Few areas of law incite great passions and media controversy. Information privacy and the activities of the Australian Privacy Commissioner generally fly under the public radar. Not so discussions as to a prospective cause of action for serious invasions of privacy.
The current Rebekah Brooks trial in the United Kingdom reminds us of the phone hacking controversy centred upon the now defunct British tabloid News of the World. It was this controversy that became the catalyst for renewed discussion in Australia about whether we need a new private right of action for invasion of privacy protection and ultimately led to the Federal Government's reference to the Australian Law Reform Commission to report on that topic - again.
We then encounter the great privacy divides.
In one corner, the privacy and consumer advocates and tort law barristers point to intrusive and sometimes prurient media reporting of what might be considered private activities, including ‘outing’ of gender preferences and social and sexual peccadillos of allegedly public figures.
In another corner, providers of social networking sites point to the impossibility of patrolling user content and working out what is an invasion of an individual’s privacy and what is not. Social networking increasingly conflates public and private space: users of social networking sites have complex and nuanced views about acceptable limits upon reuse or repurposing of images or information that they elect to make available in semi-public places such as their Facebook pages.
In yet another corner, the professional print and electronic media point to a relatively low level of privacy related complaints under existing media codes of practice and the availability of low cost remedies for affected individuals through the Australian Press Council and the Australian Media and Communications Authority. More colourfully, the professional media decry a ‘chilling effect upon freedom of speech’ that is said to arise from any addition of a right of privacy to existing restrictions upon media reporting such as laws of defamation, contempt, closed courts, suppression orders and non-publication orders.
And finally, the de-regulation corner. Creation of any new cause of action might be said to run directly counter to the professed ‘anti red tape’ agenda of the Federal Government and Attorney General George Brandis.
It is worth pausing for a second to note where Australian privacy law is today. There is at present no common law right of action in Australia for intrusion upon an individual’s seclusion or private affairs or for misuse or disclosure of private information. The Federal Privacy Act 1988 and some State and Territory Acts regulate the use by government agencies and many businesses of personal information as embodied in particular records. This is really a sub-category of private information that is personal information collected into a material form, such as a record, for use by regulated businesses and government. There is however a general carve out in the Federal Privacy Act for journalism by media organisations that self-regulate privacy compliance in their reporting, such as through the Statement of Privacy Principles administered by the Australian Press Council. There is a ragbag of Federal, State and Territory laws addressing various aspects of surveillance, tracking and recording technologies. These laws are inconsistent and not well understood. They do not provide nationally coherent coverage or comprehensive rights of individual seclusion.
Any national ‘privacy solution’ is constitutionally complex once the Federal Government strays outside the exercise of its communications and corporations powers. And any ‘privacy solution’ must balance freedom of speech, fair but vigorous media reporting, robustness of private speech, and accommodate the semi-public world of social networking, the rapidly developing fields of geo-location based services, data analytics and predictive technologies based upon anonymised information, as well as
the industrial internet (or as it is sometimes called ‘the internet of things’) such as sensors talking to other things such as monitoring software.
As soon as we move beyond the regulation of ‘personal information’ as used in its technical sense in the Federal Privacy Act and many similar privacy laws overseas, the proper scope of privacy
protection becomes highly contentious, with limited overseas examples.
Into this morass bravely ventures Professor Barbara McDonald and her team at the Australian Law Reform Commission. The ALRC’s Discussion Paper on Serious Invasions of Privacy in the Digital Era was released on Monday 31 March. The Discussion Paper sets out a series of draft proposals, coupled with questions. The questions solicit submissions and make further comments that might inform final proposals. The closing date for submissions to the Discussion Paper is 12 May 2014.
The ALRC proposes draft principles to guide development of a new cause of action that seeks to balance on the one hand, an individual’s right to seclusion and maintain the privacy of private information (such as information about intimate and family matters, health or medical matters, or financial matters) and on the other, freedom of expression and a broader public interest.
The Discussion Paper is divided into the following parts.
Part 1 deals with the background to the Inquiry and includes an overview of the current law and what the ALRC has identified as gaps and deficiencies in coverage of current law. Chapter 2 sets out the ALRC’s suggested principles guiding its proposals. These Guiding Principles have been expanded from earlier draft principles detailed in the previous Issues Paper and now include the interesting concept of shared responsibility: specifically, that capable adults with the power and means to do so should exercise control over private information, using tools made available to them by service providers to protect that information. The ALRC also refers to the important role of education in helping people to protect their privacy.
Part 2 sets out the detailed legal design of the statutory cause of action. This is the heart of the ALRC’s new work. It includes the elements for actionability:
- what conduct could amount to an invasion of privacy (intrusion upon the plaintiff’s seclusion or private affairs (including by unlawful surveillance) or misuse or disclosure of private information about the plaintiff;
- the fault requirement (being intent or recklessness);
- the requirement of a reasonable expectation of privacy in all the circumstances;
- the ‘seriousness’ threshold (likely to be highly offensive, distressing or harmful to a person of ordinary sensibilities in the position of the plaintiff); and
- the balancing of the defendant’s interests and matters of public interest including freedom of the media to investigate, and inform and comment on matters of public concern and importance.
The ALRC proposes defences, including a possible safe harbour scheme to protect internet intermediaries from liability for serious invasions of privacy committed by third party users of their services.
Proposed remedies include compensatory damages for a plaintiff’s emotional distress as determined by the Court.
Part 3 deals with other existing and proposed remedies and legislative regimes. Some of the proposals in this Part are possible alternatives to the statutory cause of action, if the ALRC’s proposed recommendations are not accepted by the Federal Government. They include:
- possible expansion of the right to bring breach of confidence actions to include a right to recover damages for emotional distress arising from disclosure of private information;
- new, uniform harassment legislation;
- badly needed reform of surveillance devices legislation across Australia with the ALRC suggesting that this reform occur regardless of whether the statutory cause of action is enacted.
Finally, the Discussion Paper concludes with proposals for new regulatory mechanisms to counter serious invasions of privacy, including:
- a power for the ACMA similar to that of the OIAC in respect of complaints;
- a power for the OAIC to act as ‘amicus curiae’ (friend of the court) or intervener in court proceedings between an individual and a defendant;
- a new Australian Privacy Principle (APP) in the Federal Privacy Act: this would require an APP entity to (i) provide a simple mechanism for an individual to request destruction or deidentification of personal information that was provided to the entity by the individual and (ii) take reasonable steps in a reasonable time, to comply with such a request, subject to suitable exceptions, or provide the individual with reasons for its non-compliance; and and a question as to whether a regulator should have a power to order takedown of online content.
The Discussion Paper continues the ALRC’s recent practice of limited length, clear Guiding Principles and settling recommendations by reference to those principles. The ALRC engages with the mechanics of designing a new cause of action and endeavours to ensure that there are practical, cost effective remedies for individuals. Like the draft recommendations or not, the Discussion Paper will no doubt incite sound and fury on all sides of the great privacy divide over the next few months.