This article was written by John Swinson, Kai Nash and Linus Schibler.
What is the Review about?
Surveillance law is a rapidly evolving area due to the everchanging landscape of surveillance technology. The Queensland Law Reform Commission (QLRC) recently released its report detailing the findings from its review of Queensland’s laws relating to civil surveillance and the protection of privacy (Report).
The Report is long and detailed and has been anticipated for a long time. The recommendations in the Report as to substantive law changes are sensible. However, in respect of procedure, the Report recommends creation of a new Queensland regulator and adds complexity to the already complex system of privacy regulation in Australia.
The purpose of the Report is to recommend whether Queensland should consider new legislation to appropriately protect the privacy of individuals in the context of current and emerging surveillance technologies. The Report considers the need to regulate the use of surveillance devices and technologies to protect individuals against interferences with their privacy. Ultimately, the QLRC recognises that any regulation must be balanced against the legitimate uses of surveillance technologies.
The QLRC have included a draft bill within the Report which contains a series of further recommended legislative changes. The QLRC has recommended that the existing Invasion of Privacy Act 1971 (Qld) be repealed and replaced by the new Surveillance Devices Bill 2020 (Qld) (Draft Bill).
The scope of the Draft Bill is to protect an individual’s privacy, namely, from an unjustified interference due to the use of surveillance devices. A ‘surveillance device’ is defined broadly as a listening device, an optical surveillance device, a tracking device, a data surveillance device or a device that is a combination of two or more of those categories.
Why is it necessary?
Queensland currently has very limited regulation on the use of surveillance devices. Compared to other Australian States and Territories, Queensland’s legislation does not impose as many restrictions and obligations on the users of such technology.
The Invasion of Privacy Act 1971 (Qld) regulates the use of listening devices to monitor, overhear or record private conversations but does not regulate the use of any optical, tracking or data surveillance device. An aggrieved person would have to rely on offences contained in the Criminal Code Act 1899 (Qld) or common law actions such as trespass and nuisance.
What is the ambit of ‘current and emerging technologies’?
The drive for innovation and the increased use of new technologies has led to many individuals and employers adopting a variety of new surveillance methods, such as smartphones, drones, tracking apps and data surveillance devices.
The Queensland Government has recognised that there are many benefits that new technologies can bring. On the other hand, there is recognition of the new issues that arise from the use of these types of new technologies. The privacy law review was originally suggested through Objective 4 from the Queensland Drones Strategy released by the Queensland Government in June 2018. The context being that the Government recognised that existing privacy laws were not sufficient to provide adequate protection to individuals from the use of drones both commercially and privately, particularly drones with video camera capabilities. Other recent issues have arisen that have led to the increased discussion of privacy protection in the context of emerging technologies, particularly in the context of COVID-19 and remote working arrangements. Some examples being:
- The use of software to monitor students sitting exams.
- The increased use of vehicle dash cameras (inward and outward facing).
- The use of computer software to monitor computer and application usage.
- The use of optical devices to monitor vehicle driver safety and fatigue.
- The use of tracking devices to monitor personal equipment or personal devices.
Terms of reference
The terms of reference required the QLRC to recommend whether Queensland should consider legislation to appropriately protect the privacy of individuals in the context of civil surveillance technologies, including to:
- regulate the use of surveillance devices and the use of emerging surveillance device technologies to appropriately protect the privacy of individuals;
- regulate the communication or publication of information derived from surveillance devices;
- provide for offences relating to the unlawful use of surveillance devices and the unlawful communication or publication of information derived from a surveillance device;
- provide appropriate regulatory powers and enforcement mechanisms in relation to the use of surveillance devices;
- provide appropriate penalties and remedies; and
- otherwise appropriately protect the privacy of individuals in relation to the use of surveillance devices.
How does the Draft Bill compare to other surveillance legislation?
The State legislation that regulates the use of surveillance devices in Australia is complex. The types of devices that are regulated, the manner in which the surveillance can be conducted, when it is considered unlawful and the exceptions to unlawful surveillance vary from jurisdiction to jurisdiction. The QLRC has conducted a comparative analysis of the difference between the legislation in each of these jurisdictions.
In Queensland, the current (but to be repealed) Invasion of Privacy Act 1971 (Qld) regulates the use of listening devices but only to the extent that it is used in relation to a private conversation. The Act makes it an offence for a person to use a listening device to overhear, record, monitor or listen to a private conversation unless that person is a party to the conversation.
Similar regulations around the use of surveillance devices exist in Tasmania and the Australian Capital Territory. In contrast, New South Wales, the Northern Territory, South Australia, Victoria and Western Australia have more extensive definitions of surveillance devices including listening, optical, tracking and data surveillance devices. The various types of devices used to conduct surveillance are limited in their use in relation to ‘private conversations’ and ‘private activities’, the ‘primary purpose’ of tracking devices, and installation of data surveillance devices on computers without the express or implied consent of the owner of the computer.
New approach to regulation
The Commission has made a number of recommendations in relation to reforming the regulation of surveillance in Queensland. If adopted, the recommendations will significantly change the regulatory landscape in Queensland and bring Queensland in line with the type of regulation that exists in other States and Territories.
The Draft Bill
The QLRC Draft bill contains a number of significant recommended changes to Queensland’s surveillance laws. These include:
- Creating criminal prohibitions on the use, installation and maintenance of various types of surveillance devices (with some exceptions). This continues and extends the approach taken in the Invasion of Privacy Act 1971 (Qld) by creating a new offence which would implicate anyone who conducts these types of surveillance without consent, or in the case of tracking and data surveillance, ownership or control of the device.
- Creating criminal prohibitions on the communication, publication and, in some instances, the possession of surveillance information. The Draft Bill creates an offence to communicate or publish surveillance information without consent, regardless of whether it is obtained through lawful or unlawful surveillance methods. Surveillance information is defined as “information obtained, directly or indirectly, using a surveillance device”.
- Imposing general obligations at civil law not to interfere with “surveillance privacy” of individuals. This includes restrictions on conducting surveillance where the individual has a reasonable expectation of surveillance privacy and has not consented to such use. A similar general obligation applies in relation to the communication or publication of surveillance information.
- Creating a civil mechanism for resolving complaints about contraventions to the surveillance laws. The Draft Bill stipulates that the Commissioner’s functions include receiving complaints and dealing with them under this Act. Detailed guidance is set out in relation to the Commissioner’s functions, as described above.
- Establishing the SDC. As described above, the new Commissioner and regulatory body will be established as a statutory body under the new legislation if the Draft Bill is passed.
Concept of surveillance privacy
The concept of “surveillance privacy” is one of the more significant conceptual updates to the proposed regime. Under the Draft Bill, surveillance privacy of an individual, means:
- in relation to a particular use of a surveillance device, that the individual should have a reasonable expectation that they will not be the subject of surveillance from that use of a surveillance device; or
- in relation to surveillance information obtained when the individual was the subject of surveillance, the individual should have a reasonable expectation that the surveillance information is not communicated or published.
The Draft Bill contemplates that these circumstances apply when the individual has a reasonable expectation of surveillance privacy. The Draft Bill outlines a number of factors that are relevant to deciding whether an individual has a reasonable expectation of surveillance privacy, including but not limited to:
- the individual’s location;
- the subject matter of the surveillance information (for example, whether the information is sensitive);
- the type of surveillance device used; or
- whether the individual has an opportunity to avoid the surveillance.
A new regulator
The Commission recommends the establishment of a new independent regulator, the Surveillance Devices Commissioner, and a Surveillance Devices Commission (SDC). In addition to dealing with complaints relating to surveillance devices, the SDC will provide an avenue for education, expert advice and best practice guidance to promote community understanding and encourage compliance with the legislation. Queensland already operates on a two-tier privacy regulator model with the OAIC and the Queensland Office of the Information Commissioner existing in tandem to govern the Commonwealth and State systems respectively. It is also important to note that in recent years, the Australia Competition and Consumer Commission has taken a greater interest in the regulation of personal information as a result of recent developments and attitudes towards technology.
The Draft Bill provides scope for the referral of surveillance complaints to other bodies. Section 51 gives the SDC the power to refer surveillance device complaints to its counterparts where relevant and with consent of the complainant (including the human rights commissioner, ombudsman and health ombudsman). Additionally the Draft Bill provides for referral to the Queensland Civil and Administrative Tribunal under section 62.
The addition of an SDC will add another regulatory body to the current landscape responsible for:
- receiving and responding to surveillance device complaints;
- providing best practice guidance on the use of surveillance devices and the communication or publication of surveillance information, in a way that respects individuals’ privacy;
- undertaking research, providing advice and monitoring particular matters, the efficacy of the legislation, particularly as surveillance technology develops and evolves; and
- examining the practices of relevant of organisations and who regularly or routinely use or publish information from surveillance devices to monitor their compliance with the legislation.
What is next for Queensland’s surveillance laws?
There is still ongoing work and reviews to be done in this area. This is to be expected considering the rate at which surveillance technology is advancing year on year. The QLRC is conducting a second review specifically into workplace surveillance, the findings of which are due on 30 April 2021. This review will also guide the development of the new legislation.
The Attorney-General has said the government will consult with stakeholders on the QLRC recommendations before finalising the draft legislation.
 QRLC Report Appendix A – Terms of Reference
 For completeness, we note that there are additional privacy protections and obligations on those collecting certain types of personal information within the Privacy Act 1988 (Cth).
 For example: section 227A Criminal Code Act 1899 (Qld)
 See Queensland Drones Strategy (2019) pg. 31-33.
 Each State and Territory operates under varying levels of regulation. See for example, Listening Devices Act 1992 (ACT); Surveillance Devices Act 2007 (NSW); Surveillance Devices Act (NT); Invasion of Privacy Act 1971 (Qld); Surveillance Devices Act 2016 (SA); Listening Devices Act 1991 (Tas); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 1998 (WA).
 The Western Australian legislation does not include data surveillance devices.
 In Queensland, like other States, the Office of the Australian Information Commissioner (OAIC) governs the Commonwealth Privacy Act 1988 (Cth) and the Queensland Office of the Information Commissioner (OIC Queensland) enforcing the State-based Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld).
 For example, the recent Digital Platforms Inquiry and introduction of a Consumer Data Right.