This submission by the Australian Privacy Foundation (APF) to the Australian Law Reform Commission (ALRC) strongly endorses establishment in national legislation in Australia of a cause of action for serious invasion of an individual’s privacy. It is appropriate to describe the action as an action in tort, or a ‘privacy tort’. The Australian Privacy Foundation (APF) is Australia's leading privacy advocacy organisation. This submission is in response to the proposals in ALRC Discussion Paper 80: Serious Invasions of Privacy. Key submissions made by the APF are as follows: (i) The most effective structure of a cause of action is that which is consistent with an intentional tort; consisting of elements that a plaintiff must satisfy with countervailing defences available to any putative defendant. There should be no requirement for the court to undertake a balancing exercise as an essential element in determining whether the plaintiff can, on his or her own case, succeed or not. (ii) The cause of action for a ‘serious invasion of privacy’ should additionally be described as an ‘interference with privacy’ for the purposes of the Privacy Act 1988 (Cth). (iii) The focus of the tort should be upon the intrusion into a plaintiff’s seclusion or private affairs (including by unlawful surveillance) and/or the misuse or disclosure of private information about the plaintiff. (iv) There is no sound legal or policy basis for limiting the scope of the action to either intentional or reckless acts rather than incorporating negligent acts. (v) There is potential for an undesirable downward ratchet effect in the concept of “reasonable expectations”: the lack of a practical remedy enables continuation of an intrusive practice without restraint, which practice reduces the level of protection that would be “reasonably expected”, which in turn reduces the scope of the tort over time. (vi) The fourth proposed element of the tort, that it is only available where the invasion of privacy is 'serious', is both unnecessary and arbitrary. (vii) There is little utility in incorporating a balancing exercise of the plaintiff’s privacy interest against freedom of expression or other broader public interest, the fifth element of the proposed cause of action. (viii) Federal, State and Territory courts should have jurisdiction to hear a serious invasion of privacy action. However, there are very strong reasons for providing the option to complainants/plaintiffs to take a ‘serious invasion of privacy’ complaint to the Privacy Commissioner. A new sub-section 13(6) should be added to the Privacy Act 1988 (Cth): ‘(6) A serious invasion of privacy under the [title of new Commonwealth Act] is an interference with the privacy of an individual,’ together with such limited consequential changes (if any) as are necessary to make the Privacy Act consistent with the new statutory action and the [title of new Commonwealth Act]. (ix) There may be a case for clarifying the law of breach of confidence even if a statutory tort were to be introduced, but some of the ALRC’s proposals are not justifiable. (x) While it is important to remove inconsistencies and promote uniformity in the the current State and Territory surveillance device and workplace surveillance laws, this must not be at the expense of reducing the level of protection of Australians against unjustified surveillance. Proposed uniform laws should apply to all existing and emerging technologies that are capable of monitoring and recording the activities of people and their data. Surveillance device laws should incorporate a mechanism for awarding compensation, or other forms of relief, to victims of unauthorised surveillance. (xi) The public interest activities of responsible journalists in investigating and reporting on matters of public interest, such as uncovering corruption, do not require a broad or vague exception for journalists. (xii) The ALRC proposal is desirable that a new APP (Australian Privacy Principle) be inserted into the Privacy Act to require an APP entity to provide a simple mechanism for an individual to request the destruction or de-identification of personal information that was provided to an APP entity by the individual. A regulator should be so empowered, preferably the Privacy Commissioner with a right of appeal to the AAT (Administrative Appeals Tribunal). (xiii) The definition of “personal information” in the Privacy Act 1988 (Cth) should be amended so as to confirm that the information will remain personal information, despite any steps to anonymise it, if there is any significant possibility that it may be re-identified in future.
Read full abstract