ALRC Final Report: 'Serious Invasions of Privacy in the Digital Era'

By Gavin Smith

In brief

The Australian Law Reform Commission has released its long-anticipated final report on serious invasions of privacy. The report proposes that a new statutory cause of action be implemented in a new stand-alone Commonwealth Act. If adopted, the proposal would have far-reaching ramifications for investigative journalism in Australia and could also raise the spectre of class actions being brought against companies that have deliberately or recklessly mishandled their customers' personal information. Partner Gavin Smith and Lawyers William Coote and Brydon Wang assess the proposal and its consequences.

How does it affect you?

  • If the cause of action is introduced, individuals will be able to bring an action against entities that intentionally or recklessly commit a serious invasion of their privacy.
  • Where proven, entities would be liable for damages (including exemplary damages) even if no physical or financial loss was suffered by the individual.
  • Although the proposals are significant, it is highly unlikely that the proposed cause of action will be introduced by the current Coalition Government.

Background

On 3 September 2014, the Australian Law Reform Commission (ALRC) released its final report on Serious Invasions of Privacy in the Digital Era (the Report). The Report follows on from the Terms of Reference (released on 12 June 2013) and the Discussion Paper (released on 31 March 2014).

The proposed cause of action has been designed to complement the existing privacy legal framework, including the Privacy Act 1988 (Cth), civil and criminal laws relating to harassment, unlawful surveillance and common law duties of confidence.

Elements of the cause of action

The proposed statutory action for serious invasion of privacy is conceived as an action in tort. This provides certainty with respect to a number of ancillary matters, such as vicarious liability, and a level of consistency that allows the action to operate in concert with existing tort law. The proposed cause of action also aligns Australia with a number of other jurisdictions (notably New Zealand and a number of Canadian provinces), allowing courts to draw on analogous case law.

The Report sets out five primary elements of the proposed tort:

  • The invasion of privacy must occur by intrusion into the plaintiff's seclusion or private affairs (including by unlawful surveillance) or by misuse or disclosure of private information about the plaintiff.
  • The invasion of privacy must be either intentional or reckless. In relation to what should constitute reckless, the ALRC recommended that a statutory definition be included in the Act, which could be based on the current definition in the Commonwealth Criminal Code.[1]
  • A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances. In determining this, the court may take into consideration:
    • the nature of the private information;
    • the means used to obtain the information;
    • the purpose of the misuse, disclosure or intrusion;
    • how the private information was held/communicated;
    • the relevant attributes of the plaintiff (e.g. age, occupation); and
    • whether they displayed a desire to have their privacy invaded.
  • The court must consider the invasion of privacy to be 'serious', having regard to, amongst other things, whether the invasion was likely to be highly offensive, distressing or harmful to a person of ordinary sensibilities in the position of the plaintiff.
  • The court must be satisfied that the public interest in privacy outweighs any countervailing public interest. Public interest matters which a court may consider include:
    • freedom of expression and political communication;
    • freedom of the media to investigate;
    • the proper administration of government;
    • public health and safety; and
    • national and domestic security.

Remedies

The Report outlines a number of remedies which should be available to plaintiffs where a serious breach of privacy has been proven. These include, where appropriate:

  • compensatory damages, including damages for the plaintiff's emotional distress;
  • exemplary damages where exceptional circumstances have been proven;
  • account of profits;
  • injunction; and
  • an enforceable undertaking (including a public apology).

A critical element of the Report's proposal is the recommendation that the tort be actionable per se, that is, a plaintiff should not have to prove that they suffered actual damage in order to bring an action. The Report also recommends that any damages awarded for a serious breach of privacy (other than those for economic loss) should be capped at the same amount for damages for non-economic loss in defamation.

Key implications

Broad scope

As noted above, for the elements of the proposed tort to be met, an individual or entity must have either intentionally or recklessly committed a serious invasion of an individual's privacy. The concept of recklessness sets a higher level of proof than the concept of negligence. It would, however, be triggered in circumstances where a person or company was aware of the consequences of their actions or omissions, but failed to act to avert those consequences. The obligations of organisations under the Privacy Act, and the Office of the Australian Information Commissioner's Guide to Information Security, may provide a useful reference guide for companies as to what positive actions would militate against any claim of recklessness. However, it is noted that the scope of the proposed legislation is significantly wider than that of the Privacy Act, as are the potential consequences for the offending entity.

Primary among these is the right, under the proposed legislation, for an individual to take direct action against the offending entity where there has been a serious breach of privacy. This contrasts with the rights currently available to individuals which are limited to lodging a complaint with the Office of the Australian Information Commissioner (OAIC). Additionally, the penalties which would be able to be enforced against defendants under the proposed legislation (as described above) are significantly wider than those currently available under the Privacy Act.

Sword not a shield

Although the proposed tort is designed to shield individuals' 'right' to privacy, there is a significant risk that the tort could be used as a sword by those who wish to conceal information that should legitimately be in the public domain. For example, an individual could seek to use the proposed action to bring an injunction against a media organisation seeking to publish information regarding that person. Any application for a permanent injunction would likely be preceded by an application for an interlocutory injunction to ensure the plaintiff is immediately protected from any imminent disclosure.

The Report acknowledges the difficulty of this issue and states that the public interest will be sufficiently protected because the legislation requires the court to weigh an individual's right to privacy against the public interest (which includes the freedom of the media to investigate matters of public concern). Notwithstanding this, it is conceivable that, in ruling on an interlocutory injunction, a court might err on the side of the plaintiff who stands to lose the most in the event that the application is dismissed. Once an interlocutory injunction is granted, it may then be some time before a full hearing can be completed and the matter ruled on by the court. This could have a chilling effect on legitimate investigative journalism.

Representative proceedings

In providing individuals with a right of direct action against offending entities, the proposed legislation also gives rise to the possibility of class-action-type claims being brought in situations where there has been a serious breach in relation to a large group of people. Although the Report did not make a specific proposal on this issue, it acknowledged the fact that the proposed legislation would be subject to the current law on representative actions (e.g. Part IVA of the Federal Court Act 1976 (Cth)). The effect of this is that it is likely that entities that intentionally or recklessly breach their privacy obligations could be subject to class actions where the personal information of numerous individuals is disclosed. This would provide further fuel to the burgeoning class action industry in Australia.

Key differences between the Discussion Paper and the Report

Safe harbour

One of the key differences between the Discussion Paper and the Report is in respect of the original proposal to introduce a safe harbour scheme. The scheme, as outlined in the Discussion Paper, would have protected internet intermediaries (e.g. carriage service providers, search engines and social media platforms) from liability for serious invasions of privacy committed by third-party users of their services.

In rejecting the introduction of a safe harbour scheme in the Report, the ALRC noted that the proposed tort only targets positive conduct and is not aimed at omissions. On the basis that the intermediary would often be unaware that their service had been used to invade an individual's privacy, a failure to act by the intermediary would not constitute an invasion of privacy under the proposed tort as it lacks the requisite intention or recklessness. However, the intermediary may be found to have the requisite fault/recklessness where it can be proven that they had knowledge of the invasion of privacy and were reasonably able to stop it but chose not to.

Right to be forgotten

The Discussion Paper had also advocated the introduction of a new Australian Privacy Principle (APP) in the Privacy Act that would require APP entities to provide a simple mechanism for entities to destroy/de-identify personal information on an individual's request. Although the ALRC states in the Report that it is concerned that there is currently no simple mechanism for the destruction/de-identification of information, it has decided not to recommend the introduction of a new APP. As its reason for not pursuing this further, the Report cites the OAIC's submission that the introduction of such an APP would be inconsistent with the Archives Act 1983 (Cth) and therefore would not apply to Commonwealth agencies. Additionally, the OAIC pointed to the current obligations that the APPs impose on entities and suggested that a better approach may be for the OAIC to issue additional guidelines in relation to entities' obligations to destroy or de-identify information.

The position taken by the ALRC in the Report runs counter to the current position in other jurisdictions, most notably Europe, where the recent Google decision[2] has reinforced individuals' right to direct entities that hold the individual's personal information to remove or de-identify that information.

Next steps

The Report has been presented to the Commonwealth Attorney-General for his consideration. The Attorney-General has already noted his position that he is not in favour of the introduction of a new cause of action for the serious invasion of privacy (and it should be noted that the Report was commissioned by the previous Labor government). On the basis that the Report does not substantially differ from the position put forward in the Discussion Paper, it is highly unlikely that the current government will implement any of the Report's recommendations. This is the second occasion in six years that the ALRC has made similar recommendations. This latest proposal looks destined for the same fate as the last.

Footnotes

  1. Section 5.4 of the Commonwealth Criminal Code set out in the Schedule to the Criminal Code Act 1995 (Cth).
  2. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014).