Intentional or reckless invasions of privacy

Recommendation 7–1 The new tort should be confined to intentional or reckless invasions of privacy. It should not extend to negligent invasions of privacy, and should not attract strict liability.

7.7 The ALRC recommends that, in a cause of action for serious invasion of privacy, the defendant must be shown to have intended to invade the privacy of the plaintiff. This intention could encompass either:

  • a subjective desire or purpose to intrude or to misuse or disclose the plaintiff’s private information; or

  • circumstances where such an intent may be imputed to the defendant on the basis that the relevant consequences—the intrusion, misuse or disclosure—were, objectively assessed, obviously or substantially certain to follow.

7.8 This approach to intent is consistent with the principles set out in Fleming’s Law of Torts in relation to the tort of battery,[1] and with the Restatement (Third) of Torts: Liability for Physical & Emotional Harm.[2] As discussed further below, the defendant should also be liable if they were reckless.

7.9 It may be helpful for both intent and recklessness to be defined in the legislation. A definition of intent—including both subjective and imputed intent—could be modelled on the US Restatement definition, discussed below. The Commonwealth Criminal Code set out in the Schedule to the Criminal Code Act 1995 (Cth) contains a definition of recklessness that could serve as a model for a definition of recklessness in the new tort. Alternatively, the provision could state that a person is reckless if they are aware of a substantial risk that an invasion of privacy will occur, and acts regardless of, or with indifference to, that risk.

7.10 Previous law reform reports have diverged on the issue of fault. In 2008, the ALRC recommended that liability for invasions of privacy should be limited to intentional or reckless conduct, with ‘intentional’ defined as being where the defendant ‘deliberately or wilfully invades the plaintiff’s privacy’ and ‘reckless’ having the same meaning as in s 5.4 of the Criminal Code (Cth).[3] The ALRC said that ‘including liability for negligent or accidental acts in relation to all invasions of privacy would, arguably, go too far’.[4]

7.11 Neither the New South Wales Law Reform Commission (NSWLRC) nor the Victorian Law Reform Commission (VLRC) recommended a fault element as part of the recommended cause or causes of action, but the NSWLRC recommended a defence of innocent dissemination similar to that found in the Defamation Acts.[5] The NSWLRC explained why it had not suggested a fault element in its design:

We prefer not to lay down an absolute rule [as to whether conduct must be intentional (that is, deliberate or wilful)]. Submissions generally favoured extending liability beyond intentional conduct. While our view is that liability will generally arise under the legislation only where the defendant has acted intentionally there may be circumstances where the defendant ought to be liable for an invasion of privacy that is, for example, reckless or negligent, as where a doctor is grossly negligent in disclosing the medical records of a patient. This is a matter that is appropriately left to development in case law.[6]

7.12 Many stakeholders agreed that the cause of action should be confined to intentional or reckless invasions of privacy.[7]

7.13 Some stakeholders suggested that requiring the plaintiff to prove intent or recklessness sets too high a bar for liability or is too difficult for plaintiffs.[8] However, although the burden of proving fault will be on the plaintiff,[9] it will not always be difficult for the plaintiff to prove that the defendant’s conduct involves the first kind of intent above—that is, a subjective desire or purpose. A subjective intent may be obvious on the facts or readily inferred from the defendant’s behaviour or statements.

7.14 The second kind of intent—one where the defendant is taken to have intended to invade the plaintiff’s privacy—could be described as an ‘imputed intent’.[10] In the ALRC’s view, the notion of ‘imputed intent’ is consistent with the well-accepted principle that a person who acts with knowledge of a substantial certainty of a consequence will be taken to have intended that consequence. ‘Imputed intent’ is a short-hand term for this method of finding intent.

7.15 Therefore, a plaintiff would not necessarily have to prove that the defendant had a subjective intent (or purpose) to invade his or her privacy. An intent may be imputed from the circumstances: if an invasion of privacy is substantially or obviously certain to follow from certain conduct, then the defendant may be taken to have intended the invasion of privacy, even if the defendant in fact did not put his or her mind to invading the plaintiff’s privacy.

7.16 There is little argument against the proposition that, if a statutory tort of invasion of privacy is to be enacted (or a common law tort developed), it should be actionable where the defendant has intentionally invaded the privacy of the plaintiff. Deliberate and unjustifiable invasions of an individual’s privacy[11] are clearly culpable and beyond what any person should be expected to endure in the ordinary circumstances and exigencies of everyday life[12] or from their interactions with others in society.

7.17 Protection against intentional or reckless conduct is clearly within the protection intended by art 17 the International Covenant on Civil and Political Rights,whichprovides that: ‘no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence’. Intentional or reckless invasions of privacy would be likely to be considered ‘arbitrary interferences’ for the purposes of art 17.

7.18 It is sometimes said that the purpose of a tort is to remedy the harm that is suffered by a plaintiff, and that the harm in an invasion of privacy is the interference with the plaintiff’s dignity and autonomy, regardless of the type of conduct that causes that interference. However, it can also be argued that the purpose of a tort or statutory action is to remedy and prevent the wrong which the plaintiff suffers or may suffer, and that the nature of the conduct and the purpose or motives or state of mind of the actor are closely bound up with making that conduct wrongful.[13] ‘Intentional wrongdoers are the worst type of tortfeasor, worse than merely reckless or negligent actors.’[14] This notion is also reflected in the ‘seriousness’ element, discussed in Chapter 8.

7.19 Most jurisdictions that have a tort or torts of invasion of privacy require that the conduct be intentional or reckless. The statutory torts in four Canadian provinces— British Columbia, Saskatchewan, Newfoundland and Labrador—all apply to a violation of privacy done ‘wilfully’.[15] These statutory offences for violation of another’s privacy do not distinguish between different types of conduct or invasion.

7.20 Torts of intrusion upon seclusion in other jurisdictions generally require intentional or reckless conduct. In the American Law Institute’s Restatement (Second) of Tort (1977), which identifies four privacy torts,[16] only the formulation of the tort of ‘intrusion upon seclusion’, at s 652B includes the element of intention:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

7.21 In 2012, the Ontario Supreme Court adopted the elements set out in the Restatement (Second) of Tort, to recognise a common law tort of intrusion. Sharpe JA, with whom Winkler CJO and Cunningham ACJ agreed, noted:

the defendant’s conduct must be intentional, within which I would include reckless… A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy.[17]

7.22 Similarly, in a New Zealand case about intrusion upon seclusion, C v Holland, Whata J said that the plaintiff must show an intentional intrusion, where intentional ‘connotes an affirmative act, not an unwitting or simply careless intrusion’.[18]

7.23 The Restatement (Second) of Tort also identifies a tort relating to giving publicity to a matter concerning the private life of another person, in s 652D. There is no express reference in this tort to fault on the part of the actor.[19]

7.24 The ALRC considers that fault should be required for cases of invasion of privacy involving publication of private information. Intentional—or deliberate—or reckless publications are the primary mischief to which the tort should be directed, and there currently exists a gap in legal protection for such invasions of privacy. While fault is not a distinct element in the torts relating to invasion of privacy by wrongful use or disclosure of private information in other jurisdictions, most have involved deliberate disclosures,[20] either by the media or by individuals formerly in a personal relationship. Fault is rarely at issue, as the defendant’s intent to publish or communicate the information about the plaintiff has been obvious. For example, in Hosking v Runting, the publication of a photograph of the plaintiff’s infant children by the defendants, a photographer and media company, was clearly deliberate.

7.25 Some stakeholders have suggested that the ALRC should distinguish between the fault required for intrusions upon seclusion and the fault required for wrongful use or disclosure of private information.[21] Others have argued that differing fault requirements for different kinds of invasions of privacy justify having two separate torts.[22] However, conduct invading privacy will often involve both types of invasion and the ALRC considers that the creation of two separate statutory torts would be undesirable. Further, for the reasons set out below, the ALRC considers that any liability under the new tort should be confined to intentional or reckless conduct, regardless of the type of invasion.

7.26 Data breaches caused by or contributed to by negligent conduct, omissions or poor security systems are discussed below. In most cases, if within the jurisdiction, they will attract significant regulatory consequences, which may now include civil penalties, and will give rise to a range of other legal remedies.

Recklessness

7.27 It is the ALRC’s view that liability should be extended to situations where the defendant’s conduct invaded the plaintiff’s privacy recklessly: that is, where the defendant was aware of the risk of an invasion of privacy and was indifferent to whether or not an invasion of the plaintiff’s privacy would occur as a result of the conduct.[23]

7.28 Recklessness may be described as reckless indifference to a result. In a case involving workplace bullying and harassment, Spigelman CJ said:

Clearly something substantially more certain [than reasonable foreseeability] is required for the intentional tort … However, a test of reckless indifference to a result will, in this context, satisfy the requirement of intention.[24]

7.29 Many stakeholders supported the proposal that fault should include recklessness.[25] However, some stakeholders opposed this. For example, Free TV submitted that:

News and current affairs reporting takes place under strict time constraints that require rapid evaluation of material. In these circumstances, penalties for reckless breaches would be likely to introduce a level of conservatism that may prevent or delay the reporting of news, because the test for ‘recklessness’ in law carries with it a necessary value judgment about what is a reasonable or unreasonable risk.[26]

7.30 The ALRC agrees that there are important public interest considerations involved here. The new tort addresses these concerns by providing that the public interest in the reporting of news on matters of public importance and concern is a matter that a court may take into account, when determining whether there has been an actionable invasion of privacy.[27] These considerations are not best addressed by excluding any liability for reckless conduct.

What conduct must the fault relate to?

7.31 The ALRC considers that the new tort should only be actionable where the defendant intended to invade the plaintiff’s privacy in one of the ways set out in the legislation or was reckless as to that invasion. It should not be actionable where there is merely an intention to do an act that has the consequence of invading a person’s privacy. In some cases, this distinction will be difficult to draw, such that the consequences of an act will be so inextricably linked to the act, or so substantially certain to follow,[28] that an intention to do the act will strongly suggest an intention to bring about the consequences of the act. But this will not always be the case. Furthermore, it may be quite common to intend an action that will have the consequence of invading someone’s privacy, without intending to invade their privacy.

7.32 For example, if an absent-minded person walks into a neighbour’s home, thinking it is their own home, the person may have invaded the neighbour’s privacy. The action in walking through the front door may have been intended,[29] but the invasion of the neighbour’s privacy was not. It would merely have been done negligently.

7.33 To take a more common example, a media entity may publish a story that has the effect of invading a person’s privacy, but without any knowledge of the facts which would make it an invasion of that person’s privacy.[30] An example would be interviewing a person about the fact that they were adopted as a baby: unknown to the journalist, the person’s adoptive parents had not disclosed to their friends the fact that they had adopted their baby. The publishing of the story may have been intended, but not the consequences of the publication, namely, the invasion of the parents’ privacy by the publication of this information.

7.34 Some stakeholders said the relevant intent should be an intent to invade the privacy of the plaintiff and not merely an intent to do an act which invades the privacy of the plaintiff.[31] While Telstra considered current privacy protections sufficient, it submitted that, if there were a cause of action,

intent should be determined by reference to the invasion of privacy and the harm to the complainant, rather than the conduct of the defendant, in order to be as specific and targeted in its application as possible.[32]

7.35 There is much confusion over the use of the term ‘intention’. However, some points may clarify the ALRC’s recommendation. The requirement does not mean that the defendant needs to intend to commit a legal wrong, or that he or she intends to fulfil the other ingredients for liability (seriousness, lack of public interest justification or defence). This would be too stringent a hurdle for the plaintiff to overcome.[33] It does mean that the defendant needs to have been aware of the facts from which it can be objectively assessed whether or not the plaintiff had a reasonable expectation of privacy and of the facts that an intrusion or disclosure would (or in the case of recklessness, may) occur.

7.36 Two examples may explain this last point. First, in relation to private information: some information is obviously private so that there would be no doubt that the defendant would have knowledge of the facts that support a reasonable expectation of privacy. For example, secretly filming a person in the shower, as in C v Holland,[34] or surreptitiously prying into someone’s bank account, as in Jones v Tsige.[35]

7.37 However, in other cases, the defendant may have no knowledge of the facts that would make the disclosure an invasion of privacy. An example is a photographer who takes a photograph of a public event, without realising that the photograph captures a private activity, perhaps of people inside a building in the background to the event. The taking of the photograph in that case would not be an intentional or reckless intrusion into the privacy of the people involved.

Intend the harm?

7.38 Some may argue that requiring an intent to intrude into space or affairs that are private, or disclose information that is private, will remove liability for some conduct that results in a serious invasion of privacy. However, if it were sufficient merely to intend the act, and not the consequences of the act—being the invasion of privacy— then this would effectively impose either a negligence standard (in the sense that the defendant ought to have realised the invasion would occur and taken care that it not do so) or a strict liability standard as in defamation. In defamation, the publisher will be strictly liable if the publication defames the plaintiff, even if the defendant was unaware of the facts making it defamatory,[36] or even of the plaintiff’s existence or circumstances.[37] For reasons discussed below, the ALRC considers that negligence should not be sufficient fault for an action for breach of privacy, and strict liability would be unduly burdensome and discouraging to other worthwhile competing interests.

7.39 It is also clear, by reference to the existing law on other intentional torts, that if the defendant intended the invasion of privacy (that is, to intrude upon the plaintiff’s seclusion or to disclose private information), it would not be necessary, in order to prove intent, for the plaintiff to show that the defendant intended to offend, distress or harm the plaintiff by the conduct.[38] In an analogous tort, the tort of battery, the tort is made out by proof of an intent to touch, without the need to show an intent to inflict the actual personal injury that followed.[39] The question then becomes one of whether or not the particular damage claimed is too remote from the defendant’s tort. In intentional torts, the test is whether the damage claimed was a natural and probable consequence of the tort.[40]

7.40 In some cases, a person will have intent to inflict harm or cause distress to the plaintiff. In such cases, this may satisfy the intent element for the tort,[41] but also amount to ‘malice’ in law that would aggravate the damages that could be claimed.[42] However, many invasions of privacy will not be motivated by malice towards the victim. If a media organisation invades a person’s privacy, this may largely be motivated by a desire to inform the public, pursue a newsworthy story, attract more viewers or increase the sale of newspapers, rather than to harm the victim.

Fault and actionability per se

7.41 If the tort were not confined to intentional or reckless invasions of privacy, but was extended to include negligence or provide for strict liability, this would undermine an important justification for making the tort actionable without proof of damage. Rather, such an extension would require proof of actual damage to be consistent with other tort law.

7.42 It is not just the law of negligence that requires proof of actual damage. Usually the isolated remaining common law tort causes of action imposing strict liability also require damage, as in the case of liability for nuisance arising out of a positive conduct creating a nuisance.[43] Statutory strict liabilities, such as civil liability to pay compensation for misleading or deceptive conduct, or civil liability in relation to defective products, also only arise where the plaintiff proves loss.[44]

7.43 Defamation liability, which is strict, is a special case. It is actionableper se: there is no requirement that the plaintiff suffer ‘actual’ or ‘special’, that is, provable damage. However, it works slightly differently in that a presumption of ‘general’ damage to reputation is inherent in the tort itself.[45]

7.44 Overall, defamation is not a tort the ALRC considers should be used as a model for liability for invasions of privacy, even though some of its elements and defences provide a useful point of comparison.Although there will be no presumption of general damage where the new tort of invasion of privacy is made out—it will be for the plaintiff to persuade the court what emotional distress or other harm they have suffered—the ALRC considers that the combination of strict liability and actionability per se for a new tort of invasion of privacy would still be undesirably onerous on many organisations and individuals.