crime or not. In the Commonwealth Privacy Act, there's no definition of "privacy". But would there be the same general consensus about what privacy is?

The briefest dictionary definition of "privacy" is "the state of being free from public attention". Justice Louis Brandeis of the United States Supreme Court memorably called privacy "the right to be left alone".

Evolution of the concept of protection of privacy

It is hard to pinpoint the societal origins of the notion of protection of the privacy of an individual, or of "invasion of privacy". In primitive societies, it might be thought, personal privacy was pretty much non-existent, but the development of villages, towns, and cities gave most people who owned houses some general protection from unwanted scrutiny. "An Englishman's home is his castle" was a metaphor describing a homeowner's broad right to exclude others, and hence to ensure privacy.

The notion of deliberate invasion of privacy doubtless has a long history. The term "peeping tom" dates from the 13th century legend that Lady Godiva rode unclothed through the streets of Coventry to protest against a tax imposed by her husband. According to the legend, "Peeping Tom" was the only one who disobeyed the proclamation that the citizens should stay indoors during the ride, and was as a result struck blind.

Henry VIII was said to have ordered carved figures to be incorporated into the eaves to discourage "eavesdroppers" from overhearing palace secrets.

Right to privacy found in the US Constitution

In much more modern times, the United States Supreme Court has held that a right to privacy is to be found in the Constitution, notably because of the Fourth Amendment, but also deriving from a view that there is an underlying general intention in the Bill of Rights that citizens should not be subject to unwarranted interference by government in their private lives.

In Australia, there is no right to privacy comparable to the situation in America. Prior to the introduction of no-fault divorce in Australia by the Family Law Act, the tabloid press was full of (probably exaggerated) stories of private investigators, armed with cameras with large flashguns, jumping through bedroom windows to photograph couples in flagrante delicto.

Intrusions into privacy a feature of modern society

However these historical phenomena are mainly about deliberate invasions of privacy. The development of modern society has brought with it intrusions into privacy which do not have any deliberate or improper basis. The multi-storey residential block, dating from the latter part of the nineteenth century, has given its occupants in many situations a 24/7 opportunity for surveillance of the backyard of the next-door house.

In present-day Australia, however, there is no general right to be free from the unwanted scrutiny of the fourth-floor neighbour in the next-door unit block. In fact, the legal protection of privacy is both much different, and much narrower.

Commonwealth Privacy Act 1988

The Commonwealth Privacy Act is essentially concerned with personal information of various kinds which is collected or held by "APP entities" to which the Act applies.

Very broadly, APP entities are agencies with any kind of governmental character (Commonwealth, state, local government, universities, statutory or state-owned corporations) or businesses with annual turnover of $3 million or more.

The Australian Privacy Principles

At the heart of the Privacy Act are the Australian Privacy Principles, which are found in Schedule 1 of the Act. The Act obliges entities which collect or hold personal information to have published policies spelling out the ways in which they collect and manage personal information.

Clause 1.4 of the Schedule spells out what these policies must cover and, in so doing, provides a pretty good summary of the principles themselves. It's worth reading. Briefly, however, policies must state:

  • the kinds of personal information collected and held, and how it is collected
  • the purposes for which the information is collected and held
  • the ways in which the information is used and disclosed
  • how individuals can access the information held about them, check that it is accurate, and get the information corrected if it is not
  • how an individual can complain about a breach of the principles

What is personal information?

Just as with the concept of privacy itself, "personal information" doesn't have a really specific kind of definition, but has two defining characteristics. Personal information is information which first, relates to an individual; and secondly, is information from which that individual might be recognised or identified by others.

There is a not unimportant rider to the effect that the fact that information might turn out to be quite false does not mean that it does not fall under the protections given by the Act.

What kinds of information can be considered to be personal information?

Thus "personal information" can be of all kinds. Metadata – much in the news recently – such as URLs and related data used in internet searches, and transport system information derived from Opal (travel) cards, can qualify.

So does a huge field of everyday data – names, addresses, phone numbers, email addresses, Medicare and driver licence numbers, credit card numbers – which are volunteered by individuals or solicited by entities. And, harking back to the stimulus for this article, personal information includes, obviously, photographic and video images.

Five categories of personal information

Personal information has five subtypes, to which special rules apply:

  • sensitive information
  • health information
  • credit information
  • employee record information
  • tax file number information

What's covered by these subtypes is fairly obvious from their names, except perhaps "sensitive information", which includes information about an individual's gender, race, religious or political affiliation, membership of organisations, sexual orientation or criminal record.

This all sounds like a fairly thorough system to protect the privacy of individuals. The Act is quite prescriptive, and contains fairly strict requirements that entities collecting information should take all reasonable steps to ensure its accuracy, that it is kept securely, and not disclosed except in the way in which the individual has been told it will be disclosed.

There is, in addition, a "watchdog" – the Office of the Australian Information Commissioner (OAIC), which is the body to which complaints about privacy breaches can be made.

Limits of application of Privacy Act and privacy principles in Australia

It needs to be remembered that this regime applies only to entities to which the Privacy Act and the privacy principles apply.

As has been said, photographic and video images are certainly personal information, but unless they are collected by an entity to which the Act applies, neither the Act nor the OAIC is likely to be of much help. And, possibly much overshadowing even photos, videos and the internet, is social media.

Difficulty of protecting privacy in the age of social media

The social media term "going viral" is arguably an understatement: no virus spreads as quickly as a tweet. Recently, US President Donald Trump tweeted criticism of a witness giving evidence to the impeachment inquiry, while she was in the process of giving her testimony. Before she had finished speaking, the world was aware of some of the jobs she had had prior to being ambassador to the Ukraine – personal information.

Had this been done by an Australian Prime Minister, of course, it would have been unlikely to attract a sanction for various reasons, including the fact that ambassadorial postings are on the public record, and properly so. However it illustrates the impotence of old – and not-so-old – measures for protecting privacy. Whether we like it or not, the notion of privacy is now seriously challenged.

So the question is, are we doomed to a future where individuals are stripped of their privacy? What can the law, or individual people, do about this?

Privacy and the law

The Privacy Act was enacted in 1988 and, even had it been enacted in 2008, those who drafted it could not have foreseen Instagram, or Twitter or Facebook in their current forms. More to the point, the Act was never intended as a means of ensuring the privacy of individuals in the way described at the start of this item: being free from public attention, and left alone. We sometimes read that an individual is said to be "a very private person"; but is that now even possible?

This is not to say that, outside the Privacy Act, the law is bereft of avenues open to people whose privacy has been invaded. Defamation actions sometimes arise out of essentially private information being made public but, for a range of reasons, such actions can hardly be thought of as being a useful tool for privacy protection.

Covert sound and vision recording is in some circumstances in NSW prohibited by the Surveillance Devices Act 2007, and some capturing of visual images for improper purposes are offences under the Crimes Act.

Workplace surveillance, travel data, phone records, Siri and Alexa

In workplaces, surveillance is becoming increasingly common. Legislation requires employers to inform staff about the conduct of surveillance but, once that obligation is fulfilled, it is difficult for individuals to know exactly what information is held, and what is done with it.

Everywhere – not just in workplaces – the whereabouts of almost everyone is known by someone, on a real-time basis. If your whereabouts isn't known through your travel card data, the records of the place and time of your purchases at the supermarket, the tracking of taxis and ride share vehicles, your mobile records or the app on your own phone, then probably either Siri or Alexa still knows where you are and what you're doing.

The challenges facing greater legal protections arise not only from the difficulty of defining exactly what is meant by privacy, but also from the need to balance the interests of individuals in being free from unwanted scrutiny, against the interests of government and industry in collecting and using data essential for the conduct of day-to-day business in a digital world.

So the question which arises is what individuals Workplace surveillance, travel data, phone records, Siri and Alexa In workplaces, surveillance is becoming increasingly common. Legislation requires employers to inform staff about the conduct of surveillance but, once that obligation is fulfilled, it is difficult for individuals to know exactly what information is held, and what is done with it.

Everywhere – not just in workplaces – the whereabouts of almost everyone is known by someone, on a real-time basis. If your whereabouts isn't known through your travel card data, the records of the place and time of your purchases at the supermarket, the tracking of taxis and ride share vehicles, your mobile records or the app on your own phone, then probably either Siri or Alexa still knows where you are and what you're doing.

The challenges facing greater legal protections arise not only from the difficulty of defining exactly what is meant by privacy, but also from the need to balance the interests of individuals in being free from unwanted scrutiny, against the interests of government and industry in collecting and using data essential for the conduct of day-to-day business in a digital world.

So the question which arises is what individuals can do to protect their privacy.

Privacy and the individual

Awareness is a good start. It's useful for you to assume that, somewhere and in some way, a wide range of people and organisations know where you are, and know pretty much everything about you, including all your digital information: bank, credit card, phone and email details; and anything you do through the internet.

The harsh reality is that, at least in our society, just living requires exposure of our information (including metadata, which is a large chunk of this information) in this way. So the task is not to avoid any exposure at all, but to manage the risk. It's good to ask yourself, for example, if it's necessary to add to your exposure by giving your credit card details to yet another food delivery service, or whether you might not go to the restaurant and buy your meal.

Adopting caution in your approach to social media

Similarly, do you need to post the photo of you enjoying that meal on social media, accessible to everyone using that platform? Or just to your friends (however the platform describes a "friend")? Do you need to do it at all? Would anyone you know think less of you if you didn't?

This is risk management 101. What is the benefit of doing what I'm about to do? What is the likelihood that doing this will attract the wrong sort of attention from the wrong sort of people? What is the worst possible consequence if it does? If the worst possible consequence is pretty bad, should I do it in the first place?

In summary, the exponential growth of social media, the internet, and electronic and digital communication generally, means that our privacy is increasingly challenged. Even were there a more generally legally recognised right to privacy, the harsh reality may be that it would be nearly impossible to police and to enforce.

So it may be that our society needs to evolve, and to develop means of living with the new reality. Lawmakers are sometimes legitimately criticised for failing to keep pace with developments in society, but it's risky to anticipate these developments. And here, even a crystal ball might not have helped to predict our walls turning to glass.

Geoff Baldwin

Employment law

Stacks Champion

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.