Published: 28 March 2024
The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Attorney-General’s Department’s (the Department) consultation on doxing. We understand this consultation will help to inform potential reforms to civil law, including the Privacy Act 1988 (Privacy Act), in relation to the practice of doxing.
The publication of an individual’s personal information online without their permission can have privacy impacts, particularly where the publication is intended to cause harm. Doxing raises both privacy and online safety issues and requires a multifaceted regulatory approach.
While the Privacy Act protects the privacy of individuals by regulating the handling of personal information by Australian Privacy Principle (APP) entities, the Online Safety Act 2021 (Cth) (Online Safety Act) focusses on protecting Australians from online harms resulting from exposure to illegal or harmful online content or behaviour.
The eSafety Commissioner currently supports Australian adults and children who may be affected by doxing under the Adult Cyber Abuse and Cyberbullying Schemes in the Online Safety Act.[1] Situating these redress mechanisms in one regulatory framework provides clarity for individuals as to the appropriate body to seek assistance from. The Online Safety Act enables the eSafety Commissioner to act quickly to protect victims of online abuse across these reporting schemes.[2]
Both the privacy and online safety regulatory frameworks are essential components in the ring of defence that is being built to address the risks and harms faced by Australians in the online environment and have distinct but complementary roles to play. We note there are existing processes and proposals underway to ensure both regulatory frameworks can effectively address current and emerging online harms.
We are supportive of the Government’s response to the Privacy Act Review, which seeks to enhance existing privacy protections and provide additional avenues of redress for serious invasions of privacy. This submission highlights the Government’s proposed measures, which we consider would help to address privacy harms such as doxing.
We also note the Government is currently undertaking a statutory review of the Online Safety Act, which will include a review of the effectiveness of the Adult Cyber Abuse Scheme and Cyberbullying Schemes.[3] The statutory review provides an opportunity for Government to consider whether additional protections are needed under the Online Safety Act to address harmful online material and behaviour.
Defining doxing
There is not a clear or accepted definition of the term ‘doxing’ under Australian law. Doxing has been defined by the eSafety Commissioner as the practice of ‘revealing personal information to deliberately make someone feel unsafe.’[4] However, this is not a defined term in the Online Safety Act but rather a working definition developed by the eSafety Commissioner which is intended to capture conduct that may fall within the Adult Cyber Abuse scheme.
We are supportive of the existing approach under the Online Safety Act, which does not provide a specific definition of doxing. Rather, the Adult Cyber Abuse Scheme adopts a harms-based approach and seeks to address cyber abuse that is intended to cause serious harm and that is menacing, harassing or offensive in all the circumstances.[5]
The current approach under the Online Safety Act operates to target harmful and malicious behaviour, which may include doxing, and avoids potential issues associated with trying to separately define the term.
Government response to Privacy Act Review
We take this opportunity to highlight privacy law reform proposals in the Government response to the Privacy Act Review that would operate to improve privacy protections, and which may assist to address doxing.
Statutory tort for serious invasions of privacy
The Government has agreed in-principle to the introduction of a statutory tort for serious invasions of privacy,[6] based on the model cause of action designed by the Australian Law Reform Commission (ALRC).[7]
The proposed statutory tort for serious invasions of privacy would likely allow individuals to seek redress in relation to serious instances of doxing under the ‘misuse of private information’ limb of the tort. Doxing may meet the proposed elements for the statutory tort if it is proven that:
- A person in the position of the individual would have had a reasonable expectation of privacy in all of the circumstances
- The invasion was committed intentionally or recklessly
- The invasion was serious, and
- The court is satisfied that the public interest in privacy outweighs any countervailing public interests (including freedom of expression and the public interest in media reporting on matters of public concern and importance).
The statutory tort would help to address gaps in the existing privacy protection framework and current and emerging privacy harms such as doxing.
It would also play a complementary role alongside the Online Safety Act, as it would enable individuals to seek compensation through the courts (among other remedies), which is not available under the Online Safety Act. By contrast, the eSafety Commissioner would be able to provide timely assistance to affected individuals via their takedown powers.
The proposed statutory tort would also effectively balance competing interests, including between privacy, freedom of expression and the public interest in media reporting on matters of public concern and importance. The right to privacy is not absolute and may need to give way to other rights and public interests in certain circumstances. Whether this is appropriate will depend on whether any impacts to privacy rights are reasonable, necessary, and proportionate for pursuit of a legitimate objective or public interest.
Under the ALRC’s proposed model, the cause of action would be subject to a ‘balancing exercise’ whereby the court must be satisfied that the public interest in privacy outweighs any countervailing public interest. Countervailing public interests could include freedom of expression or the public interest in media reporting. The ALRC’s model also provides a defence for ‘fair reporting of proceedings of public concern,’ among other defences.
Individual rights
The Government response to the Privacy Act Review also agreed in-principle to the introduction of both:
- A ‘right to erasure’ of personal information; and
- The ability to ‘require search engines to de-index certain online search results.’[8]
These proposed rights could be exercised by the subject of doxing to remove published personal information in certain circumstances. The rights could only be exercised in relation to an APP entity[9] and not the individual who has chosen to publish the personal information.
Furthermore, the Privacy Act Review Report indicated that the operation of a right to de-index search results would ‘be jurisdictionally limited to Australia.’[10] The Department cited the 2019 decision of Google LLC v CNIL[11] and suggested that the equivalent European right cannot be used to de-index search results on all of a search engine’s domain name extensions, but only those which are associated with a European jurisdiction.[12] It also noted that a search engine must take measures to discourage searches which defeat de-indexing, which may include making parallel de-indexing available under the GDPR and Australian law and defaulting a search engine to the local country domain.[13]
The OAIC considers that all reforms in the Government response to the Privacy Act Review should progress as soon as possible. The Privacy Act Review reforms have been the subject of extensive consultation since 2020 and are essential to bring the Privacy Act into the digital age, uplift protections, and raise awareness of obligations for responsible personal information handling.
If we are able to be of further assistance to the Department, please contact Rebecca Brown (Director, Law Reform & Digital Platforms) on 02 9942 4117 or rebecca.brown@oaic.gov.au.
Yours sincerely,
Carly Kind
Australian Privacy Commissioner
[1] See, eSafety Commissioner, Doxing trends and challenges - position statement, 23 January 2022.
[2] eSafety Commissioner, Our legislative functions, 22 December 2023.
[3] Department of Infrastructure, Transport, Regional Development, Communications and the Arts, Terms of Reference – Statutory Review of the Online Safety Act 2021, February 2024.
[4] eSafety Commissioner, Adult Cyber Abuse Scheme: Regulatory Guidance, December 2023, p 4.
[5] Ibid p 3.
[6] Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023.
[7] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), 3 September 2014.
[8] Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023.
[9] An ‘APP entity’ is defined under the Privacy Act as an agency or organisation (s 6(1)). Organisations include sole traders, body corporates, partnerships, any other unincorporated association, or trusts, unless they are a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State. See, Privacy Act 1988 (Cth) ss 6(1), 6C.
[10] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, p 179.
[11] Google LLC v Commission nationale de l’informatique et des libertés (CNIL) (C-507/17) [2019] EU:C:2019:772.
[12] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, p 179.
[13] Ibid.