A new stand-alone Commonwealth Act

Recommendation 4–1 If a statutory cause of action for serious invasion of privacy is to be enacted, it should be enacted by the Commonwealth, in a Commonwealth Act (the Act).

4.5 This recommendation is about the location of a statutory cause of action in Australian law. There are two aspects to this recommendation: that the legislation should be enacted by the Commonwealth rather than by the states and territories; and that the statutory cause of action should preferably be located in a stand-alone Act, rather than the Privacy Act.

4.6 First, the ALRC considers that if a statutory cause of action is introduced, it should be in Commonwealth legislation, as this is the best way to ensure the action is available and consistent throughout Australia. Many stakeholders emphasised the need for and value of uniformity and consistency of law across Australia.[1]

4.7 The Western Australian Attorney-General submitted that co-operative Commonwealth and state legislation would be preferable.[2] However, it is demonstrably difficult to achieve consistency across state and territory legislation,[3] and even where this has been achieved on certain legal issues, it has taken a very long time.[4] Inconsistent statutory provisions in state and territory legislation would be highly confusing, and increase fragmentation and unnecessary complexity in the law. Complexity would result in poor protection of privacy generally and have a damaging effect on many other activities that are of significant public interest. Inconsistency and complexity of legislation substantially increases costs for businesses, particularly those operating across state and international boundaries. Difficult questions of jurisdiction and applicable law would arise. There would also be a risk of ‘forum shopping’ if the details of the cause of action differed between Australian jurisdictions.

4.8 On the second aspect of the recommendation, the ALRC considers that the better course is for the cause of action to be in a stand-alone Act to avoid confusion and to enhance clarity.[5] The court-ordered remedial regime that would follow invasions of privacy under the statutory cause of action would be distinct from the regulatory regime which is the essence of the Privacy Act.

4.9 The essential purposes and scope of the two regimes are different. The Privacy Act sets up a regime for the security and privacy of personal information which is collected, stored or used by certain entities (often known as ‘data protection’ regulation). The statutory cause of action would relate not only to the privacy of information but also to other types of privacy, such as territorial, communications and bodily privacy.

4.10 The Privacy Act sets up a regime to ensure compliance with a number of Australian Privacy Principles (APPs). There is a complaints mechanism which may lead to compensation being paid for an interference with privacy by an act or practice relating to personal information in a manner set out in the Act.[6] However, breaches of the requirements of the Privacy Act generally lead to regulatory responses by the Office of the Australian Information Commissioner (OAIC) including, from March 2014, the possible imposition of significant civil penalties on the relevant entity.[7] By contrast, an invasion of privacy that is actionable under the Act would lead only to a range of civil remedies sought by and for the benefit of the plaintiff.

4.11 Importantly, the Privacy Act is limited in its application to certain entities across Australia. It does not apply to most individuals,[8] or to state agencies. It also includes a number of exemptions, such as for small businesses (defined as having an annual turnover of less than $3 million) and media and other activities.[9] The ALRC recommends that there be no limitations or exemptions under the statutory cause of action. Subject to jurisdictional limitations, any justification in the public interest or defences including lawful authority,[10] the new statutory cause of action would apply to any person or entity that invades the privacy of a person in the manner and circumstances set out in the Act.

4.12 A number of stakeholders considered that the cause of action, if enacted, should be contained in the Privacy Act.[11] Dr Normann Witzleb submitted that the cause of action is consistent with the objects of the Privacy Act, would make the name of that Act more appropriate, and would involve the Privacy Commissioner being given additional powers.[12] The Media and Communications Committee of the Law Council of Australia submitted that, if it were enacted, a statutory cause of action should be in the Privacy Act andsubject to the existing media exemptions.[13]

4.13 On balance, and particularly because it recommends that the statutory cause of action should not include the exemptions in the Privacy Act, the ALRC considers that it would be less confusing if the new cause of action were located in a new stand-alone Commonwealth Act. It would be appropriate for this Act to be called the Serious Invasions of Privacy Act.

4.14 If, however, an enhanced and broader model of complaints to the Australian Privacy Commissioner were to be introduced, as proposed by the OAIC, to provide complainants with an alternative to court proceedings in respect of invasions of privacy in general, there would be a stronger case for including the statutory cause of action in the Privacy Act.[14] The OAIC’s proposal for a complaints model is discussed in Chapter 16.