The impact of a statutory cause of action
25. Calls for a statutory cause of action for serious invasion of privacy are often made on the basis that there are gaps in existing privacy protection. These gaps may leave people who experience serious invasions of privacy with no or limited legal redress. At the same time, reservations exist about the effect of the introduction of a statutory cause of action for serious invasion of privacy. There are concerns among some stakeholders that certain worthwhile or important activities may be unduly hampered by its enactment.
26. The careful design of a statutory cause of action for serious invasion of privacy may be able to address both the expectations for, and concerns about, its impact. To begin, the ALRC is interested in hearing from stakeholders about the specific kinds of activities that a statutory cause of action for serious invasion of privacy should prevent or redress. The ALRC is particularly interested in examples of activities that the law may not already adequately prevent or redress, particularly in light of rapid technological change. The ALRC also seeks stakeholder comment on the specific activities or types of activities that the design of a statutory cause of action should be careful not to unduly hamper. The ALRC is particularly interested in specific examples of activities that may be affected in a range of business, health, community and creative sectors.
Question 2 What specific types of activities should a statutory cause of action for serious invasion of privacy prevent or redress? The ALRC is particularly interested in examples of activities that the law may not already adequately prevent or redress.
Question 3 What specific types of activities should the ALRC ensure are not unduly restricted by a statutory cause of action for serious invasion of privacy?
Invasion of privacy
27. In 2008, the ALRC recommended that legislation creating a statutory cause of action should include a non-exhaustive list of examples of the types of invasions that fall within the cause of action. The ALRC considered that a serious invasion of privacy may occur where:
there has been an interference with an individual’s home or family life;
an individual has been subjected to unauthorised surveillance;
an individual’s correspondence or private, written, oral or electronic communication has been interfered with, misused, or disclosed; or
sensitive facts relating to an individual’s private life have been disclosed.
28. The ALRC seeks comment on whether such a list should be included in any Act providing for a cause of action for serious invasion of privacy, and if so, whether the list should be exhaustive or non-exhaustive. It is also interested in comment on the appropriateness of the above examples, as well as any additional examples that might be included. One issue may be whether invasions of privacy should be limited to positive conduct, and not include a failure to act.
29. An alternative approach to identifying the kinds of invasions of privacy that should be subject to legal regulation has been to develop separate causes of action relating to specific categories of invasions of privacy—principally, the torts of misuse of private information and intrusion upon seclusion.
30. The VLRC took this course in recommending that two causes of action for invasion of privacy be enacted. The two causes of action were to deal with misuse of private information and intrusion upon seclusion—or interference with spatial privacy—respectively. The VLRC argued that enacting two causes of action, rather than a general cause of action for invasion of privacy, was ‘likely to promote greater clarity about the precise nature of legal rights and obligations that have been created’.
31. Disadvantages of multiple causes of action may be that there could be overlap between them, and that some invasions of privacy may not be captured by either cause of action. The ALRC is interested in hearing from stakeholders about the desirability of separate causes of action for the two different types of invasion of privacy.
Question 4 Should an Act that provides for a cause of action for serious invasion of privacy (the Act) include a list of examples of invasions of privacy that may fall within the cause of action? If so, what should the list include?
Question 5 What, if any, benefit would there be in enacting separate causes of action for:
misuse of private information; and
intrusion upon seclusion?
Privacy and the threshold of seriousness
32. Two main issues arise for consideration when developing the test for serious invasion of privacy. The first is the circumstances in which the privacy violation is said to have occurred. The second is determining the degree of seriousness of an invasion of privacy.
What is ‘private’?
33. For an invasion of privacy to occur, there must be a violation of circumstances that can be considered ‘private’. In ABC v Lenah Game Meats, Gleeson CJ observed that there is no ‘bright line’ between what may be considered legitimately private and public, noting that:
there is a large area in between what is necessarily public and what is necessarily private. An activity is not private simply because it is not done in public … Certain kinds of information about a person, such as information relating to health, personal relationships, or finances, may be easy to identify as private; as may certain kinds of activity, which a reasonable person, applying contemporary standards of morals and behaviour, would understand to be meant to be unobserved.
34. The ALRC, NSWLRC and VLRC have all previously recommended that the test of whether a matter is private is that there exists a reasonable expectation of privacy in the circumstances. This test is also used in a number of other jurisdictions.
Threshold of seriousness
35. It may be appropriate to qualify the ‘reasonable expectation’ test by including an additional threshold test of ‘seriousness’ before an invasion of privacy is actionable. An additional test of seriousness may be appropriate to discourage litigation of trivial or minor matters. For example, the ALRC and VLRC recommended that, in addition to establishing a reasonable expectation of privacy, a plaintiff also be required to show that the act or conduct complained of was highly offensive to a reasonable person of ordinary sensibilities. It is recognised that the highly offensive test is more stringent than the reasonable expectation of privacy test alone.
36. A ‘highly offensive’ test may not be the most appropriate way to identify seriousness for the purposes of a statutory cause of action for serious invasion of privacy. It may be that this test sets the threshold too high for an actionable serious invasion of privacy, discouraging otherwise meritorious claims. Possible alternatives include that the invasion ‘caused substantial offence’, or was ‘sufficiently serious to cause substantial offence’ to a reasonable person of ordinary sensibilities.
37. It may also be argued that ‘offensiveness’ is not an appropriate test of seriousness. Possible alternatives to offensiveness as a test of seriousness include that the act or conduct was likely to cause substantial or serious ‘distress’ or ‘harm’. It is also arguable that simply requiring that the invasion was ‘serious’ would be sufficient.
38. Others suggest that the invasion of the privacy a person is reasonably entitled to expect is alone a sufficient test for an actionable invasion.
Question 6 What should be the test for actionability of a serious invasion of privacy? For example, should an invasion be actionable only where there exists a ‘reasonable expectation of privacy’? What, if any, additional test should there be to establish a serious invasion of privacy?
Privacy and public interest
39. A key question for this Inquiry will be how best to balance the public interest in the protection of privacy with competing public interests, including, but not limited to, freedom of expression.
40. Privacy may be balanced with other public interests by requiring that other interests must be considered as part of the cause of action. Alternatively, the balancing may be achieved by including a public interest defence to the cause of action.
41. If the balancing between privacy and other public interests is to be integrated with the cause of action, there is a further question of precisely whenand how the balancing is to occur.
42. The NSWLRC has argued that the consideration of competing public interests will often occur as part of the inquiry into whether or not a plaintiff had a reasonable expectation of privacy in the circumstances. It argued that the two issues of whether or not a matter is legitimately private, and the significance of competing interests,
are not always clearly separable. Thus, a competing public interest may be of such force in the circumstances that the case will focus principally on it in reaching a conclusion that no reasonable expectation of privacy arises.
43. A different approach to the balancing of interests is taken in the United Kingdom (UK). There, a two-stage approach is required in determining whether the cause of action for misuse of private information has been established:
First, is the information private in the sense that it is in principle protected by article 8? If no that is the end of the case. If yes, the second question arises: in all the circumstances, must the interest of the owner of the private information yield to the right of freedom of expression conferred on the publisher by article 10?
44. Alternatively, it may be more appropriate for public interest to be a defence than to be considered as part of establishing the cause of action. New Zealand provides a defence of ‘legitimate public concern’ to invasions of privacy. Where the act of invasion was a publication, the four Canadian provinces that have enacted statutory causes of action for invasion of privacy provide a defence where the publication was in the public interest. The VLRC also recommended that public interest should properly be considered as a defence to invasions of privacy.
The onus of proof
45. The location of the public interest balancing exercise will have an impact on the onus of proof. The VLRC based its recommendation that public interest should be a defence to an invasion of privacy largely upon its assessment that the burden of proving the existence of a countervailing public interest should lie with the defendant. It argued that a plaintiff ‘should not have to prove a negative, such as the lack of a countervailing public interest’.
46. In contrast, the NSWLRC considered that the onus of proof in relation to public interest should lie with the plaintiff. It contended that ‘it is appropriate … that, as part of establishing an invasion of privacy, plaintiffs should demonstrate at the outset that their claim to privacy is not outweighed by a competing public interest’.
47. Dr Normann Witzleb has suggested that the question of who bears the onus of proof may not have significant practical implications. Where public interest considerations are considered as part of establishing the cause of action, Witzleb considers that this
will, in many cases, prompt the plaintiff to provide evidence that is relevant to the public interest considerations in the balancing process. In practice, however, the defendant will often be in a better position, and have the greater interest, to adduce the evidence necessary for establishing the weight of the public interest in his or her conduct.
How should public interest be understood?
48. The ALRC is interested in stakeholder comment as to whether any guidance should be provided on the meaning of ‘public interest’ for the purposes of a statutory cause of action. Such guidance might include, for example, a definition of public interest, or a list of examples of relevant matters of public interest. Guidance may assist in providing clarity and certainty about what is meant by ‘public interest’. Matters of public interest may include those identified in the guiding principles for the Inquiry.
49. On the other hand, it may be more appropriate to leave public interest undefined. In the UK, the Joint Committee on Privacy and Injunctions concluded that there should not be a statutory definition of the public interest, ‘as the decision of where the public interest lies in a particular case is a matter of judgment, and is best taken by the courts in privacy cases’. In Hogan v Hinch, French CJ stated that, when ‘used in a statute, the term [public interest] derives its content from “the subject matter and the scope and purpose” of the enactment in which it appears’.
Question 7 How should competing public interests be taken into account in a statutory cause of action? For example, should the Act provide that:
competing public interests must be considered when determining whether there has been a serious invasion of privacy; or
public interest is a defence to the statutory cause of action?
Question 8 What guidance, if any, should the Act provide on the meaning of ‘public interest’?
50. A key element in any cause of action leading to a personal liability to pay compensation for loss or damage caused to another person is the fault element, or in the absence of a fault element, a strict liability.
51. The term ‘fault’ in a civil cause of action refers to either the state of mind of the relevant actor or the culpability of the actor’s conduct on an objective measure. Torts, or other bases of liability, such as statutory liabilities or liabilities for breaches of equitable duties, tend to be divided into actions imposing fault-based liability or actions imposing strict liability. Fault is generally comprised of either an actor’s intent to bring about the relevant interference with the plaintiff or the plaintiff’s interests, or the actor’s negligence in causing that interference. Conduct may be considered as intentional or satisfying the requirement for intention where it involves a high degree of recklessness. Negligence depends on whether the actor’s conduct measured up to an objective standard of what a reasonable person would do or not do in the circumstances.
52. Strict liability is liability that is imposed without the need for the claimant to prove any fault on the part of the defendant. Instances of strict liability are now relatively rare in Australian common law outside contractual obligations and fiduciary obligations, both of which rest on relationships that, ordinarily, have been voluntarily entered into by the parties. In Northern Territory v Mengel, a majority of the High Court remarked that
the recent trend of legal development, here and in other common law countries, has been to the effect that liability in tort depends on either the intentional or the negligent infliction of harm. That is not a statement of law but a description of the general trend.
53. Defamation is one of the rare examples of a common law tort liability that is strict, and is complete on proof of publication of defamatory material identifying the claimant. The uniform Defamation Acts enacted in the Australian states in 2005 provide for a defence of innocent dissemination. Another example is the tort action for breach of a statutory duty where the duty imposed by the statute is strict. Most strict liabilities now arise by statute. Important examples in Australian law are:
the statutory liability for losses caused by breach of the prohibition of misleading or deceptive conduct in trade or commerce imposed by the Australian Consumer Law and state Fair Trading Acts;
statutory liabilities for damage caused by defective products; and
the liability imposed by legislation for damage caused by aircraft.
54. Previous law reform reports have diverged on the issue of fault. The ALRC recommended that liability should be limited to intentional or reckless conduct, with ‘intentional’ defined as being where the defendant ‘deliberately or wilfully invades the plaintiff’s privacy’ and ‘reckless’ having the same meaning as in s 5.4 of the Criminal Code (Cth). The ALRC agreed with what had been said in the NSWLRC Consultation Paper in 2007, that ‘including liability for negligent or accidental acts in relation to all invasions of privacy would, arguably, go too far’. Neither the NSWLRC nor the VLRC recommended a fault element as part of the recommended cause or causes of action, but the NSWLRC recommended a defence of innocent dissemination similar to that found in the Defamation Acts.
55. Submissions to the DPM&C Issues Paper show a range of views on the issue of whether, and what, degree of fault should be required for an invasion of privacy to be actionable. Only a very small number favoured strict liability, arguing that fault should be relevant only to damages or that reasonable care should be a defence.
56. A number of submissions favoured requiring at least a degree of intent or recklessness. Some of these further noted that the relevant intent should be the intent to invade the privacy of the plaintiff and not merely an intent to do an act which invades the privacy of the plaintiff.
57. Other submissions argued that negligent invasion of privacy should be sufficient fault, some noting that an invasion of privacy may arise out of a systemic failure, but most arguing that liability should be imposed only where the negligence was gross or serious.
58. A number of submissions linked the fault requirement with the issue of whether damage is required. It can be inferred that they were concerned that a person could be strictly liable even if the action were actionable per se, that is, without proof of damage.
Question 9 Should the cause of action be confined to intentional or reckless invasions of privacy, or should it also be available for negligent invasions of privacy?
59. The ALRC has previously recommended that a statutory cause of action for invasions of privacy should be actionable without proof of damage. The NSWLRC and VLRC proposals also did not require proof of damage for an invasion of privacy to be actionable.
60. Such an approach would make invasions of privacy akin to intentional torts such as trespass and would be ‘recognition that the cause of action protects a fundamental human right’. It also recognises that invasions of privacy are often non-financial in consequence or may result in distress, humiliation and insult that fall short of provable damage. It would also allow the court to award a wider range of remedies to redress the invasion of privacy, such as an order requiring the defendant to apologise to the plaintiff.
61. However there is a concern that making the statutory cause of action actionable per se would encourage a proliferation of claims and may lead to significant extra costs to industry.
62. A middle ground between making the cause of action actionable per se and making it depend on proof of damage may be found by including the suffering of humiliation or emotional distress within the definition of ‘damage’ for the purposes of the cause of action. This would be consistent with s 52 of the Privacy Act 1988 (Cth), which currently provides that the loss or damage resulting from an interference with the privacy of an individual, as to which the Privacy Commissioner may make a determination of an entitlement to compensation or other remedy, ‘includes injury to the complainant’s feelings or humiliation suffered by the complainant’.
63. As is noted below, at paragraph 162, the inability of the common law to award damages in tort for emotional distress, even where it is intentionally inflicted, unless the circumstances amount to a trespass or defamation, is one of the key gaps in the common law’s redress for conduct invading privacy. The position in the equitable action for breach of confidence in Australia could still be regarded as somewhat uncertain, given the paucity of authority.
Question 10 Should a statutory cause of action for serious invasion of privacy require proof of damage or be actionable per se?
Question 11 How should damage be defined for the purpose of a statutory cause of action for serious invasion of privacy? Should the definition of damage include emotional distress (not amounting to a recognised psychiatric illness)?
Defences and exemptions
64. To some extent, the appropriate defences to a serious invasion of privacy will depend on the elements of the statutory cause of action. For example, if a consideration of public interest occurs as one of the elements of the cause of action, then a defence of public interest is unnecessary. Similarly, it is arguable that consent should be relevant to considering whether the threshold for a serious invasion of privacy has been established, rather than as a defence.
65. A defence to the statutory cause of action that the act or conduct was required or authorised by or under law was uniformly recommended by the ALRC, NSWLRC and VLRC.
66. Another defence might be that the act or conduct was ‘incidental to the exercise’, or ‘for the purpose’ of, a lawful right of defence of person or property. The VLRC suggested that such a defence may be relevant to conduct including ‘an employer taking privacy invasive action to prevent employee pilferage of stock … [and] conduct undertaken for the purpose of prosecuting or defending civil or criminal proceedings, such as private investigations’.
67. The ALRC seeks stakeholder comment as to whether this is an appropriate defence to the statutory cause of action and, if so, whether it should be qualified by a requirement that the act or conduct was proportionate, or necessary and reasonable. Without this qualification, such a defence may provide protection for conduct that goes beyond what might be appropriate to safeguard persons or property in a particular instance.
Question 12 In any defence to a statutory cause of action that the conduct was authorised or required by law or incidental to the exercise of a lawful right of defence of persons or property,should there be a requirement that the act or conduct was proportionate, or necessary and reasonable?
68. It may also be appropriate that defences similar to those available for defamation should be included as defences to a statutory cause of action for serious invasion of privacy. Such defences would be relevant where the invasion of privacy involved the publication of private facts or information. In particular, the defences to defamation of absolute or qualified privilege may be considered to be suitable defences to a statutory cause of action for serious invasion of privacy.
69. Absolute privilege will attach to any statement made on a ‘privileged occasion’: principally, where a matter is published in the course of the proceedings of a parliamentary body, or of an Australian court or Australian tribunal.
70. Qualified privilege, in state and territory defamation legislation, will apply where:
the recipient of the information has an interest, or apparent interest, in having information on some subject; and
the matter is published to the recipient in the course of giving to the recipient information on that subject; and
the conduct of the defendant in publishing that matter is reasonable in the circumstances.
71. Qualified privilege is also a common law defence to defamation. The common law has recognised four broad categories protected by qualified privilege:
publication of material in the performance of a duty or to protect an interest;
communications concerning government and political matters;
fair reports of judicial and parliamentary proceedings; and
extracts from public records, if they are part of a register kept pursuant to legislation that, by the legislation, is open to public inspection.
72. The defence of qualified privilege concerning government and political matters may be particularly relevant to ensuring that a statutory cause of action for serious invasion of privacy does not infringe upon the implied constitutional freedom of political communication.
Question 13 What, if any, defences similar to those to defamation should be available for a statutory cause of action for serious invasion of privacy?
73. Other appropriate defences to a statutory cause of action for serious invasion of privacy may include defences that:
there is another remedy available in respect of the invasion of privacy;
the information was already in the public domain;
the disclosure of information was made for the purpose of rebutting an untruth;
the circumstances justified the conduct as a matter of necessity;
there was a contractual waiver;
for online material, that the material has been taken down upon notification.
74. The ALRC seeks stakeholder comment on what defences should be available to a statutory cause of action for serious invasion of privacy. It is particularly interested in defences that may be appropriate for internet intermediaries or internet sites hosting material posted by third parties.
Question 14 What, if any, other defences should there be to a statutory cause of action for serious invasion of privacy?
75. It may be appropriate for certain activities or functions to be exempt from the ambit of a statutory cause of action. On the other hand, it may be argued that the defences to the statutory cause of action provide sufficient protection for persons ‘engaged in legitimate activities from unmeritorious actions for serious invasion of privacy’.
76. The DPM&C Issues Paper suggested that there may be a need for national security and law enforcement agencies to be exempted from the ambit of a statutory cause of action for serious invasion of privacy. A number of factors may justify such an exemption, including that:
such agencies are already subject to internal or legislative oversight and integrity mechanisms;
law enforcement and intelligence gathering activities have particular characteristics that make exposure to liability for a statutory cause of action inappropriate; and
a public interest exists in enforcement of criminal law and national security.
77. Other organisations, services or functions that stakeholders have proposed to be exempted included emergency services and social support services; journalists; banks; Commissions of Inquiry; and the exercise of judicial functions.
78. It has also been argued that there should be an exemption for providers of social networking platforms or other internet sites with respect to material posted by third parties.
Question 15 What, if any, activities or types of activities should be exempt from a statutory cause of action for serious invasion of privacy?
79. The main monetary remedies that are likely to be available for a breach of the statutory cause of action for serious invasion of privacy are damages and an account of profits.
80. The ALRC seeks stakeholder comment on the kinds of damages that should be available for serious invasion of privacy, as well as any restrictions on such damages.
81. In tort, the object of damages is to compensate the plaintiff. The award of damages seeks to place plaintiffs, as far as possible, in the position they would have been in had the wrong not been committed. Aggravated damages may be awarded to further compensate the plaintiff where the defendant’s conduct aggravates or intensifies the injury done to the plaintiff, causing, for example, particular insult or humiliation.
82. Exemplary damages are punitive in nature and may be awarded to mark the court’s disapproval of the defendant’s actions. Previous reports have recommended that damages awarded for serious invasions of privacy should include compensatory damages, but not include exemplary damages. However, it may be argued that exemplary damages should be available for malicious or egregious invasions of privacy.
83. In certain circumstances it may be appropriate for the defendant who has invaded the privacy of an individual to pay damages based on the assessment of a ‘notional licence fee’. This fee would compensate the individual whose privacy has been seriously invaded for any income that the individual would have received if the defendant had been required to pay a fee to carry out the activity that invaded the plaintiff’s privacy.
84. In the context of serious invasions of privacy, a notional licence fee may be an appropriate remedy where, for example, there has been publication of privacy-invasive photographs. The plaintiff in such a case might receive a ‘notional licence fee’ equal to the amount that would have been received had the plaintiff sold the photograph. While a notional licence fee generally arises due to commercial interests rather than privacy interests, it may nevertheless be an appropriate remedy in cases where both privacy and commercial interests are concerned. It may also provide an appropriate remedy where the laws of passing off would not be available to the plaintiff because the plaintiff lacked goodwill or a commercial reputation.
85. It may be considered appropriate to place a cap on the maximum award of damages—either in total, or for non-economic loss—that can be made for a serious invasion of privacy. For example, a cap could be set in line with, or lower than, that for defamation. Some stakeholders have argued that such a limit would discourage ‘forum shopping’ between causes of action. Others contend that no cap is necessary, citing the likelihood that modest sums will be awarded for serious invasions of privacy; and the risk that, if set too low, damages would not act as an effective deterrent for serious invasions of privacy.
Accounts of profit
86. An account of profits is an equitable remedy that may be granted in cases where a defendant has profited from a wrongful action. It is distinct from an award of damages in that it responds to the gain of the wrongdoer rather than the loss of the party wronged. An account of profits is a possible remedy for breaches of confidence and breaches of fiduciary duty. It is also available for infringement of copyright.
87. Although there may be many serious invasions of privacy that do not lead to profits for the wrongdoer, there may be many other serious invasions that do. An unauthorised photograph of a celebrity in their home that is sold to a magazine is one obvious example; another is an employee of a company who accesses a customer’s personal information without authorisation for personal gain.
88. An account of profits was recommended as a remedy for a serious invasion of privacy by the ALRC and NSWLRC. Both Commissions noted the concerns of some stakeholders that in many cases it would be difficult to determine the profits arising from a serious invasion of privacy, but neither considered that this should preclude an account of profits being available.
Question 16 Should the Act provide for any or all of the following for a serious invasion of privacy:
a maximum award of damages;
a maximum award of damages for non-economic loss;
assessment of damages based on a calculation of a notional licence fee;
an account of profits?
89. An interlocutory injunction is the most significant remedy to prevent a threatened invasion of privacy, such as the in-print, broadcast or online publication of private information. As with all court orders, its efficacy will depend on the jurisdiction of the court over the apprehended conduct and the location of the respondent. The court will not grant an injunction where it would be futile to do so.
90. Of all remedies, an interlocutory injunction restraining publication is also the most significant restriction on freedom of speech and freedom of the media to report on matters of public interest and concern. By the time the basis for the interlocutory injunction is adjudicated in a final hearing, the opportunity to reveal the relevant information at the appropriate time may have been lost or overtaken by other events.
91. The Terms of Reference of this Inquiry direct the ALRC to make recommendations as to the necessity to balance the value of privacy with other fundamental values including freedom of expression and open justice. One way the ALRC might do this is by making specific recommendations with regard to the matters that a court should take into account when considering the award of an injunction. Such a recommendation might be made with respect to both a statutory cause of action and existing causes of action.
92. According to equitable principles, before the court will exercise its discretion to award an injunction, an applicant for an interlocutory injunction has to satisfy the court that:
there is a serious question to be tried as to the plaintiff’s entitlement to relief;
the plaintiff is likely to suffer injury for which damages will not be an adequate remedy; and
the balance of convenience favours the granting of an injunction.
93. In actions for defamation, an applicant faces additional hurdles when seeking an interlocutory injunction. In ABC v O’Neill, Gleeson CJ and Crennan J noted that, in defamation cases, particular attention will be given to the public interest in free speech when considering whether an interlocutory injunction should be granted.
94. Privacy cases raise somewhat different issues from defamation cases, because, in a privacy case, a defendant cannot depend on the truth of the disclosed information as a defence. Nevertheless, there is a similar concern with undue restriction of freedom of speech in privacy cases, particularly in the context of disclosure of information.
95. In the UK, this is reflected in the requirement that, in privacy cases, the European Convention on Human Rights right to privacy (art 8) be balanced with the right to freedom of expression (art 10) when determining whether there has been an actionable invasion of privacy. Additionally, s 12 of the Human Rights Act 1998 (UK) makes special provision for considering the impact on freedom of expression in the grant of injunctions to restrain publication:
s 12 Freedom of expression
(1) This section applies if a court is considering whether to grant any relief which, if granted, might affect the exercise of the Convention right to freedom of expression.
(4) The court must have particular regard to the importance of the Convention right to freedom of expression and, where the proceedings relate to material which the respondent claims, or which appears to the court, to be journalistic, literary or artistic material (or to conduct connected with such material), to—
(a) the extent to which—
(i) the material has, or is about to, become available to the public; or
(ii) it is, or would be, in the public interest for the material to be published;
(b) any relevant privacy code.
96. The ALRC is interested in submissions on whether a similar provision would be desirable in Australian legislation enacting a statutory cause of action or relating to other existing causes of action.
Question 17 What, if any, specific provisions should the Act include as to matters a court must consider when determining whether to grant an injunction to protect an individual from a serious invasion of privacy? For example, should there be a provision requiring particular regard to be given to freedom of expression, as in s 12 of the Human Rights Act 1998 (UK)?
97. As an alternative (or in addition) to monetary remedies and injunctions, there may be other remedies that are more appropriate where the statutory cause of action is made out.
98. The following remedies may be appropriate:
an order requiring the defendant to apologise to the plaintiff;
a correction order;
an order for the delivery up, destruction or removal of material;
a declaration; and
an order that the defendant rectify its business or information technology practices.
99. Each of these remedies may be appropriate in different circumstances. For some plaintiffs, all that will be sought is a formal acknowledgement that their privacy has been seriously invaded. For others, a serious invasion of privacy may have resulted in false information being published, which should be corrected. Where documents or other information have been published about the individual whose privacy has been seriously invaded, it may be appropriate to order that the documents or information be delivered to the individual, destroyed, or taken down from the internet. A declaration as to entitlements or the lawfulness or unlawfulness of certain conduct may be appropriate in some cases.
100. Serious invasions of privacy may also arise due to systemic problems with business processes or information technology systems, for instance, when a large company has inadequate controls to prevent staff from accessing customers’ personal information without authorisation. Whether or not a systemic practice or failure amounts to an invasion of privacy for the purposes of a statutory cause of action would depend on the detailed design of the cause of action. If it did give rise to a cause of action, an appropriate remedy might be an order that the defendant rectify its business or information technology practices. It may however be more appropriate for such systemic breaches to be addressed by regulatory schemes where compliance can be monitored.
Question 18 Other than monetary remedies and injunctions, what remedies should be available for serious invasion of privacy under a statutory cause of action?
Who may bring a cause of action
101. There appears to be significant agreement that a cause of action for invasion of privacy should only be able to be brought by, or in respect of, natural persons. Such a limitation has been considered appropriate because of the nature of the interest that a privacy cause of action is intended to protect. According to Sedley LJ, the protection of privacy is ‘a legal principle drawn from the fundamental value of personal autonomy’.
102. In ABC v Lenah Game Meats, Gummow and Hayne JJ observed that artificial persons could not invoke any such fundamental value to justify legal protection of their privacy. They noted that, ‘of necessity, this artificial legal person lacks the sensibilities, offence and injury to which provide a staple value for any developing law of privacy’.
103. In 2008, the ALRC recommended that a statutory cause of action for serious invasion of privacy should be limited to natural persons, ‘on the basis that the desire to protect privacy is founded on notions of individual autonomy, dignity and freedom’. Restriction to natural persons was uncontested in submissions to the DPM&C Issues Paper.
104. Given that the restriction to natural persons appears to be uncontentious, the ALRC does not ask a question about this issue.
105. The ALRC considers here the question of whether, if a serious invasion of an individual’s privacy occurs while that individual is alive, a cause of action should survive for the benefit of the estate.
106. This issue has been considered in previous law reform inquiries into privacy. The VLRC and NSWLRC recommended that a cause of action be restricted to living persons, with no action surviving for the benefit of an estate of an individual and no cause of action in respect of deceased persons whose privacy is invaded after their death.
107. The ALRC does not consider at this stage of the Inquiry what further provisions the law should make about privacy-related matters in respect of deceased persons, such as about control of, access to or disclosure of information about deceased persons or their communications, or about physical interferences with the body or remains of a deceased person. The ALRC is interested however in receiving submissions that comment on particular problems that arise in the digital era with regard to control of or access, after death, to the private information or communications of individuals.
108. Traditionally at common law the rule actio personalis moritur cum persona meant that personal actions ‘died’ with the plaintiff so that no cause of action survived the plaintiff and that the estate of the plaintiff or victim could not sue with respect to wrongs suffered before death. This position has been reversed in state and territory statutes so that some causes of action survive the death of the plaintiff, although the damages that may be awarded are limited after death in significant respects. The limitation period for a survival action for serious invasion of privacy would be the same as the limitation period for the existing cause of action pursued during the plaintiff’s lifetime. This position is consistent with limitation periods for negligence, nuisance and breach of duty survival claims in state Acts.
109. However, an action analogous to a cause of action for invasion of privacy, the action for defamation, generally does not survive for the benefit of the defamed person’s estate. The rationale for this restriction is that a reputation is personal. Family members may only sue in defamation if they have been personally defamed.
110. Providing for the survival of the cause of action for the benefit of the estate of the person whose privacy was invaded before his or her death would provide acknowledgement of the harm caused by a serious invasion of privacy. This position would be consistent with existing survival legislation in relation to actions such as trespass to the person. However, if it were subject to existing restrictions—which generally prevent the estate recovering damages for non-pecuniary losses—there may be little point in the estate bringing the action (unless exemplary damages were available). It would be advisable for the legislation to specify what damages were available. In addition, a short limitation period in respect of the person’s cause of action would limit the availability of a survival action.
Question 19 Should a statutory cause of action for a serious invasion of privacy of a living person survive for the benefit of the estate? If so, should damages be limited to pecuniary losses suffered by the deceased person?
Proceedings in respect of other persons
111. It may also be appropriate to allow an independent regulator, such as the Australian Privacy Commissioner, to bring proceedings on behalf of living, natural persons. This approach may better enable access to justice for those with limited means, or in cases where systematic breaches of privacy affect a large number of individuals.
112. The ALRC is interested in stakeholder response to such a proposal. It also seeks stakeholder views about who the most appropriate person or body would be to bring an action in respect of the serious invasion of privacy of one or more individuals.
113. Depending on which court or courts have jurisdiction, it is also possible that representative proceedings may be brought for serious invasion of privacy. For example, Part IVA of the Federal Court of Australia Act 1976 (Cth) makes provision for representative proceedings, where the claims of several individuals can be combined and heard as a single proceeding.
Question 20 Should the Privacy Commissioner, or some other independent body, be able to bring an action in respect of the serious invasion of privacy of an individual or individuals?
114. Two important issues arise for the limitation period for a statutory cause of action for serious invasion of privacy: the length of any period; and the date from which the limitation period starts to run.
115. Should the limitation period be consistent with that of similar or related causes of action? For example, in defamation, the limitation period is one year, with a possible extension to three years if it was not reasonable in the circumstances to have commenced proceedings within one year. For personal injury, the limitation period is three years.
116. It may also be appropriate to start the limitation period from the date upon which the plaintiff became aware of the act or conduct constituting the invasion, rather than the date upon which the act or conduct occurred. The NSWLRC rejected the former approach, arguing that it was inconsistent with the general approach in Australia to the law of limitations.
117. If the limitation period runs from the date the plaintiff first became aware of the invasion, the ALRC seeks stakeholder comment on whether there should be a maximum limitation period beyond which a cause of action could not be brought.
Question 21 What limitation period should apply to a statutory cause of action for a serious invasion of privacy? When should the limitation period start?
Location and forum
118. The appropriate forums to hear a claim based on the statutory cause of action will depend on where the action is located—in Commonwealth, or in state and territory legislation.
119. The Terms of Reference require the ALRC to make recommendations concerning jurisdiction and access to justice. When considering these issues, a range of matters will need to be addressed including: minimising confusion or inconsistency in the application of legislation across Australian jurisdictions; the scope of available remedies; and any relevant constitutional issues.
Inclusion of a statutory cause of action in Commonwealth legislation
120. The ALRC has previously recommended that a statutory cause of action be contained in Commonwealth legislation, separate to the Privacy Act, which would also cover state and territory agencies. Depending on the specific design of a statutory cause of action, the constitutional power which the ALRC has previously identified as underpinning Commonwealth privacy legislation is the Australian Government’s external affairs power.
121. Enshrining a statutory cause of action in Commonwealth legislation would grant jurisdiction to the Federal Court and Federal Circuit Court to hear actions. State courts may be empowered to hear federal matters by ss 71 and 77(ii) of the Australian Constitution.
122. The alternative approach, of having mirror legislation throughout the states and territories as well as in Commonwealth legislation, would depend for its efficacy on co-operation between the Commonwealth, states and territories to avoid inconsistency.
Inclusion in the Privacy Act
123. Another approach is to place a statutory cause of action in the Privacy Act. This wouldrequire review of the scope of the Act and of the Australian Privacy Commissioner’s powers. The Australian Privacy Commissioner’s current remit is to investigate interferences with privacy which disclose personal information. A statutory cause of action would probably involve a wider range of invasive conduct.
124. Currently, the Australian Privacy Commissioner may investigate complaints and make non-binding determinations. Where a Commonwealth agency has not complied with a determination, the Commissioner or the complainant may pursue the matter in the Federal Court or Federal Circuit Court. An individual who has lodged a complaint with the Privacy Commissioner may appeal a determination or a decision not to investigate a complaint through three alternate channels: the federal courts; the Administrative Appeals Tribunal (AAT); or the Commonwealth Ombudsman.
125. Other models include granting jurisdiction to state or Commonwealth administrative review tribunals. This may be in addition to the jurisdiction of the federal courts. These forums offer litigants relatively lower costs in legal representation and court costs, informality in proceedings and alternative dispute resolution paths. These factors may minimise the chance of high adverse costs orders which may result from court proceedings. This approach may be appealing to enable broader access to justice for claimants. Decisions from state-based administrative review tribunals may be appealed on questions of law to state supreme courts.
Question 22 Should a statutory cause of action for serious invasion of privacy be located in Commonwealth legislation? If so, should it be located in the Privacy Act 1988 (Cth) or in separate legislation?
Question 23 Which forums would be appropriate to hear a statutory cause of action for serious invasion of privacy?
Alternative dispute resolution
126. While a statutory cause of action would provide individuals with a mechanism to seek redress for serious invasions of privacy in a court, judicial proceedings are likely to be expensive, with no guarantee of a favourable outcome. Alternative dispute resolution (ADR) can provide a faster, cheaper and low-risk alternative to judicial proceedings.
127. Common ADR options include mediation, conciliation and arbitration. In mediation, the parties to the dispute attempt to reconcile their disagreement themselves, with a neutral mediator present to assist the parties in reaching an agreement, but not to provide advice. In conciliation, a neutral third party provides advice, but does not make a determination. In arbitration, the parties present their arguments to a neutral arbitrator, who makes a determination. ADR services are usually provided by specialist mediators, conciliators and arbitrators.
128. Some court rules already require parties to attempt mediation in the early stages of proceedings or a court may have the power to direct parties to engage in a mediation process.
129. While ADR has significant advantages, it may also have disadvantages. The most significant disadvantage is that the outcomes of ADR are generally not binding on the parties. As a result, there is potential for ADR to be misused by some parties as a delaying tactic, which may add to the final time and costs if the dispute proceeds to court. There may also be a public interest in having certain cases heard in court—for example, where it would be helpful to have a judicial ruling on certain conduct involving new technologies.
Question 24 What provision, if any, should be made for voluntary or mandatory alternative dispute resolution of complaints about serious invasion of privacy?
Interaction with existing complaints processes
130. The ALRC is interested in submissions on the overlap and interaction of a statutory cause of action with the existing regulatory and remedial regime governing information privacy.
131. A number of existing statutory bodies have the power to respond to complaints about certain categories of invasion of privacy. These include, for example:
the Australian Privacy Commissioner;
the privacy and information commissioners in each state and territory;
other regulators, such as the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC); and
industry bodies such as the Australian Press Council and the Telecommunications Industry Ombudsman.
132. Some of these bodies (the privacy and information commissioners) have a particular focus on data protection. Others have more general functions, with privacy complaints being one among many types of complaints handled. The possible outcomes of the complaints processes also vary between these bodies, ranging from non-binding recommendations to enforceable determinations.
133. The Australian Privacy Commissioner, in particular, may have the power to handle many complaints that could also be the basis for a statutory cause of action—for example, complaints about improper use or disclosure of personal information. The Privacy Commissioner’s powers extend to Australian Government and private sector organisations (with some specific exemptions).
134. In dealing with complaints under the Privacy Act, the Privacy Commissioner may make a range of determinations, from dismissing the complaint to a declaration that the complainant is entitled to monetary compensation for loss or damage suffered, or that the respondent must take specified steps to ensure that the conduct is not repeated or continued.
135. It may be appropriate to limit judicial actions where a non-judicial process has been used to resolve a complaint. This would reduce the possibility of complainants ‘double-dipping’ to take advantage of multiple avenues of dispute resolution.
Question 25 Should a person who has received a determination in response to a complaint relating to an invasion of privacy under existing legislation be permitted to bring or continue a claim based on the statutory cause of action?