Back in 2015, we learned that the police had demanded (and received) Nicky Hager's bank records from Westpac bank during their political investigation of an embarrassing anti-government leak. They had done this without a warrant, production order, or any statutory grounds at all.
Today, the Privacy Commissioner ruled that Westpac had breached Hager's privacy by complying with the police request:
Nicky Hager’s complaint against Westpac has been upheld by the Privacy Commissioner. The Privacy Commissioner found that Westpac had breached Mr Hager’s privacy by releasing his personal information to the Police without a warrant. This is part of the continuing fallout from the Police’s unlawful raid on Mr Hager’s home in 2014.
Under the Privacy Act, Westpac may release personal information if it reasonably believes it is necessary to assist the Police investigation. When releasing this information, the Police and Westpac asserted that this exception applied. However, the Police provided Westpac with no information to support the claim that this information was needed and Westpac did not ask for any. Westpac conducted no inquiry of its own.
Westpac tried to argue that its terms and conditions allowed it to release Mr Hager’s personal information. This relied on a different exception to the Privacy Act than the one asserted at the time of release.
The Privacy Commissioner rejected Westpac’s arguments. He found that a reasonable person would not have understood those terms to have authorised this release. He also rejected an argument that the Police investigation exception applied.
While the case was about Westpac, it affects a hell of a lot more. The police make thousands of warrantless requests for information a year to banks alone, and major companies - banks and phone providers among them - have cut secret deals with police to turn over your private personal information on request, no questions asked. The Privacy Commissioner has basically just said that those deals are illegal. Absent actual evidence from police, companies cannot rely on the law enforcement exception when providing data. The result is that companies will have to start demanding production orders. And that's a good thing - because police shouldn't be able to get your private information just by "asking". As shown in this case, that simply invites them to abuse their power.
But the ruling isn't enough. The big problem with both warrantless "requests" and production orders is that they happen in total secrecy. Companies aren't required to report on them, and neither are police. This has to change. For companies, we've seen how annual transparency reports improve privacy outcomes by creating customer pressure against disclosure, and it would be a simple matter to legislate to require them to publish. As for the police, they're required to publish annual statistics on search and interception warrants and how effective they are as a way of providing oversight. Production orders should also be included in this. That way we'll at least be able to see whether this really is a vital investigative tool, or a giant fishing expedition.
As for Westpac, hopefully Hager will take them to the Human Rights Review Tribunal and extract damages for their abuse of his privacy. And doing so should hopefully encourage other companies to be more careful about complying with police requests in future.