7.45 The ALRC does not recommend that negligent invasion of privacy be actionable under the new tort. Negligence depends on whether the actor’s conduct measured up to an objective standard of what a reasonable person in the position of the defendant would or would not do in the circumstances. In this objective test, the intention of the defendant is not relevant, even if the defendant was well-meaning.
7.46 A number of stakeholders submitted that liability for breach of privacy should be imposed for negligent invasions of privacy, in addition to reckless and intentional invasions of privacy. As noted above, however, many stakeholders submitted or argued strongly that the requisite fault should not extend to negligence. Some argued that fault should be relevant only to damages, or that reasonable care should be a defence.
7.47 There were two main arguments for extending liability to negligence: first the harm that may result from negligence; secondly, the deterrent or regulatory effect of negligence liability.
Harm caused by negligence
7.48 Some stakeholders who called for negligence-based liability stressed the harm that may be caused by unintentional invasions of privacy, arguing that negligence can be just as damaging as, or even more damaging than, intentional or reckless conduct.
7.49 Two possible types of harm need to be distinguished. First, where ‘actual damage’—in the form of physical injury, psychiatric illness, property damage or financial loss—has been suffered by the plaintiff from the defendant’s negligent invasion of privacy; and secondly, where the harm to the plaintiff is emotional distress only.
7.50 The first kind of harm may already be actionable under existing law. The ALRC considers that, because of this, the new cause of action should not extend to cover such situations. As the ALRC pointed out in the Discussion Paper, if actual damage is suffered beyond ‘mere’ emotional distress, it may well be the case that the plaintiff would already have a tort action in negligence because the defendant would be under a duty of care to the plaintiff.
7.51 Whether the defendant owed the plaintiff the necessary legal duty of care would depend on a range of factors, particularly the type of damage suffered by the plaintiff. It is straightforward to succeed in a negligence claim where a plaintiff has suffered physical injury or property damage due to another’s negligence. If the harm is in the form of psychiatric illness, civil liability statutes in most states and territories impose extra requirements for recovery. If the claim is for pure economic loss, then the requirements for liability are specific, but Australian courts do recognise such claims in limited circumstances. Much will depend on whether the defendant knew of the plaintiff and the risk of financial loss to that plaintiff, whether the defendant had made a representation to the plaintiff and whether the plaintiff was able to protect themself from the effects of the defendant’s negligence.
7.52 This kind of negligence may occur in the privacy context in situations involving data breaches. In many cases of data breach, the parties are already known to each other through a series of transactions or contractual or licensing arrangements—the plaintiff may, for example, be a customer of the defendant.
7.53 In addition, or alternatively to tort liability, the plaintiff who has suffered actual loss as a result of a negligent data breach is likely in many cases to have a claim for breach of contract. It would not, it is suggested, be difficult to find an implied term that private information about the plaintiff should not be disclosed except for the purposes of the contract or in compliance with terms of the contract. Liability in contract may be strict or negligence-based. In addition, the plaintiff may also have a claim under the Australian Consumer Law or an equitable claim for breach of confidence, if the information was collected in confidence, as would often be the case.
7.54 In the second, and probably more common, type of scenario, where the plaintiff has suffered only emotional distress, negligence liability would provide no remedy, nor would consumer protection laws. Contract law will only remedy mental distress when protection or freedom from such distress is a major or important purpose of the contract. Compensation for distress may be awarded in appropriate contractual breach of confidence cases.
7.55 Negligence law would provide no remedy, because the well-entrenched policy of the common law—and now the clear legislative policy across most Australian states and territories—is that liability for negligence generally does not extend to ‘mere’ emotional distress. PIAC argued that this is not a convincing reason of principle as to why liability for invasion of privacy should not do so, as ‘the nature of the breach is distinct and the facts are commonly if not invariably different from those involved in other forms of negligence’. The Australian Privacy Foundation also argued that the new tort ‘is discrete and stands alone, being designed to address specific forms of harm’.
7.56 However, there are very many distressing situations in society caused by another’s negligence, yet recovery is denied. If the new tort were to provide both that it should be actionable per se or should treat emotional distress as actual damage and that fault should extend to negligence, the coherence and overall consistency of the law in Australia would be undermined. Not only would the proposal conflict with clear legislative policy, but it is also difficult to see, as a matter of fairness, why a person should be able to recover for emotional distress caused by a negligent but unintentional invasion of privacy when another can recover nothing for emotional distress in a wide range of situations: the loss of a child’s or other family member’s life due to the negligence of another person; from closely witnessing a terrifying event caused by negligence; or even from malicious conduct specifically aimed at distressing the plaintiff.
7.57 Some stakeholders submitted that it would be consistent with the tort of ‘negligent trespass’, which is still recognised in Australia, if a tort of invasion of privacy was actionable per se even where committed negligently. However, the analogy is arguably inapt. While there are many case authorities, including in the High Court of Australia, which support an action of negligent trespass for direct physical impact and injury, there is no case authority which supports the view that a trespass comprising an assault or false imprisonment and without any physical damage is actionable as a trespass (per se) on the basis of negligence. In fact there are numerous cases which analyse the requirement of intention in assault cases and whether intention was made out on the facts. The ALRC suggests that the correct view is that assault and false imprisonment—and their actionability per se—are torts of intention or recklessness. Being concerned with intangible and dignitary interests of the plaintiff, these are the torts that are most analogous to an invasion of privacy.
Deterrence and regulation
7.58 The second main argument advanced by stakeholders for extending liability to negligence was the potential deterrent or regulatory effect of liability. Excluding negligence, it was argued, would encourage indifference to invasions of privacy. Some argue that data breaches are often the result of negligence, and if the cause of action included negligence it would encourage companies to take steps to prevent such breaches. Bruce Arnold submitted that the action for negligence ‘provides a necessary and appropriate incentive for Australian organisations to move towards best practice in information management’.
7.59 The Law Institute of Victoria argued that ‘[i]ntentional privacy breaches, such as those alleged against News of the World in the United Kingdom, are not the norm’:
The larger threat comes from unintentional breaches caused by: a lack of understanding of privacy obligations; technological malfunction and human error; or systemic failures.
7.60 PIAC also suggested that many systemic breaches of privacy may be due to negligence:
Restricting liability to reckless or intentional acts may also discourage organisations from taking steps to ensure that their privacy management systems are adequate, and may encourage indifference to privacy protection.
7.61 However, at least in respect of data breaches by government agencies and organisations with a turnover of more than $3 million, there is already considerable regulation to protect private information. Such entities are required to take such steps under the Privacy Act (and to some extent the Telecommunications Act), or under state and territory legislation. Although it could be argued that these Acts have significant gaps, due to exemptions for most small businesses, for the media, and for most individuals, the new tort cause of action should not be designed as a remedy for deliberate exemptions in existing legislation. Instead, it may be more appropriate for that legislation to be reviewed, amended or strengthened.
7.62 Further, entities subject to the Privacy Act whose activities result in data breaches, whether caused negligently, accidentally or by systemic problems, will be subject to a range of remedial responses by the Privacy Commissioner. Since March 2014, this includes the possibility of substantial civil penalties. While the advent of these reforms and new regulatory powers is not a reason, of itself, to stall the introduction of a tort directed at intentional invasions of individual privacy, as argued by some stakeholders, they do counteract the argument that the existing law encourages indifference and negligence in systems maintenance. The ALRC considers that, in general, regulatory responses are a better way to deal with data breaches than a civil action for invasion of privacy, but as noted above, in any event many entities may be subject to a range of other civil legal liabilities.
Too wide a liability
7.63 If the new tort extended to negligent invasions of privacy, there is a serious potential for a wide range of people to face liability for invading privacy by common human errors. While the ALRC agrees that human error is not synonymous with negligence, and that negligence depends on an objective standard of the reasonable person, nevertheless the law of negligence does not consider degrees of negligence. A small degree of negligence, a momentary lapse of attention, may be adjudged to be negligence, and the extent of the harm is irrelevant to this issue. Further, in a negligence case, the defendant’s conduct is also a breach of a pre-existing legal duty owed to the plaintiff or to a class to whom the plaintiff belongs: what may be expected of a defendant depends on the nature and scope of the duty of care. The proposed liability would not depend on a pre-existing duty of care.
7.64 A tort based on negligent invasion of privacy could capture many accidental or unintended occurrences. It is entirely conceivable that many legitimate activities may involve the unintended invasion of the privacy of a person unknown to the defendant. Street photography, CCTV cameras, drone usage or media activities may inadvertently capture footage or images of private activities or intrude into private spheres. Private information may be posted online or disclosed or lost in circumstances that a court could find to be negligent, even though that was done accidentally. If negligence were a basis of liability, it would be open for a plaintiff to argue that the defendant should have taken more precautions to ensure that these consequences did not happen.
7.65 It was suggested in the Canadian case, Jones v Tsige, that confining the tort to intentional and reckless conduct will help ensure the new tort will not ‘open the floodgates’ to privacy claims.
7.66 While data breaches by commercial and government entities should be treated seriously by the law, there is a real risk, in the ALRC’s view, that extending liability to negligence generally would lead to onerous and broad liability under the new tort, and in view of existing remedies and regulation outlined above, there is no compelling case to so extend it.
Chilling effect of negligence liability
7.67 Some stakeholders argued that extending liability to include negligence might lead people to be ‘unduly careful about disclosing information’. It may lead to excessive self-censorship or too great a chilling effect on everyday activities that carry even a remote risk of unintentionally invading someone’s privacy. The Arts Law Centre said that it would be concerned
that creating a cause of action for negligence has the potential to create a great deal of uncertainty and discourage artists from engaging in activities that could accidentally or inadvertently expose them to the risk of breaching the law. Inadvertent invasions will lead to self censorship, chilling effect.
7.68 The Australian Privacy Foundation argues that a robust public interest defence, which protects freedom of speech, would obviate problems that negligence liability would chill or inhibit free expression or free speech. However, it is implicit in the assertion of public interest that the conduct was deliberately done in the public interest.
Recklessness is a preferable standard to gross negligence
7.69 Some stakeholders, while accepting the argument that negligence may be too wide a liability, argued that ‘gross negligence’ should be sufficient fault to ground liability. The UNSW Cyberspace Law and Policy Community submitted that
excluding negligence entirely provides minimal incentive to put in place procedures to protect privacy. The inclusion of a ‘gross negligence’ standard would provide such incentives, while avoiding liability for the ‘absent-minded person’ who ‘walks into a neighbour’s home’…. A gross negligence standard will increase the reach of the proposed tort.
7.70 However, Australian tort law does not recognise a concept of gross negligence and it could be a source of uncertainty.
7.71 In the ALRC’s view, the inclusion of recklessness as a form of fault will come close to what some may have in mind when referring to ‘gross negligence’. While negligence refers to unreasonable inadvertence to a risk, a situation where the actor ought reasonably to have foreseen but did not foresee a risk, recklessness refers to a subjective state of mind where the actor was aware of the risk but did not care whether or not it occurred. In many situations involving serious data breaches, for example, the risk may be well-known in the industry so that it may be obvious or provable that the defendant was aware of the risk, providing the basis for a finding of recklessness, or even intent on an imputed basis.