About the Inquiry

1. On 12 June 2013, the Attorney-General of Australia asked the Australian Law Reform Commission (ALRC) to conduct an Inquiry into ways in which the law might prevent and redress serious invasions of privacy in the digital era.

Getting involved in the reform process

2. The ALRC will engage in widespread community and industry consultation at two stages of the Inquiry. First, the ALRC is seeking submissions addressing the questions raised in this Issues Paper (IP 43) and any other issues that stakeholders want to draw to our attention. The closing date for submissions is 11 November 2013.

3. The ALRC will then conduct consultations around the country that, along with community submissions and our own research, will assist the ALRC to formulate draft proposals for reform. These will be outlined in a Discussion Paper to be released in late February 2014. The ALRC will call for submissions on these proposals before finalising its recommendations for reform. These recommendations will be outlined in the Final Report, due at the end of June 2014.

4. Further information about ALRC consultation and submission processes—including how the ALRC uses submissions in its research and policy development work—is available on the ALRC website, along with how to subscribe to the Inquiry e-news.

Why this Inquiry

5. The ubiquitous commercial and personal use of digital and affordable mobile technology, across all social and economic strata of society, has been world changing. New technologies allow unprecedented levels of surveillance and tracking of the activities of individuals, of recording and communication of personal information, and of intrusion into physical space. Both aspects of personal privacy that law reform commissions have previously investigated—unauthorised use of personal information and intrusion on personal privacy or seclusion—are significantly affected by the digital era and the capacities that digital technology provides.

6. This Inquiry builds on four other inquiries into privacy law or related issues conducted in Australia since 2006,^[1] three of which recommended the enactment of a statutory cause of action. The divergence in these recommendations, developments in other jurisdictions, and the ever-increasing use of new technologies, makes it appropriate for further consideration to be given to the detailed legal design of a statutory cause of action in this Inquiry.

7. In For Your Information; Privacy Law and Practice, (ALRC Report 108, 2008), the ALRC recommended that Commonwealth legislation, separate from the Privacy Act 1988 (Cth) (Privacy Act), should provide for a statutory cause of action for serious invasion of privacy.^[2] The recommendations set out the elements of the proposed cause of action, a range of defences, and a range of possible remedies. The section dealing with a statutory cause of action was a relatively small part of Report 108, which had a primary focus on information privacy: information collection, access or use.

8. In 2009, the New South Wales Law Reform Commission(NSWLRC) recommended that a general cause of action for invasion of privacy was required to provide a ‘basis for the ongoing development of the law of privacy in a climate of dynamic societal and technological change’.^[3] It also considered that the cause of action would operate to fill gaps in existing law. The NSWLRC Report included a Draft Bill.

9. In 2010, the Victorian Law Reform Commission (VLRC) issued its Report, Surveillance in Public Places (Report No 18), which followed a decade-long inquiry into workplace privacy and privacy in public places. The VLRC recommended separate causes of action: one for misuse of private information; and another for intrusion upon seclusion, or interference with spatial privacy.

10. Then, in September 2011, the Department of the Prime Minister and Cabinet (DPM&C) released an Issues Paper, prompted by a number of ‘high profile privacy breaches’ in Australia and overseas.^[4] Noting the three law reform commission reports recommending an action, that Issues Paper asked a number of questions on the desirability of a statutory cause of action and on the possible elements of such an action. Approximately 80 submissions were received, from a wide range of public and private organisations and individuals, providing a very useful resource for the ALRC when deciding what issues need further consideration and what questions should be asked in this Issues Paper.

11. One factor that affects the need for, or desirability of, a statutory cause of action for invasion of privacy is the state of development of the common law protection of privacy. In Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, the High Court of Australia left open the possibility that a tort of invasion of privacy may develop at common law.^[5] Subsequently, a tort of invasion of privacy has been recognised by two lower court decisions,^[6] but no appellate court has confirmed the existence of this tort.^[7]

12. While the common law in Australia has not developed as quickly as some might have expected after ABC v Lenah Game Meats, litigants have continued to use other causes of action, such as trespass, to protect themselves from physical intrusions or the equitable action for breach of confidence to prevent unauthorised disclosure of private information.^[8]

The scope of the Inquiry

13. The Terms of Reference set out and limit the scope of the ALRC’s Inquiry. In addition to making recommendations on a statutory cause of action, the ALRC is asked to make recommendations about other legal remedies and innovative ways in which the law could prevent or redress serious invasions of privacy. This will require the ALRC to consider a range of existing common law causes of action and remedies and statutory provisions, and how they might be strengthened or amended, as well as proposals for new ways in which the law could reduce or prevent invasions of privacy.

14. Submissions to previous inquiries, most recently the DPM&C Issues Paper, gave a number of reasons why the respondents favoured or opposed a statutory cause of action. The ALRC takes the view that it is not useful to ask again, in this Issues Paper, whether respondents support or oppose a statutory cause of action. The answer to that question may well depend on both the precise legal content of the statutory cause of action as proposed by the ALRC, and on the other or alternative recommendations that may be made in respect of possible ways the law could prevent or redress serious invasions of privacy. The precise form of the cause of action will have an impact on its potential interpretation and application, on the extent of protection it may provide to potential claimants, and on the activities of those who would face potential liability.

Balancing the value of privacy with other interests

15. The Terms of Reference require the ALRC to make recommendations which recognise the necessity to balance the value of privacy with other fundamental values—including freedom of expression and open justice. The Inquiry considers this issue at several stages, both in relation to the enactment of a statutory cause of action and in relation to general legal remedies to prevent serious invasions of privacy. Questions 1, 7, 8 and 17 deal with this aspect of the Inquiry.

The detailed legal design of a statutory cause of action

16. As the Terms of Reference set out, there are a number of important issues to be considered in the design of a statutory cause of action. Which courts or tribunals would be most appropriate to hear the action? What powers may such courts or tribunals be given under the Constitution? What sort of conduct would amount to an invasion of privacy? How would the claimant’s rights to privacy be balanced against the defendant’s rights and freedoms and other matters of public interest? How serious must an invasion of privacy be before a claimant could sue, and how would the threshold of seriousness be judged? Would the claimant have to prove that the defendant intended to invade his or her privacy, or would some lesser degree of fault be sufficient? Should a claimant have to prove that he or she has suffered some sort of damage or loss and what sort of effect should be treated as damage for this purpose? What defences should apply? Should some organisations or activities be exempt from the cause of action? How should the statutory cause of action interact with the existing regulatory and remedial framework of the Privacy Act and other legislation?

17. These issues are the subject of Questions 1–25 in this Issues Paper and will be a significant focus of the ALRC Inquiry.

Remedies and prevention of serious invasions of privacy under other existing legislation

18. Commonwealth and state and territory privacy legislation has, since 1988, provided a wide-ranging regulatory and remedial framework for general information privacy or data protection in Australia. In addition, there is specific Commonwealth and state and territory legislation dealing with health records. The Privacy Act has recently been the subject of lengthy and considered review and amendment, giving the Australian Privacy Commissioner greater powers to require mandatory notification of data breaches and to require organisations to put in place or clarify their privacy policies. The amendments will take effect in March 2014 with the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) and are currently the subject of much activity in the business and governmental sectors. The ALRC does not consider it appropriate for this Inquiry to review particular aspects of Commonwealth legislation which have been the subject of recent, detailed amendment or enactment, even though they may have a considerable impact on personal privacy. This includes, for example, s 44 of the Aviation Transport Security Act 2004 (Cth) dealing with the use of body-scanners at Australian airports.

19. Question 27 asks respondents to suggest ways in which existing legislation could be strengthened to better prevent or redress serious invasions of privacy. Respondents may wish to highlight significant gaps or inconsistencies in protection under Commonwealth, state or territory laws. However, because the ALRC is required to complete its Final Report by June 2014, its capacity to make any extensive review of existing legislation is necessarily constrained.

Other legal remedies and innovative ways to reduce or redress serious invasions of privacy

20. The Terms of Reference require the ALRC to consider the nature and appropriateness of other legal remedies for serious invasions of privacy.

21. Although there is no specific common law cause of action for invasion of privacy, there are a number of common law actions which provide significant protection for individual privacy. There are, however, notable gaps in that protection. These, and questions concerning the ways in which the existing law may be supplemented, short of a broad statutory cause of action, are discussed at Question 26.

Privacy in the digital era

22. The debate about privacy in 2013 has been focused on information privacy in the digital era. In particular, attention has been given to the rapidly expanded technological capacity of organisations to track the physical location and activities of individuals, to collect and use information from social media, to aggregate data from many sources, and to intercept and interpret the details of communications. Some of these activities may amount to an invasion of the privacy of an individual. Some may breach existing criminal or civil laws or regulatory schemes on the collection or storage or dissemination of data. Comment on innovative ways in which the law may address invasions of privacy in the digital era is invited at Question 28.

23. The scope of the ALRC Inquiry extends, but is not confined, to invasions of privacy brought about by digital technology. Some gaps in the existing protection of an individual’s privacy relate to physical activities or physical intrusions that fall short of the elements of existing laws such as the torts of assault or trespass to land. Question 26 addresses the issue of physical intrusions, as well as other forms of invasion of privacy.

Principles guiding reform

24. The ALRC proposes to use the following principles to inform the development of proposals for reform. They draw on statements of principle in leading cases in Australia and other jurisdictions, international conventions, academic commentary on privacy and related fields, the Terms of Reference, and key principles identified in earlier reports, issues papers and submissions.

Privacy as a value: Privacy is important for individuals to live a dignified, fulfilling and autonomous life. It is an important element of the fundamental freedoms of individuals which underpin their ability to form and maintain meaningful and satisfying relationships with others; their freedom of movement and association; their ability to engage in the democratic process; their freedom to advance their own intellectual, cultural, artistic, financial and physical interests, without undue interference by others.

Privacy as a matter of public interest: There is a public interest in the protection of individual privacy and confidentiality.

The balancing of privacy with other values and interests: Privacy of an individual is not an absolute value which necessarily takes precedence over other values of public interest. It must be balanced with a range of other important values, freedoms and matters of public interest, including:

• freedom of speech, including the freedom of the media;

• freedom of artistic and creative expression;

• the proper administration of government and matters affecting the public or members of the public;

• the promotion of open justice;

• national security and safety;

• the prevention and detection of criminal and fraudulent activity;

• the effective delivery of essential services in the community;

• the protection of vulnerable persons in the community;

• national economic development and participation in the global digital economy; and

• the capacity of individuals to engage in digital communications and electronic financial and commercial transactions.

International standards in privacy law: The protection of privacy in Australia should be consistent with Australia’s international obligations, for example, under the International Covenant on Civil and Political Rights, and take into account, as far as appropriate, international standards and legal developments in the protection of privacy.^[9]

Flexibility and adaptability: The design of the legislative protection of privacy should be sufficiently flexible to adapt to rapidly changing technologies and capabilities without the need for constant amendments, but at the same time be drafted with sufficient precision and definition to promote certainty as to its application and interpretation.

Coherence and consistency: Any recommendation for a statutory cause of action or other remedy should promote coherence in the law and be consistent with other laws or regulatory regimes in Australian law, and should promote uniformity or consistency in the law applying throughout Australian jurisdictions.

Access to justice: The law should provide a range of means to prevent, reduce or redress serious invasions of privacy which provide appropriate access to justice for those affected.