Recommendation 4–1 If a statutory cause of action for serious invasion of privacy is to be enacted, it should be enacted by the Commonwealth, in a Commonwealth Act (the Act).
4.5 This recommendation is about the location of a statutory cause of action in Australian law. There are two aspects to this recommendation: that the legislation should be enacted by the Commonwealth rather than by the states and territories; and that the statutory cause of action should preferably be located in a stand-alone Act, rather than the Privacy Act.
4.6 First, the ALRC considers that if a statutory cause of action is introduced, it should be in Commonwealth legislation, as this is the best way to ensure the action is available and consistent throughout Australia. Many stakeholders emphasised the need for and value of uniformity and consistency of law across Australia.
4.7 The Western Australian Attorney-General submitted that co-operative Commonwealth and state legislation would be preferable. However, it is demonstrably difficult to achieve consistency across state and territory legislation, and even where this has been achieved on certain legal issues, it has taken a very long time. Inconsistent statutory provisions in state and territory legislation would be highly confusing, and increase fragmentation and unnecessary complexity in the law. Complexity would result in poor protection of privacy generally and have a damaging effect on many other activities that are of significant public interest. Inconsistency and complexity of legislation substantially increases costs for businesses, particularly those operating across state and international boundaries. Difficult questions of jurisdiction and applicable law would arise. There would also be a risk of ‘forum shopping’ if the details of the cause of action differed between Australian jurisdictions.
4.8 On the second aspect of the recommendation, the ALRC considers that the better course is for the cause of action to be in a stand-alone Act to avoid confusion and to enhance clarity. The court-ordered remedial regime that would follow invasions of privacy under the statutory cause of action would be distinct from the regulatory regime which is the essence of the Privacy Act.
4.9 The essential purposes and scope of the two regimes are different. The Privacy Act sets up a regime for the security and privacy of personal information which is collected, stored or used by certain entities (often known as ‘data protection’ regulation). The statutory cause of action would relate not only to the privacy of information but also to other types of privacy, such as territorial, communications and bodily privacy.
4.10 The Privacy Act sets up a regime to ensure compliance with a number of Australian Privacy Principles (APPs). There is a complaints mechanism which may lead to compensation being paid for an interference with privacy by an act or practice relating to personal information in a manner set out in the Act. However, breaches of the requirements of the Privacy Act generally lead to regulatory responses by the Office of the Australian Information Commissioner (OAIC) including, from March 2014, the possible imposition of significant civil penalties on the relevant entity. By contrast, an invasion of privacy that is actionable under the Act would lead only to a range of civil remedies sought by and for the benefit of the plaintiff.
4.11 Importantly, the Privacy Act is limited in its application to certain entities across Australia. It does not apply to most individuals, or to state agencies. It also includes a number of exemptions, such as for small businesses (defined as having an annual turnover of less than $3 million) and media and other activities. The ALRC recommends that there be no limitations or exemptions under the statutory cause of action. Subject to jurisdictional limitations, any justification in the public interest or defences including lawful authority, the new statutory cause of action would apply to any person or entity that invades the privacy of a person in the manner and circumstances set out in the Act.
4.12 A number of stakeholders considered that the cause of action, if enacted, should be contained in the Privacy Act. Dr Normann Witzleb submitted that the cause of action is consistent with the objects of the Privacy Act, would make the name of that Act more appropriate, and would involve the Privacy Commissioner being given additional powers. The Media and Communications Committee of the Law Council of Australia submitted that, if it were enacted, a statutory cause of action should be in the Privacy Act andsubject to the existing media exemptions.
4.13 On balance, and particularly because it recommends that the statutory cause of action should not include the exemptions in the Privacy Act, the ALRC considers that it would be less confusing if the new cause of action were located in a new stand-alone Commonwealth Act. It would be appropriate for this Act to be called the Serious Invasions of Privacy Act.
4.14 If, however, an enhanced and broader model of complaints to the Australian Privacy Commissioner were to be introduced, as proposed by the OAIC, to provide complainants with an alternative to court proceedings in respect of invasions of privacy in general, there would be a stronger case for including the statutory cause of action in the Privacy Act. The OAIC’s proposal for a complaints model is discussed in Chapter 16.
Public Interest Advocacy Centre, Submission 105; South Australian Law Reform Institute, Submission 87; Australian Pork Ltd, Submission 83; Office of the Australian Information Commissioner, Submission 66. Australian Pork Ltd also noted that enacting a Commonwealth Act would be quicker than the time frame needed for uniform state and territory legislation.
Office of the Western Australian Attorney-General, Submission 25.
This is illustrated by the continuing variation in surveillance devices legislation discussed in Ch 14, but also in other regimes such as civil liability legislation.
See, eg, the Uniform Defamation Laws, finally introduced in 2005 after 150 years of inconsistency, and decades of discussion on reform. David Rolph, ‘A Critique of the National, Uniform Defamation Laws’ (2008) 16 Torts Law Journal 207.
In 2008, the ALRC also expressed this view, stating that ‘there may be significant confusion arising from the placement of the cause of action in that Act [the Privacy Act]. For example, whether the exemptions under the Privacy Act applied to the cause of action, and the interaction between the cause of action and other complaint mechanisms, may be unclear if the Privacy Act were amended to include the cause of action’: Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108 (2008) [74.195].
The existing complaints mechanism is discussed in Ch 15.
These responses are outlined in Ch 3.
As noted in Ch 3, the Privacy Act does apply to some individuals, including individuals who operate certain types of businesses and businesses that trade in personal information: see Privacy Act 1988 (Cth) ss 6C–6EA. Section 16 provides that the APPs do not apply to personal information that is collected, used, held or disclosed by an individual in connection with the individual’s family or household affairs.
Ibid ss 6C(1), 6D (small businesses); s 7B(4) (journalistic acts); and s 7C (political acts).
The defence of lawful authority provides a significant exemption to a wide range of government and other agencies. See Ch 11.
N Witzleb, Submission 116; Australian Bankers’ Association, Submission No 72 to DPM&C Issues Paper, 2011.
N Witzleb, Submission 116. See, also, Australian Bankers’ Association, Submission No 72 to DPM&C Issues Paper, 2011.
Media and Communications Committee of the Law Council of Australia, Submission 124.
‘If a new cause of action is actionable only in the courts, further consideration should be given as to whether the provisions are included in either the Privacy Act or in separate Commonwealth legislation. On the one hand, there is benefit in having all federal privacy regulation within the same piece of legislation. On the other hand, the Privacy Act largely pertains to the OAIC’s functions, so provisions unrelated to the OAIC may be better placed in other legislation’: Office of the Australian Information Commissioner, Submission 66.