Proposal 4–1 A statutory cause of action for serious invasion of privacy should be contained in a new Commonwealth Act (the new Act).
4.6 The ALRC considers that if a statutory cause of action were to be introduced, it should be in Commonwealth legislation, as this is the best way to ensure the action is available and consistent throughout Australia. It is often difficult to achieve consistency across state and territory legislation. Inconsistent statutory provisions in state and territory legislation would be highly confusing and create unnecessary complexity in the law. This would also provide poor protection of privacy generally and have a damaging effect on many other activities that are of significant public interest. Inconsistency and complexity of legislation would increase costs for businesses, particularly those operating across state and international boundaries. Difficult questions of jurisdiction and applicable law would arise. There would also be a risk of ‘forum shopping’ if the details of the cause of action differed between Australian jurisdictions.
4.7 The ALRC considers that the cause of action should be in a stand-alone Act to avoid confusion and to enhance clarity. The remedial response to invasions of privacy under the statutory cause of action would be distinct from the regulatory regime which is the essence of the Privacy Act.
4.8 The essential purposes and scope of the two regimes are different. The Privacy Act sets up a regime for the security and privacy of personal information which is collected, stored or used by certain entities (often known as ‘data protection’ regulation). The cause of action relates not only to the privacy of information but also to other types of privacy, such as physical privacy.
4.9 The Privacy Act sets up a regime to ensure compliance with a number of Australian Privacy Principles (APPs). There is a complaints mechanism which may lead to compensation being paid for an interference with privacy by an act or practice relating to personal information in a manner set out in the Act. However, breaches of the requirements of the Privacy Act generally lead to regulatory responses by the Office of the Australian Information Commissioner (OAIC), including the possible imposition of civil penalties on the relevant entity. An invasion of privacy that is actionable under the new Act would lead only to a range of civil remedies sought by and for the benefit of the plaintiff.
4.10 Lastly, the Privacy Act is limited in its application to certain entities across Australia. It does not apply to most individuals, or to state agencies. It also includes a number of exemptions, such as for small businesses and media organisations, which would have no application to the new statutory cause of action. The new statutory cause of action would apply, subject to jurisdictional limitations and any defences, to any person or entity that seriously invades the privacy of a person in the circumstances set out in the Act.
4.11 Therefore, the ALRC considers that the new tort should be located in a new stand-alone Commonwealth Act. This new Act might be called the Serious Invasions of Privacy Act.
4.12 The location of a statutory cause of action in a separate Commonwealth Act would not prevent power being given to the OAIC to determine complaints concerning conduct that fell within the cause of action by relevant entities. The current complaints regime under the Privacy Act 1988 could be broadened to encompass such conduct by relevant entities, to provide complainants with an alternative to court proceedings in respect of the conduct.
This was also the view in ALRC Report 108, which stated that ‘there may be significant confusion arising from the placement of the cause of action in that Act [the Privacy Act]. For example, whether the exemptions under the Privacy Act applied to the cause of action, and the interaction between the cause of action and other complaint mechanisms, may be unclear if the Privacy Act were amended to include the cause of action’: ALRC, For Your Information: Australian Privacy Law and Practice, Report 108 (2008) [74.195].
The complaints mechanism is discussed in Ch 15.
These responses are outlined in Ch 3.
As noted in Ch 3, the Privacy Act does apply to some individuals, such as individuals who operate certain types of businesses, such as businesses that trade in personal information: see ss 6C–6EA of the Privacy Act. Section 16 of the Privacy Act provides that the APPs do not apply to personal information that is collected, used, held or disclosed by an individual in connection with the individual’s family or household affairs.