This paper was published at Privacy Laws & Business International Report, Issue 115, February 2012. This paper may also be referenced as [2012]UNSWLRS 4.


This article is the first of a series surveying recent Asian and Australasian examples of significant enforcement of data privacy laws. If there are current examples of where privacy laws are achieving significant outcomes in a country, this should make us cautious of the oft-voiced suspicion that ‘privacy laws don't achieve anything’. On the other hand, if such examples are lacking, this raises serious questions. The main sources for such examples are court and tribunal decisions, and the databases of complaint summaries, and annual reports, of data protection authorities.

By ‘significant examples of privacy enforcement actions’ what we mean is as follows. Firstly, the action results from complaints to an independent authority, actions before any Court or Tribunal, or 'own motion' actions by an authority responding to a specific situation. General investigations or reform proposals by authorities are not included. Secondly, the authorities concerned could be Data Protection Authorities (DPAs) or Privacy Commissioners but they could also be telecommunications regulators, financial regulators, government agencies and so on. Independent industry self-regulatory bodies could be included. Thirdly, the result is a significant remedy for an individual or a group of people; or a significant change in (or confimation of) the interpretation of the law with potential remedial benefits; or a significant change in business or government practices.

At present there are well-established data privacy laws covering most aspects of the private sector in nine jurisdictions in Asia and Australasia. This article covers New Zealand and the three Australian jurisdictions. (An article in the next issue will cover the Asian jurisdictions.)

This survey of recent enforcement examples in New Zealand and Australia makes it clear that significant examples of enforcement of privacy laws continue to occur in all four jurisdictions considered, and some examples show the strengthening of particular remedies. However, the mechanisms through which signficant enforcement arises differs a great deal between jurisdictions. In these Australasian examples they include complainant-initiated injunctions, both awards of damages and mediations by Privacy Commissioners, orders by quasi-judicial Tribunals, and suppression orders by Tribunals. One overall factor shared by all four Australia and New Zealand jurisdictions is that payments of financial compensation to complainants are possible and do occur. A comprehensive assessment of enforcement effectiveness would also require statistical information to be considered. Such analysis of enforcement of privacy laws and its effectiveness (covering examples, statistics and mechanisms) is an important aspect of privacy research which is not yet fully developed.


Computer Law | Human Rights Law | Internet Law

Date of this Version

February 2012