Lawful authority

Recommendation 11–1 The Act should provide for a defence that the defendant’s conduct was required or authorised by law.

11.7 The defence of lawful authority protects a defendant from liability for serious invasions of privacy where the conduct was required or authorised by law.[1] This defence will be especially important for government authorities that are required to maintain law, order, safety and governance in a manner consistent with their statutory powers. The exercise of their responsibilities will often, necessarily, encroach on private rights.

11.8 Statutory bodies whose roles and responsibilities are prescribed by state, territory and federal legislation, include government agencies and departments, security and intelligence organisations and law enforcement agencies. This defence is necessary to protect organisations from civil liability for performing legitimate activities pursuant to statutory authority, such as law enforcement agencies intercepting telephone conversations under warrant.

11.9 This defence is consistent with the principle that any licence for public bodies or officials to pursue conduct that may infringe the fundamental rights or interests of an individual must be clearly and unambiguously authorised in legislation. In Coco v R, a majority of the High Court of Australia explained this so-called principle of legality:

Statutory authority to engage in what otherwise would be tortious conduct must be clearly expressed in unmistakeable and unambiguous language … The insistence on express authorisation of an abrogation or curtailment of a fundamental right, freedom or immunity must be understood as a requirement of some manifestation or indication that the legislature has not only directed its attention to the question of the abrogation or curtailment of such basic rights, freedoms and immunities, but also determined upon abrogation or curtailment of them.[2]

11.10 The defence of statutory authority to intentional torts provides that public bodies and officials do not have a licence to commit acts, which would otherwise be unlawful or tortious—unless authorised by statute.[3] This defence may protect individuals and agencies from civil suits where a defendant’s conduct was performed under statutory authority to prevent and detect crime; in exercise of powers of arrest; and in the provision of public utilities and services.[4]

11.11 Areas of the criminal law also provide defences for lawful authority. For example, s 10.5 of the Commonwealth Criminal Code 1995 provides that a person ‘is not criminally responsible for an offence if the conduct constituting the offence is justified or excused by or under law’.[5]

11.12 Previous law reform reports recommended a defence of lawful authority.[6] The New South Wales Law Reform Commission (NSWLRC) noted that the defence of statutory authority is necessary to enable agencies, such as the Australian Federal Police (AFP), to carry out their functions in a manner consistent with the protection of public interests such as security and public order.[7] Activities that may otherwise amount to an invasion of privacy have been shown to be very effective in the apprehension of offenders.[8]

11.13 The AFP provided examples of statutory obligations authorising the procurement of an individual’s private information.[9] For example, the Australian Federal Police Act 1979 (Cth) requires the AFP to safeguard the interests of the Commonwealth, prevent crime and protect persons from injury, death and property damage. The AFP stated that

undertaking these activities will inevitably involve interfering with an individual’s privacy on occasions. Where this does occur, every effort is made to respect an individual’s privacy by ensuring the information that is obtained is properly protected and dealt with whilst in the possession of the AFP. Indeed, the various Acts contain provisions which set out how the information can be used by law enforcement agencies and how it must be protected.[10]

11.14 The AFP submitted that its activities are already subject to a range of existing internal and independent ‘accountability frameworks’.[11] However, the ALRC considers it is appropriate for the statutory cause of action to provide civil redress for individuals whose privacy has been invaded, in the event that an agency acts outside any lawful authority.[12]

11.15 The AFP raised the concern that any unmeritorious litigation could divert resources away from important law enforcement and security operations.[13] However, the ALRC considers that the thresholds built into the statutory cause of action and the defence of lawful authority will prevent unmeritorious claims proceeding to trial.

11.16 Similarly, the AFP was concerned that the process of having to adduce evidence of intelligence-gathering methods may disclose the lawful, covert practices of law enforcement and intelligence organisations and may reveal the identity of individuals under surveillance or investigation.

11.17 The ALRC considers, however, that there are strong protections in the court system to mitigate this risk. These protections include closed court proceedings and other protective measures provided by federal, state and territory legislation.[14]

Required by law

11.18 In the Discussion Paper, the ALRC proposed ‘a defence of lawful authority’.[15] Several stakeholders submitted that any such defence should be extended to a defence for actions ‘required by law’,[16] in order to capture the activities of statutory agencies and their officers who are legally mandated to undertake certain activities. For example, the National Archives argued that including ‘required by law’ would broaden the defence to include the use and release of records pursuant to the Archives Act 1983 (Cth).

11.19 The term ‘authority’ includes circumstances where someone is empowered or has the discretion to pursue certain lawful conduct.[17] The term ‘requires’ indicates an imperative to take some specific action, without the exercise of discretion, and is narrower. Arguably, conduct which is ‘required by law’ will also fall within the term ‘authorised by law’. However it is important to ensure that government bodies and other entities and individuals are not sued for carrying out activities they are legally obliged to undertake. Therefore the ALRC recommends that the defence should include the phrase ‘required by law’.

Authorised by law

11.20 The term ‘lawful’ is intended to give effect to federal, state and territory legislative and non-legislative instruments. The defence should include authority given under: Commonwealth, state and territory acts and delegated legislation; an order of a court or tribunal; and documents that are given the force of law by an act, such as industrial awards.[18]

11.21 Under the defence, any act or course of conduct committed under statutory authority will be protected from liability. That authority, as canvassed by the High Court in Coco v R, must be ‘express’.[19]

11.22 ‘Lawful’ should also extend to documents which have the ‘force of the law’. A document may have the ‘force of law’ if it is an offence to breach its provisions, or if it is possible for a penalty lawfully to be imposed if its provisions are breached.[20]

11.23 Dr Normann Witzleb argued that the defence of lawful authority is unnecessary: where an authorised person exercises their statutory authority, they are necessarily authorised to commit that action.[21] However, the ALRC considers a clear defence will provide certainty to parties.

11.24 The AFP also suggested that law enforcement agencies should have a total exemption from liability, because liability may inhibit the legitimate activities of law enforcement and intelligences agencies, causing agencies to change established and efficient modes of operation.[22] In the digital era, there is increasing community concern and debate over the extent of surveillance and data collection carried out by public agencies. The ALRC considers that it is not appropriate that public agencies should be exempt or immune from liability for serious invasions of privacy. However, a defence for conduct required or authorised by law will give appropriate protection.[23]

11.25 The Human Rights Committee of the Law Society of NSW was concerned that agencies could rely on the defence of lawful authority for the gathering of metadata. The Committee noted that the defence would mean that the new cause of action would not protect individuals from the collection of metadata or surveillance by security or other government agencies authorised by legislation—‘which would appear to be the majority of such data collection and surveillance’.[24] Its concern was that legislation authorising the collection of metadata breaches Australia’s human rights obligations. Some of the legislation the Committee refered to is the subject of other current inquiries.[25]

11.26 Some stakeholders argued that a qualification that the conduct was just, reasonable[26] and/or necessary[27] should attach to the defence to curb excesses of power. The UNSW Cyberspace Law and Policy Community argued that the defence is too ‘broad’, suggesting it should be qualified by ‘elements of transparency, necessity, justification, effectiveness and proportionality’.[28] However, the ALRC considers that the only relevant question should be whether or not the conduct was authorised by law. In some cases, the legislation authorising the conduct will already build in qualifying matters such as that the conduct was reasonable or necessary, for it to be considered lawful.

11.27 It is also implicit in the defence that the conduct must have been for the purposes of the lawful authority and not for an ulterior purpose. This is illustrated by Donnelly v Amalgamated Television Services Pty Ltd, where Hodgson CJ in Eq said:

If police, in exercising powers under a search warrant or of arrest, were to enter into private property and thereby obtain documents containing valuable confidential information… I believe they could in a proper case be restrained, at the suit of the owner of the documents, from later using that information to their own advantage, or to the disadvantage of the owner, or passing the information on to other persons for them to use in that way.[29]

11.28 The Business Law Committee of the Law Society of NSW referred to the concern of insolvency practitioners who are often met with objections on ‘privacy’ grounds when carrying out their investigations.[30] Investigations or requests for, or disclosures of, information would generally be authorised by contractual rights underpinning the process or the defence of lawful authority. The latter would operate where legislation provided for the relevant process, such as the Corporations Act 2001 (Cth), in the case of corporate insolvency and administration, or the Bankruptcy Act 1966 (Cth) for personal insolvency, or pursuant to an order of a court—for example, for the appointment of a trustee, receiver or liquidator.

Consequential amendments to existing legislation

11.29 The enabling acts of all statutory bodies should not need to be amended to protect their actions from liability when done as required or authorised by those acts. In some circumstances, however, it may be appropriate to amend specific legislation so that existing exemptions from civil liability extend to the new tort.

11.30 For example, s 57(1) of the Archives Act 1983 (Cth) provides:

Where, in the ordinary course of the administration of this Act, access is given to a record as being a record required by this Part to be made available for public access:

(a) no action for defamation, breach of confidence or infringement of copyright lies, by reason of the authorizing or giving of the access, against the Commonwealth or any person concerned in the authorizing or giving of the access.

11.31 Although it may be unnecessary, given the defence of lawful authority, this provision could be amended by adding a reference to actions for serious invasion of privacy. While the defence that the conduct was authorised or required by law should be sufficient protection to authorised activities, consequential amendments to s 57 of the Archives Act may provide greater certainty and consistency.