Part 11: Statutory tort
57. Is a statutory tort for invasion of privacy needed?
58. Should serious invasions of privacy be addressed through the criminal law or through a statutory tort?
11.1 The OAIC supports the proposal to enhance Australia’s privacy framework by including additional remedies for invasions of privacy. A statutory tort for serious invasions of privacy would be an important addition to the suite of regulatory measures needed to address online harms. This includes the serious risks that can be posed to individuals’ privacy by private individuals and entities who publish, disseminate and duplicate information, including through the use of live streaming technologies.
11.2 This would generally align with previous findings and recommendations that Australia’s privacy framework should include additional remedies for invasions of privacy, including recommendation 19 in the ACCC’s Digital Platform’s Inquiry final report. It would also complement the proposal to introduce a direct right of action for individuals.
11.3 Importantly, a statutory tort would provide greater coverage and protection to individuals in line with Article 17 of the ICCPR. Article 17 provides that:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
11.4 As recommended above in relation to the direct right of action, the OAIC considers that the statutory tort be supplemented by legislative powers for the OAIC to be notified of, to exercise a right to intervene in proceedings, and to seek the leave of the court to act in the role of amicus curiae in the proceedings. This will be important where proceedings have the potential to impact the evolution of the Privacy Act and privacy jurisprudence and policy.
Recommendation 57 – Introduce a statutory tort for serious invasions of privacy into Australia’s privacy framework.
Recommendation 58 – Supplement the statutory tort with legislative powers for the OAIC to be notified of, to exercise a right to intervene in proceedings, and to seek the leave of the court to act in the role of amicus curiae in the proceedings.
59. What types of invasions of privacy should be covered by a statutory tort?
60. Should a statutory tort of privacy apply only to intentional, reckless invasions of privacy or should it also apply to breaches of privacy as a result of negligence or gross negligence?
11.5 Privacy regulation operates against a backdrop of significant technological change. It is therefore critical that the legislation is formulated in a way that allows a cause of action or complaint to evolve as the circumstances require.
11.6 The ALRC previously recommended that a statutory tort cover two types of invasion of privacy: intrusion into seclusion (including by unlawful surveillance) and misuse of private information (whether true or not).
11.7 The OAIC considers that the tort should be framed flexibly to ensure that Article 17 of the ICCPR is fully implemented and that it is able to respond to the complete range of serious privacy invasive conduct that arises over time in a wide range of settings. Particularly, the mechanism should be technology neutral, in order to address privacy invasive acts and practices that may emerge as a result of technological and consequential social trends. A limited tort may be less able to adapt and apply flexibly to changing technologies and practices than a more general and comprehensive tort that applies to all serious invasions of privacy.
11.8 Further, enacting a limited tort that deals only with specific types of privacy invasion risks leaving gaps in privacy protection. For example, it is not clear that this proposed tort would provide a remedy in the case of serious invasion of an individual’s bodily privacy (such as in the case of unauthorised bodily testing). While the majority of serious privacy invasions may fall within the two proposed categories, some will not and this will create further fragmentation in privacy protections.
11.9 Similarly, the OAIC does not support the cause of action being confined to intentional or reckless invasions of privacy. Negligent acts should also be covered to avoid unnecessarily limiting the application of the tort to different circumstances that may result in serious privacy invasions. To accommodate this, the tort should not specify a fault element.
Recommendation 59 – Enact a single and comprehensive tort, rather than confining the tort to intrusion upon seclusion and misuse or disclosure of private information.
Recommendation 60 – Enact a tort that does not specify a fault element to ensure it covers intentional, reckless and negligent acts.
61. How should a statutory tort for serious invasions of privacy be balanced with competing public interests?
11.10 Previous reports into a proposed cause of action have considered that the tort will need to be formulated in a way that recognises that the right to privacy is not absolute. The right to privacy will need to recognise other competing rights, including the right to freedom of expression and the public interest in being informed about matters of public concern. The recognition of these other rights and interests will therefore be an essential part of a mechanism to redress serious privacy invasion.
11.11 The OAIC supports integrating the recognition of other public interests as part of the consideration of whether an individual’s privacy has been seriously invaded. This may be a conceptually preferable way of ensuring that all relevant public interests are considered before any decision is reached that there was a serious invasion of privacy. It is preferable to raising a particular public interest consideration as a defence to a finding that an invasion of privacy has occurred.
Recommendation 61 – Include a requirement to weigh other public interests, including the right to freedom of expression and the public interest in being informed about matters of public concern, as part of the consideration as to whether an individual’s privacy has been seriously invaded.
62. If a statutory tort for the invasion of privacy was not enacted, what other changes could be made to existing laws to provide redress for serious invasions of privacy?
11.12 Other changes to strengthen current laws and regulatory frameworks to better prevent or redress serious invasions of privacy is to extend the Privacy Act to entities and activities that are currently exempted, in accordance with the OAIC’s Recommendations 27, 28 and 29.
11.13 Amending the current regulatory framework to remove these exemptions would provide additional protections against privacy invasion for individuals in relation to the handling of their personal information.
11.14 However, it should be noted that these improvements would apply only to information privacy and not to other types of privacy (such as bodily and territorial privacy) and would not apply to breaches of privacy by an individual (unless they were an APP entity).
 See for example, Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (No. 38, 2019).