Submission - Right to Sue for Serious Invasion of Personal Privacy - Office of the Australian

Issues Paper

A Commonwealth statutory cause of action for serious invasion of privacy

Submission to the Attorney-General’s Department

November 2011

Submission by Prof. John McMillan, Australian Information Commissioner

and Timothy Pilgrim, Australian Privacy Commissioner

Contents

Executive summary

Summary of key responses

General comments

Responses to key questions

Introduction

The Office of the Australian Information Commissioner

Background

Privacy and the Privacy Act

Privacy reform

Comparing the law reform commission models

Recognition of a right to privacy in international jurisdictions

Structure of this submission

General comments

Enhancing privacy protection

The role of a statutory cause of action for invasion of privacy

Role of OAIC

Comments in response to specific Issues Paper questions

Question 1 – Do recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia?

Question 2 – Is there a need for a cause of action for serious invasion of privacy in Australia?

Question 3 – Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law?

Question 4 – Is “highly offensive” an appropriate standard for a cause of action relating to serious invasions of privacy?

Question 5 – Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?

Question 6 – How best could a statutory cause of action recognise the public interest in freedom of expression?

Question 7 – Is the inclusion of “intentional” or “reckless” as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault?

Question 8 – Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient?

Question 9 – Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material? If a list were to be included, should any changes be made to the list proposed by the ALRC?

Question 10 – What should be included as defences to any proposed cause of action?

Question 11 – Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application?

Question 12 – Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action?

Question 13 – Should the legislation prescribe a maximum award of damages for non-economic loss, and if so, what should that limit be?

Question 14 – Should any proposed cause of action require proof of damage? If so, how should damage be defined for the purposes of the cause of action?

Question 15 – Should any proposed cause of action also allow for an offer of amends process?

Question 16 – Should any proposed cause of action be restricted to natural persons?

Question 17 – Should any proposed cause of action be restricted to living persons?

Question 18 – Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced?

Question 19 – Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy?

Additional issue – interaction between Commonwealth and State laws

Submission by the Office of the Australian Information Commissioner

Executive summary

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the release by the Australian Government of the Issues Paper “A Commonwealth statutory cause of action for serious invasion of privacy” (Issues Paper).[1]
  2. Privacy is an internationally recognised human right. As a party to the International Covenant on Civil and Political Rights, Australia is required to give effect to the privacy rights contained in Article 17 of that instrument. The Privacy Act 1988 (Cth) (Privacy Act) is an example of a legislative measure adopted in Australia to give effect to this obligation. However, the Privacy Act is not a full implementation of Article 17 as there are a number of areas it does not cover. For example:
  • the Privacy Act regulates only information privacy, and not other areas of privacy such as territorial and bodily privacy, and
  • various entities (such as small businesses) and acts or practices (such as some acts or practices of journalists and political organisations) are exempt from the requirements of the Privacy Act.
  1. The release of the Issues Paper is another step in the Australian Government’s consideration of the recommendations made by the Australian Law Reform Commission (ALRC) in its 2008 Report 108 For Your Information, Privacy Law and Practice (ALRC Report). The ALRC’s recommendations included that federal legislation provide for a statutory cause of action for a serious invasion of privacy.[2] In addition, both the New South Wales Law Reform Commission (NSWLRC) and Victorian Law Reform Commission (VLRC) have recommended the creation of statutory causes of action for privacy invasion.

Summary of key responses

  1. This submission contains the OAIC’s general observations in response to a proposed statutory cause of action for serious invasion of privacy, and the OAIC’s comments in response to each question posed in the Issues Paper. Key comments and responses are outlined below.

General comments

  1. The OAIC strongly supports the privacy law reform process currently underway. This process will strengthen privacy regulation under the Privacy Act. However, there are identified areas for reform arising from the ALRC Report where implementation decisions have not yet been made, and areas which are not the subject of the current reform process.
  2. The OAIC appreciates that a statutory cause of action for invasion of privacy may complement any Privacy Act reforms by addressing areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals. The OAIC believes it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute and that it must be balanced against competing rights including the right to freedom of expression.
  3. The OAIC is concerned that a cause of action actionable directly to the courts may pose access to justice issues and therefore deliver limited benefits. The OAIC therefore suggests that consideration be given to a model where an individual alleging a privacy invasion initially complains to the OAIC under a model similar to that currently used for complaints of privacy interference in breach of the Privacy Act. An option to proceed to court could be available in limited circumstances such as permitting the OAIC to refer a question of law to the Federal Court for guidance, and allowing a party to commence court proceedings where the OAIC declines to make a determination following an unsuccessful conciliation.
  4. Given the OAIC’s current role in privacy regulation and complaints, consideration should be given to creating intervener and amicus curiae roles for the Australian Information Commissioner in relation to privacy invasion actions in the courts.

Responses to key questions

  1. The OAIC supports any cause of action for invasion of privacy being created by statute rather than being left to develop at common law.
  2. The OAIC considers that a standard of offensiveness should be a threshold requirement for establishing the cause of action. However, the OAIC has some concerns that a “highly offensive” threshold may be largely unattainable, preventing meritorious cases from proceeding (for example, where security cameras on a residential property capture footage from a neighbouring property).
  3. Any cause of action should be available to individuals seeking redress against intentional and reckless acts. The OAIC suggests further consideration also be given to including some negligent acts within the ambit of the action.
  4. The right to privacy is not absolute and weighing privacy rights against competing public interests is critical to the cause of action. It is preferable for this balancing of interests to be integrated into the cause of action (rather than the public interest constituting a separate defence).
  5. The OAIC supports the inclusion in legislation of relevant matters to be taken into account by the court in considering whether the cause of action for invasion of privacy has been made out. However, a number of items included in the NSWLRC’s list of relevant matters should be reconsidered.
  6. The legislation should contain a non-exhaustive list of the types of acts that might constitute an invasion of privacy. To ensure it is clear that the cause of action is intended to cover all aspects of an individual’s privacy, the OAIC suggests that the list be prefaced by a statement to that effect.
  7. The OAIC supports the inclusion of an exhaustive list of defences in the legislation. The OAIC agrees with the defences suggested by the ALRC, but suggests limiting the defence of “incidental to the exercise of a lawful right of defence of person or property” to cases where the act or conduct was a reasonable and proportionate response to the threatened harm. In addition, the OAIC supports a defence similar to the defence of “innocent dissemination” in defamation law.
  8. The OAIC considers that exemptions to the cause of action are not required, as the elements of the action together with the suggested defences provide adequate safeguards against unmeritorious claims.
  9. The OAIC supports courts being able to apply the remedy that is most appropriate in the circumstances without being limited by the jurisdictional restraints that may apply under the general law. In relation to damages, the OAIC suggests that no maximum award of damages for non-economic loss be prescribed in the legislation. If a complaints model is adopted, the OAIC suggests the OAIC have a flexible range of powers and remedies available to it, including those currently available in the Privacy Act and through proposed Privacy Act reforms.
  10. If a cause of action is introduced, the OAIC supports the inclusion of mechanisms which encourage the early resolution of disputes. If an “offer of amends” process is used, the defamation model may need to be adapted in order to function appropriately in the privacy context.
  11. Consistently with the right to privacy being a human right, the OAIC recommends that the cause of action be actionable without proof of damage, and be restricted to natural, living persons.
  12. The OAIC supports an approach requiring an action (or complaint – see vii above) for invasion of privacy to be commenced within 12 months from the date the applicant became aware of the relevant act or conduct, with a discretion allowing an action to be brought outside the 12 month period.
  13. If a cause of action is actionable to the courts, the OAIC favours the Federal Court and Federal Magistrates Court being granted jurisdiction to hear and determine claims.
  14. Any cause of action should be introduced in a manner that does not contribute to inconsistent and fragmented privacy regulation in Australia. Subject to any constitutional restraints, the OAIC considers that this would be best achieved by introducing any statutory cause of action into Commonwealth law and granting jurisdiction to the Federal courts. If a complaints model is adopted, the OAIC sees merit in including the relevant provisions in the Privacy Act.

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the Australian Government’s release of the Issues Paper in relation to a Commonwealth statutory cause of action for serious invasion of privacy (Issues Paper).[3]
  2. The release of the Issues Paper follows recommendations by the Australian Law Reform Commission (ALRC) in its 2008 report For Your Information: Australian Privacy Law and Practice (ALRC Report)[4] for federal legislation to provide a statutory cause of action for a serious invasion of privacy.[5]

The Office of the Australian Information Commissioner

  1. The OAIC was established by the Australian Information Commissioner Act 2010 (Cth) (the AIC Act) and commenced operation on 1 November 2010.
  2. The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
  3. The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.
  4. The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
  5. The Commissioners of the OAIC share two broad functions:
  • the FOI functions, set out in s8 of the AIC Act – providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
  • the privacy functions, set out in s9 of the AIC Act – protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and other legislation.
  1. The Information Commissioner also has the information commissioner functions, set out in s7 of the AIC Act. These comprise strategic functions relating to information management by the Australian Government.

Background

Privacy and the Privacy Act

  1. Privacy is a human right recognised in several international instruments, including Article 12 of the Universal Declaration of Human Rights[6] and Article 17 of the International Covenant on Civil and Political Rights 1966 (ICCPR).[7] The ICCPR requires parties to adopt such legislative measures as may be necessary to give effect to the rights in that instrument, including the privacy rights in Article 17.
  2. The Privacy Act is a legislative measure adopted in Australia to protect privacy, and gives partial effect to Article 17. It regulates the handling of personal information by Australian, ACT and Norfolk Island government agencies. It also regulates the activities of certain private sector organisations, including health service providers and businesses with an annual turnover of more than $3 million. The activities of State and other Territory government agencies are regulated by State or Territory legislation where it exists.
  3. Personal information is defined in the Privacy Act as information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[8] Examples include names, medical records and photographs.
  4. The Privacy Act regulates the collection of personal information, the accuracy of the information, how it is kept secure, and how it is used and disclosed. It also provides rights to individuals to access and correct the information organisations and government agencies hold about them. Where an individual feels that an agency or organisation has handled their personal information in a way that does not comply with the requirements of the Privacy Act, that individual can make a complaint to the OAIC alleging an interference with their privacy.[9]
  5. The Privacy Act, however, is not a complete legislative response to the requirements of Article 17 of the ICCPR. First, a number of entities and practices are exempt from the requirements of the Privacy Act (see paragraph 35 below). Second, the protection of personal information is just one aspect of privacy. Other types of privacy can include territorial privacy, physical or bodily privacy and the privacy of communications. In this context, the OAIC acknowledges the existence of other laws which touch on privacy issues to some extent.[10]

Privacy reform

  1. In 2006, the ALRC was asked to inquire into and report on the extent to which the Privacy Act and related laws continued to provide an effective framework for the protection of privacy in Australia.[11] The ALRC’s review of privacy culminated in the release in 2008 of the ALRC Report which made 295 recommendations in relation to privacy regulation in Australia.[12] The ALRC Report contains a number of specific recommendations in relation to the creation of a statutory cause of action for serious invasion of privacy.[13]
  2. The Government indicated that it intended to respond to the 295 recommendations in the ALRC report in two stages, and that consideration of a statutory cause of action for serious invasion of privacy would form part of the second stage.
  3. In October 2009, the Government released Enhancing National Privacy, Australian Government First Stage Response to the Australian Law Reform Commission Report 108 (October 2009) (First Stage Response) which dealt with 197 of the ALRC’s 295 recommendations.[14] The Government has now released the Issues Paper seeking comment from interested stakeholders on various questions relating to the possible introduction of a statutory cause of action for serious invasion of privacy.
  4. Both the New South Wales Law Reform Commission (NSWLRC) and Victorian Law Reform Commission (VLRC) have also conducted recent inquiries into privacy protection,[15],[16] with both recommending the creation of statutory causes of action for invasion of privacy.[17],[18]
  5. The Issues Paper outlines these recommendations by the ALRC, NSWLRC and VLRC. It also summarises the position with respect to invasions of privacy in international jurisdictions.

Comparing the law reform commission models

ALRC model

  1. The ALRC Report recommended that federal legislation provide for a statutory cause of action for serious invasion of privacy.[19] The ALRC proposed a two-limb test for establishing liability under the cause of action:
  • a reasonable expectation of privacy, and
  • the act or conduct complained of is highly offensive to a reasonable person of ordinary sensibilities.
  1. In determining whether an individual’s privacy has been invaded for the purposes of the cause of action, the model also required the court to take into account whether the public interest in maintaining the claimant’s privacy outweighs other matters of public interest (including the interest of the public to be informed about matters of public concern and the public interest in allowing freedom of expression).
  2. The model also set out a limited number of defences to the cause of action, as well as a broad range of remedies.

NSWLRC model

  1. The NSWLRC also recommended the creation of a statutory cause of action for invasion of privacy. Under the draft Civil Liability Amendment (Privacy) Bill annexed to the NSWLRC Report (NSWLRC draft Bill),[20] an individual’s privacy would be invaded if the conduct of another person invaded the privacy that the individual was reasonably entitled to expect in all of the circumstances, having regard to any relevant public interest (including the interest of the public in being informed about matters of public concern).
  2. The NSWLRC draft Bill requires the court to take into account a number of matters in determining whether an individual’s privacy has been invaded, including the nature of the conduct concerned (including the extent to which a reasonable person of ordinary sensibilities would consider the conduct to be offensive) and the nature of the subject matter alleged to be private.
  3. The NSWLRC draft Bill also includes defences to the cause of action and the remedies available to the court where the cause of action is established.

VLRC model

  1. The VLRC recommended the creation of two statutory causes of action for serious invasion of privacy caused by misuse of surveillance in a public place:[21]
  • serious invasion of privacy by misuse of public information, and
  • serious invasion of privacy by intrusion upon seclusion.
  1. The VLRC proposed a two-limb test for establishing liability for both invasions of privacy:
  • a reasonable expectation of privacy, and
  • a reasonable person would consider the conduct highly offensive.
  1. The VLRC Report outlined suggested defences, including a public interest defence, and remedies.

The models compared

  1. A comparison of the above models reveals the following similarities and differences on key points:
  • Both the ALRC and NSWLRC recommended a single cause of action for serious invasion of privacy, while the VLRC recommended two separate causes of action.
  • Both the ALRC and VLRC recommended essentially the same two-limb test, requiring a plaintiff to establish both a reasonable expectation of privacy and that the act or conduct complained of would be highly offensive to a person of ordinary sensibilities.