Submission - Right to Sue for Serious Invasion of Personal Privacy - Australian Direct

Submission to the

ACommonwealth StatutoryCauseofAction for SeriousInvasion of Privacy

IssuesPaper

November 2011

1

1. ExecutiveSummary

TheAustralianDirectMarketingAssociation(ADMA)welcomestheopportunityto comment onthe ACommonwealthStatutoryCauseofActionforSerious

Invasion ofPrivacyIssuesPaper(theIssuesPaper).

On23September2011theGovernmentreleasedanIssuesPaperseekingviewsontheproposedintroductionoflegislationthatwouldpermitAustralianstotakecivil legalactioniftheir privacyhasbeenseriouslyinvaded.

Thisproposallaunched,insomepart,inresponsetothe NewsoftheWorldphonehackingscandalintheUnitedKingdomwillhavesignificant,far-reachingand seriousconsequencesforallAustralianindustries.

Theintroductionofastatutorycauseofactionfora breachofprivacyrepresentsamonumentalchangetotheAustralianprivacy legislativeframework.Ithasthe potentialtoaffectabroadrangeofeconomicand non-economicactivitiesby businessesandindividuals.

ThemainreasonsprovidedintheIssuesPapertojustifytheintroductionofa statutorycauseofactionforprivacyare:

a) Theintroductionofnewtechnologies(suchassmartphones)thatallow individualstotakeandinstantly sharephotographswithouttheknowledgeor consentofthesubject

b) Theabilitytoforwardprivate emailstothousandsofaddressesaroundthe

world

c) Theabilitytopostfootageonavideosharingwebsite;

d) Thepotentialforemailandsocialnetworkingsitestobehackedandpersonal detailsmine

e) Therequirementtoassurethesecurityofcloudcomputingservicewhichoffer

greatpotentialformoreeffectiveandefficientuseoftechnologyf)Highprofiledatabreaches

Industryisextremelyconcernedbytheproposedintroductionofastatutory cause ofactionforseriousinvasionsofprivacyforthefollowingreasons:

a) Theintroductionofastatutorycauseofactionisatoddswiththe National

Digital EconomyStrategy

b) thestatutorycauseofactionwill:

i.introducesignificantlegalrisk,increasecompliancecostsand uncertaintyforbusiness

ii.jeopardiseregulatorysettingsthatencourageinnovationinthe

Australianeconomy

iii.impedeAustralia’sabilitytocompeteontheglobalstage;

c) manyoftheissuesraisedintheIssuesPaperare:

i.alreadysubjecttoAustralianlaw;

ii.Addressedwithinproposedlegislationcurrentlybeingconsidered;oriii. simplycannot beaddressedbyAustralianlaw.

d) Manyoftheissuesraisedcanbeaddressedby:

2

i.ensuringsurveillanceandlisteningdevicelegislationisconsistent acrossallstates;or

ii.examinationofnon-blackletterlaw solutionsincludingextending existingcyber-safetyand digitalcitizenshipinitiatives.

ADMAsubmitsthattheinitiativesoutlinedinb),c)andd)aboveshouldbe examined beforereachingforsuchastronginterventionastheintroductionofa statutorycauseofactionforaseriousinvasionofprivacy.

InlightofthesignificantramificationsforbusinessADMAurgestheGovernmenttoreconsidertheproposedintroductionofastatutorycauseofactionandtoconduct aproperassessment oftheimpact ofsuchaninitiativebyconductingaRegulatoryImpactStatementinlinewithGovernmentGuidelinesforBestPracticeRegulation1

1 AustralianGovernment,BestPracticeRegulationHandbook,June2010whichcanbefoundat

3

2.AbouttheAustralian DirectMarketingAssociation

ADMAistheprincipalindustrybodyfordata-driven,customer-centric, measurablemarketinginAustralia.

ADMAwasformedin1966andhasduringits45yearsofoperationbeeninvolved intheformulationoflawrelevanttothemarketingindustry.PredominantlyourfocushasbeenthePrivacyAct1988,theSpamAct2003,theCompetitionandConsumerAct2010andtheDo NotCallRegisterAct2006.

Directmarketingincludesanymarketingcommunicationwhichusesdata-insights, includingpersonalinformation,toengagewithaconsumerwithaviewtoproducingatangibleandmeasurableresponse.Directmarketingischannel

agnosticandincludesanymarketingthatengagesanindividualatadistanceand includesmarketingvia:

a) mail b) email

c) telephonecall

d) mobilephonesandothermobiledevicese) onlineviatheweb

f)socialmedianetworks

ADMA’sprimaryobjectiveistohelpcompaniesachievebettermarketingresults throughtheenlighteneduse ofdirectmarketing.Consistentwiththisobjective, ADMA hasbeeninvolvedinco-regulatoryandself-regulatorysolutionsovermanyyears.

ADMAhasover500memberorganisationsincluding some ofAustralia’smostwellknownandtrustedbrands.Ourmemberscomefrommanyindustriesincludingmajorfinancialinstitutions,telecommunicationscompanies, energyproviders, informationandtechnologycompanies,digitalserviceproviders,travelservicecompanies,majorcharities,statutorycorporations,educational

institutionsandspecialist suppliersofdirectmarketingservices.

AlmosteveryAustraliancompanyandnot-for-profitorganisationdirectlymarketstoitscurrentandpotentialcustomersasanormal andlegitimatepartof itsbusinessactivitiesandtheabilitytocontinueto conductthisactivityunderpinsagoodproportionofAustralia’seconomicactivity.

4

3. OverallComments

ADMAisextremely concernedbytheproposedintroductionofstatutorycauseof action because:

a) TheintroductionofastatutorycauseofactionisatoddswiththeNational

DigitalEconomyStrategy

b) Therewillbesignificantimplicationsforsmallbusiness

c) Legislationwillintroduceuncertaintyandstifleinnovation

d) Theintroductionofaproposaltointroduceastatutorycauseofactionprior

thecompletionofthefirsttrancheoftheALRCrecommendationsunderminesthereviewofthePrivacyAct

e) Manyoftheissuesraisedcanalreadybedealtwithunderexistinglaw, areintheprocessofbeingconsideredorsimplycan’tbeaddressedbyAustralianlaw

3.1 Theintroductionofastatutorycauseofactionisatoddswiththe National

Digital EconomyStrategy

TheGovernmenthassetitsNationalDigitalEconomyStrategyas

Thegovernment’saim is,by2020,Australiawillbeamongthe world’sleading digital economiesbasedonkeyindicatorssuchasbroadbandpenetrationand usagerankings.

Yetbusinessesareincreasinglybecomingvictimsofcybercrimeandfearsofcyber- security ispreventingsometypesofbusinessesfromadoptingonlineservices.

TheGovernmentinits Connecting withConfidence–OptimisingAustralia’sDigital

Futurehasidentifiedthat

Businessesinmoderndigitaleconomiesareincreasinglybecomingvictimsof financiallymotivatedcybercrimes.….theAFPestimatedthattheoverallriskofcybercrimetotheAustralianeconomytobeinexcessofabilliondollarsayear.2

WhatthispotentiallymeansisthatorganisationscansimultaneouslybethevictimsofcrimeandsubjecttoaninvestigationbytheOfficeoftheAustralianInformation Commissionwhilst alsopotentiallybeingsubjecttomultiplecourtactionsorclass actionsunderthestatutorycauseofaction.

Organisationsthathaveadatabreachwill, ifthestatutorycauseofactionis introduced,faceexaminationastowhethertheyhavebreachedNationalPrivacy Principle4(datasecurity)aswellasseparateactionby courtsastowhetherthey havebreachedtheprivacyright.

2 AustralianGovernment ConnectingwithConfidence–OptimisingAustralia’sDigitalFuture,Apublicdiscussion paperPage13

5

Thiswillactasapositivedisincentivefororganisationsthatmayalreadybeuncertain aboutplacingbusinessonline.

Suchanoutcomewillhaveanetdetrimentalimpact.Analternativefocusontechnicalsolutionscoulddelivereconomywide improvementsinprivacyanddatasecurity.

Industryhasagoodtrackrecordofdeveloping technologicalsolutionstothese issues.

Anexampleoftechnologythathasbeendevelopedbyindustrythatprovidessignificant protectionforconsumersis HypertextTransferProtocolSecure(HTTPS).Thistechnology permitsconsumerstosecurelytransactonlineusing creditcardinformation.

Ontheissueofsecuringcloudcomputingservices,ADMAnotesthe workbeing done bytheDepartmentofPrimeMinisterandCabinetthroughtheCyberWhite PaperandhighlightsthefactthattheIssuesPaperisattemptingtocoveroffthe sameconcernsresultinginduplicationofGovernmenteffort.

3.2SignificantimplicationsforSmallBusiness

Therewillbesignificantconsequencesforsmallbusinessif astatutorycauseof action isintroduced.Smallbusinessesthatgeneratelessthan$3mrevenueper annum arecurrently exemptfromthePrivacyAct1988.

If astatutorycauseofactionisintroducedthensmallbusinesswilllosethis exemption.

ADMAnotesthattheGovernmentConnecting withConfidence–OptimisingAustralia’sDigitalFuturehasidentifiedthatsmall businessareespeciallyvulnerable.FurthertheGovernmenthasidentifiedthatoneofthekeydefencesagainst cyber-crimeisbuildingcitizens’andbusinesses’resiliencetocyber-attackandnotedthatthisisbestachievedby

Theremaybeaneedtoexploreanewsetofpartnershipsdesignedtofurther buildtrustamonggovernmentand privateactors.

ADMAurgestheGovernmenttoconsider:

a) Thecosttobusinessparticularly smallbusiness

b) Fresherandmorepositiveapproachestopreventingdatabreaches.

3.3The LegislationwillintroduceUncertaintyandStifleInnovation

The introductionofastatutorycauseofactionforaseriousinvasionofprivacywill introduceasignificantadditional andunwarrantedlevel ofriskanduncertaintyfor businessbecausetheterms“privacy”and“highlyoffensive” arenotdefined.

6

Significantuncertaintyarisesbecausethesetermsarehighlysubjective,meaning differentthingstodifferentpeople.

TheIssuesPaperhasnotsufficientlyoutlinedwhatwouldbeconsideredhighlyoffensive.ADMAstronglysupportsthatacleardelineationthatspecifiesthatonlyactionthatwould be“highlyoffensivetoapersonofordinarysensibilities”couldbeathresholdthatmustbe satisfiedbeforeastatutorycauseofaction canbelaunched.

Notwithstandingtheincorporationofareasonablenessstandardsuch as“highlyoffensivetoapersonofordinarysensibilities”theintroductionofastatutorycauseofactionwill haveachillingeffectoninnovation.

It willstifleAustralia’sabilitytocompeteontheglobalstageagainstcountriesthat haveregulatorysettingsthatarebettercalibratedtoencourageinnovation– particularlyintheonlineenvironment.

TheGovernmenthasaresponsibilitynottointroduceastatutorycauseofactionthatcallseverybusinesspractice,whetheritdealswithpersonalinformationoranonymousinformation,intoquestion.Todosowouldfundamentallyreshapeoureconomy andmustbesubjecttoafullRegulatoryImpactexamination.

Therehasbeenmuchdiscussionaboutthechillingeffectthatastatutorycauseofactionforaseriousinvasionofprivacywillhaveonthemedia,freedomofexpressionanddemocracy.

Howevertheeffectonbusinesscouldbeequallyaschilling.Whilsttherehasbeen discussionaboutthepublicationofinformationbythemedia,whichisinthepublic interestaboutpublicfiguresorprivatefigures,verylittleconsiderationhasbeengiventothefacthowharmfulanincreaseinbusinessriskanduncertaintyistoindustryandtheeconomyasawhole.

Inmanyinstancestechnologicaladvancementcomesfirstand communityunderstandingandacceptancefollowsafteraperiodofdiscovery,understanding,testingandthenacceptance.Yetunderthisproposedstatutorycauseofactionthereisarealriskthatnewtechnologiescouldbesubjecttocourtactionand verdictsdeliveredthatwilllimittheadoptionanduseofthesetechnologies.

Furtherifdeterminationof whataseriousbreachofprivacyisgivenovertothe

courtsthenthereisarealriskoftheAustralianprivacyregimebecomingsignificantlyout ofstepwithinternational privacyregimes. Australia’sfutureabilitytotakeadvantageof Web2.0andWeb3.0maybesignificantlyimpairedandjeopardisetheAustralian population’sabilitytotakefulladvantageofthedigitaleconomy aswellassignificantlydamageindustry asawhole.

AsaresultADMAstronglyurgesthatastatutorycauseofactionforaseriousinvasionof privacynotbefurtherconsideredbytheGovernmentintheabsenceofafullRegulatoryImpactStatement.

7

3.4Theintroductionofa proposaltointroduceastatutorycauseofactionpriortothecompletionof thefirsttrancheoftheALRCrecommendationsunderminesthereviewof thePrivacyAct

TheintroductionofthisIssuesPaperunderminesthecurrent,carefulconsiderationofthereviewofAustralianprivacylegislation.

Asaresult,therewillbeconsiderableconfusion,furtherdelaysandpurposeful,well considered, lastingreformwillbejeopardised.

Australianbusinesshasstoodreadytopositivelyengageinthesenatecommittee processtoreviewofthePrivacyActforthelast15months.

ThereviewofthePrivacyAct1988commencedin2006whentheAttorneyGeneral requestedtheAustralianLawReformCommissiontoreviewthePrivacyAct1988.TheGovernment’sresponsetothefirsttrancheoftheAustralianLawReformCommission (ALRC)Report108ForYourInformation:AustralianPrivacyLawandPracticewasreleasedon24June2010.

TheGovernmentproposedthatthefirsttranchewouldexamine197ofthe295 recommendationsputforwardbytheALRCreportwhichincluded:

a) ThePrivacyPrinciples

b) CreditReportingProvisions

c) HealthServicesandResearch

d) OfficeofthePrivacyCommissioner

Itwashopedthattheexposuredraftswouldbemadeavailableduringthecourseof

2011withtheexpectationthatthefirstsetofchangestothePrivacyAct1988wouldbeimplementedshortlyafter.

ItwasalsohopedthatAustralianGovernment,regulators,industry andconsumers wouldthenturntheirattentiontothesecondtrancheofrecommendationswhich includesthefollowingALRCrecommendations:

a) Proposalsforclarifyingorremoving certainexemptionsfromthePrivacyAct

(suchastheexemptionsforsmallbusinesses,individualsandemployeerecords)

b) Introductionofastatutorycause ofactionforseriousinvasionofprivacy(beyond

‘personalinformation’)

c) Seriousdatabreachnotification

d) HandlingofpersonalinformationundertheTelecommunicationsAct1997

TheclearlogicforthisapproachwasthatoncethefoundationsforthePrivacyAct

1988weresettledthatthemorecomplexrecommendationscouldbeconsidered againstthebackdropofthenewregime.

TodateonlytheexposuredraftandcompanionguidesforthePrivacyPrinciplesand Credit Reportingprovisionshavebeenreleased.Neithertheexposuredraftnorthe companionguidesforHealthServicesandResearchortheOfficeofthePrivacy Commissionerhavebeenreleased.

8

WhilsttheGovernment’sresponsetotheFinanceandPublicAdministrationLegislationCommittee ExposureDraftsofAustralianPrivacyAmendmentLegislationPart 2–CreditReportingwasreleasedonOctober2011asimilarresponsehasnotbeenreceivedtotheCommittee’sSenate Committee’s ExposureDrafts ofAustralianPrivacy AmendmentLegislationPart1–AustralianPrivacyPrincipleswhichwasreleasedinJune2010.

ADMAisconcerned thatsomeofthekeyissuesthathavebeenraisedintheIssues Paper areissueswhichcanbedealtthroughtheorderlyreviewoftheALRC recommendationsincluding:

a) Additionalprovisionsthatincreaseorganisations’accountabilitytoconsumersiftheorganisationdisclosesinformationoverseas

b) WhetherthePrivacyAct1988shouldapplyifinformationiscollectedinAustralia

ornot.

3.5ManyoftheissuesraisedintheIssuesPaper arealreadysubjecttolawsor proposedlegislationisintheprocessof beingconsideredorsimplycan’tbe addressedbyAustralianlaw

Consumerprotectionsalreadyexistformanyofthepotentialissuesoutlinedinthe IssuesPaperthatmayresultfromtheemergenceofnewtechnologies. Theseinclude:

a) PrivacyAct1988(Cth)

b) Telecommunications(InterceptionandAccess)Act1979(Cth)

c) Commonlawincludingbreachofconfidentiality,nuisance

d) Listeningdeviceslegislation(acrossalljurisdictions)

e) Surveillancedeviceslegislation(insomestates)

3.5.1AccessingPrivateVoicemails

Accessingaprivatevoicemailofacelebrity byajournalistisanoffenceinAustralia undertheTelecommunications(InterceptionandAccess)Act1979.

TheprimaryprohibitionofthisActis

ForthepurposesofthisAct,butsubjecttothissection,interception ofa communicationpassingoveratelecommunicationssystem consistsoflisteningtoor recording,byanymeans,suchacommunicationin itspassageoverthat telecommunicationssystemwithouttheknowledgeofthepersonmakingthe communication.

Section7

A personshallnot:

9

a) Intercept

b) Authorize,sufferorpermitanotherpersontointercept;or

c) Doanyactorthingthatwillenablehimorheroranotherpersontointercept

A contraventionoftheTelecommunications (InterceptionandAccess)Act1979is an indictableoffencecarryingamaximumpenaltyof2yearsimprisonment.

3.5.2SecuringCloudComputingServices

TheIssuesPaperhasidentifieddatabreachesofimproperlysecuredcloudcomputing servicesasareasonwhyastatutorycauseofactionforaseriousbreachof privacyshouldbeintroduced.

An examinationofthispotentialscenarioneedstooccurfromtheperspectiveofthe importanceofcorporatereputation,currentandfuturelegislation.

TheImportance ofCorporateReputationShouldNotbeUnderEstimated

Theimportanceofmaintainingcorporatereputationasamotivatingfactorfor organisationstoensurethattheysafeguardtheirconsumers’ datashouldnotbe under estimated.

Asignificantissuewithrespecttodatasecurity,especiallyiftheorganisation’sdata protectionpracticeswerefoundtobelacking, hasthepotentialtocausesignificant corporatereputationloss.

Manyorganisationsinvestsignificantamountsofresourcestobuildconsumertrustso thatconsumersaremorelikelytotransact withthemandalreadygotogreatlengthstoprotectdatafrommisuse,lossand unauthoriseddisclosure.

CurrentLegislation

AdatabreachthatentailsthedisclosureofpersonalinformationheldbyanAustralian organisationthathassecuredacloudcomputingserviceprovideror anyAustralian businessissubjecttothePrivacyAct1988.

IfanAustralianorganisationusesacloudcomputingserviceandthereisadatabreachbecauseinsufficientactionsweretakentosecuretheservicethentheindividualcanseekaremedyunderthePrivacyAct1988viatheorganisationitself,viaself-regulatory schemessuchastheADMACodeofPractice(iftheorganisationisanADMAmember)orviatheOfficeofAustralianInformationCommissionerforabreachofNationalPrivacyPrinciple4.

TheOfficeoftheAustralianInformationCommissionerhaspowersunderthe

PrivacyAct1988tofacilitateresolutionsincluding:

a) Apologies

b) Achangetotherespondent’spracticesorproceduresc) Staffcounseling

d) Takingstepstoaddressthematterincludingaccessingoramendingrecordse) Compensationforfinancialornon-financialloss

10

f)Othernon-financialoptions.

Similartothecauseofaction ifsuitablestepsweretakentosecurethecloud computing servicethennoactioncould betakenastheseriousinvasionofprivacy wasnottheresult ofa ‘recklessorintentionalact’.

Thereforethestatutorycauseofactionforaseriousinvasionofprivacyaddsno additional consumerbenefitinthecontextofdatabreachesbyeitherorganisationsor cloudcomputingserviceproviders.

FutureLegislation

TheexposuredraftoftheAustralianPrivacyPrinciplesenvisagedsignificantrestructuringandstrengtheningofobligationsthatapplytoorganisationsthatdiscloseinformationoverseas.Theexposuredraftincludesnewprovisionsthatmake organisationsthatdisclosepersonalinformationtooverseasentitiesaccountableforthisactionunless specialexceptionsapply.Specialexceptionssuchastheentitydisclosinginformationtoanoverseasrecipientthatissubjecttoalaw

orbindingschemethathastheeffectofprotectingtheinformationinawaythatis overallatleastsubstantiallysimilartothewayin whichAustralianprivacylawprotectsinformation.

ThenewdraftAustralianPrivacyPrinciplesalsoproposesthatorganisationsthatdo transferpersonalinformationoverseasshouldincludeaprominentnoticethattheydothis.TheseandotherkeyissuessuchaswhetherthePrivacyActapplieswhen informationiscollectedinAustraliaornotneedstobedebated,properly assessedandresolved.

In addition underthesecondtranche,whichwasexpectedtobestartednextyear,theproposedintroduction ofamandatorydatabreachnotificationschemefororganisationsandagenciestomandatorilyadviseconsumersiftherehasbeenabreachoftheirpersonalinformationistobeconsidered.

Thesecondtranchealsolooks attheimportantissuesofwhetherexemptionsuchasforindividualsusingpersonalinformationfornon-businesspurposesshouldapplyornot. Thisissue is clearlyrelevanttothestatedreasonsforintroducinga statutory cause ofaction.

Initiativessuchasmandatorydata breachnotificationarealsoworthyofconsiderationasthesehavethepotentialtoprovidepracticalmeasuresthatwillensurethatconsumersarenotifiedofpotentialissuesiftheirpersonalinformationisbreachedsothattheycantakeactiontolimitanyharmthatmayoccurasaresult ofabreach.Theyalsoresultingreaterconsumerbenefitswithoutneedingtoresorttosolutionsthatrelyonlitigation.

To bypassthesepotentandimportantreformsandmovestraighttotheintroduction of astatutorycauseofactionisprematureandunderminestheexcellentandconsideredworkperformedbytheAustralianLawReformCommissionaswellasallthosewhohave contributedtoit.

11

3.6OtherSituationsUsedtoSupporttheIntroductionofaStatutoryCauseof

ActionforaSeriousInvasionofPrivacy

3.6.1Theintroductionofnewtechnologies(suchas smartphones)thatallow individualstotakeandinstantlysharephotographswithouttheknowledgeorconsentofthesubject

Listeningdeviceslegislationacrossalljurisdictionsprohibitstherecordingof soundwithouttheindividual’sconsent.

Ininstanceswherephotosandvideo(whichdon’tinvolveaudiorecording)aretakenwithouttheknowledgeorconsentofthesubjecttheSurveillanceDevicesActappliesinsome statesbutunfortunatelynotall.

Asaresultthereisadeficiencyintheprotectionsaffordedtoconsumersif photographsorvideo imageswithoutsoundaretakenandshared.

ADMAsubmitsthattheGovernmentshould consider extendingtheSurveillance Devices legislationsuchthatitappliestoallstatesandshouldbereferredtothe Standing CommitteeofAttorney-Generalsforconsiderationtoresolvethisissue.

Notwithstandingtheaboveconsumerscancurrentlyrelyoncommonlaw protections,particularlyunderbreachofconfidence.Suchlawsthatprovideconsumerswithrecourse ifprivateor otherwisepersonalphotographs,videoandothermaterialsare sharedinamannerthatis damagingoroffensivetoanindividual.

ADMAnotesthatinthecaseofGillervProcopetstheSupremeCourtofVictoria CourtofAppealupheldon10December2008thatdamagesshouldbeawardedformentalharmnot amountingtomentalillnessforthepublicationofvideotapeofsexualactivityunderbreachofconfidence.

InitssummaryoffindingstheJudgesMaxwell,AshleyandNeaveconcludedthat

MrProcopetsbreachedhisdutyofconfidencewiththedeliberatepurpose–and having theeffect–of humiliating, embarrassinganddistressingMsGiller,itis appropriatetoincludeacomponentforaggravationintheawardofcompensation.IwouldawardMsGillerthesum of$40,000including$10,000foraggravateddamages.

3.6.2Theabilitytoforwardprivateemailstothousandsofaddressesaroundthe world

Individualscanaccessthe protectionsofthelaw,underbreachofconfidence,for emailsbeingforwardedtothousandsofaddressesunder commonlawwhereitcanbe establishedthat:

a)Informationwasconfidentialinnature

12

b)Informationwascommunicatedincircumstancesimportinganobligationofconfidence

c)Anactualorthreateneduseoftheconfidentialinformationtothe detrimentofthepersonwhoseinformationiscommunicated;

d)The informationisnotinthepublicdomain

Suchanactioncanresultinabreachofconfidentialitywhereitwasclearthatthe content ofanemailwereprivateorconfidentialinnature.Actionsthatprovide individualswithprotectionunderabreachofconfidenceincludetheindividualplacinganoticeatthefoot oftheir emailsstatingthatthecontentsareintended fortherecipientorotherwisemakingitclearthattheinformationisfortherecipient only.In suchinstances,iftheemailincludesprivateorconfidential

informationthatisnotinthepublicdomain it’sdisclosurecouldbeabreachofthe commonlawrighttoconfidentiality.

Inadditiontolegalresolutions,individualscanalsotaketechnologicalstepstoprotectprivateorconfidentialinformationincludingencryptingemailsorenablingthe‘’restrictforwardingfunction’.

A publiceducationawarenesscampaignabouthowindividualscantakesimple measurestoprotectthemselvesinthesesituationswouldbeastraightforwardandpracticalapproachtoaddressingtheseissues.

ADMAsubmitsthatconsiderationastowhethersimilarmessagesmightbe incorporatedintothe AustralianCommunicationsandMediaAuthority’sCyber- safetycampaignmayalsobebeneficialinthisinstance.Thesemessagescouldalsobeincorporatedintoabroaderdigitalcitizenshipcampaign.

Inaddition,theforwardingofemailsfor commercialpurposesaresubjecttothe SpamAct2003(Cth),equivalentinternationallegislationandinternational memorandumsofunderstanding.

3.6.3Theabilitytopostfootageonavideosharingwebsite

Similartothecaseexaminedinsection3.6.1abovesuchanactionwould entaila breachofconfidentiality,abreachof listeningdevicelegislationorotherwiseneeds tobeprotectedbyensuringthesurveillancedevicelegislationisconsistentacrossallstatesandterritories(dependentonwhetherthevideoincludessoundornot).

3.6.4EmailandSocialNetworkingSitescanbehacked andpersonaldetails mined.

The samelegalprotectionsapplyasoutlinedinsection3.5.2iftheseemailandsocial networkingsitesaremanagedbyAustraliancompaniesorcompanieswitha presenceinAustralia.

If emailandsocialnetworkingsitesarehostedintheUnited Statesthenthese sitesaresubjecttoUSlawandcourts.

13

ADMAnotesthatinthiscase,theintroductionofastatutorycauseofactionforaright toprivacyhavethesameeffectasAustralianprivacylawintermsofprovidingcoveragewherepersonal informationishacked.

WhilsttheIssuesPaperoutlinedconcernsaboutinformationheldoverseasa detailedexaminationofthedifferentlawsthatprotectinformationheldbyemailandsocialnetworkingsitesintheUnitedStatesof America wasnotoutlined.

ThereareanumberoflawsthatapplytocompaniesthatoperateintheUnited

Statesof America.Theseinclude:

a) TheChildren’sOnlinePrivacyProtectionAct(COPPA)whichisaUnited StatesofAmericaFederallawthatregulatesthecollectionanduseof personalinformationbelongingtochildrenaged13 andunder.COPPAis currently beingreviewed.

b) TheFederalTradeCommissionAct,Section5 whichempowerstheFederal Trade Commissiontoinvestigatemisleadinganddeceptivetradingpractices whichhasbeenusedtoprosecutecompanies whodon’tcomplywiththeir privacynotices

c) Mandatorydatabreachnotificationlawsthatapplyin46differentstates includingCaliforniaandWashingtonDC

d) TheMassachusettsStandardsfortheProtectionofPersonalInformationof

ResidentsoftheCommonwealth(datasecurity)

e) TheUnitedStatesofAmericalawalsoincludesabreachofconfidence.

14

4ResponsetoQuestionsPosed

1. Dorecentdevelopmentsintechnologymeanthatadditionalwaysof protectingindividuals’ privacyshouldbeconsideredinAustralia?

Overall,Australiansareaffordedasignificantlevelof protectionunderexisting privacy lawsincluding:

PrivacyAct1988(Cth)

Telecommunications(InterceptionandAccess)Act1979(Cth)

Commonlawincludingbreachofconfidentiality,nuisance

Listeningdeviceslegislation(acrossalljurisdictions)

Surveillancedeviceslegislation(insomestates)

TheselawsrenderastrongGovernmentintervention such astheintroduction ofastatutorycauseofactionforaseriousinvasionofprivacyunnecessary.

Thereishowever oneareaofthelawthatdoesappeartoneedsomeadditional strengtheningandthisisthepatchworkofvariousstatebasedsurveillancedevicelegislation.

As statedabove,ADMAsubmitsthattheGovernmentshouldreferthetaskof reachingconsistencyaroundsurveillancedevicelegislationinallStatesand TerritoriesofAustraliatotheStandingCommittee of AttorneyGenerals.

InadditionADMAsubmitsthatadditionalstepstoeducateindividualswith respecttoemailcommunicationsshouldbereferredtotheAustralian CommunicationsandMediaAuthorityforintegrationintoitsCyber-safety program.

2. Isthereaneedforacauseofactionforserious invasion ofprivacyin

Australia?

Asoutlined insection3aboveADMAsubmitsthattherearealreadysignificant consumerprotectionsinplacethatprovideadequateprivacyprotectionfor individuals.

Anydeficienciesinthecurrentlegalsystemcanbeadequatelyaddressedbymakingsurveillancedevicelegislationconsistentacrossall Australian StatesandTerritorieswithouthavingtoresorttotheintroductionofastatutorycauseofactioninAustralia.

15

In additiontoactionsthatcanbetakenwithrespecttosurveillancedevicelegislationtherearealsoaraft ofALRCrecommendationsotherthanacauseofactionthatwill providesubstantialadditionalprivacyprotectionstoAustralians.

Theseinclude:

a) Makingorganisationsthatdisclosepersonalinformationtooverseasentities accountableforthedatawhilstitisoutofAustraliaunlessspecialexceptions apply;

b) WhetherthePrivacyAct1988shouldapplytoinformationthatisnotcollected

in Australia;

c) Placingadditionalobligationsonorganisationstoinformindividualsifthey disclose informationoverseas;and

d) Considerationoftheintroductionofmandatorydatabreachnotification.

3. Shouldanycauseofactionforseriousinvasionofprivacybecreatedby statuteorbelefttodevelopmentofcommonlaw?

Shouldtherebeasignificantincreaseinactivityundercommonlawforbreachesofprivacy,itmaybeworthconsideringthecreationofastatutorycauseofaction.

There,however, doesnotappeartobeanyneedforthistooccuratthispointin time.

Itisalso importanttonotethatatthispointintimethereisscantevidence,either throughthecourtsorthroughthemedia,thatthereis strongpublicdemandfor additional protectionswithrespecttoprivacy.

4. Is‘highlyoffensive’anappropriatestandardforacauseofactionrelatingto seriousinvasionsofprivacy?

Theterm“highlyoffensive”isverysubjective.

Publicinterestorcommunitystandardbasedtestsaredifficultbecausethey evolvedynamicallyovertime.

Itisvitallyimportantthatastatutorycauseof action, should itproceed,onlybe possible foractionsthatare“highlyoffensivetoapersonofordinary sensibilities”.

Thisinclusionprovidesareasonablenesstestwhichwillsomewhatreducethelevelofbusinessuncertaintythatastatutorycauseofactionwillintroducebutitsinclusion willnotremovethevariabilitythatwillbeintroducedbygivingthecourtsresponsibilityforconcept ofprivacy.

16

ADMAsubmitsthatitisvitallyimportantthatfurtherworkisdonetodefine

‘privacy’beforetheintroductionofastatutorycauseofactionforabreachofprivacy isintroducedsoastoreducetheamountofbusinessuncertaintythatthislegislationwillcreate.

5. Shouldthebalancingofinterestsinanyproposedcauseofactionbe integratedintothecauseofaction(ALRCorNSWLRC)orconstitutea separatedefence(VLRC)?

6. Howbestcouldastatutorycauseofactionrecognizethepublicinterestin freedomofexpression?

ADMAdoesnotsupporttheintroductionofthestatutorycauseofaction atallbutifsuchadetrimentalandunnecessarychangewastobemadethenwenotethattheIssuesPaperdoesnotdiscusstheconceptoffreedomofexpressioninmuchdetail.

Freedomofspeech needstobeconsideredinmuchgreaterdetailbeforeany statutorycauseofactionforabreachofprivacyisintroduced.

ADMAnotesthatacodifiedguaranteeoffreedomofspeechorexpressiondoesnotexist,exceptinalimitedmannerregardingpoliticalfreedomofspeech,inthe Australianconstitution.

ADMAnotesthatthe othermajorjurisdictionswhererightstoprivacyexistalsohavefreedomofspeechorequivalentprotections.ADMAsubmitsthatAustraliashouldalsoenshrinefreedomofspeechasaseparaterightifarighttoprivacyisintroduced intoAustralianlawtoensuretheappropriate balancebetweenprivacyandfreedomofspeech.

Ataminimumfreedomofspeechshouldbeincorporatedasatestagainstwhicha statutorycause ofactionforaseriousinvasionofprivacymustbeassessedbeforeactionthroughthecourtscanbeinitiated.

7. Istheinclusionof‘intentional’or‘reckless’ asfaultelementsforanyproposed causeofactionappropriate,orshouldit containdifferentrequirementsastofault?

ADMAdoesnotsupporttheintroductionofthestatutorycauseofaction atallbutifsucha detrimentalandunnecessarychangewastobemadethen‘intentional’and ‘reckless’asfaultelementsmustbeincluded.

17

8. Shouldanylegislationallowfortheconsiderationofotherrelevantmatters,and,ifso,isthelistofmattersproposedbytheNSWLRCnecessaryand sufficient?

ADMAdoes notsupporttheintroductionofthestatutorycause of action at all however themattersforconsideration bythecourtproposed by theNSWLRC wouldbenecessaryif suchacauseofactionwereintroduced.

9. Shouldanon-exhaustivelistofactivitieswhichcouldconstituteaninvasionof privacybeincludedinthelegislationcreatingastatutorycauseofaction,orin otherexplanatorymaterial?Ifalistweretobeincluded,shouldanychangesbemadetothelistproposedbytheALRC?

ADMAdoesnotsupporttheintroductionofthestatutorycauseofaction atallbutifsuchadetrimentalandunnecessarychangewasmadethenanon-exhaustiveand extensivelistofactivitieswhichdonotconstituteaninvasionofprivacyshouldalsobe includedinthelegislation.

Thislist shouldinclude clarificationthatmanyexistingbusinesspracticesand procedures thatarelegalundertheexistingAustralianprivacyregimearenot consideredaseriousinvasionofprivacy.

Suchastepwouldgosomewaytoreducingbusinessuncertainty.It willstillnot addressthekeyconcernsheldbyADMAinrelationtothechillingeffectoninnovation andAustralia’sabilitytocompeteonaglobalstageespeciallyagainstcountrieswithregulatorysettingsdesignedtopromoteinnovationorpromoteeconomicgrowth.

10.Whatshouldbeincluded asdefencestoanyproposedcauseofaction?

ADMAdoesnotsupporttheintroductionofthestatutorycauseofaction atallbutifsuchadetrimentalandunnecessarychangewasmadethenthefollowingdefences shouldbeincluded:

a) Consent(bothexpressandimplied)

b) takedownuponnotification(whereanorganisationhascompliedwithnoticeandtakedownsimilartothesafeharbourthatappliesundertheCopyrightAct 1968)

18

11.Shouldparticularorganisationsortypesoforganisationsbeexcludedfromtheambitofanyproposedcauseofaction,orshoulddefencesbeusedtorestrict itsapplication?

TheGovernmentshouldaccommodatetheuniqueroleofonlineplatforms,email providersandmoretraditionalformsofcommunicationsservicesfromanyproposedcauseofaction.

Onlineplatformsfacilitatecommunicationbyothersandindoingthis

facilitateenormousvolumesofcommunicationsmakingitimpracticableforthese platformstomonitoror playany sortofeditorialrole.

A similarissue ariseswithrespecttoemailprovidersormoretraditionalformsof communication,postalandtelephoneservices.

AsaresultADMAsubmitsonlineplatforms,emailprovidersandmoretraditional forms ofcommunicationservicesshouldallappropriately accommodatedintermsoftheuniqueroletheyplayfromany proposedcauseofactionandadefenceoftakedownupon notification,withsafeharborforthosewhocomply withnoticeandtakedownprocedures(asdescribedabove)shouldbeincluded asafundamentalelementofthelegislationshould itproceed.

12.AretheremediesrecommendedbytheALRCnecessaryandsufficientfor,andappropriateto,theproposed causeofaction?

ADMAoffersno commentonthismatter.

13.Shouldthelegislationprescribeamaximumawardofdamagesfornon- economicloss,andifso,what shouldthatlimitbe?

ADMAdoesnotsupporttheintroductionofthestatutorycauseofaction atall iftheGovernmentshouldproceedwithsuchadetrimentalchangethenitshouldimposea cautiouslimitonthemaximumawardofdamages.

19

14.Shouldanyproposedcauseofactionrequireproofofdamage?Isso,how shoulddamagebedefinedforthepurposesofthe causeofaction?

ADMAsubmitsthatthesignificantissues thatcouldarisewithrespecttoallowing individualstotakeactionagainstcompanieswithouthavingtoshowdamagesfor sumsunder$150000.

ADMAisextremely concernedthatifa statutorycauseofactionforaserious breach ofprivacyisintroducedthatindustrywillbecomesubjecttosignificant increasesincosts.

Courtsaretaskedtoassessthemeritsofeachcasebutnottoassessthenet economicimpactoftheirdecisions.

AsaresultADMAurgestheGovernmenttoconductafullRegulatoryImpact StatementtoassessthenetbenefitforAustralians,especiallyinconsiderationofthesignificantexistingprotectionsthatAustralianscanreadilyaccessalreadyor willbeabletoactionshouldthePrivacyAct1988bereviewedandthesurveillancedeviceslegislationbeextendedtoallstates.

15.Shouldanyproposedcauseofactionalsoallowforanofferofamends process?

WhilstADMAdoesnot supporttheintroductionofastatutorycauseofactionfora seriousbreachofprivacy,shouldtheGovernmentproceedwiththisapproachADMA submitsthattheinclusionofanofferofamendsprocesswouldbeessentialtotheprocess.

Suchaninclusionwouldbeconsistentwiththeconciliatoryapproachwhichhas been adoptedtodatewithrespecttotheenforcementofthePrivacyAct1988.

16.Shouldanyproposedcauseofactionberestrictedtonaturalpersons?

Privacyisahumanright.Assuchtheconceptofprivacyshouldberestrictedto naturalpersonsonly.

20

17.Shouldanyproposedcauseofactionberestrictedtolivingpersons?

Theconcept ofprivacyappliestoanindividual.

ADMAnotesthattheGovernment initsresponsetothefirsttrancheofthe AustralianLawReformCommission’srecommendationnotedsignificant constitutionallimitationsontheCommonwealth’spowertolegislateinthisareaand submitsthatthesameissueswouldapplywithrespecttoastatutorycauseofaction.

18.Withinwhatperiod,andfrom whatdate,shouldanactionforseriousinvasionof privacyberequiredtobecommenced?

ADMAdoesnotsupporttheintroductionofastatutorycauseofactionfora seriousbreachofprivacyhowevershouldsuchastatutorycauseofactionbe introducedthenindividualsshouldhave12monthstotakeaction.

19.Whichforumsshouldhavejurisdictiontohearanddetermineclaimsmadefor seriousinvasionofprivacy?

ADMAoffersno commentonthismatter.

21