Lawful authority

10.8 The defence of lawful authority provides government agencies, security and intelligence organisations, and law enforcement agencies with protection from liability for serious invasions of privacy where that conduct was consistent with their statutory powers.^[1]

10.9 This defence is consistent with the principle that any licence for public bodies or officials to pursue conduct which may infringe the rights or interests of an individual must be clearly and unambiguously justified in legislation. In Coco v R a majority of the High Court of Australia explained this so-called principle of legality:

Statutory authority to engage in what otherwise would be tortious conduct must be clearly expressed in unmistakeable and unambiguous language…The insistence on express authorisation of an abrogation or curtailment of a fundamental right, freedom or immunity must be understood as a requirement of some manifestation or indication that the legislature has not only directed its attention to the question of the abrogation or curtailment of such basic rights, freedoms and immunities, but also determined upon abrogation or curtailment of them.^[2]

10.10 The analogous defence of statutory authority to intentional torts protects individuals and agencies from civil suits where a defendant’s conduct was committed in order to prevent and detect crime; in exercise of powers of arrest; and in the provision of public utilities and services.^[3]

10.11 The NSWLRC noted that this defence is necessary to enable state agencies, such as the Australian Federal Police (AFP), to carry out their functions in a manner consistent with the protection of public interests such as security and public order.^[4] The ALRC recognises that activities that may otherwise amount to an invasion of privacy may be justified where the invasion was necessary for law enforcement purposes.^[5]

10.12 The AFP provided examples of legal requirements which may involve the authorised procurement of an individual’s private information.^[6] For example, the Australian Federal Police Act 1979 (Cth)^[7] requires the AFP to safeguard the interests of the Commonwealth, prevent crime and protect persons from injury, death and property damage. The AFP stated that

undertaking these activities will inevitably involve interfering with an individual’s privacy on occasions. Where this does occur every effort is made to respect an individual’s privacy by ensuring the information that is obtained is properly protected and dealt with whilst in the possession of the AFP. Indeed, the various Acts contain provisions which set out how the information can be used by law enforcement agencies and how it must be protected.^[8]

10.13 The AFP submitted that their activities are already subject to a range of existing internal and independent ‘accountability frameworks’.^[9]

10.14 However, the ALRC considers the statutory cause of action would provide personal redress for individuals whose privacy has been invaded, where an agency acts outside their lawful authority.

10.15 The AFP raised the concern that the risk of liability may lead to unmeritorious litigation which could divert resources away from important law enforcement and security operations.^[10] However, the ALRC considers that the thresholds built into the design of the statutory cause of action, including the requirement that the conduct was serious, will prevent unmeritorious claims proceeding to trial.

10.16 The AFP also raised the concern that not exempting law enforcement from liability may inhibit the legitimate and lawful activities of law enforcement and intelligences agencies, causing agencies to change established and efficient modes of operation.^[11] Similarly, the process of having to adduce evidence of intelligence gathering methods may disclose the lawful, covert practices of law enforcement and intelligence organisations and may reveal the identity of individuals under surveillance or investigation. The ALRC considers however, there are strong protections at current law to mitigate this risk. These protections include closed court proceedings and other measures provided by federal, state and territory court acts.^[12]

Meaning of ‘lawful authority’

10.17 The ALRC has not provided guidance on the meaning of ‘lawful authority’, as this may well be a drafting issue. However, the ALRC welcomes stakeholder responses on the wording of this defence, with consideration to whether the exception should be clarified.

10.18 When considering the meaning of the phrase ‘required or authorised by or under law’ in its previous privacy Inquiry, the ALRC recommended that the defence include authority under Commonwealth, state and territory acts and delegated legislation; a duty of confidentiality under common law or equity; an order of a court or tribunal; and documents that are given the force of law by an Act, such as industrial awards’.^[13]

10.19 In this Inquiry, the ALRC considers that ‘lawful’ should give effect to the above legislative and non-legislative instruments. ‘Lawful’ should also extend to documents which have the ‘force of the law’. The ALRC’s previous Inquiry found that a document may have the ‘force of law’ if it is an offence to breach its provisions, or it is possible for a penalty lawfully to be imposed if its provisions are breached.^[14] This would include warrants obtained by law enforcement pursuant to a relevant act.

10.20 The term ‘authority’ implies discretion to pursue certain lawful conduct, and may apply to a wide range of acts or practices.^[15]

10.21 Dr Normann Witzleb argued that the defence of lawful authority is unnecessary as where an authorised person exercises their statutory authority, they are necessarily authorised to commit that action.^[16] However the ALRC considers clear legislative direction as to the interaction of a statutory cause of action for serious invasion of privacy with the activities of law enforcement agencies will provide certainty to parties.

10.22 The availability of a defence of lawful authority is consistent with previous law reform inquiries.^[17]

10.23 In light of new technologies and recent revelations of surveillance and data sharing by public agencies, there is a strong community expectation that public agencies should not be exempt or immune from liability for serious invasions of privacy.