Office of the Victorian Privacy Commissioner

Submission to the Department of Prime Minister and Cabinet (Cth)

on

A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy

November 2011

Office of the Victorian Privacy Commissioner (Privacy Victoria)

GPO Box 5057

10-16 Queen Street

MelbourneVictoria 3000

Australia

Phone: 1300-666-444

Fax: +61-3-8619-8700

Email:

Website:

1.Introduction

  1. The release of this issues paper, and the public focus on the possibility of a statutory cause of action for breach of privacy, is both welcomed and long overdue. The New South Wales Law Reform Commission, the Victorian Law Reform Commission and the Australian Law Reform Commission previously all identified and supported the broad issue of a statutory right to privacy.
  2. However, the present discussion paper appears to have arisen in the shadow of the egregious breaches of privacy by News Limited in the United Kingdom. It is unfortunate that this has occurred, but it is important that the debate surrounding a statutory cause of action does not overly concentrate on freedom of the press (although it is an important consideration) nor that the cause of action be characterised as an attack on the media. While freedom of the press and expression are important concepts that will need to be considered, it would be a shame if debate and discussion focussed solely on those concepts to the exclusion of other important considerations.
  1. Do recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia?
  1. In the last several decades, the privacy landscape has changed fundamentally. The almost universal and increasing use of the internet and mobile communication devices present both enormous opportunities and enormous risks.
  2. Social networking platforms and the development of “Web 2.0” also enable images and information to be widely shared and individuals to potentially be tracked and profiled via their activities: both on and off line.
  3. Tracking and surveillance devices are no longer restricted to law enforcement organisations (as in previous times). The decreasing cost, increasing availability and increasing ease of use make such devices readily available to individuals. Global Positioning System (GPS) devices, surveillance cameras, radio-frequency identification devices (RFID), and smart phone applications which allow location tracking as well as instant video and camera photography have exploded onto the scene. Such devices can be efficient, helpful and enjoyable. However, such devices can be used to invade the privacy of others and with far greater consequences than in previous times. Where once only the media had the power of mass dissemination of information, individuals can now instantaneouslyshare information with millions online. This allows for significant damage to occur – information can be disclosed about an individual by an individual and published to the world. It may be almost impossible to retrieve or remove this information.
  4. The Office of the Victorian Privacy Commissioner receives hundreds of enquiries each year from individual members of the public concerned about interferences with their spatial privacy and personal information by other individuals.
  5. Currently, the scope for legal redress for such interferences with privacy is extremely limited and unclear.In Victoria, the Surveillance Devices Act1999 (Vic) offers some protection against unauthorised surveillance of individuals. However, the Act contains only offences for prohibited conduct and does not provide remedies to individuals who have suffered breaches of their privacy. Additionally, prosecutions for offences under the Surveillance Devices Act are relatively rare and require an individual satisfying the relevant authority (Victoria Police) to take action. Reliance on other legal actions are possibilities (as discussed below) but will generally require individuals to obtain legal assistance.
  1. Is there a need for a cause of action for serious invasion of privacy in Australia?

Existing privacy laws are inadequate and contain gaps

  1. Commonwealth and State/Territory privacy legislation seeks to protect personal information held and handled by public and private sector organisations. The Privacy Act1998 (Cth) was enacted more than two decades ago, since when there has been a technological revolution. The Privacy Actregulates information held by the Commonwealth public sector, as well as some private sector organisations and credit providers.[1]
  2. In Victoria, in the absence of any conflicting laws, the Information Privacy Act 2000 (Vic)regulates all Victorian public sector organisations as well as service providers acting under a Victorian public sector contract.[2] Additionally, the Victorian Charter of Human Rights and Responsibilities Act 2006 (Vic) requires public authorities to act in ways compatible with the rights contained in the charter, which includes a right to privacy.[3]Most other Australian jurisdictions have similar privacy obligations enshrined in legislation or an administrative system of privacy protection.[4]
  3. Laws relating to defamation, telecommunications, breach of confidence, nuisance and trespass offer some privacy protections. However, significant gaps remain – in both the scope and coverage of privacy protection. Of most significance are exemptions for employee records and ‘small’ businesses in the private sector.
  4. The Victorian Law Reform Commission (VLRC) found ‘significant’ gaps in the protection of privacy in the workplace.[5] Employee records are specifically excluded from the private sector provisions in the federal Privacy Act.[6]Such records, particularly of large corporate employers, contain vast amounts of employee personal information, oftensensitive, and such information remains unprotected under privacy legislation.[7]There appears to be no rationale to justify this lack of protection.
  5. ‘Small’ businesses, defined as businesses with an annual turnover of less than $3 million, are exempt from the application of the Privacy Act.[8] This means smaller businesses (which may hold significant personal information) need not comply with privacy principles, and the protection of personal information collected and held is at the whim of each small business.
  6. The Australian Law Reform Commission(ALRC) estimated that 94% of Australian businesses fall under the ‘small business’ definition, meaning the exemption provides a significant gap in the protection of privacy within Australia.[9]The ALRC has recommended closure of both of the above gaps and the adoption of consistent, uniform privacy regulation.[10] I support this recommendation.
  7. Technological developments (such as those discussed above) mean that even a fairly “minor” breach by way of disclosure or failure to secure personal information by employers or small businesses can have major consequences for the individuals affected. Conversely, the development of sophisticated and relatively inexpensive technology to secure information and control access to it has reduced the compliance burden, which the small business exemption in particular was expressed to be intended to avoid.
  8. Enhancement and expansion of existing privacy laws, to close exemptions and to ensure more organisations and individuals are covered, will substantially reduce the threats to personal privacy posed by technological change.

Privacy laws only deal with ‘information privacy’

  1. It should be remembered, however, that existing privacy laws (such as the Privacy Act 1998 (Cth) and Information Privacy Act 2000 (Vic)) deal only with ‘information privacy’ – the control of the collection and handling of personal information about an individual. Privacy, as a concept, is far wider encompassing matters such as bodily, locational, territorial and communications privacy. Even extension and expansion of existing privacy laws will be inadequate as their information focus does not allow for protection of other types of privacy. Breaches of these ‘other’ types of privacy can occur by an organisation even if they are subject to privacy laws, such as excessive search powers. A clear example of this point can be found inWainwright v the United Kingdom[11]. In that case, the applicants (the Wainwrights) were strip-searched when seeking to visit their son in prison. The search of the Wainwrights was incredibly invasive, including examination of sexual organs. It left both feeling threatened by searching officers and concerned they would not be permitted to visit their son, and was found to cause post-traumatic stress disorder. The UK House of Lords dismissed appeals made by the Applicants.[12]The ECHR found a violation of Article 8 (Respect for private life) of the Convention for the Protection of Human Rights and Fundamental Freedoms and awarded compensation on that basis.
  2. It is important to craft a statutory cause of action which would conceivably cover such cases which fall outside the operation of existing privacy laws.

Inadequacy of existing causes of action

  1. Whilst the current legislative provisions provide limited protection of privacy with respect to the public sector and large corporations, individuals acting in their own capacity have no obligations under any Australian privacy legislation. Other common law actions (defamation, breach of confidence, nuisance and trespass)[13] and some criminal actions (stalking, harassment) may be used to partially protect privacy rights, but the ability of the common law or equity to address such action is limited.[14]
  2. There may be an argument that these other causes of action already ‘cover the field’ and therefore there is little need for a separate statutory tort. However, there are significant problems with relying on the existing legal actions. Use of other common law and criminal actions are often an awkward fit, predominantly attempting to protect and preserve other interests and protecting privacy as a side benefit. Also, existing torts may be rendered ineffective due to technological developments; the Court of Appeal of New Zealand acknowledged the limitations of trespass in protecting privacy, arguing:

‘Trespass may be of limited value as an action to protect against information obtained surreptitiously...long lens photography, auto surveillance and video surveillance now mean that intrusion is possible without a trespass being committed’.[15]

  1. Criminal laws may provide some assistance in telecommunications and surveillance-type privacy invasions, but will fail to compensate those who have suffered damage or loss due to the conduct. There is a significant problem of accessibility - attempting to use existing actions hampers access to the law. It requires an individual retaining a lawyer who is able and willing to try and ‘fit’ existing causes of action to the conduct in question.
  2. Often this attempted ‘fit’ may result in odd outcomes. For example, in Giller v Procopets [2004] VSC 113, Gillard J found a breach of confidence (where a Defendant videotaped sexual encounters with the Plaintiff and subsequently distributed the video) but then declined to award damages (mainly due to issues about the jurisdictional basis for awarding damages).[16] This can be contrasted with the outcome in Grosse v Purvis [2003] QDC 151 where a Queensland judge awarded $178,000.00 after finding a breach of privacy (and formulating a test for it). However, this proposition remains untested at higher courts.
  3. The ALRC, VLRC and the New South Wales Law Reform Commission (NSWLRC) have all recommended establishment of a statutory cause of action for breach of privacy. A statutory cause of action would confer privacy obligations on individuals and expand the protection of privacy within Australia, giving certainty to all.
  4. The Office of the Victorian Privacy Commissioner often receives enquiries from individual members of the public concerned about invasions of their privacy by other individuals. Very often, there are simply no legal or other remedies to address their concerns.
  1. Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law?
  1. Relying on the courts to recognise a cause of action for privacy may not be the best approach, given the inherent limitations associated with the courts only being able to consider particular matters brought before them by parties resourced to access justice at the requisite level. In addition, the courts would be limited by existing remedies developed within the common law or equity.[17]
  2. Legislators have a better opportunity to craft a cause of action that is more precisely targeted and which takes into account competing public interests. Moreover, protection of a fundamental human right such as privacy should not be dependent on the efforts of a particularly persistent and well resourced plaintiff to definitively establish the existence of a cause of action.
  1. The creation of a statutory cause of action would be the best way of providing redress for these types of interferences with personal privacy.
  2. One of the most significant points of difference between other jurisdictions and Australia in this area is that there is an inbuilt balance between the right to privacy and the right to freedom of expression, by virtue of the existence of enforceable human rights charters or bills in these other countries.
  3. This means that, were enforceable privacy rights to be recognised by Australian courts in Australia in isolation, there would be no countervailing right to freedom of expression or communication to balance them against.
  4. This is one of the most compelling reasons for choosing a statutory cause of action over one that is developed solely by the courts. In the absence of any express recognition of other human rights and freedoms, it will be open to the Australian courts to develop a new cause of action which remedies any harm caused by an invasion of privacy as a tort, an extension of the law of confidence or under some other branch of law or equity, with little, if any, consideration of freedom of expression.
  5. The media in Australia is already subject to laws limiting the collection and publication of personal information. It is not surprising that media organisations are alarmed at another proposed law which they see as limiting freedom of expression, and in particular fettering the media’s ability to report. However, Australian courts have already shown a readinessto acknowledge the development of a need for a common law action for breach of privacy, and in some cases, as in Jane Doe v ABC[18]found such a cause of action to exist. They are supported in this by persuasive authority in other jurisdictions.
  6. The current common law development is extremely slow, piecemeal and is likely to vary from State to State. It is now over 10 years since the High Court inLenah Game Meats[19]made obiter comments surrounding the establishment of a tort of privacy and yet little progress has been made. Waiting on the courts to be presented with a case which permits a sufficiently senior court to make binding comments could take some time.
  7. If it is inevitable that the law will continue to develop in the direction of a common law right of action for privacy (which appears to be occurring), it would be better for there to be a federal statutory cause of action, to provide clarity and consistency.
  8. Any legislation creating an actionable right to privacy should also expressly require courts to balance privacy rights with freedom of expression and communication.
  1. Is ‘highly offensive’ an appropriate standard for a cause of action relating to serious invasions of privacy?
  2. Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?

Highly offensive to a person of reasonable sensibilities

  1. I agree that, in order to establish liability, a plaintiff should be required to show that in all the circumstances, there is a reasonable expectation of privacy. In addition, there needs to be some threshold level of seriousness, to ensure that trivial matters are not pursued unnecessarily.
  2. In my view, the formulation used by Gleeson CJ in Lenah Game Meats and recommended by the ALRC, being‘highly offensive to a reasonable person of ordinary sensibilities’[20]is a good starting point. However, I question whether the requirement of ‘highly’ is overly restrictive and a high bar for a plaintiff to prove, given the nature of any proposed cause of action. A statutory cause of action should protect against offensive behavior. Questions as to the degree and level of intrusion and whether the intrusion was highly offensive or simply offensive may be better considered in terms of the damaged suffered and whether exemplary damages could be warranted.

The question of harm

  1. I note that the New Zealand Privacy Act1993 (NZ) requires individuals to provide some loss, detriment or damage or injury before making a complaint under the Act.[21] One potential option would be to reduce the requirement that an intrusion be ‘highly offensive’ (down to simply ‘offensive’) but require a potential plaintiff to show some type of damage or distress as a result of the conduct.
  2. I note that the ALRC was concerned that the cause of action should only ‘succeed where the defendant’s conduct is thoroughly inappropriate and the complainant suffered serious harm as a result.’[22] The potential option (of removing ‘highly’ from the offensive test) but introducing a requirement to show loss or damage may be a better method of approach. It wouldreduce the potential for frivolous claims but would not eliminate a cause of action for individuals who have suffered offensive conduct and suffered loss and damage. It would seem a strange situation in law that a court may find a reasonable expectation of privacy, offensive conduct to have occurred and loss and damage to have been suffered but declined to find a breach as the offensiveness was not ‘high enough’.
  3. However, I would recommend that humiliation and injury to feelings should be recognised as a legitimate grounding for complaint, as it is a common reaction to a privacy intrusion and would be consistent with existing privacy legislation.[23]

Balancing other interests against privacy – element or defence?

  1. Privacy naturally requires balancing against other and potentially competing public interests. The issues paper questions whether this should be ‘integrated with the cause of action’ or a ‘public interest defence’. I would strongly support the approach of the VLRC. This approach would not impose a negative onus of proof on a complainant or plaintiff, to prove that there is no countervailing public interestto justify the “seriously offensive” invasion of his or her “reasonably expected” privacy. Rather, the onus should fall on the respondent to show that his or her conduct is justified by the public interest.
  2. It would seem peculiar for a plaintiff to be required to plead not only the elements of a cause of action, but also to negate a public interest argument at that stage.