Issues Paper - A Commonwealth statutory cause of action for serious invasion of privacy

Submission to the Attorney-General's Department (November 2011)

Submission by Prof. John McMillan, Australian Information Commissioner
and Timothy Pilgrim, Australian Privacy Commissioner

Contents

• Executive summary
  • Summary of key responses
    • General comments
    • Responses to key questions
• Introduction
  • The Office of the Australian Information Commissioner
  • Background
    • Privacy and the Privacy Act
    • Privacy reform
    • Comparing the law reform commission models
    • Recognition of a right to privacy in international jurisdictions
  • Structure of this submission
• General comments
  • Enhancing privacy protection
  • The role of a statutory cause of action for invasion of privacy
  • Role of OAIC
• Comments in response to specific Issues Paper questions
  • Question 1 - Do recent developments in technology mean that additional ways of protecting individuals' privacy should be considered in Australia?
  • Question 2 - Is there a need for a cause of action for serious invasion of privacy in Australia?
  • Question 3 - Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law?
  • Question 4 - Is "highly offensive" an appropriate standard for a cause of action relating to serious invasions of privacy?
  • Question 5 - Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?
  • Question 6 - How best could a statutory cause of action recognise the public interest in freedom of expression?
  • Question 7 - Is the inclusion of "intentional" or "reckless" as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault?
  • Question 8 - Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient?
  • Question 9 - Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material?  If a list were to be included, should any changes be made to the list proposed by the ALRC?
  • Question 10 - What should be included as defences to any proposed cause of action?
  • Question 11 - Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application?
  • Question 12 - Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action?
  • Question 13 - Should the legislation prescribe a maximum award of damages for non-economic loss, and if so, what should that limit be?
  • Question 14 - Should any proposed cause of action require proof of damage?  If so, how should damage be defined for the purposes of the cause of action?
  • Question 15 - Should any proposed cause of action also allow for an offer of amends process?
  • Question 16 - Should any proposed cause of action be restricted to natural persons?
  • Question 17 - Should any proposed cause of action be restricted to living persons?
  • Question 18 - Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced?
  • Question 19 - Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy?
  • Additional issue - interaction between Commonwealth and State laws

---

Executive summary

1. The Office of the Australian Information Commissioner (OAIC) welcomes the release by the Australian Government of the Issues Paper "A Commonwealth statutory cause of action for serious invasion of privacy" (Issues Paper).[1]
2. Privacy is an internationally recognised human right. As a party to the International Covenant on Civil and Political Rights, Australia is required to give effect to the privacy rights contained in Article 17 of that instrument. The Privacy Act 1988 (Cth) (Privacy Act) is an example of a legislative measure adopted in Australia to give effect to this obligation. However, the Privacy Act is not a full implementation of Article 17 as there are a number of areas it does not cover. For example:
   • the Privacy Act regulates only information privacy, and not other areas of privacy such as territorial and bodily privacy, and
   • various entities (such as small businesses) and acts or practices (such as some acts or practices of journalists and political organisations) are exempt from the requirements of the Privacy Act.
3. The release of the Issues Paper is another step in the Australian Government's consideration of the recommendations made by the Australian Law Reform Commission (ALRC) in its 2008 Report 108 For Your Information, Privacy Law and Practice (ALRC Report). The ALRC's recommendations included that federal legislation provide for a statutory cause of action for a serious invasion of privacy.[2] In addition, both the New South Wales Law Reform Commission (NSWLRC) and Victorian Law Reform Commission (VLRC) have recommended the creation of statutory causes of action for privacy invasion.

---

Summary of key responses

4. This submission contains the OAIC's general observations in response to a proposed statutory cause of action for serious invasion of privacy, and the OAIC's comments in response to each question posed in the Issues Paper. Key comments and responses are outlined below.

General comments

5. The OAIC strongly supports the privacy law reform process currently underway. This process will strengthen privacy regulation under the Privacy Act. However, there are identified areas for reform arising from the ALRC Report where implementation decisions have not yet been made, and areas which are not the subject of the current reform process.
6. The OAIC appreciates that a statutory cause of action for invasion of privacy may complement any Privacy Act reforms by addressing areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals. The OAIC believes it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute and that it must be balanced against competing rights including the right to freedom of expression.
7. The OAIC is concerned that a cause of action actionable directly to the courts may pose access to justice issues and therefore deliver limited benefits. The OAIC therefore suggests that consideration be given to a model where an individual alleging a privacy invasion initially complains to the OAIC under a model similar to that currently used for complaints of privacy interference in breach of the Privacy Act. An option to proceed to court could be available in limited circumstances such as permitting the OAIC to refer a question of law to the Federal Court for guidance, and allowing a party to commence court proceedings where the OAIC declines to make a determination following an unsuccessful conciliation.
8. Given the OAIC's current role in privacy regulation and complaints, consideration should be given to creating intervener and amicus curiae roles for the Australian Information Commissioner in relation to privacy invasion actions in the courts.

Responses to key questions

9. The OAIC supports any cause of action for invasion of privacy being created by statute rather than being left to develop at common law.
10. The OAIC considers that a standard of offensiveness should be a threshold requirement for establishing the cause of action. However, the OAIC has some concerns that a "highly offensive" threshold may be largely unattainable, preventing meritorious cases from proceeding (for example, where security cameras on a residential property capture footage from a neighbouring property).
11. Any cause of action should be available to individuals seeking redress against intentional and reckless acts. The OAIC suggests further consideration also be given to including some negligent acts within the ambit of the action.
12. The right to privacy is not absolute and weighing privacy rights against competing public interests is critical to the cause of action. It is preferable for this balancing of interests to be integrated into the cause of action (rather than the public interest constituting a separate defence).
13. The OAIC supports the inclusion in legislation of relevant matters to be taken into account by the court in considering whether the cause of action for invasion of privacy has been made out. However, a number of items included in the NSWLRC's list of relevant matters should be reconsidered.
14. The legislation should contain a non-exhaustive list of the types of acts that might constitute an invasion of privacy. To ensure it is clear that the cause of action is intended to cover all aspects of an individual's privacy, the OAIC suggests that the list be prefaced by a statement to that effect.
15. The OAIC supports the inclusion of an exhaustive list of defences in the legislation. The OAIC agrees with the defences suggested by the ALRC, but suggests limiting the defence of "incidental to the exercise of a lawful right of defence of person or property" to cases where the act or conduct was a reasonable and proportionate response to the threatened harm. In addition, the OAIC supports a defence similar to the defence of "innocent dissemination" in defamation law.
16. The OAIC considers that exemptions to the cause of action are not required, as the elements of the action together with the suggested defences provide adequate safeguards against unmeritorious claims.
17. The OAIC supports courts being able to apply the remedy that is most appropriate in the circumstances without being limited by the jurisdictional restraints that may apply under the general law. In relation to damages, the OAIC suggests that no maximum award of damages for non-economic loss be prescribed in the legislation. If a complaints model is adopted, the OAIC suggests the OAIC have a flexible range of powers and remedies available to it, including those currently available in the Privacy Act and through proposed Privacy Act reforms.
18. If a cause of action is introduced, the OAIC supports the inclusion of mechanisms which encourage the early resolution of disputes. If an "offer of amends" process is used, the defamation model may need to be adapted in order to function appropriately in the privacy context.
19. Consistently with the right to privacy being a human right, the OAIC recommends that the cause of action be actionable without proof of damage, and be restricted to natural, living persons.
20. The OAIC supports an approach requiring an action (or complaint - see vii above) for invasion of privacy to be commenced within 12 months from the date the applicant became aware of the relevant act or conduct, with a discretion allowing an action to be brought outside the 12 month period.
21. If a cause of action is actionable to the courts, the OAIC favours the Federal Court and Federal Magistrates Court being granted jurisdiction to hear and determine claims.
22. Any cause of action should be introduced in a manner that does not contribute to inconsistent and fragmented privacy regulation in Australia. Subject to any constitutional restraints, the OAIC considers that this would be best achieved by introducing any statutory cause of action into Commonwealth law and granting jurisdiction to the Federal courts. If a complaints model is adopted, the OAIC sees merit in including the relevant provisions in the Privacy Act.

---

Introduction

1. The Office of the Australian Information Commissioner (OAIC) welcomes the Australian Government's release of the Issues Paper in relation to a Commonwealth statutory cause of action for serious invasion of privacy (Issues Paper).[3]
2. The release of the Issues Paper follows recommendations by the Australian Law Reform Commission (ALRC) in its 2008 report For Your Information: Australian Privacy Law and Practice (ALRC Report)[4] for federal legislation to provide a statutory cause of action for a serious invasion of privacy.[5]

The Office of the Australian Information Commissioner

3. The OAIC was established by the Australian Information Commissioner Act 2010 (Cth) (the AIC Act) and commenced operation on 1 November 2010.
4. The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
5. The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.
6. The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
7. The Commissioners of the OAIC share two broad functions:
   • the FOI functions, set out in s8 of the AIC Act - providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
   • the privacy functions, set out in s9 of the AIC Act - protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and other legislation.
8. The Information Commissioner also has the information commissioner functions, set out in s7 of the AIC Act. These comprise strategic functions relating to information management by the Australian Government.

Background

Privacy and the Privacy Act

9. Privacy is a human right recognised in several international instruments, including Article 12 of the Universal Declaration of Human Rights[6] and Article 17 of the International Covenant on Civil and Political Rights 1966 (ICCPR).[7] The ICCPR requires parties to adopt such legislative measures as may be necessary to give effect to the rights in that instrument, including the privacy rights in Article 17.
10. The Privacy Act is a legislative measure adopted in Australia to protect privacy, and gives partial effect to Article 17. It regulates the handling of personal information by Australian, ACT and Norfolk Island government agencies. It also regulates the activities of certain private sector organisations, including health service providers and businesses with an annual turnover of more than $3 million. The activities of State and other Territory government agencies are regulated by State or Territory legislation where it exists.
11. Personal information is defined in the Privacy Act as information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[8] Examples include names, medical records and photographs.
12. The Privacy Act regulates the collection of personal information, the accuracy of the information, how it is kept secure, and how it is used and disclosed. It also provides rights to individuals to access and correct the information organisations and government agencies hold about them. Where an individual feels that an agency or organisation has handled their personal information in a way that does not comply with the requirements of the Privacy Act, that individual can make a complaint to the OAIC alleging an interference with their privacy.[9]
13. The Privacy Act, however, is not a complete legislative response to the requirements of Article 17 of the ICCPR. First, a number of entities and practices are exempt from the requirements of the Privacy Act (see paragraph 35 below). Second, the protection of personal information is just one aspect of privacy. Other types of privacy can include territorial privacy, physical or bodily privacy and the privacy of communications. In this context, the OAIC acknowledges the existence of other laws which touch on privacy issues to some extent.[10]

Privacy reform

14. In 2006, the ALRC was asked to inquire into and report on the extent to which the Privacy Act and related laws continued to provide an effective framework for the protection of privacy in Australia.[11] The ALRC's review of privacy culminated in the release in 2008 of the ALRC Report which made 295 recommendations in relation to privacy regulation in Australia.[12] The ALRC Report contains a number of specific recommendations in relation to the creation of a statutory cause of action for serious invasion of privacy.[13]
15. The Government indicated that it intended to respond to the 295 recommendations in the ALRC report in two stages, and that consideration of a statutory cause of action for serious invasion of privacy would form part of the second stage.
16. In October 2009, the Government released Enhancing National Privacy, Australian Government First Stage Response to the Australian Law Reform Commission Report 108 (October 2009) (First Stage Response) which dealt with 197 of the ALRC's 295 recommendations.[14] The Government has now released the Issues Paper seeking comment from interested stakeholders on various questions relating to the possible introduction of a statutory cause of action for serious invasion of privacy.
17. Both the New South Wales Law Reform Commission (NSWLRC) and Victorian Law Reform Commission (VLRC) have also conducted recent inquiries into privacy protection,[15],[16] with both recommending the creation of statutory causes of action for invasion of privacy.[17],[18]
18. The Issues Paper outlines these recommendations by the ALRC, NSWLRC and VLRC. It also summarises the position with respect to invasions of privacy in international jurisdictions.

Comparing the law reform commission models

ALRC model

19. The ALRC Report recommended that federal legislation provide for a statutory cause of action for serious invasion of privacy.[19] The ALRC proposed a two-limb test for establishing liability under the cause of action:
    • a reasonable expectation of privacy, and
    • the act or conduct complained of is highly offensive to a reasonable person of ordinary sensibilities.
20. In determining whether an individual's privacy has been invaded for the purposes of the cause of action, the model also required the court to take into account whether the public interest in maintaining the claimant's privacy outweighs other matters of public interest (including the interest of the public to be informed about matters of public concern and the public interest in allowing freedom of expression).
21. The model also set out a limited number of defences to the cause of action, as well as a broad range of remedies.

NSWLRC model

22. The NSWLRC also recommended the creation of a statutory cause of action for invasion of privacy. Under the draft Civil Liability Amendment (Privacy) Bill annexed to the NSWLRC Report (NSWLRC draft Bill),[20] an individual's privacy would be invaded if the conduct of another person invaded the privacy that the individual was reasonably entitled to expect in all of the circumstances, having regard to any relevant public interest (including the interest of the public in being informed about matters of public concern).
23. The NSWLRC draft Bill requires the court to take into account a number of matters in determining whether an individual's privacy has been invaded, including the nature of the conduct concerned (including the extent to which a reasonable person of ordinary sensibilities would consider the conduct to be offensive) and the nature of the subject matter alleged to be private.
24. The NSWLRC draft Bill also includes defences to the cause of action and the remedies available to the court where the cause of action is established.

VLRC model

25. The VLRC recommended the creation of two statutory causes of action for serious invasion of privacy caused by misuse of surveillance in a public place:[21]
    • serious invasion of privacy by misuse of public information, and
    • serious invasion of privacy by intrusion upon seclusion.
26. The VLRC proposed a two-limb test for establishing liability for both invasions of privacy:
    • a reasonable expectation of privacy, and
    • a reasonable person would consider the conduct highly offensive.
27. The VLRC Report outlined suggested defences, including a public interest defence, and remedies.

The models compared

28. A comparison of the above models reveals the following similarities and differences on key points:
    • Both the ALRC and NSWLRC recommended a single cause of action for serious invasion of privacy, while the VLRC recommended two separate causes of action.
    • Both the ALRC and VLRC recommended essentially the same two-limb test, requiring a plaintiff to establish both a reasonable expectation of privacy and that the act or conduct complained of would be highly offensive to a person of ordinary sensibilities. In contrast, the NSWLRC model requires an overall consideration of whether the conduct of another person invaded the privacy that an individual was reasonably entitled to expect in all of the circumstances having regard to any relevant public interest. In addition, the NSWLRC model requires the court to take into account a number of matters during this overall consideration (including the offensiveness of the conduct). However, because offensiveness is only a matter to take into account rather than being a threshold requirement, the OAIC understands that it would be possible to establish the cause of action without achieving a particular objective standard of offensiveness.
    • Both the ALRC and NSWLRC models have integrated the consideration of competing public interests into the cause of action so that it is considered at the time of determining whether an actionable breach of privacy exists. Under the VLRC model, however, competing public interests would be raised by way of defence to the cause of action.

Recognition of a right to privacy in international jurisdictions

29. As noted in paragraph 18 above, the Issues Paper includes a summary of the position with respect to invasions of privacy in international jurisdictions. For example, it notes that:
    • In the United States, nearly all states now recognise a right to privacy, either at common law or as a creation of statute. The OAIC notes that the Fourth Amendment to the US Constitution also provides some protection against unreasonable searches and seizures.
    • In the European Union, Article 8 of the European Convention on Human Rights (ECHR) contains a right to private and family life, home and correspondence, and prohibits interference by a public authority with the exercise of these rights except in specified circumstances.
    • In the United Kingdom, the cause of action for breach of confidence has been extended to encompass misuse or wrongful dissemination of private information, with recent developments having been influenced by Article 8 of the ECHR.
    • In Canada, four provinces have statutory causes of action for invasion of privacy and there is no common law right to privacy.
    • In New Zealand, there is a recognised common law tort of privacy which is established by demonstrating facts in respect of which there is a reasonable expectation of privacy, and publicity having been given to those private facts which would be considered highly offensive to an objective reasonable person.

Structure of this submission

30. The OAIC's comments on the Issues Paper are structured as follows:
    • the "Executive Summary" above noting the OAIC's main suggestions
    • the "General comments" section discussing the OAIC's general observations in response to a proposed statutory cause of action for serious invasion of privacy, and
    • the "Comments in response to specific Issues Paper questions" section outlining the OAIC's comments in response to each such question raised in the Issues Paper.

---

General comments

Enhancing privacy protection

31. Australia is a party to the ICCPR, Article 17 of which provides:
    1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
    2. Everyone has the right to the protection of the law against such interference or attacks.
32. Article 17 of the ICCPR demonstrates that privacy is an important human right warranting recognition and protection.
33. Article 2 of the ICCPR sets out the obligations on parties to ensure that the rights provided for in the ICCPR are afforded to its citizens:
    1. ...
    2. Where not already provided for by existing legislative or other measures, each State Party to the present Covenant undertakes to take the necessary steps, in accordance with its constitutional processes and with the provisions of the present Covenant, to adopt such laws or other measures as may be necessary to give effect to the rights recognized in the present Covenant.
    3. Each State Party to the present Covenant undertakes:
       1. to ensure that any person whose rights or freedoms as herein recognized are violated shall have an effective remedy, notwithstanding that the violation has been committed by persons acting in an official capacity
       2. to ensure that any person claiming such a remedy shall have his right thereto determined by competent judicial, administrative or legislative authorities, or by any other competent authority provided for by the legal system of the State, and to develop the possibilities of judicial remedy
       3. to ensure that the competent authorities shall enforce such remedies when granted.
34. The Privacy Act is an example of a legislative measure adopted in Australia to give effect to the requirements of Article 17.
35. At present, however, there are a number of areas not covered by privacy regulation in Australia and it has been suggested that the Privacy Act "is not a full implementation in domestic law of the meaning of Article 17".[22]^,[23] For example, the Privacy Act does not cover the actions of individuals per se,[24] or various exempt entities (such as small businesses)[25] and acts or practices (such as journalistic[26] and political[27] acts and practices). In addition:
    • the Privacy Act only regulates information privacy and provides no protection for bodily and territorial privacy
    • there is no mandatory requirement to notify the OAIC of data breaches
    • there is uncertainty as to how the Privacy Act applies to personal information submitted via the Internet by individuals in Australia to an overseas organisation, and
    • improvements to the powers of the Australian Information Commissioner have been identified but not yet implemented.[28]
36. While the OAIC strongly supports the privacy law reform process currently underway (outlined in paragraphs 14-17 above) and notes that this process may address some of the issues identified in paragraph 35, there are still a number of areas for reform identified by the ALRC on which decisions about implementation are yet to be made.
37. In addition, the OAIC considers that not all aspects of privacy regulation that are currently outside the scope of coverage of the Privacy Act are best addressed by amending that Act. For example:
    • It may be difficult to apply the Privacy Act, which is directed to information privacy, to other types of privacy such as territorial and bodily privacy.
    • Extending the existing Privacy Act and the National Privacy Principles to cover the actions of individuals may not be practical.[29],[30] The Privacy Act has been specifically tailored to regulate the acts and practices of agencies and organisations and, as a result, the OAIC considers it is generally ill-suited in its current form to the regulation of individuals.[31] For instance, it would be difficult and undesirable to require individuals to give notice or seek consent for collection of personal information. Also, applying data quality and data security principles to personal information held by an individual could be inappropriate. Moreover, such obligations would be very difficult to enforce.
    In relation to these areas, a privacy invasion action may offer a better solution.

The role of a statutory cause of action for invasion of privacy

Enhancing privacy protection

38. While the OAIC considers that there is a need, as part of the privacy law reform process, to consider amendments to the Privacy Act to address some of the areas not covered by that Act, the OAIC appreciates that a statutory cause of action for invasion of privacy may complement those amendments. It would enhance Australia's implementation of Article 17 of the ICCPR into domestic law. Such a cause of action may address aspects of privacy regulation that remain outside the scope of coverage of the Privacy Act by, for example, permitting actions:
    • against individuals whose actions invade privacy
    • against entities that continue to fall within an exemption to the Privacy Act, and
    • in respect of invasions of privacy beyond invasions of information privacy.
39. However, the OAIC believes it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute. Privacy is a right that must be appropriately balanced against other competing rights, including the right to freedom of expression and the public interest in being informed about matters of public concern.[32]

A Complaints Model for Privacy Invasion

40. The model proposed in the Issues Paper focuses on a cause of action actionable directly to the courts. The OAIC is concerned that such a model may pose access to justice issues for a significant portion of the population, thereby limiting the benefits to be obtained from the cause of action. While making individuals subject to the requirements of the existing National Privacy Principles (and therefore the related complaints process) may not be practical (see paragraph 37 above), the OAIC believes that consideration should be given to a model where a person alleging an invasion of privacy initially complains to the OAIC (the Complaints Model for Privacy Invasion).
41. For example, the current complaints mechanism contained in the Privacy Act for privacy interferences (as enhanced by foreshadowed reforms to the Commissioner's powers)[33] could be extended to deal with complaints for privacy invasion, the elements of which could be articulated in the Privacy Act. The key features of the current privacy interference complaints model are:
    • a complaint is assessed to determine whether the OAIC has jurisdiction to investigate and if so, whether the complaint should be investigated, whether enquiries should be conducted or whether it should be summarily dismissed
    • if the complaint is not summarily dismissed, the complaint is investigated to enable the OAIC to decide whether to proceed to conciliation or to cease investigation and close the complaint
    • if the complaint proceeds to conciliation, OAIC staff work with the parties in an attempt to conciliate the complaint to the satisfaction of both parties
    • if the complaint is not resolved at conciliation, the OAIC may either proceed to make a determination in the matter, or may decline to make a determination and close the complaint
    • both a determination and a decision to close a complaint and not proceed to determination can be reviewed under the Administrative Decisions (Judicial Review) Act 1977 (Cth)
    • a determination made against an agency involving the payment of financial compensation is reviewable by the Administrative Appeals Tribunal
    • following a determination, either the complainant or the OAIC can commence proceedings in the Federal Court or Federal Magistrates Court to enforce a determination. This process involves the court dealing by way of a hearing de novo with the question of whether the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant.
    Key enhancements to this model foreshadowed in the Government's First Stage Response include:
    • improved powers under s 41 of the Privacy Act to not investigate or further investigate complaints, including where investigation is not warranted having regard to all the circumstances[34]
    • permitting a party to make an application directly to the Federal Court alleging interference with their privacy where the Commissioner decides not to investigate a complaint further following an unsuccessful conciliation[35]
    • permitting a party to apply to the Administrative Appeals Tribunal for merit review of any determination made by the Commissioner.[36]
42. In the context of unsuccessful conciliation, the Government's First Stage Response states that "where the Privacy Commissioner decides not to investigate or further investigate the complaint and any parties to the complaint are not satisfied with this decision, they will have the ability to make an application directly to the Federal Court alleging interference with their privacy".[37] If this same approach is adopted in relation to the Complaints Model for Privacy Invasion, it may be that only a small set of complaints proceed to the courts (being those in which the Commissioner sees no merit in proceeding with the complaint). However, other options are available to allow the courts a greater role in providing guidance in this new area of law. One option is to authorise the Commissioner to refer a question of law to the Federal Court for guidance, on either the application of a party to the complaint or the Commissioner's own initiative.[38]
43. Another option would be a private right of action based on s 98 of the Privacy Act. That section provides that the Commissioner or any other person may apply to the Federal Court or Federal Magistrates Court for an injunction to restrain a person from engaging in conduct that contravenes the Privacy Act. This option may detract from the proposed Complaints Model for Privacy Invasion, which the OAIC supports. A private right of action modelled on s 98 might also be thought to derogate from free speech.[39] On the other hand, the OAIC notes that s 98 has been used successfully only twice since its enactment.[40]
44. A complaints approach coupled with court access in limited circumstances provides the dual benefits of increasing access to justice through a free complaints process, and providing a role for the courts. The Complaints Model for Privacy Invasion utilises the OAIC's existing processes and expertise in conciliating privacy complaints. The Model is also consistent with the emphasis in federal law on alternative dispute resolution.[41] Further, the Complaints Model for Privacy Invasion conforms with Article 2(3)(b) of the ICCPR, which requires each party to undertake to ensure that any person claiming a remedy shall have their right determined by competent judicial, administrative or legislative authorities.
45. Legislation creating a statutory cause of action for privacy invasion is likely to overlap with the existing scheme in the Privacy Act for privacy interference complaints.[42] That is, it is likely that some privacy breaches could be pursued under either the statutory cause of action or the existing scheme in the Privacy Act. Complainants should not be permitted to pursue both options simultaneously and a mechanism facilitating an election or stay of one action may be required, particularly if an invasion of privacy is directly actionable to the courts. This possibility of overlap is a consideration in the OAIC's preference for a Complaints Model for Privacy Invasion to be adopted.
46. While the OAIC supports the approach outlined in paragraphs 38-45 comprising amendments to the Privacy Act together with adoption of the Complaints Model for Privacy Invasion, the OAIC has answered the questions raised in the Issues Paper primarily on the basis that any cause of action adopted may be actionable directly to the courts.

Framing the cause of action

47. Subject to any other constraints, it may be possible to frame the additional protection for privacy represented by a statutory cause of action as a legal right, being a right to not have one's privacy invaded. However, the OAIC considers it appropriate to provide this additional protection by way of a right to take action, as contemplated by the Issues Paper (or, if a Complaints Model for Privacy Invasion is adopted, to make a complaint). As noted above, the right to privacy is not absolute and must be balanced against other competing rights. Framing this additional protection as a right to take action (or make a complaint) caters for this requirement by allowing more precise formulation of elements giving rise to the protection.

Role of OAIC

48. Given the OAIC's role in privacy regulation, it is appropriate to consider a number of possible roles that the OAIC might play if a statutory cause of action for invasion of privacy is introduced.
49. As suggested above, there is merit in considering a complaint handling role for the OAIC. Given the OAIC's considerable experience in handling and resolving privacy interference complaints over many years, the OAIC is well-placed to take on this additional complaint-handling role.
50. If a cause of action is actionable to the courts (either directly or following an initial complaint to the OAIC), the OAIC sees merit in legislating to permit the Australian Information Commissioner to have the option of the following roles in proceedings:
    • a right to intervene in proceedings (or alternatively to seek the leave of the court to intervene)
    • a right to seek the leave of the court to act in the role of amicus curiae in the proceedings.
51. In relation to an intervener role, the OAIC favours permitting intervention as of right. The OAIC notes, as an example, that the President of the NSW Anti-Discrimination Board has the right to intervene in proceedings of the NSW Industrial Relations Commission if the President establishes that the proceedings concern unlawful discrimination under the Anti-Discrimination Act 1977 (NSW).[43] Alternatively, legislation gives the Australian Human Rights Commission the function of intervening in court matters with the leave of the court and subject to any conditions imposed by the court.[44]
52. In relation to an amicus curiae role, the OAIC notes that legislation grants this role to the various Commissioners of the Australian Human Rights Commission in specified circumstances.[45] These circumstances include proceedings where the orders sought may affect to a significant extent the human rights of non-parties, proceedings that may have significant implications for the administration of the relevant Act, and proceedings where it is in the public interest for the Commissioner to assist the court. The OAIC considers that it may be appropriate for an amicus curiae function to be available to the Australian Information Commissioner in analogous circumstances.

---

Comments in response to specific Issues Paper questions

Question 1 - Do recent developments in technology mean that additional ways of protecting individuals' privacy should be considered in Australia?

53. Since its enactment over twenty years ago, the Privacy Act has operated against a backdrop of significant change particularly associated with the "information age" and the rise of the Internet. The Internet, for example, means that information is easy to access and publish; it is searchable, downloadable and reusable and can remain in circulation indefinitely. Personal information made available online can be difficult to recoup, delete or control. The wide availability of the Internet in Australia[46] allows a significant number of individuals to access this information.
54. Other examples of significant change include increases in surveillance and the use of biometric technology.
55. These technological developments have created privacy challenges in relation to the protection of information privacy. Privacy breaches can now occur in an increased number of ways and the potential scale of breaches has increased as has the potential impact of and damage caused by such breaches. In addition, there is uncertainty as to how the Privacy Act applies to personal information submitted via the Internet by individuals in Australia to an overseas organisation.
56. Further, and as noted at paragraph 35 above, the Privacy Act is limited in the protection it offers to the acts or practices of agencies and organisations covered by the Act. As well as providing exemptions for a number of entities, acts and practices, the Privacy Act is limited to protecting information privacy. It does not, for example, protect invasions of bodily or territorial privacy. Technological developments have similarly increased the scope and methods by which these other types of privacy may be invaded, and the potential impact and damage caused by such invasions.
57. For these reasons, the OAIC considers that recent developments in technology mean that consideration should be given to providing for additional ways of protecting individuals' privacy in Australia. In addition to legislative amendments to enhance privacy regulation to include entities and practices not currently covered by the Privacy Act, mandatory data breach notification could be introduced which would assist in minimising the impact and damage of breaches - it would ensure that privacy breaches are investigated and that individuals are made aware when a breach may have compromised their personal information.

Question 2 - Is there a need for a cause of action for serious invasion of privacy in Australia?

58. Privacy is an important, internationally-recognised human right warranting specific recognition and protection (see paragraph 32 above). At present, however, there are a number of areas not currently covered by privacy regulation in Australia (see paragraph 35 above).
59. While the OAIC strongly supports the privacy law reform process currently underway, noting that this process may address some of the areas not currently covered by the Privacy Act, the OAIC appreciates that a statutory cause of action for invasion of privacy may complement this reform process and address outstanding areas. For example, such a cause of action would permit actions:
    • against individuals whose actions invade privacy
    • against entities that continue to fall within an exemption to the Privacy Act, and
    • in respect of invasions of privacy beyond invasions of information privacy.
60. However, the OAIC is concerned to ensure that any cause of action is formulated in a way that does not limit the benefits to be obtained from it.
61. The OAIC has identified three primary concerns that it believes warrant further consideration. In summary, these are:
    • Access to justice: If the cause of action is actionable directly to the courts, sections of the public who are not in a position to access the civil justice system may be unable to enforce their rights. This could mean the cause of action does not achieve its goal of providing effective broader legislative protection for privacy and a remedy against privacy invasion for all Australians. For this reason, the OAIC recommends the adoption of a Complaints Model for Privacy Invasion (see paragraph 40 above).
    • Offensiveness threshold: in relation to the "seriousness" of the invasion of privacy, the OAIC queries whether limiting a cause of action to "highly offensive" conduct is unnecessarily demanding. There are likely to be cases which are meritorious but unable to meet that requirement (this is addressed further in the OAIC's response to Question 4 below).
    • Balancing rights: The OAIC believes it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute. Privacy is a right that must be appropriately balanced against other competing rights, including the right to freedom of expression and the public interest in being informed about matters of public concern. The OAIC strongly supports the need to balance competing interests (and comments on this further in response to Questions 5 and 6 below).

Question 3 - Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law? 

62. The OAIC supports any cause of action for invasion of privacy being created by statute rather than being left to develop at common law.
63. A statute avoids the uncertainty of relying on common law development, and the need to wait for courts to develop the cause of action. It also will assist in ensuring that any cause of action that is created operates uniformly throughout Australia.
64. Further, leaving development to the common law means placing reliance on court action as the exclusive forum in which legal rights are created and determined. Creating a new action via statute, however, may result in more flexibility for developing alternative mechanisms and procedures for resolving disputes, and diversifying the available remedies.

Question 4 - Is "highly offensive" an appropriate standard for a cause of action relating to serious invasions of privacy?

65. Both the ALRC and VLRC tests for establishing an invasion of privacy include a threshold requirement that the act or conduct concerned be "highly offensive" to a reasonable person.[47] In contrast, the NSWLRC draft Bill requires consideration of the offensiveness of the conduct as one of a number of relevant matters, but not as a threshold requirement.[48]
66. The OAIC agrees that the objective offensiveness of the defendant's conduct is a factor relevant to the cause of action and the OAIC supports a standard of offensiveness as a threshold requirement for establishing the cause of action. In the OAIC's view, an objective test of offensiveness as a threshold requirement allows the cause of action to become reflective of societal attitudes as they change and may serve to limit frivolous or vexatious claims. Having a threshold may also serve to allay some of the concerns identified in the ALRC Report about certain matters unintentionally falling within the scope of a statutory cause of action, such as in the case of street art.[49]
67. However, the OAIC has some concerns that a "highly offensive" threshold may be largely unattainable, preventing meritorious cases from proceeding. As an example, consider an alleged invasion of privacy where an individual erects surveillance cameras on their residential property in a manner that results in the capturing of footage from a neighbouring property. Arguably this conduct may not meet the criteria for "highly offensive", notwithstanding the fact that many people may consider it offensive and support a remedy being available to the neighbours.
68. The ALRC's reasoning in adopting a "highly offensive" standard (as opposed to a lesser standard of offensiveness) was that this threshold would help to protect freedom of expression.[50] The OAIC agrees that it is important that any statutory cause of action is formulated in a way that ensures that privacy is not privileged above other competing rights, such as freedom of expression.
69. However, a requirement to balance competing interests in considering whether an individual's privacy has been invaded (as supported by the OAIC in its response to Question 5 below) sufficiently and appropriately protects those competing interests. The OAIC considers that the additional protection of a threshold requirement of "highly offensive" conduct (as opposed to a lesser standard of offensiveness) is unnecessary.
70. The OAIC considers that the level of offensiveness of the conduct is a factor that will be very relevant to, and appropriately forms part of, a consideration of the appropriate remedy for a particular invasion of privacy. Proceedings involving conduct that was offensive to a high degree would likely attract a greater remedy (such as damages, or higher damages) than a case where the offensiveness was of a lower degree.
71. If the Complaints Model for Privacy Invasions is adopted (as suggested by the OAIC at paragraph 40 above), the OAIC suggests that it may be appropriate for the OAIC to issue guidance in relation to the issue of offensiveness, including how the requirement is to be applied and the types of conduct that would meet the objective test. This may further assist in addressing concerns outlined above about protecting competing interests such as freedom of expression. In addition, to ensure that the OAIC is able to focus on complaints that warrant investigation, the Complaints Model for Privacy Invasion should be coupled with an ability for the OAIC to decline complaints in appropriate circumstances, including on the grounds outlined in paragraph 41 above.

Question 5 - Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?

72. The OAIC believes it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute. Privacy is a right that must be appropriately balanced against other competing rights including the right to freedom of expression and the public interest in being informed about matters of public concern. The balancing process will therefore be an essential part of an appropriate cause of action for invasion of privacy.
73. The OAIC agrees with the ALRC's and NSWLRC's approach of integrating the balancing of competing public interests into the cause of action so that the balancing occurs as part of the consideration of whether the plaintiff's privacy has been invaded. The OAIC considers that it is conceptually preferable to deal with competing public interests in this way such that no invasion of privacy will exist if a competing public interest outweighs the interest in a right to privacy (rather than finding an invasion of privacy to which there is a defence).
74. The OAIC notes the VLRC's concern that integrating the consideration of competing public interests into the cause of action will require the plaintiff to prove a negative (being the lack of a countervailing public interest).[51] However, the OAIC considers that the presence or absence of competing public interests is likely to be very relevant to the consideration of whether the plaintiff has made out the elements of the cause of action. That is, the presence or absence of other public interests is likely to be relevant to whether or not the plaintiff had a reasonable expectation of privacy in the circumstances, as well as to the level of offensiveness of the act or conduct. The plaintiff will need to lead evidence - including, where relevant, in relation to countervailing public interests - to prove those elements.

Question 6 - How best could a statutory cause of action recognise the public interest in freedom of expression?

75. The OAIC considers that the public interest in freedom of expression could best be recognised by the balancing test supported by the OAIC in its response to Question 5 above. This would require courts to consider competing interests, including the public interest in freedom of expression, when considering whether the cause of action has been made out.
76. As mentioned in relation to Question 5, the OAIC believes that it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute; rather, it is a right that must be appropriately balanced against other competing rights including the right to freedom of expression and the public interest in being informed about matters of public concern.

Question 7 - Is the inclusion of "intentional" or "reckless" as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault?

77. The OAIC agrees that it is appropriate for the statutory cause of action to be available to individuals seeking redress against intentional or reckless acts. However, the OAIC suggests that further consideration be given to whether or not some negligent acts should also be included within the ambit of the cause of action. The OAIC considers that there may be cases where it would be appropriate and desirable for individuals whose privacy is invaded as a result of some negligent acts to have access to a remedy. For example, the VLRC suggested that "grossly negligent" acts be included within the ambit of its proposed cause of action, giving the example of a medical practitioner who leaves a patient's highly sensitive medical records on a train or tram.[52]
78. The OAIC also notes the NSWLRC's preference "not to lay down an absolute rule" as to the required standard of fault. The NSWLRC felt that liability is only likely to arise where the defendant has acted intentionally, but noted that there may be circumstances where a defendant ought to be liable for reckless or negligent conduct. The NSWLRC suggested that "this is a matter that is more appropriately left to development in case law".[53]
79. Whatever approach is adopted, the OAIC considers that the particular fault element involved will also be relevant to determining the appropriate remedy to be awarded.
80. The OAIC notes that no fault element is required for complaints made to the OAIC for an interference with privacy under the current provisions of the Privacy Act. A finding of an interference with privacy can be made in relation to negligent and accidental acts, as well as those which are intentional or reckless.

Question 8 - Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient?

81. The OAIC supports the inclusion in legislation of relevant matters to be taken into account by the court in considering whether the cause of action for invasion of privacy has been made out. Further, the OAIC agrees with the NSWLRC's approach of including a list of mandatory factors, as well as the option for the court to take into account any other matter it considers relevant in the circumstances.[54]
82. The OAIC sees advantages in providing explicit legislative guidance on the application of the cause of action. In particular, such guidance may assist in promoting more consistent application and development of a new cause of action. Further, if the Complaints Model for Privacy Invasions is adopted, these considerations would guide administrative decision-making.
83. In relation to the list of matters suggested by the NSWLRC, the OAIC suggests reconsideration of the following items:
    • "the conduct of the individual and of the alleged wrongdoer both before and after the conduct concerned (including any apology or offer to make amends made by the alleged wrongdoer)"[55] - the OAIC considers that the conduct of the individual and alleged wrongdoer, particularly following the conduct concerned, is an issue that is more appropriately considered in relation to remedies and possibly defences.[56]
    • "the effect of the conduct concerned on the health, welfare and emotional well-being of the individual"[57] - the OAIC considers that this matter is relevant to the question of remedies rather than whether or not the cause of action has been established. Further, if the cause of action is actionable without proof of damage,[58] it may be inconsistent to require consideration of the effect of the conduct on health and well-being as part of determining whether or not the cause of action has been made out.
    • "the nature of the conduct concerned (including the extent to which a reasonable person of ordinary sensibilities would consider the conduct to be offensive)"[59] - as discussed in the OAIC's response to Question 4, the OAIC considers that the offensiveness of the conduct of the alleged wrongdoer should form an element of the cause of action, rather than being merely a relevant matter to be taken into account by the court.

Question 9 - Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material?  If a list were to be included, should any changes be made to the list proposed by the ALRC?

84. The OAIC agrees that the legislation should contain a non-exhaustive list of the types of acts that might constitute an invasion of privacy. This achieves the dual aims of providing some guidance as to the scope of the cause of action while still allowing flexibility for the cause of action to evolve with social and technological developments. As noted in the OAIC's response to Question 1, privacy regulation operates against a backdrop of significant technological change; it is critical that the legislation be formulated in a way that allows the cause of action to evolve as the circumstances require.
85. The OAIC notes that the legislative drafting should ensure that it is clear that the list is by way of broad example only and that the elements of the cause of action will still need to be satisfied in order to establish an actionable invasion of privacy.
86. The ALRC's proposed non-exhaustive list is:[60]
    1. there has been an interference with an individual's home or family life
    2. an individual has been subjected to unauthorised surveillance
    3. an individual's correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed, or
    4. sensitive facts relating to an individual's private life have been disclosed.
87. While the OAIC agrees with each of the examples included in the list proposed by the ALRC, the OAIC considers that any statutory cause of action could cover all aspects of an individual's privacy. This includes bodily and territorial privacy in addition to information privacy. Aspects of territorial privacy are covered in items (a) and (b) of the ALRC's list, but bodily privacy is not addressed.
88. To ensure it is clear that the cause of action is intended to cover all aspects of an individual's privacy, the OAIC suggests that the list be prefaced by a statement noting that the cause of action is intended to be available in relation to invasions of any aspect of an individual's privacy, including invasions of an individual's information, territorial and bodily privacy. In addition, or in the alternative, an example of a bodily privacy invasion could be included in the list to signal an intention that such invasions are within the scope of the action (an example of an invasion of bodily privacy could be "an individual has been subjected to unauthorised genetic testing").
89. In relation to item (d) in the ALRC's proposed list ("sensitive facts relating to an individual's private life have been disclosed"), the OAIC suggests that it be made clear that the term "sensitive facts" is not limited to "sensitive information" as defined in the Privacy Act.[61] Clarifying this point will ensure that item (d) indicates an intention for information privacy to be covered generally, as well as ensuring the item is flexible and adaptable to range of circumstances.

Question 10 - What should be included as defences to any proposed cause of action?

90. The OAIC supports the inclusion in legislation of an exhaustive list of defences to the statutory cause of action. The OAIC considers that generally, each defence should be cast as narrowly as is appropriate to ensure that only the intended acts and conduct fall within its scope, and meritorious claims are not prevented from succeeding.
91. The OAIC agrees with the three defences recommended in the ALRC Report:[62]
    1. the act or conduct was incidental to the exercise of a lawful right of defence of person or property
    2. the act or conduct was required or authorised by or under law
    3. the publication of the information was, under the law of defamation, privileged.
92. However, in relation to the ALRC's proposed defence at (a) above ("the act or conduct was incidental to the exercise of a lawful right of defence of person or property"), the OAIC sees merit in adopting a qualifier so that the defence is only available where the act or conduct was a reasonable and proportionate response to the threatened harm, as suggested by the VLRC.[63] This qualifier may assist in defining the scope of this defence and ensuring it is not inappropriately applied.
93. The OAIC also sees merit in adopting an additional defence similar to the statutory defence in defamation law of "innocent dissemination", as suggested by the NSWLRC.[64] Given that the cause of action might arise in respect of intentional acts (as opposed to intentional privacy invasions), it may extend to situations in which a subordinate distributor intentionally publishes or distributes information which invades an individual's privacy, notwithstanding the fact the distributor could not reasonably have known that a privacy invasion would occur. The OAIC considers that a defence should be available in such circumstances.
94. The OAIC notes that the VLRC proposed an additional defence for public officers engaged in duty.[65] The OAIC is of the view that such scenarios may be sufficiently protected without such a defence. The fact that a particular act or conduct was performed by a public officer engaged in duty would be a relevant factor in:
    • weighing competing public interests
    • determining whether the plaintiff had a reasonable expectation of privacy, and
    • determining whether the conduct met the offensiveness threshold.
    Even in cases where a particular act or conduct performed by a public officer engaged in duty met the elements of the cause of action, and it was determined that the privacy interest outweighs other public interests, the defence that the act or conduct was "required or authorised by or under law" may be available to the public officer. The OAIC notes, however, that other relevant stakeholders may be better placed to provide relevant information about the necessity of a specific defence for public officers engaged in duty.
95. If the defences supported by the OAIC in paragraphs 91-93 above are adopted, the OAIC does not consider that any of the remaining defences raised by the NSWLRC or VLRC are necessary.[66] The OAIC is of the view that the defences supported by the OAIC, together with the elements of the cause of action and the requirement to balance competing public interests, provide adequate safeguards to ensure unmeritorious claims do not succeed.
96. Although the OAIC recommends that the balancing of competing interests should be integrated into the cause of action,[67] if it is determined otherwise, the OAIC suggests in the alternative that conduct in the public interest should be an additional defence to the cause of action as proposed by the VLRC.[68]

Question 11 - Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application?

97. The OAIC considers that there should be no exemptions to the statutory cause of action. The elements of the cause of action (balancing competing public interests, reasonable expectation of privacy, and offensiveness of the conduct) together with an exhaustive list of defences provide adequate protection from unmeritorious actions for individuals and entities engaged in legitimate activities.
98. The OAIC notes that given the exemptions that currently exist in the Privacy Act, a situation is likely to emerge if a cause of action is adopted where certain entities, acts or practices are actionable under the statutory cause of action and not under the current privacy interference complaints regime in the Privacy Act. The OAIC does not foresee any difficulties with this dichotomy, even if the Complaints Model for Privacy Invasions is adopted (as suggested by the OAIC at paragraph 40), resulting in complaints to the OAIC under both regimes. Situations where a complaint could be made under either regime are discussed at paragraph 45 above.
99. However, if the new cause of action is to be included within the Privacy Act, the legislation will need to make clear that the existing Privacy Act exemptions do not apply to the cause of action.

Question 12 - Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action?

100. The OAIC supports the ALRC's view that the court should be able to apply a remedy that is most appropriate to the circumstances of the case, without being limited by the jurisdictional restraints that may apply under the general law.[69]
101. The OAIC also generally agrees with the remedies recommended by the ALRC.[70] However, the OAIC sees merit in further consideration being given to using less legalistic language,[71] noting that other stakeholders may be best placed to comment on this issue.
102. The OAIC considers that in addition to the remedies recommended by the ALRC, the court should be able to make ancillary orders, such as property preservation orders and search orders. This could be achieved either by expressly articulating this relief, or by including a general "such other relief as the Court considers necessary in the circumstances" provision (as recommended by the NSWLRC).[72]
103. If the Complaints Model for Privacy Invasions is adopted (as suggested by the OAIC at paragraph 40), a complainant could be eligible for a remedy determined by a Commissioner of the OAIC. The OAIC suggests that there should be a flexible range of powers and remedies available to it, including powers and remedies analogous to those available in the Privacy Act (as enhanced by any changes to the Commissioner's powers as foreshadowed by the Government's First Stage Response - see paragraph 41 above) in relation to complaints about interferences with privacy. This would include the power to investigate and conciliate complaints, and to make a determination that includes:
     • a declaration that certain conduct was an invasion of privacy
     • a declaration that the respondent should perform an act to redress loss or damage, and
     • a declaration that the plaintiff is entitled to compensation.

Question 13 - Should the legislation prescribe a maximum award of damages for non-economic loss, and if so, what should that limit be? 

104. On balance, the OAIC suggests that no maximum award of damages for non-economic loss be prescribed in the legislation.
105. Prescribing a limit may have the effect of focusing attention on that upper limit and implying that serious privacy invasions should result in a payout of that magnitude. Further, the OAIC notes that the Australian Information Commissioner's power under s 52 of the Privacy Act to declare in a determination the amount of compensation to which a complainant is entitled is not capped.
106. This is in contrast to the position under defamation law where damages for non-economic loss are capped.[73] While not supporting a cap in the context of an invasion of privacy, the OAIC considers that it would be appropriate for the court to obtain guidance from the award of damages in defamation actions, and considers that an amount greater than the cap on damages for defamation actions would be awarded only in extraordinary circumstances.

Question 14 - Should any proposed cause of action require proof of damage?  If so, how should damage be defined for the purposes of the cause of action? 

107. The OAIC recommends that the cause of action should be actionable without proof of damage. The OAIC agrees with the ALRC's view that as a human right, an action for invasion of privacy should not be dependent on proving damage.[74]

Question 15 - Should any proposed cause of action also allow for an offer of amends process? 

108. The OAIC supports the inclusion of a mechanism which encourages the early resolution of disputes.
109. As the Issues Paper notes,[75] an "offer of amends" approach is consistent with the policy intent behind the new Civil Dispute Resolution Act 2011 (Cth) (CDRA), legislation which the OAIC notes was enacted after the reports of the ALRC, NSWLRC and VLRC. The CDRA requires parties to file a statement setting out the steps they have taken to attempt to resolve a dispute prior to litigation and applies to most proceedings commenced in the Federal Court and Federal Magistrates Court.
110. While supporting in principle an offer of amends process, the OAIC considers that the offer of amends model that exists in the defamation context[76] may need to be adapted in order to function appropriately in the privacy context. In particular:
     • If a Complaints Model for Privacy Invasions is adopted (as suggested at paragraph 40 above), the conciliation mechanism this involves (see paragraph 41 above) will encourage and facilitate the early resolution of disputes. Notwithstanding this process, the OAIC notes that it may still be useful to make available an offer of amends process where court proceedings follow the complaints process given that parties' circumstances can change in the interim period.
     • Consideration should be given to how the offer requirements in the defamation model will be adopted in the privacy context, noting that certain mandatory requirements in the defamation process are not immediately appropriate in all privacy contexts (such as an offer to publish a reasonable correction in the context of a territorial privacy invasion, and an offer to take reasonable steps to inform people to whom the material has been distributed that it is or may be defamatory).
     • If the cause of action is actionable to the Federal courts only (as opposed to State and Territory courts), the OAIC suggests that consideration should be given as to whether an offer of amends process is necessary in addition to the requirements of the CDRA and if so, how the two processes would interact. The OAIC notes that defamation actions (in which an offer of amends process applies) are generally actionable to State and Territory courts where the requirements of the CDRA do not apply.

Question 16 - Should any proposed cause of action be restricted to natural persons?

111. The OAIC recommends that the proposed cause of action should only be available to natural persons. The OAIC agrees with the ALRC that extending the protection of a human right to a non-human entity is inconsistent with the fundamental approach of Australian privacy law.[77]

Question 17 - Should any proposed cause of action be restricted to living persons?

112. The OAIC notes that the Australian Government's First Stage Response to the ALRC Report did not accept recommendations from the ALRC to extend provisions in the Privacy Act to the personal information of deceased people.[78] To ensure consistency with this position, the OAIC considers that the statutory cause of action should be restricted to living persons.

Question 18 - Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced? 

113. A complaint of privacy interference can be made within 12 months from the date the applicant became aware of the relevant act or conduct. The Commissioner then has a discretion as to whether or not to investigate a complaint of privacy interference made after this date.[79]
114. The OAIC sees merit in adopting a similar and consistent approach in relation to actions for privacy invasion (or complaints if a Complaints Model for Privacy Invasions is adopted, as suggested at paragraph 40 above); that is, an approach that requires an action (or complaint) for invasion of privacy to be commenced within 12 months from the date the applicant became aware of the relevant act or conduct, with a discretion allowing an action to be brought outside the 12 month period.
115. The OAIC prefers the approach of calculating the time period from the date the applicant became aware of conduct, as opposed to the date that the relevant act or practice occurred.[80] The OAIC notes, for example, that advances in surveillance technology mean that individuals may not be aware that their privacy has been invaded for some time after the conduct occurred. The OAIC is of the view that such individuals should not be prevented from commencing an action for invasion of privacy (or making a complaint).

Question 19 - Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy? 

116. The OAIC is in favour of the Federal Court and Federal Magistrates Court being granted jurisdiction to hear and determine claims.
117. If a Complaints Model for Privacy Invasions is adopted (as proposed at paragraph 40 above), the OAIC supports the Federal Court and Federal Magistrates Court being granted jurisdiction to hear and decide any matters that progress to the courts under that model.
118. The OAIC notes that the Federal Court and Federal Magistrates Court are the courts with jurisdiction to hear matters under the current Privacy Act.

Additional issue - interaction between Commonwealth and State laws

119. The Issues Paper also asks the following questions:
     • If a statutory cause of action is to be legislated, should it be established in Commonwealth and/or State and Territory law?[81]
     • What should be the relationship between any Commonwealth law and State and Territory laws in relation to the cause of action?[82]
120. A major concern in relation to privacy laws at a State and Territory level is the interaction of these laws with Commonwealth legislation and whether inconsistency and fragmentation in coverage will arise.
121. The OAIC therefore considers that any cause of action should be introduced in a manner that:
     • does not contribute to inconsistent and fragmented privacy regulation in Australia, and
     • does not provide a situation where plaintiffs can forum-shop.
122. Subject to any constitutional restraints, the OAIC considers that consistent development of the law would be best achieved by introducing any statutory cause of action into Commonwealth law, with the Federal courts having jurisdiction to hear matters arising under the provisions. If a Complaints Model for Privacy Invasions is adopted, this would similarly be best included in Commonwealth legislation and the OAIC sees merit in achieving this by its inclusion in the Privacy Act.
123. The OAIC notes that if uniform legislation is adopted by the States, it may be necessary for any cause of action brought under that legislation to be actionable to local, district or supreme courts in the relevant State or Territory. A risk with this approach is the emergence of differing judicial interpretations of the legislation in each jurisdiction. A further risk with uniform legislation is fragmentation arising from the adoption in some States of variations to the legislation.

---

---

Footnote

[1] Issues Paper - A Commonwealth statutory cause of action for serious invasion of privacy (Issues Paper), available at http://www.dpmc.gov.au/privacy/causeofaction/.

[2] ALRC Report 108 For Your Information, Privacy Law and Practice (ALRC Report), available at http://www.alrc.gov.au/publications/report-108. See recommendations 74-1 to 74-7 (reproduced in the Issues Paper pp 54-55).

[3] Issues Paper - A Commonwealth statutory cause of action for serious invasion of privacy (Issues Paper), available at http://www.dpmc.gov.au/privacy/causeofaction/.

[4] ALRC Report 108 For Your Information: Australian Privacy Law and Practice (ALRC Report), available at http://www.alrc.gov.au/publications/report-108.

[5] See ALRC Report recommendations 74-1 to 74-7 (reproduced in the Issues Paper pp 54-55).

[6] Article 12 provides: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

[7] Article 17 provides:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

[8] "Personal information" is defined in the Privacy Act s 6.

[9] Generally speaking, agencies are required to comply with the requirements of the Information Privacy Principles (IPPs - Privacy Act s 14), while organisations (as defined in the Act) are required to comply with the National Privacy Principles (NPPs - Privacy Act, Schedule 3). Sections 13 and 13A identify when an act or conduct will constitute an interference with the privacy of an individual, which includes when an act or conduct breaches the IPPs (in the case of agencies) or the NPPs (in the case of organisations).

[10] For example the Telecommunications (Interception and Access) Act 1979 (Cth).

[11] The Terms of Reference for the ALRC's Review of the Privacy Act 1988 are available at http://www.alrc.gov.au/inquiries/privacy/terms-of-reference.

[12] ALRC Report, available at http://www.alrc.gov.au/publications/report-108.

[13] See ALRC Report recommendations 74-1 to 74-7 (reproduced in the Issues Paper pp 54-55).

[14] Enhancing National Privacy, Australian Government First Stage Response to the Australian Law Reform Commission Report 108 (October 2009) (First Stage Response) is available at http://www.dpmc.gov.au/privacy/reforms.cfm.

[15] NSWLRC Report 120 (Invasion of Privacy) (NSWLRC Report) is available at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r120toc.

[16] VLRC Report 18 (Surveillance in Public Places) (VLRC Report) is available at http://www.lawreform.vic.gov.au/wps/wcm/connect/justlib/Law+Reform/Home/Completed+Projects/Surveillance+in+Public+Places/LAWREFORM+-+Surveillance+in+Public+Places+-+final+report .

[17] See NSWLRC Report, Appendix A: draft Civil Liability Amendment (Privacy) Bill (NSWLRC draft Bill) (reproduced in the Issues Paper pp 56-63).

[18] See VLRC Report recommendations 22-33  (reproduced in the Issues Paper pp 64-65).

[19] See ALRC Report recommendations 74-1 to 74-7.

[20] See the NSWLRC Report (the NSWLRC draft Bill is also reproduced in the Issues Paper pp 56-63).

[21] See VLRC Report recommendations 22-33.

[22] See ALRC Report paragraphs 74.15. See also ALRC Report paragraph 74.14 which discusses the United Nations High Commissioner for Human Rights' General Comment 16 which states that Article 17 should protect citizens against all interferences and attacks on privacy, family, home or correspondence "whether they emanate from State authorities or from natural or legal persons", and that "state parties are under a duty themselves not to engage in interferences inconsistent with Article 17 and to provide the legislative framework prohibiting such acts by natural or legal persons".

[23] As noted in paragraph 13 above, the OAIC acknowledges the existence of other laws which touch on privacy issues to some extent.

[24] Individuals are covered in limited circumstances, such as where the individual is also an organisation (such as a sole trader with an annual turnover of greater than $3 million), and where an individual handles tax file numbers.

[25] See Privacy Act ss 6C(1) and 6D.

[26] See Privacy Act s 7B(4).

[27] See Privacy Act s 7C.

[28] See the Government's First Stage Response pp 91-98. Draft legislation implementing the foreshadowed changes to the Information Commissioner's powers is yet to be released.

[29] In the context of blog and other online posts, the ALRC Report stated at paragraph 11.21: "It is not practical or desirable to expand the scope of the Privacy Act to regulate individuals acting in a non-commercial capacity. There are other methods that could deal more appropriately with situations where an individual acting in a personal capacity interferes with another individual's privacy. In Chapter 74, the ALRC recommends that the Privacy Act be amended to include a statutory cause of action for serious invasion of privacy... the recommended statutory cause of action may be used against an individual acting in a non-commercial capacity..."

[30] The former OPC's Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31 (Feb 2007), available at http://www.privacy.gov.au/materials/types/submissions/view/6757 stated at p 428, paragraph 53: "the Privacy Act... is ill-suited to the regulation of individuals in their personal capacity.  For instance, it would be difficult and undesirable to require individuals to give notice or seek consent for collection of personal information".

[31] The OAIC notes that the acts and practices of individuals are regulated in limited circumstances, such as where an individual meets the definition of organisation (e.g. a sole trader with an annual turnover greater than $3million).

[32] The OAIC comments further on competing public interests in response to Questions 5 and 6.

[33] See the Government's First Stage Response pp 91-98.

[34] See the Government's First Stage Response p 91 - response to recommendation 49-1.

[35] See the Government's First Stage Response pp 92-93 - response to recommendation 49-5.

[36] See the Government's First Stage Response p 94 - response to recommendation 49-7.

[37] See the Government's First Stage Response pp 92-93 - response to recommendation 49-5.

[38] Similar to the ability granted to the Australian Information Commissioner by s 55H of the Freedom of Information Act 1982 (Cth) in relation to Information Commissioner reviews.

[39] For example, see Rolph, D Align this tort with defamation remedies, appearing in The Australian p 29 on 30 September 2011.

[40] See Smallbone v New South Wales Bar Association [2011] FCA 1145 and Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance [2004] FCA 637.

[41] See Attorney-General's Department, A Strategic Framework for Access to Justice in the Federal Civil Justice System (2009). The Civil Dispute Resolution Act 2011 (Cth) (CDRA) applies to most proceedings commenced in the Federal Court and Federal Magistrates Court, and requires parties to file a statement setting out the steps they have taken to attempt to resolve a dispute prior to litigation.

[42] See Privacy Act ss 13 and 13A and Part V.

[43] See Industrial Relations Act 1996 (NSW) s 167.

[44] See Australian Human Rights Commission Act 1986 (Cth) s 11(1)(o).

[45] See Australian Human Rights Commission Act 1986 (Cth) s 46PV.

[46] See the Issues Paper p 10.

[47] See ALRC Report recommendation 74-2 and VLRC Report recommendations 25 and 26.

[48] See NSWLRC draft Bill s 74(3)(a)(ii).

[49] See ALRC Report paragraph 74.136.

[50] See ALRC Report paragraph 74.135.

[51] See VLRC Report paragraph 7.180.

[52] See VLRC Report paragraph 7.148.  The NSWLRC Report also refers to a situation where a doctor is grossly negligent in disclosing medical records of a patient (paragraph 5.56).

[53] See NSWLRC Report paragraph 5.56.

[54] See NSWLRC Report s 74(3).

[55] See NSWLRC draft Bill s 74(3)(vi).

[56] An offer of amends may be relevant to the question of defences if an offer of amends process similar to that in defamation law is adopted.

[57] See NSWLRC draft Bill s 74(3)(vii).

[58] See discussion under Question 14 below.

[59] See NSWLRC draft Bill s 74(3)(ii).

[60] See ALRC Report recommendation 74-1.

[61] "Sensitive information" is defined in s 6 of the Privacy Act as:

• information or an opinion about specified aspects of an individual such as racial or ethnic origin, political opinions or memberships, religious beliefs or sexual preferences
• health information about an individual, or
• genetic information about an individual

Notably, the definition does not refer to other items of information that the community may consider "sensitive", such as financial information.

[62] See ALRC Report recommendation 74-4.

[63] See VLRC Report paragraph 7.157.

[64] See NSWLRC draft Bill s 75(1)(d): it is a defence to a privacy invasion action if the defendant proves that the conduct of the defendant was the publication of matter in circumstances where:

1. the defendant published the matter merely in the capacity, or as an employee or agent, of a subordinate distributor, and
2. the defendant neither knew, nor ought reasonably to have known, that the publication of the matter constituted an invasion of privacy, and
3. the defendant's lack of knowledge was not due to any negligence on the part of the defendant

"Subordinate distributor" has the same meaning as in s 32 of the Defamation Act 2005: a person is a subordinate distributor if the person:

1. was not the first or primary distributor of the matter, and
2. was not the author or originator of the matter, and
3. did not have any capacity to exercise editorial control over the content of the matter (or over the publication of the matter) before it was first published.

[65] See VLRC Report paragraphs 7.160-7.161.

[66] These defences include:

• NSWLRC Report: fair report (s 75(1)(c)(ii), "qualified privilege in the law of defamation at least as it existed at common law before Lange v Australian Broadcasting Corporation (1997) 189 CLR 520" (s 75(1)(e))
• VLRC Report: consent, public interest, fair comment (see recommendations 27 and 28).

[67] See the OAIC's response to Questions 5 and 6 above; see also ALRC Report recommendation 74-2 and NSWLRC draft Bill s 74(2).

[68] See VLRC Report paragraphs 7.170-7.187 and recommendations 27(f) and 28(e).

[69] See ALRC Report recommendation 74-5.

[70] See ALRC Report recommendation 74-5.

[71] See NSWLRC Report paragraphs 7.2 and 7.3: "by identifying the remedies as orders that take their nature from the statute rather than from the general law, the legislation intends to empower courts to determine when the principles and rules applicable to analogous remedies at general law should apply and when they should be rejected ... use of the traditional language of "damages" and "injunctions" obscured the point.  The Bill makes it clear that the remedies it authorises are an order for compensation (not damages)... and a prohibitory order (not an injunction)..."

[72] See NSWLRC draft Bill s 76(1)(e).

[73] The Uniform Defamation Law (e.g. Defamation Act 2005 (NSW) s 35) limits damages for non-economic loss to $250,000 (as indexed) unless a Court is satisfied that aggravated damages are also payable.

[74] See ALRC Report paragraph 74.168 and recommendation 74-3(b).

[75] Issues Paper p 47.

[76] The Uniform Defamation Law (e.g. Defamation Act 2005 (NSW) ss 12-19) deals with "offers to make amends". An offer to make amends must offer to publish a reasonable correction, must offer to take reasonable steps to inform people to whom the material has been distributed that it is or may be defamatory and must include an offer to pay reasonable expenses incurred by the plaintiff before the offer and in considering the offer. The offer may make any other offer including to pay compensation or publish an apology. A defence to the defamation action arises where the plaintiff does not accept an offer which meets a number of requirements including that it is "reasonable in all the circumstances".

[77] See ALRC Report paragraph 74.160 and recommendation 74-3(a).

[78] ALRC Report Chapter 8 and recommendations 8-1 to 8-3; Government Response pp 28-29.

[79] Privacy Act s 41(1)(c).

[80] The NSWLRC and VLRC both recommended the time be calculated from the date on which the relevant act or practice occurred - see NSWLRC Report paragraphs 9.1-9.2 and VLRC Report paragraphs 7.243-7.248.

[81] See Issues Paper p 29.

[82] See Issues Paper p 31.