In March 2014, the Australian Law Reform Commission (ALRC) published the Serious Invasions of Privacy in the Digital Era Discussion Paper (Discussion Paper) which proposes the introduction of a new tort for serious invasions of privacy.
Australia does not currently recognise a tort or cause of action for invasion of privacy. There are a number of civil causes of action (such as trespass and breach of confidence), criminal offences (such as the use of surveillance devices), regulatory and self regulatory codes of practice which operate in a patchwork way to provide protection for privacy for individuals in Australia.
A number of law reforms have previously recommended the introduction of a cause of action and the Australian High Court has also indicated that it might be appropriate to recognise such a cause of action.
Key proposals outlined in the Discussion Paper consist of:
- enacting a tort for serious invasion of privacy;
- amending the surveillance device laws and work surveillance laws for uniformity;
- the expansion of regulatory mechanisms in relation to private information;
- introduction of an additional Australian Privacy Principle to require entities to remove or de-identify personal information;
- amending the cause of action for harassment (should a tort of serious invasion of privacy not be enacted); and
- amending the cause of action for breach of confidence (should a tort of serious invasion of privacy not be enacted).
The ALRC proposes the following elements:
- The invasion of privacy must occur by:
- intrusion into the plaintiff's seclusion or private affairs (including by unlawful surveillance); or
- misuse or disclosure of private information about the plaintiff (whether true or not);
- The invasion of privacy must be either intentional or reckless;
- A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
- The court must consider that the invasion of privacy was serious, in all the circumstances, having regard to, among other things, whether the invasion was likely to be highly offensive, distressing or harmful to a person of ordinary sensibilities in the position of the plaintiff; and
- The court must be satisfied that the plaintiff's privacy outweighs the defendant's interest in freedom of expression and any broader public interest in the defendant's conduct.
The ALRC proposes that only natural, living persons will be able to bring a cause action for serious invasions of privacy.
The ALRC recommends that the threshold for the tort should be set high. For a plaintiff to be successful in his or her cause of action, there must be a "serious" invasion of privacy and that invasion must be either intentional or reckless. The ALRC proposes that the test of "seriousness" is an objective test which the courts could measure by asking whether the invasion of privacy was likely to have a serious effect on a person of ordinary sensibilities in the position of the plaintiff.
Disclosure of private information to the public?
The ALRC proposes that disclosure of private information need not be public, in the sense of wide publicity, to satisfy the requirements of the proposed tort. The ALRC proposes that the tort may be actionable where the personal information was disclosed to only one other person if the circumstances were adjudged to be serious.
Reasonable expectation of privacy?
The ALRC proposes that, to have an action, a plaintiff must prove that a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances. This would be an objective test.
The ALRC suggests that the following non-exhaustive list of factors which the court may consider when determining whether a person would have had a reasonable expectation of privacy be provided in the new Act:
- nature of the private information, including whether it relates to intimate or family matters, health or medical matters, or financial matters;
- the means used to obtain the private information or to intrude upon seclusion, including the use of any device or technology;
- the place where the intrusion occurred;
- the purpose of the misuse, disclosure or intrusion;
- how the private information was held or communicated, such as in private correspondence or a personal diary;
- whether and to what extent the private information was already in the public domain;
- the relevant attributes of the plaintiff, including the plaintiff's age and occupation;
- whether the plaintiff consented to the conduct of the defendant; and
- the extent to which the plaintiff had manifested a desire not to have his or her privacy invaded.
Public interest considerations
The ALRC proposes to integrate the consideration of the public interest as a hurdle that the plaintiff must overcome (rather than as a defence). The plaintiff must establish that his or her privacy interest outweighs the public interest.
Instead of expressly defining "public interest", the ALRC proposes that the following non-exhaustive list of matters be included in the new Act which a court may consider:
- freedom of expression, including political communication;
- freedom of the media to investigate, and inform and comment on matters of public concern and importance;
- the proper administration of government;
- open justice;
- public health and safety;
- national security;
- the prevention and detection of crime and fraud; and
- the economic wellbeing of the country.
A range of defences are proposed by the ALRC, including absolute and qualified privilege, a defence for fair reports of proceedings (based on the uniform defamation laws) and the publication of public documents. The ALRC also recommends the inclusion of a defence for lawful authority protecting law enforcement agencies against liability when acting within the scope of their authority.
Further, the ALRC proposes a defence for conduct incidental to the exercise of a lawful right of defence and a safe harbour scheme to protect internet intermediaries from liability for serious invasions of privacy committed by third party users of their services. The term "internet intermediaries" was not defined in the Discussion Paper, but it is likely to refer to carriage service providers, content hosts, social media, search and application service providers.
The ALRC seeks comments on whether a defence of necessity is required and whether the qualified privilege defence should reflect defamation legislation.
The ALRC proposes that the court may order damages, including damages for the plaintiff's emotional distress. A range of other remedies have also been proposed, such as apology orders, correction orders, account of profits and, interestingly, damages based on a notional licence fee.
In the event that a tort of privacy is not introduced, the ALRC proposes that legislation should be amended to allow for the recovery of damages for emotional distress in actions for breach of confidence for serious invasions of privacy.
If the proposed tort of serious invasion of privacy is not introduced into legislature, the ALRC proposes the enactment of federal harassment legislation, making existing criminal offences for harassment uniform.
The ALRC recommends that surveillance device law and workplace surveillance laws should be made uniform throughout Australia. The ALRC has requested comments from stakeholders about whether this should be achieved through amendments to state based laws or whether the Commonwealth should introduce legislation to cover the field.
The ALRC recommends that any definition of "surveillance device" should be technology- neutral to ensure that the definition can be adopted to a wide range of surveillance devices, including devices that may emerge in the future. The ALRC suggests that any definition of surveillance device should extend to forms of surveillance that are not "devices" (e.g. data surveillance by software installed on a computer).
The ALRC suggests uniform offences for the use of surveillance devices to monitor "private activities". Notably, the ALRC proposes that an exception be given for responsible journalism involving the investigation of matters of public concern and importance. An example provided is that of corruption.
The ALRC proposes to empower the Australian Communications and Media Authority (ACMA), where there has been a privacy complaint under a broadcasting code of practice and where the ACMA determine that a broadcaster's act or conduct is a serious invasion of the complainant's privacy, to make a declaration that the complainant is entitled to a specified amount of compensation.
Whilst the ACMA have always been able to provide recommendations regarding compensatory matters, there is a serious question as to whether the ACMA can lawfully possess this extended power.
In response to submissions from stakeholders, the ALRC recommends the introduction of a new Australian Privacy Principle (APP) that would:
- require an entity to provide a simple mechanism for an individual to request destruction or de-identification of personal information that was provided to the entity by the individual; and
- require an entity to take reasonable steps in a reasonable time, to comply with such a request, subject to suitable exceptions, or provide the individual with reasons for its non-compliance.
The ALRC requests submissions from stakeholders on whether the regulator should be empowered to order an organisation to remove private information about an individual, whether requested by that individual or a third party from the website or online service, provided that the individual has previously made a request to the organisation and that request was rejected or the organisation failed to respond within a reasonable time. The regulator must be satisfied that the posting of the information constitutes a serious invasion of privacy, having regard to freedom of expression and other public interests.
Attorney-General Brandis has stated to the media that "the government has made it clear on numerous occasions that it does not support a tort of privacy". Accordingly, it appears unlikely that the proposed tort will be enacted in the near future.
This does not rule out the other changes recommended by the Discussion Paper. A review of surveillance laws is long overdue, the introduction of a right to be forgotten could have significant implications for business. New regulatory powers for the ACMA would not be supported by industry.
The ALRC has requested written submissions by stakeholders which are due on 12 May 2014.
The ALRC is expected to release its Final Report by 30 June 2014.