A new stand-alone Commonwealth Act

Proposal 4–1 A statutory cause of action for serious invasion of privacy should be contained in a new Commonwealth Act (the new Act).

4.6 The ALRC considers that if a statutory cause of action were to be introduced, it should be in Commonwealth legislation, as this is the best way to ensure the action is available and consistent throughout Australia. It is often difficult to achieve consistency across state and territory legislation. Inconsistent statutory provisions in state and territory legislation would be highly confusing and create unnecessary complexity in the law. This would also provide poor protection of privacy generally and have a damaging effect on many other activities that are of significant public interest. Inconsistency and complexity of legislation would increase costs for businesses, particularly those operating across state and international boundaries. Difficult questions of jurisdiction and applicable law would arise. There would also be a risk of ‘forum shopping’ if the details of the cause of action differed between Australian jurisdictions.

4.7 The ALRC considers that the cause of action should be in a stand-alone Act to avoid confusion and to enhance clarity.[1] The remedial response to invasions of privacy under the statutory cause of action would be distinct from the regulatory regime which is the essence of the Privacy Act.

4.8 The essential purposes and scope of the two regimes are different. The Privacy Act sets up a regime for the security and privacy of personal information which is collected, stored or used by certain entities (often known as ‘data protection’ regulation). The cause of action relates not only to the privacy of information but also to other types of privacy, such as physical privacy.

4.9 The Privacy Act sets up a regime to ensure compliance with a number of Australian Privacy Principles (APPs). There is a complaints mechanism which may lead to compensation being paid for an interference with privacy by an act or practice relating to personal information in a manner set out in the Act.[2] However, breaches of the requirements of the Privacy Act generally lead to regulatory responses by the Office of the Australian Information Commissioner (OAIC), including the possible imposition of civil penalties on the relevant entity.[3] An invasion of privacy that is actionable under the new Act would lead only to a range of civil remedies sought by and for the benefit of the plaintiff.

4.10 Lastly, the Privacy Act is limited in its application to certain entities across Australia. It does not apply to most individuals,[4] or to state agencies. It also includes a number of exemptions, such as for small businesses and media organisations, which would have no application to the new statutory cause of action. The new statutory cause of action would apply, subject to jurisdictional limitations and any defences, to any person or entity that seriously invades the privacy of a person in the circumstances set out in the Act.

4.11 Therefore, the ALRC considers that the new tort should be located in a new stand-alone Commonwealth Act. This new Act might be called the Serious Invasions of Privacy Act.

4.12 The location of a statutory cause of action in a separate Commonwealth Act would not prevent power being given to the OAIC to determine complaints concerning conduct that fell within the cause of action by relevant entities. The current complaints regime under the Privacy Act 1988 could be broadened to encompass such conduct by relevant entities, to provide complainants with an alternative to court proceedings in respect of the conduct.