University of New South Wales Law Journal
 These will clearly not be easy issues to resolve. They will often involve powerful interests ranged against the powerless. They will involve tangible economic benefits competing with intangible notions of human dignity and fairness. And, in many cases, they will involve legitimate but competing claims on public policy and on institutions, corporations and governments.
 This issue of the University of New South Wales Law Journal Forum
contemplates the place of privacy protection in the context of early
21st century Australian law. As with many areas of law, what emerges
is something of a jumble. While it is possible to see threads of
reason in the
stunted development of common law recognition of privacy rights over time, the
new statutory privacy regime in Australia,
which will come into effect from
December 2001, while generally extending privacy rights, is weakened by wide
exemptions and deep
inadequacies. At best, it is a step towards establishing a
consistent legal framework for protecting individual privacy; however,
the contributors to this issue contemplate far more negative interpretations of
its role in the evolving recognition of privacy
 In the workplace, employers are constantly collecting more information and putting their employees under ever more intense levels of surveillance. Further, the blurring of the boundaries between work and private life is extending surveillance into previously secluded zones of private life. Information and communication technologies are making possible levels of surveillance and information processing that once seemed unimaginable, and the imperatives of national security and law enforcement are wearing away traditional expectations of a right to privacy. The sophistication of modern technology now means that little can be forgotten or lost, and the best hope for the privacy of communications may lie not in the lack of data trails but in their proliferation, making it harder to extract meaningful information from the endless trails of purely mundane data.
 One of the strange features of what is described as the concept of privacy is that it is at once both everything and nothing. It is a universally recognised human right; a fundamental feature of a free society; a central element in the checks and balances which a democratic society places on the authority of institutions and individuals, and a critical component of any society which allows people to start afresh without being forever shadowed by the mistakes in their past.
 Yet even as we recognise these characteristics of privacy, the old catchcry from the Australia Card debate of 1987 echoes through the years: if you have nothing to hide, you have nothing to fear. Not only should you ‘not worry’ about privacy, so the argument goes, but those that do (ie, privacy advocates) must necessarily be the friends of criminals, deviants and the paranoid. Some argue that the whole concept of privacy is a mirage: it doesn’t exist, it doesn’t matter, and attempts to protect privacy impose unnecessary burdens on organisations and governments alike.
despite such critics, the public does seem to continue to regard privacy issues
as a fundamental right, and we should therefore
expect to see further
development in how the law protects privacy in the coming decades.
 Privacy concerns have proved to be particularly strong in the online environment. A major opinion research project conducted by IBM in the US, the United Kingdom (‘UK’) and Germany in 1999 showed that concern about threats to personal privacy are greatest on the Internet, and range from 73 per cent in the UK to 92 per cent in the US, where 72 per cent of people were ‘very concerned’. The IBM survey also highlights the importance of trust to privacy issues. Consumers recorded the lowest confidence in the privacy practices of companies which sell over the Internet, ranging from 10 per cent confidence to 21 per cent across the three countries.
 It is not surprising then that privacy concerns affect the commercial behaviour of consumers. The IBM research shows that 50 per cent of consumers in Germany, the UK and the US had refused to give information on websites because of privacy concerns, and between 39 per cent and 47 per cent of people stated that privacy issues had stopped them from making online purchases. In addition, around one third of Internet users demonstrate ‘privacy assertive behaviour’, such as giving false information when asked to register online.
 These and other surveys indicate that privacy is the
highest-ranking issue affecting whether or not people are willing to use
Internet and for what purposes. The role of legal safeguards in establishing a
framework for fostering electronic commerce is
demonstrated by the high
proportion of people – some 70 per cent of respondents in a Business
Week-Harris poll in March 2000
– who say that they would use the Internet
more often, register personal information, or purchase online, if there were
guarantees about the use of their personal information. Furthermore, 80
per cent of respondents consistently wanted an ‘opt
in’ approach for
the collection of personal information, demonstrating the importance of privacy
protection for personal autonomy
in an information age.
 Jeffrey Rosen captures this concept eloquently in his recent book on the state of privacy in the US. Rosen argues that there is such deep unease over privacy issues and the collection and use of personal information because such activities ultimately concern issues of identity. As people, we are always far more than the sum of the information which is stored about us. In fact, often too little information is recorded about us to do anything other than create a misleading impression of the kinds of people we are. Rosen takes up the issue in the context of the new technologies which have the potential to track
 Internet usage, television viewing, and other
aspects of our lives.
The monitoring of reading, listening, and viewing habits is something that we are reluctant to tolerate outside of cyberspace. But why? The usual answer is that our freedom of thought is violated when our reading habits are monitored, but this isn’t entirely convincing. I’m free to think whatever I like even if the State or the phone company knows what I read. Instead, people are reluctant to have their reading and viewing habits exposed because we correctly fear that when isolated bits of personal information are confused with general knowledge, they may create an inaccurate picture of the full range of our interests and complicated personalities.
 Justice Michael Kirby begins by tracing the development of common law recognition of privacy rights over the past century. Although the High Court determined in 1937 (in the famous case of Victoria Park Racing and Recreation Grounds Co Ltd v Taylor) that there was no common law right to privacy, a dissenting judge at the time remarked insightfully that with the development of new technologies, privacy had the potential to become recognised as ‘a right indispensable to the enjoyment of life’. The legal recognition of privacy rights has indeed evolved over time, first protecting the bodily privacy of individuals from threats such as assault, then addressing property interests (such as protection from trespass), and, most recently, recognising interests in information privacy through the law of confidentiality and defamation.
 Justice Kirby’s reflections on the development of privacy law are enlivened by his experience in overseeing the Australian Law Reform Commission inquiry into privacy law reform, and in chairing the Organisation for Economic Co-operation and Development committee that produced the 1980 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which remain the closest to a global privacy standard that has been achieved. After acknowledging the scope for development of privacy rights through the common law, Kirby J concludes that ‘most future laws on privacy in Australia will be made by legislatures. They will concern entirely new privacy questions, such as the privacy of genetic data. Lawmaking by legislators in such novel fields is how it usually should be’.
 The reflective theme of Justice Kirby’s contribution is picked up in Judge Kevin O’Connor’s review of the role of the Federal Privacy Commissioner, the Commonwealth Government appointee responsible for overseeing the application of the Privacy Act 1988 (Cth) (‘Privacy Act’). Judge O’Connor was the first Privacy Commissioner appointed in Australia, and served in the role from 1989 to 1996. He notes that the Federal Privacy Commissioner plays an ‘unusual if not unique’ mix of roles, which include ‘the power to issue binding statutory instruments, to issue binding and non-binding guidelines, to make policy submissions to government and parliamentary inquiries, to engage in community education and public comment ... and to receive complaints, investigate them and then make final determinations’. Thus the Privacy Commissioner’s responsibilities ‘fall across all parts of the “legislative”, “executive” and “judicial” spectrum’. An impressive list of responsibilities for an agency which receives less than AUD$4 million in its annual Budget appropriations!
 Judge O’Connor reflects positively on what the Commissioner has achieved to date, with limited resources, by maintaining a focus on systemic issues and not relying on specific cases to force privacy compliance on government agencies. He urges that the same approach be adopted in the exercise of the Commissioner’s new powers under the private sector privacy provisions. He nevertheless concludes that while the Commissioner has an important role to play, other specific privacy issues, which fall outside the scope of ‘personal information’, need to be addressed as wider public policy concerns.
 It will come as no surprise to seasoned observers of privacy debates that Professor Graham Greenleaf’s perspective clashes with the former Commissioner’s. Professor Greenleaf’s article chronicles the inadequacy of almost every aspect of privacy law in Australia. He bemoans, inter alia, the failure of the courts to develop the general law of privacy, the ineffectiveness of international instruments, the inadequate scope of (and broad exemptions to) existing privacy legislation, the weak enforcement regime under the Privacy Act and the failure of Privacy Commissioners to exercise what power they have, and the lack of any development of precedents from the handling of individual privacy complaints. According to Greenleaf, in 2001, Australia ‘has nothing worth describing as a body of privacy law’ from amongst the mix of different measures available to ensure that the right of privacy is recognised in our community.
 The article by the Head of the Delegation of the European Commission to Australia and New Zealand, Aneurin Hughes, adds further detail to the broader canvas of criticisms provided by Professor Greenleaf. In the context of the European Union’s 1995 Directive on privacy and data protection, Australia’s privacy legislation appears clearly inadequate. Mr Hughes’ article is a valuable contribution to an often poorly informed debate about the impact of the European Union (‘EU’) Directive on Australia. Its discussion of the Article 29 Working Party’s recently issued Opinion on the adequacy (or otherwise) of the new Australian legislation highlights areas of particular concern to the EU in Australia’s privacy framework. Given the reservations expressed in the Opinion, without additional legal safeguards to address the areas of concern mentioned, there is a danger that data transfers from European companies to Australian organisations may be regarded as breaching the EU Directive.
 Lee Bygrave conducts a more forensic examination of current privacy and data protection laws, and questions whether they really are primarily concerned with ‘privacy’, or rather with a set of fair information practices or data protection rules. Bygrave argues that data protection laws in fact serve many interests in addition to privacy, including ensuring civility, stability, pluralism and democracy. He therefore argues that a better understanding of the wider public interests served by data protection laws would strengthen the case for their support.
 Veteran privacy advocate Simon Davies takes up a similar point but adopts a different angle, arguing that data protection laws do not adequately protect privacy because so many critical privacy issues are outside their scope. According to Davies, ‘in every country, privacy and, more specifically, data protection laws have failed at several fundamental levels to protect individuals’. Pervasive surveillance systems have proliferated, unchecked by data protection laws, which to some extent offer only ‘the illusion’ of privacy protection. The problem, he suggests, may not be ‘the nature of data protection principles, but ... the manner of their enforcement’, which has left the laws ‘corrupted and compromised through timidity and neglect’. Like Greenleaf, Davies urges privacy regulators to adopt a more aggressive (and, he argues, more conservative) approach. After a long break from the Australian privacy debate, which he led in the late 1980s as the coordinator of the Australian Privacy Foundation’s campaign against the Australia Card, Davies provides a ‘reality check’ on recent discussions about the impact of changes in Australian privacy law.
 Roger Clarke provides another perspective on the adequacy of privacy laws in the specific context of cyberspace transactions. He argues that the slow pace of development of electronic commerce is a direct result of the lack of trust between consumers and businesses, and of consumers’ fears about privacy risks. Information privacy laws have proved ‘utterly inadequate, with inadequate scope, manifold exemptions and exceptions, and missing control mechanisms’. Clarke derides the failures of the ‘fair information practices’ movement, arguing that trust in cyberspace cannot be built without comprehensive laws which are systematically enforced.
 Professor John Kaldor and Doctor Andrew Grulich conclude this
issue of Forum by providing a case study into the process of balancing
privacy rights and other interests in the context of observational health
research. Wider interests in the benefits of medical research generally and in
controlling infectious diseases may require some compromise
privacy rights, and, as a result, mechanisms have been developed to safeguard
any such compromise, including obtaining
informed consent, specific legal
authorisation for the collection of information without consent, and review of
by institutional ethics committees. The importance of ethics
committees in this area reflects the fact that the law is only one mechanism
through which these conflicting interests must be balanced with the right to
 The discussion in this Forum leaves a strong
impression that while the law may be progressing in its developing recognition
of privacy rights, the threats and
incursions are developing more quickly, and
in many areas our privacy may be slipping away. There is some convincing
this view, particularly in the disorderly and politicised
development of recent amendments to Australian privacy law. But are these
criticisms only the bleatings of idealists, who see the merits in strong privacy
safeguards but not the costs? Or has the balancing
act actually been as
one-sided as they suggest? The debate will certainly go on, particularly while
such a large gap exists between
the law’s recognition of privacy rights
and public expectations of how personal privacy should be protected. The Editors
the University of New South Wales Law Journal are to be congratulated
for their timely work to elevate the discussion from the hurly-burly of
day-to-day privacy issues and provide
a forum for thoughtful consideration. It
is a debate of which we will be hearing much more in the years