Fault—intentional or reckless

Proposal 5–2 Second element of action: The new tort should be confined to intentional or reckless invasions of privacy. It should not extend to negligent invasions of privacy, and should not attract strict liability.

5.59 The ALRC proposes that the cause of action be confined to intentional or reckless invasions of privacy, even though this will mean that a person whose privacy has been invaded may in some cases have no remedy under the new tort. If the new tort attracted strict liability, or extended to negligent invasions of privacy, this might expose a wide range of people to liability for common human errors. It might also inhibit expression in those who fear incurring liability for unintentionally invading someone’s privacy.

5.60 Fault is a key element in any cause of action leading to personal liability to pay compensation for loss or damage caused to another person. Legislating to protect these broadly recognised sub-categories of privacy is likely to promote greater clarity about the precise nature of the legal rights and obligations that have been created than by creating a broad enforceable right to privacy.

5.61 The term ‘fault’ in a civil cause of action refers to either the state of mind of the relevant actor or the culpability of the actor’s conduct on an objective measure. Torts, or other bases of liability, such as statutory liabilities or liabilities for breaches of equitable duties, tend to be divided into actions imposing fault-based liability or actions imposing strict liability.

5.62 There are essentially three types of fault to consider when designing a statutory cause of action for serious invasion of privacy:

  • Intentional or reckless: The defendant must be shown to have intended to invade the privacy of the plaintiff. Intent may also be inferred if the defendant’s actions were reckless.[64]

  • Negligent: Negligence depends on whether the actor’s conduct measured up to an objective standard of what a reasonable person in the position of the defendant would or would not do in the circumstances. This is an objective test, in which the intentions of the defendant are not relevant.[65]

  • Strict liability: If the cause of action is one of strict liability, then the defendant may be liable even though the defendant’s actions were not intentional, reckless or negligent.

5.63 Strict liability is now relatively rare in Australian common law outside contractual obligations and fiduciary obligations, both of which rest on relationships that, ordinarily, have been voluntarily entered into by the parties. In Northern Territory v Mengel, a majority of the High Court remarked that

the recent trend of legal development, here and in other common law countries, has been to the effect that liability in tort depends on either the intentional or the negligent infliction of harm. That is not a statement of law but a description of the general trend.[66]

5.64 Defamation is one of the rare examples of a common law tort liability that is strict, and is complete on proof of publication of defamatory material. It is the fact of defamation, not the intention of the defendant, that generates liability. Fleming’s The Law of Torts states that the

justification for this stringent liability is presumably that it is more equitable to protect the innocent defamed rather than the innocent defamer (who, after all, chose to publish); another is that the publication, not the composition of the libel, is the actionable wrong, making the state of mind of the publisher, not the writer, relevant. On the other hand, since one does not as a rule act at one’s peril, why should the law demand that one publish at one’s peril, especially when what one says is not defamatory on its face? Does reputation deserve a higher level of protection than personal safety?[67]

5.65 However, the uniform Defamation Acts that came into force in the Australian states and territories in 2006 provide for a defence of innocent dissemination,[68] which makes liability for defamation somewhat less strict. This defence is available where the defendant proves, among other things, that he or she ‘neither knew, nor ought reasonably to have known, that the matter was defamatory’.[69]

5.66 Another example is the action in tort for breach of a statutory duty where the duty imposed by the statute is strict. Most strict liabilities now arise by statute. Important examples in Australian law are:

  • the statutory liability for losses caused by breach of the prohibition of misleading or deceptive conduct in trade or commerce imposed by the Australian Consumer Law and state and territory Fair Trading Acts;[70]

  • statutory liabilities for damage caused by defective products;[71] and

  • statutory liability for damage caused by aircraft.[72]

5.67 Previous law reform reports have diverged on the issue of fault. In 2008, the ALRC recommended that liability should be limited to intentional or reckless conduct, with ‘intentional’ defined as being where the defendant ‘deliberately or wilfully invades the plaintiff’s privacy’ and ‘reckless’ having the same meaning as in s 5.4 of the Criminal Code (Cth).[73] The ALRC said that ‘including liability for negligent or accidental acts in relation to all invasions of privacy would, arguably, go too far’.[74]

5.68 Neither the NSWLRC nor the VLRC recommended a fault element as part of the recommended cause or causes of action, but the NSWLRC recommended a defence of innocent dissemination similar to that found in the Defamation Acts.[75]

5.69 In a New Zealand case about intrusion upon seclusion, C v Holland, Whata J said that the plaintiff must show an intentional intrusion, where intentional ‘connotes an affirmative act, not an unwitting or simply careless intrusion’.[76]

Negligent invasions

5.70 A number of stakeholders argue that liability for breach of privacy should be imposed either without proof of fault (strict liability), or at least for negligent invasions of privacy, in addition to reckless and intentional invasions of privacy.[77] Some argue that fault should be relevant only to damages, or that reasonable care should be a defence.[78]

5.71 Many stakeholders who called for strict liability or negligence stressed the harm that may be caused by unintentional invasions of privacy.[79] For example, Electronic Frontiers Australia submitted that negligent invasions ‘are likely to be as damaging to the affected persons as intentional or reckless invasions, and in many cases may be more damaging’.[80]

5.72 The ALRC points out however, that if actual damage is suffered beyond emotional distress, it may well be the case that the plaintiff would have a tort action in negligence. Whether the defendant owed the plaintiff the necessary legal duty of care would depend on a range of factors, particularly the type of damage suffered by the plaintiff. It is much more straightforward to succeed in a negligence claim where a plaintiff has suffered physical injury or property damage due to another’s negligence than where the harm is in the form of psychiatric illness or pure economic loss. However, Australian courts do recognise claims for negligently caused economic loss. Much will depend on whether the defendant knew of the plaintiff and the risk of loss, whether the defendant had made a representation to the plaintiff and whether the plaintiff was able to protect him or herself from the effects of the defendant’s negligence.[81]

5.73 The plaintiff who has suffered as a result of a negligent data breach may also have a claim for breach of contract in which liability will be strict or negligence based, a claim under the Australian Consumer Law or a claim for breach of confidence.

5.74 Some argue that data breaches are often the result of negligence, and if the cause of action included negligence it would encourage companies to take steps to prevent such breaches.[82] Arnold submitted that action for negligence ‘provides a necessary and appropriate incentive for Australian organisations to move towards best practice in information management’.[83] PIAC submitted:

Many systemic breaches of privacy may be due to negligence, rather than to reckless or intentional acts. … Restricting liability to reckless or intentional acts may also discourage organisations from taking steps to ensure that their privacy management systems are adequate, and may encourage indifference to privacy protection.[84]

5.75 However, under the Privacy Act (and to some extent the Telecommunications Act) organisations are required to take such steps. Although it could be argued that these Acts have weaknesses, the cause of action should not be designed as a remedy for existing legislation where it would be better for that legislation to be amended or strengthened.

5.76 The Law Institute of Victoria submitted:

Intentional privacy breaches, such as those alleged against News of the World in the United Kingdom, are not the norm. The larger threat comes from unintentional breaches caused by: a lack of understanding of privacy obligations; technological malfunction and human error; or systemic failures. … Furthermore, requiring intention, rather than negligence, may be difficult to prove against companies.[85]

5.77 If, on the other hand, the new tort were to provide both that the damage for the new tort should include emotional distress and that fault should include negligence, the coherence of the law would be undermined. The proposal would conflict with a clear legislative policy. As outlined above, the primary and most common form of harm suffered from an invasion of privacy is emotional distress. The well-entrenched policy of the common law, reflected in legislation across most Australian states and territories, is that liability for negligence should not extend to emotional distress.[86] If the key type of harm that the new tort aims to avoid or redress is emotional distress, the new tort should be restricted to intentional or reckless conduct.

5.78 Further, entities subject to the Privacy Act whose activities result in data breaches, whether caused negligently, accidentally or by systemic problems, will be subject to a range of remedial responses by the Office of the Australian Information Commissioner. From March 2014, this includes the possibility of substantial civil penalties.[87] The ALRC considers that regulatory responses are a better way to deal with data breaches than a civil action for invasion of privacy, but as noted above, in any event many entities may be subject to a range of other civil legal liabilities.

Strict liability

5.79 Some have argued that one reason why liability for invasions of privacy should be strict is that this would be consistent with actions in defamation and breach of confidence.[88] Witzleb has written that the ‘majority of torts intended to protect personality interests do not set the bar at reckless or intentional conduct’.[89]

5.80 However, the analogy between these causes of action is imperfect. Breach of confidence arises where there was a pre-existing obligation which informs and binds the defendant’s conscience, or knowledge that the information was imparted under that obligation.[90] Defamation is about a narrower range of conduct than the new tort of invasion of privacy and has a wide range of defences including, by statute, the defence of innocent dissemination.

5.81 The OAIC also noted that ‘no fault element is required for complaints made to the OAIC for an interference with privacy under the Privacy Act. A finding of an interference with privacy can be made in relation to negligent and accidental acts, as well as those which are intentional or reckless’.[91] However, the Privacy Act regulates government agencies and corporations which have the resources to take precautions to avoid negligent data breaches; an action under the new tort, on the other hand, could be taken against natural persons, who will usually not have such resources. Further, liability and costs may potentially be greater under the new tort than as a result of the complaints process under the Privacy Act. The statutory cause of action potentially applies to a wider range of activities than the Privacy Act.

Intentional and reckless only

5.82 Other stakeholders, however, argued that the cause of action should be confined to intentional or reckless invasions of privacy.[92] The Australian Bankers Association, for example, submitted, the ‘the trend in legislation to more strict liability provisions associated with the imposition of civil penalties continues to be a major concern for the private sector…’

The cause of action given its likely scope and imprecision should not be cast in the tortious framework of negligence. Rather it should apply only to an intent to seriously interfere with a person’s privacy or to do so with reckless indifference to that result and this has occurred. [93]

5.83 Other stakeholders suggested that some invasions of privacy should not attract liability because the conduct is not blameworthy. The Arts Law Centre of Australia submitted the example of a documentary maker ‘filming in a public place which looks onto a private apartment where someone is getting undressed’ and so accidentally invading someone’s privacy.[94] Similarly, SBS submitted:

There are many ways in which footage, images or other material may breach someone’s privacy in a way which is unintentional. A common example would be the kind of footage filmed for use in news broadcasts, often wide angle shots of crowds, or footage of incidental comings and goings out of buildings relevant to a news story. It is very possible that in such a story, a person or incident might be captured that the person considered a breach of their privacy.[95]

5.84 Extending liability to include negligence might lead people to be ‘unduly careful about disclosing information’.[96] It may lead to excessive self-censorship or too great a chilling effect on everyday activities that carry even a remote risk of invading privacy.

Intending the act, or intending to invade privacy?

5.85 An intention to invade a person’s privacy may be distinguished from an intention to do an act that has the perhaps unintended consequence of invading a person’s privacy. In some cases, the consequences of an act will be so inextricably linked to the act, or so substantially certain to follow,[97] that an intention to do the act will strongly suggest an intention to bring about the consequences of the act. But this will not always be the case. Furthermore, it may be quite common to intend an action that will have the consequence of invading someone’s privacy, without intending to invade their privacy.

5.86 For example, if an absent-minded person walks into a neighbour’s home, thinking it is his or her own home, then the person may have invaded the neighbour’s privacy. The action in walking through the front door may have been intended,[98] but the invasion of his neighbour’s privacy was not.

5.87 To take a more common example, a media entity may publish a story that in fact invades a person’s privacy, but without any knowledge of the facts which would make it an invasion of that person’s privacy. The publishing of the story may have been intended, but not the consequences of the publication, namely, the invasion of the person’s privacy.

5.88 Some stakeholders said the relevant intent should be an intent to invade the privacy of the plaintiff and not merely an intent to do an act which invades the privacy of the plaintiff.[99] Telstra submitted that, given it considers current privacy protections sufficient, if there were a cause of action,

intent should be determined by reference to the invasion of privacy and the harm to the complainant, rather than the conduct of the defendant, in order to be as specific and targeted in its application as possible.[100]

5.89 In the ALRC’s view, the new tort should only be actionable where the defendant intended to invade the plaintiff’s privacy. Some will argue that this will too often remove liability for serious breaches of privacy. However, if it were sufficient merely to intend the act, and not the consequences of the act in the sense of the invasion of privacy, then this would effectively impose a negligence or strict liability standard as in defamation. For reasons discussed above, the ALRC considers that negligence should not be sufficient fault for an action for breach of privacy, and strict liability would be unduly burdensome and discouraging to other worthwhile competing interests.

5.90 If the defendant intended the invasion of privacy, it would not be necessary, in addition, to show that the defendant intended to offend, distress or harm the plaintiff, for the plaintiff to have a cause of action. The question then becomes one of whether or not the particular damage claimed is too remote from the defendant’s tort. In intentional torts, the test is whether the damage claimed was a natural and probable consequence of the tort.[101] If the defendant had an intent to inflict harm, this would amount to malice in law and would aggravate the damages that could be claimed. Many invasions of privacy will not be motivated by malice towards the victim. If a media organisation invades a person’s privacy, presumably this will be largely motivated by a desire to attract more viewers or increase the sale of newspapers, rather than to harm the victim.

5.91 It would not necessarily be the case that the plaintiff would have to prove that the defendant had a subjective intent to invade his or her privacy. Such an intent may be imputed.[102] If an invasion of privacy is substantially or obviously certain to follow from certain conduct, then the defendant may be taken to have intended the invasion of privacy, even if the defendant in fact did not put his or her mind to invading the plaintiff’s privacy. This may also amount to recklessness.[103]

Effect of apology on liability

Proposal 5–3 The new Act should provide that an apology made by or on behalf of a person in connection with any invasion of privacy alleged to have been committed by the person:

(a) does not constitute an express or implied admission of fault or liability by the person in connection with that matter; and

(b) is not relevant to the determination of fault or liability in connection with that matter.

Proposal 5–4 Evidence of an apology made by or on behalf of a person in connection with any conduct by the person should not be admissible in any civil proceedings under the new Act as evidence of the fault or liability of the person in connection with that matter.

5.92 Any apology or correction of published material by a defendant should not be treated in evidence as an admission of fault.[104] This proposal is not intended to limit the operation of the proposals in Chapter 11 on the consideration of mitigating and aggravating factors in a court’s assessment of damages.

5.93 This proposal is intended to encourage the early resolution of disputes without recourse to litigation. In many circumstances, an apology that something has occurred may provide a sufficient response to appease someone whose privacy has been invaded and people should feel free to make an apology without it affecting their ultimate or potential liability.