Office of the Victorian Privacy Commissioner Submission to the Department of Prime Minister and Cabinet (Cth) on A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy November 2011 Office of the Victorian Privacy Commissioner (Privacy Victoria) GPO Box 5057 10-16 Queen Street Melbourne Victoria 3000 Australia Phone: 1300-666-444 Fax: +61-3-8619-8700 Email: enquiries@privacy.vic.gov.au Website: www.privacy.vic.gov.au Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 1 1. Introduction 1. The release of this issues paper, and the public focus on the possibility of a statutory cause of action for breach of privacy, is both welcomed and long overdue. The New South Wales Law Reform Commission, the Victorian Law Reform Commission and the Australian Law Reform Commission previously all identified and supported the broad issue of a statutory right to privacy. 2. However, the present discussion paper appears to have arisen in the shadow of the egregious breaches of privacy by News Limited in the United Kingdom. It is unfortunate that this has occurred, but it is important that the debate surrounding a statutory cause of action does not overly concentrate on freedom of the press (although it is an important consideration) nor that the cause of action be characterised as an attack on the media. While freedom of the press and expression are important concepts that will need to be considered, it would be a shame if debate and discussion focussed solely on those concepts to the exclusion of other important considerations. 1. Do recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia? 3. In the last several decades, the privacy landscape has changed fundamentally. The almost universal and increasing use of the internet and mobile communication devices present both enormous opportunities and enormous risks. 4. Social networking platforms and the development of “Web 2.0” also enable images and information to be widely shared and individuals to potentially be tracked and profiled via their activities: both on and off line. 5. Tracking and surveillance devices are no longer restricted to law enforcement organisations (as in previous times). The decreasing cost, increasing availability and increasing ease of use make such devices readily available to individuals. Global Positioning System (GPS) devices, surveillance cameras, radio-frequency identification devices (RFID), and smart phone applications which allow location tracking as well as instant video and camera photography have exploded onto the scene. Such devices can be efficient, helpful and enjoyable. However, such devices can be used to invade the privacy of others and with far greater consequences than in previous times. Where once only the media had the power of mass dissemination of information, individuals can now instantaneously share information with millions online. This allows for significant damage to occur – information can be disclosed about an individual by an individual and published to the world. It may be almost impossible to retrieve or remove this information. 6. The Office of the Victorian Privacy Commissioner receives hundreds of enquiries each year from individual members of the public concerned about interferences with their spatial privacy and personal information by other individuals. 7. Currently, the scope for legal redress for such interferences with privacy is extremely limited and unclear. In Victoria, the Surveillance Devices Act 1999 (Vic) offers some protection against unauthorised surveillance of individuals. However, the Act contains only offences for prohibited conduct and does not provide remedies to individuals who have suffered breaches of their privacy. Additionally, prosecutions for offences under the Surveillance Devices Act are relatively rare and require an individual Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 2 satisfying the relevant authority (Victoria Police) to take action. Reliance on other legal actions are possibilities (as discussed below) but will generally require individuals to obtain legal assistance. 2. Is there a need for a cause of action for serious invasion of privacy in Australia? Existing privacy laws are inadequate and contain gaps 8. Commonwealth and State/Territory privacy legislation seeks to protect personal information held and handled by public and private sector organisations. The Privacy Act 1998 (Cth) was enacted more than two decades ago, since when there has been a technological revolution. The Privacy Act regulates information held by the Commonwealth public sector, as well as some private sector organisations and credit providers.1 9. In Victoria, in the absence of any conflicting laws, the Information Privacy Act 2000 (Vic) regulates all Victorian public sector organisations as well as service providers acting under a Victorian public sector contract.2 Additionally, the Victorian Charter of Human Rights and Responsibilities Act 2006 (Vic) requires public authorities to act in ways compatible with the rights contained in the charter, which includes a right to privacy.3 Most other Australian jurisdictions have similar privacy obligations enshrined in legislation or an administrative system of privacy protection.4 10. Laws relating to defamation, telecommunications, breach of confidence, nuisance and trespass offer some privacy protections. However, significant gaps remain – in both the scope and coverage of privacy protection. Of most significance are exemptions for employee records and ‘small’ businesses in the private sector. 11. The Victorian Law Reform Commission (VLRC) found ‘significant’ gaps in the protection of privacy in the workplace.5 Employee records are specifically excluded from the private sector provisions in the federal Privacy Act.6 Such records, particularly of large corporate employers, contain vast amounts of employee personal information, often sensitive, and such information remains unprotected under privacy legislation.7 There appears to be no rationale to justify this lack of protection. 12. ‘Small’ businesses, defined as businesses with an annual turnover of less than $3 million, are exempt from the application of the Privacy Act.8 This means smaller businesses (which may hold significant personal information) need not comply with privacy principles, and the protection of personal information collected and held is at the whim of each small business. 1 But only organisations with over $3m annual turnover, See Privacy Act 1998 (Cth) s.6D and for credit providers, Part IIIA 2 Information Privacy Act 2000 (Vic), s 9. 3 Charter of Human Rights and Responsibilities Act 2006 (Vic), s 13. 4 Privacy and Personal Information Protection Act 1998 (NSW), Information Act (NT), Personal Information Protection Act 2004 (Tas), Information Privacy Act 2009 (Qld); See Privacy Victoria, Privacy Regulation across Australia, as 5 November 2009, available at www.privacy.vic.gov.au/privacy/web.nsf/content/information+sheets. 5 Victorian Law Reform Commission, Workplace Privacy Final Report, Report No 159 (2005) [1.25] 6 However, as the Information Privacy Act 2000 (Vic) contains no similar exemption, employee records are protected in the Victorian public sector. 7 Privacy Act 1988 (Cth), s 7B(3). 8 Privacy Act 1988 (Cth), s 6D. Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 3 13. The Australian Law Reform Commission (ALRC) estimated that 94% of Australian businesses fall under the ‘small business’ definition, meaning the exemption provides a significant gap in the protection of privacy within Australia.9 The ALRC has recommended closure of both of the above gaps and the adoption of consistent, uniform privacy regulation.10 I support this recommendation. 14. Technological developments (such as those discussed above) mean that even a fairly “minor” breach by way of disclosure or failure to secure personal information by employers or small businesses can have major consequences for the individuals affected. Conversely, the development of sophisticated and relatively inexpensive technology to secure information and control access to it has reduced the compliance burden, which the small business exemption in particular was expressed to be intended to avoid. 15. Enhancement and expansion of existing privacy laws, to close exemptions and to ensure more organisations and individuals are covered, will substantially reduce the threats to personal privacy posed by technological change. Privacy laws only deal with ‘information privacy’ 16. It should be remembered, however, that existing privacy laws (such as the Privacy Act 1998 (Cth) and Information Privacy Act 2000 (Vic)) deal only with ‘information privacy’ – the control of the collection and handling of personal information about an individual. Privacy, as a concept, is far wider encompassing matters such as bodily, locational, territorial and communications privacy. Even extension and expansion of existing privacy laws will be inadequate as their information focus does not allow for protection of other types of privacy. Breaches of these ‘other’ types of privacy can occur by an organisation even if they are subject to privacy laws, such as excessive search powers. A clear example of this point can be found in Wainwright v the United Kingdom11. In that case, the applicants (the Wainwrights) were strip-searched when seeking to visit their son in prison. The search of the Wainwrights was incredibly invasive, including examination of sexual organs. It left both feeling threatened by searching officers and concerned they would not be permitted to visit their son, and was found to cause post-traumatic stress disorder. The UK House of Lords dismissed appeals made by the Applicants.12 The ECHR found a violation of Article 8 (Respect for private life) of the Convention for the Protection of Human Rights and Fundamental Freedoms and awarded compensation on that basis. 17. It is important to craft a statutory cause of action which would conceivably cover such cases which fall outside the operation of existing privacy laws. Inadequacy of existing causes of action 18. Whilst the current legislative provisions provide limited protection of privacy with respect to the public sector and large corporations, individuals acting in their own capacity have no obligations under any Australian privacy legislation. Other common law actions (defamation, breach of confidence, nuisance and trespass) 13 and some 9 ALRC, For Your Information: Australian Privacy Law And Practice, Report No 108 (2008), Para 39.21. Ibid, Rec 3.1. 11 Case of Wainwright v The United Kingdom (Application no. 12350/04) Eur Court HR, Fourth Section (2006) 12 Wainwright and another (Apellants) v Home Office (Respondents) [2003] UKHL 53. 13 Office of the Victorian Privacy Commissioner, Submission to the Victorian Human Rights Consultation Committee on its inquiry into ‘A Charter of Human Rights for Victoria’, (2005), paras 55 & 56, available at www.privacy.vic.gov.au/privacy/web.nsf/content/submissions 10 Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 4 criminal actions (stalking, harassment) may be used to partially protect privacy rights, but the ability of the common law or equity to address such action is limited.14 19. There may be an argument that these other causes of action already ‘cover the field’ and therefore there is little need for a separate statutory tort. However, there are significant problems with relying on the existing legal actions. Use of other common law and criminal actions are often an awkward fit, predominantly attempting to protect and preserve other interests and protecting privacy as a side benefit. Also, existing torts may be rendered ineffective due to technological developments; the Court of Appeal of New Zealand acknowledged the limitations of trespass in protecting privacy, arguing: ‘Trespass may be of limited value as an action to protect against information obtained surreptitiously...long lens photography, auto surveillance and video surveillance now mean that intrusion is possible without a trespass being committed’. 15 20. Criminal laws may provide some assistance in telecommunications and surveillancetype privacy invasions, but will fail to compensate those who have suffered damage or loss due to the conduct. There is a significant problem of accessibility - attempting to use existing actions hampers access to the law. It requires an individual retaining a lawyer who is able and willing to try and ‘fit’ existing causes of action to the conduct in question. 21. Often this attempted ‘fit’ may result in odd outcomes. For example, in Giller v Procopets [2004] VSC 113, Gillard J found a breach of confidence (where a Defendant videotaped sexual encounters with the Plaintiff and subsequently distributed the video) but then declined to award damages (mainly due to issues about the jurisdictional basis for awarding damages).16 This can be contrasted with the outcome in Grosse v Purvis [2003] QDC 151 where a Queensland judge awarded $178,000.00 after finding a breach of privacy (and formulating a test for it). However, this proposition remains untested at higher courts. 22. The ALRC, VLRC and the New South Wales Law Reform Commission (NSWLRC) have all recommended establishment of a statutory cause of action for breach of privacy. A statutory cause of action would confer privacy obligations on individuals and expand the protection of privacy within Australia, giving certainty to all. 23. The Office of the Victorian Privacy Commissioner often receives enquiries from individual members of the public concerned about invasions of their privacy by other individuals. Very often, there are simply no legal or other remedies to address their concerns. 3. Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law? 14 E.g. in Giller v Procopets, [2004] VSC 113, [2008] VSCA 236, where Gillard J of the Victorian Supreme Court held that the plaintiff was not entitled to recover damages for mental distress in relation to a breach of confidence. The decision was overturned on appeal. The Court of Appeal awarded substantial damages for breach of confidence, but the Court declined to make any findings as to the existence of an equitable or common law right to privacy. 15 Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03, per Gault P and Blanchard J at 116. 16 Ibid, and see David Lindsay, ‘Casenote: Giller v Procopets – Distress but no damages’ (2004) Privacy Law and Policy Reporter 41. Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 5 24. Relying on the courts to recognise a cause of action for privacy may not be the best approach, given the inherent limitations associated with the courts only being able to consider particular matters brought before them by parties resourced to access justice at the requisite level. In addition, the courts would be limited by existing remedies developed within the common law or equity.17 25. Legislators have a better opportunity to craft a cause of action that is more precisely targeted and which takes into account competing public interests. Moreover, protection of a fundamental human right such as privacy should not be dependent on the efforts of a particularly persistent and well resourced plaintiff to definitively establish the existence of a cause of action. 20. The creation of a statutory cause of action would be the best way of providing redress for these types of interferences with personal privacy. 21. One of the most significant points of difference between other jurisdictions and Australia in this area is that there is an inbuilt balance between the right to privacy and the right to freedom of expression, by virtue of the existence of enforceable human rights charters or bills in these other countries. 22. This means that, were enforceable privacy rights to be recognised by Australian courts in Australia in isolation, there would be no countervailing right to freedom of expression or communication to balance them against. 23. This is one of the most compelling reasons for choosing a statutory cause of action over one that is developed solely by the courts. In the absence of any express recognition of other human rights and freedoms, it will be open to the Australian courts to develop a new cause of action which remedies any harm caused by an invasion of privacy as a tort, an extension of the law of confidence or under some other branch of law or equity, with little, if any, consideration of freedom of expression. 24. The media in Australia is already subject to laws limiting the collection and publication of personal information. It is not surprising that media organisations are alarmed at another proposed law which they see as limiting freedom of expression, and in particular fettering the media’s ability to report. However, Australian courts have already shown a readiness to acknowledge the development of a need for a common law action for breach of privacy, and in some cases, as in Jane Doe v ABC18 found such a cause of action to exist. They are supported in this by persuasive authority in other jurisdictions. 25. The current common law development is extremely slow, piecemeal and is likely to vary from State to State. It is now over 10 years since the High Court in Lenah Game Meats19 made obiter comments surrounding the establishment of a tort of privacy and yet little progress has been made. Waiting on the courts to be presented with a case which permits a sufficiently senior court to make binding comments could take some time. 26. If it is inevitable that the law will continue to develop in the direction of a common law right of action for privacy (which appears to be occurring), it would be better for there to be a federal statutory cause of action, to provide clarity and consistency. 27. Any legislation creating an actionable right to privacy should also expressly require courts to balance privacy rights with freedom of expression and communication. 17 Above n 15. Jane Doe v Australian Broadcasting Corporation [2007] VCC 281. 19 ABC v Lenah Game Meats Pty Ltd (2001) 185 ALR 1. 18 Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 6 4. Is ‘highly offensive’ an appropriate standard for a cause of action relating to serious invasions of privacy? 5. Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)? Highly offensive to a person of reasonable sensibilities 28. I agree that, in order to establish liability, a plaintiff should be required to show that in all the circumstances, there is a reasonable expectation of privacy. In addition, there needs to be some threshold level of seriousness, to ensure that trivial matters are not pursued unnecessarily. 29. In my view, the formulation used by Gleeson CJ in Lenah Game Meats and recommended by the ALRC, being ‘highly offensive to a reasonable person of ordinary sensibilities’20 is a good starting point. However, I question whether the requirement of ‘highly’ is overly restrictive and a high bar for a plaintiff to prove, given the nature of any proposed cause of action. A statutory cause of action should protect against offensive behavior. Questions as to the degree and level of intrusion and whether the intrusion was highly offensive or simply offensive may be better considered in terms of the damaged suffered and whether exemplary damages could be warranted. The question of harm 30. I note that the New Zealand Privacy Act 1993 (NZ) requires individuals to provide some loss, detriment or damage or injury before making a complaint under the Act.21 One potential option would be to reduce the requirement that an intrusion be ‘highly offensive’ (down to simply ‘offensive’) but require a potential plaintiff to show some type of damage or distress as a result of the conduct. 31. I note that the ALRC was concerned that the cause of action should only ‘succeed where the defendant’s conduct is thoroughly inappropriate and the complainant suffered serious harm as a result.’22 The potential option (of removing ‘highly’ from the offensive test) but introducing a requirement to show loss or damage may be a better method of approach. It would reduce the potential for frivolous claims but would not eliminate a cause of action for individuals who have suffered offensive conduct and suffered loss and damage. It would seem a strange situation in law that a court may find a reasonable expectation of privacy, offensive conduct to have occurred and loss and damage to have been suffered but declined to find a breach as the offensiveness was not ‘high enough’. 32. However, I would recommend that humiliation and injury to feelings should be recognised as a legitimate grounding for complaint, as it is a common reaction to a privacy intrusion and would be consistent with existing privacy legislation.23 20 Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, at para 42. Privacy Act 1993 (NZ) s 66. 22 Department of Prime Minister and Cabinet, ‘Issues Paper – A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy, September 2011, p 33. 23 See Information Privacy Act 2000 (Vic) s 43, where the Act specifically permits VCAT to award compensation for injury to feelings and humiliation suffered by a Complainant by reason of the act of practice the subject of the complaint. See also Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03 21 Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 7 Balancing other interests against privacy – element or defence? 33. Privacy naturally requires balancing against other and potentially competing public interests. The issues paper questions whether this should be ‘integrated with the cause of action’ or a ‘public interest defence’. I would strongly support the approach of the VLRC. This approach would not impose a negative onus of proof on a complainant or plaintiff, to prove that there is no countervailing public interest to justify the “seriously offensive” invasion of his or her “reasonably expected” privacy. Rather, the onus should fall on the respondent to show that his or her conduct is justified by the public interest. 34. It would seem peculiar for a plaintiff to be required to plead not only the elements of a cause of action, but also to negate a public interest argument at that stage. A plaintiff would be unlikely to be in the position to be able to determine at such an early stage what (if any) public interest arguments a defendant may raise. Rather, it would seem appropriate for the defendant (who would presumably have knowledge and evidence of the public interest in question) to plead such a matter in defence. An approach requiring a plaintiff to not only plead his or her action, but also predict and negate hypothetical public interest arguments, would be onerous and out of step with other similar torts, such as breach of confidence.24 6. How best could a statutory cause of action recognise the public interest in freedom of expression? 35. It is essential that the balancing of competing rights and interests be effectively built into any statute establishing a cause of action. 36. As pointed out above, this is necessitated by the absence of any general recognition in Australian law, either statutorily or constitutionally, of a fundamental set of rights and responsibilities which would ideally form the context in all judicial and other consideration of human rights and civil liberties. 37. Of course, it is open to the Commonwealth Parliament to legislate to recognise a right to freedom of expression or communication. 38. While the best way for a statutory cause of action to recognise the public interest in freedom of expression would be for such an interest to be seperately recognised as a right, an alternative method is to legislate to protect privacy only, but with a robust defences provision, which would allow the respondent to argue the countervailing public interest in freedom of expression. 39. As a practical matter, it would seem very difficult to require the balancing of rights and interests as a threshold step in deciding whether or not a cause of action exists. If the balancing of rights was a threshold step rather than defence, it would require extensive discussion (as to whether or not freedom of expression was a relevant which stated that ‘the harm to be protected against is in the nature of humiliation and distress’ (Gault P and Blanchard J, at 128). 24 For example, an action in breach of confidence requires, in summary, three elements (information with a necessary quality of confidence, communicated in circumstances importing and obligation of confidence, and an unauthorised use or disclosure of the information (Coco v AN Clark (Engineers) Ltd [1969] RPC 41. A public interest argument is generally considered a ‘defence’ (see NSWLRC, Consultation Paper 1 (2007) – Invasion of Privacy, at 3.5. Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 8 countervailing right) at a preliminary stage of any case. It would also require a plaintiff to attempt to anticipate a defence of freedom of expression. Requiring a court to deal with all potential public interests before a cause of action is even on foot would be highly complex. Additionally, in many cases (such as an individual taking action against another individual) public interest arguments such as freedom of expression may be irrelevant or non-applicable. 40. A better approach would appear to be that the two requirements discussed above (a reasonable expectation of privacy on the part of the claimant and an objective level of seriousness or offensiveness) would need to be established as threshold tests, then the respondent would be able to raise any defences, as set out in the statute. Defences should obviously include public interest arguments such as freedom of expression. This would then allow the court or tribunal hearing the matter to weigh the competing interests against each other in deciding whether or not an interference with privacy warranting remedy has occurred. 7. Is the inclusion of ‘intentional’ or ‘reckless’ as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault? 41. I support the approach of the VLRC with regard to the requirement for a “fault” element in any cause of action.25 While most invasions of privacy that are serious enough to meet an objective test of being “highly offensive” (as discussed above) will be either intentional or reckless, it is conceivable that such offence could arise from an extreme example of negligence. The law already recognises this in a range of contexts, even extending to criminal offences, such as negligent manslaughter. Additionally, existing privacy legislation does not require fault elements in privacy matters. 8. Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient? 42. While a non-exhaustive list of matters to be considered by a court can be of assistance in clarifying the parameters of a cause of action, the danger with such a list, even where it is expressed to be non-exhaustive, is that it may artificially limit the matters that future courts consider when presented with unforeseen fact situations. This could therefore limit the availability of redress for even very serious and offensive invasions of privacy. 9. 25 Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material? If a list were to be included, should any changes be made to the list proposed by the ALRC? VLRC Report at 152 [para 7.148]. Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 9 39. Similarly, a list of activities which could constitute an invasion of privacy, even if expressed to be non-exhaustive, could run the risk of limiting the availability of the cause of action by limiting its scope. This is particularly so in the current context of rapid technological and social change. For example, the use of social media or tablet devices in order to invade an individual’s privacy would not have been contemplated as recently as 2008, when the ALRC published its report and proposed its list.26 10. What should be included as defences to any proposed cause of action? 40. As a minimum, I support the inclusion of the defences proposed by the ALRC, namely that the: a. Act or conduct was incidental to exercise of a lawful right of defence of person or property; b. Act or conduct was required or authorised by or under law; or c. Publication of the information was, under the law of defamation, privileged. 41. I also support the inclusion of consent as a formal defence, rather than requiring a consideration of consent as part of considering whether or not there was a reasonable expectation of privacy as an element in the cause of action. I would recommend that consent be narrowly construed as express only, particularly as the individual would be consenting to what otherwise would be offensive (or highly offensive) conduct. 42. As in the discussion of the public interest above, requiring the complainant or plaintiff to demonstrate that he or she had not consented to the conduct complained of would impose a negative onus of proof on the plaintiff. 43. I would also support the inclusion of a defence of “legitimate public concern”, encompassing the right to freedom of expression, as formulated by the New Zealand Court of Appeal in Hosking v Runting.27 11. Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application? 43. I support the position of the ALRC, VLRC, and NSWLRC that there should be no blanket exemption provisions for any particular organisations, type of organisations or individuals. Rather, the defence provisions should be drafted in a robust enough fashion to allow activities such as law enforcement, national security, journalism and artistic expression in the public interest to be conducted. 26 ALRC Report at 2565. Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03, although it should be noted that the Court considered it ultimately ‘unnecessary to consider whether the respondents could rely on a defence that there is a legitimate public concern in publishing the photographs’ [171]. 27 Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 10 12. Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action? 44. I support the inclusion of a broad range of flexible and adaptable remedies, as recommended by the ALRC.28 However, I would question why the possibility of exemplary damages has been excluded. A court of competent jurisdiction should be able to award exemplary or punitive damages for intentional, deliberate or particularly egregious breaches of privacy should it see fit. In Grosse v Purvis, Skoien SDJC awarded aggravated compensatory damages and exemplary damages for a breach of privacy. Secondly, the High Court confirmed the possibility of exemplary damages in negligence where a defendant ‘can be shown to have acted consciously in contumelious disregard of the rights of the plaintiff’.29 Fettering a court’s discretion to exclude the possibility of exemplary damages appears unnecessary. 13. Should the legislation prescribe a maximum award of damages for non-economic loss, and if so, what should that limit be? 45. In principle, the award of damages should reflect the injurious effect caused to the plaintiff by the invasion of privacy complained of. I agree with the VLRC that, given the relatively modest amounts of damages awarded in privacy and confidentiality matters to date, a cap on damages would seem to be unnecessary. 46. Additionally, a cap on damages can cause a perverse outcome should a significant non-economic loss exceed any statutory cap. For example, in NK v Northern Sydney Central Coast Area Health Service, Judicial Member Montgomery of the New South Wales Administrative Decisions Tribunal awarded a complainant the statutorily maximum of $40,000.00 compensation for various breaches of the Privacy and Personal Information Protection Act 1997 (NSW) and the Health Records and Information Privacy Act 2002 (NSW). The Complainant in that case was so affected by the breaches of privacy that he attempted suicide. However, the Tribunal noted ‘It is my view that NK is entitled to the maximum amount that can be awarded under the applicable legislation. He is entitled to compensatory damages as a step towards restoring him to the position that he would have been in but for the breaches. However, I also note my view NK can never be adequately compensated for the loss that he has suffered....the amout that can be awarded is restricted to an amount that is lower than what might have otherwise been awarded’30 47. However, I acknowledge the point made in the Discussion Paper concerning the limit placed on actions under defamation by the Defamation Act 2005 (Cth) and the possibility of forum shopping if there is no limit set for a statutory cause of action in privacy. For that reason, any limit imposed should be neither more nor less than that under defamation law. 28 ALRC Report, rec 74-5. Gray v Motor Accident Commission (1999) Aust Torts Reports 81-494 per Gleeson CJ, McHugh, Gummow and Hayne JJ at 65,505. 30 NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81. 29 Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 11 14. Should any proposed cause of action require proof of damage? If so, how should damage be defined for the purposes of the cause of action? 48. Proof of damage should constitute an element of the cause of action (as discussed above) in order to limit frivolous claims. It would clearly be relevant where the plaintiff is claiming monetary compensation by way of damages. However, plaintiffs should not be called upon to prove damage as a threshold issue, given the nature of the interest that is sought to be protected by the cause of action. It should be sufficient that the plaintiff had a legitimate expectation of privacy in the circumstances and the conduct complained of would be offensive to a reasonable person. 49. As discussed above, injury to feelings or humiliation should be specified as a type of relevant damage, as is recognised by existing privacy laws. 15. Should any proposed cause of action also allow for an offer of amends process? 50. Given the complicated nature of privacy rights and the fact that ‘damage’ – and thus ‘compensation’ – is often difficult to formulate and quantify, provision for an offer of amends process would be sensible. Additionally, an individual who has had their privacy breached may be reluctant to take action in an open court as subsequent publicly could further compound the issue. The importance of court-based alternative dispute resolution processes to encourage parties to resolve disputes before litigation commenced should not be overlooked. 51. In my experience, many complainants who are aggrieved by an invasion of their privacy by a Victorian public sector organisation are most concerned that the organisation acknowledges its actions and the effect they have had on the complainant and apologises and/or undertakes to take steps to avoid similar transgressions in the future. This is likely to equally apply to breaches by individuals. 16. Should any proposed cause of action be restricted to natural persons? 52. I support the view expressed by the High Court in Lenah Game Meats and by the ALRC, NSWLRC and VLRC that privacy laws form part of human rights protections and should only apply to natural persons. 17. Should any proposed cause of action be restricted to living persons? 51. Neither the Privacy Act 1988 (Cth) nor the Information Privacy Act 2000 (Vic) offer any protection for the collection and handling of personal information relating to deceased persons. The Health Records Act 2001 (Vic), however, does. 52. Notwithstanding this and the views expressed by the ALRC, NSWLRC and the VLRC, I support the extension of privacy protection to deceased persons, for the following reasons: Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 12 18. A cause of action for privacy breaches may be more comparable to equitable actions like breach of confidentiality than to actions such as defamation. While a right to recover damages for defamation ceases upon death, a duty of confidentiality can persist after death. Special sensitivities may arise when disclosing information about deceased persons to the world at large, as is recognised in many Indigenous cultures. Protecting information privacy after death may affect how people act during their lifetime. Individuals may be less inclined to reveal their information, particularly sensitive or intimate details, if they are concerned that those details might be revealed or otherwise used as soon as they die. There are a number of overseas cases giving rise to community debate about the handling of personal information after a person has died, or in respect of a deceased person. These include requests by the press for autopsy photographs of child victims of sexual and violent crime31 and the collection by coronial staff of autopsy photographs of famous and gruesome cases which were used to create personal scrapbooks and to show at cocktail parties.32 In this latter case, the court recognised a privacy interest which was grounded in maintaining the dignity of the deceased. Disclosure of a deceased person’s information may impact the living. A disclosure may cause distress to the survivors and records relating to the deceased individual may contain details of the living, as in the case of coronial records. The information relating to the deceased individual may also be about a group or family, as is particularly the case with genetic data. Ready access to a deceased person’s biographical and other data may facilitate the creation of fraudulent or stolen identities. Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced? 53. For reasons of consistency with other areas of law, I support the three year limitation period proposed by the VLRC. However, the issues paper states that the limitation period should be ‘from the date of the relevant conduct.’33 This could potentially pose a problem where an individual only becomes aware of the relevant conduct sometime later. For example, the Victorian Information Privacy Act only contains restrictions on bringing complaints when the complaint ‘was made more than 45 days after the complainant became aware of the act or practice’34 (my emphasis). It is possible that an individual could suffer a breach of their privacy but be unaware until sometime later, particularly as the privacy breach could be deliberately concealed. I note that Australia still does not have mandatory breach notification laws, which could 31 nd Sarasota Herald-Tribune v. Florida, District Court of Appeal of Florida (2 District), Case no. 2D05-5408, 22 November 2005, judicial opinion available at Florida Second District Court of Appeal, http://www.2dca.org/ Opinions. The disturbing nature of the photographs and further details about the case are discussed in Reporters Committee for Freedom of the Press, Crime scene, autopsy photos must be shown to media, 1 December 2005, News media update, http://www.rcfp.org/news/2005/1201-sct-crimes.html, accessed 3 December 2007; 32 Reid v Pierce County, 136 Wn 2d 195, 3 September 1998, judicial opinion available at Municipal Research and Services Center of Washington at http://www.mrsc.org/mc/supreme/archive/136wn2d/136wn2d0195.htm, accessed 3 December 2007. 33 Above n 21, p 49. 34 Information Privacy Act 2000 (Vic) s 29(1)(d). Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 13 potentially ameliorate this issue, despite prevalence in other jurisdictions35 and calls from the Australian Privacy Commissioner.36 54. It is possible that a privacy breach could be deliberately concealed. If the limitation period begins from the ‘date of relevant conduct’ it may leave the individual statute barred from taking action. Such an approach is also consistent with the Limitation of Actions Act 1958 (Vic), where the Act only restricts individuals from taking action in personally injury cases three years from the date ‘on which the person first knows’ that he has suffered injuries and that the injuries were caused by some person.37 19. Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy?38 55. Provisions granting jurisdiction to particular Commonwealth and State or territory courts and tribunals should balance the concepts of appropriateness and accessibility. 56. This may favour an approach which grants jurisdiction to the Federal Magistrates Court (and equivalent State and Territory tribunals) for some matters and others to the Federal Court (and equivalent State or Territory courts) for others, depending on the remedies sought by the plaintiff. HELEN VERSEY Victorian Privacy Commissioner 35 For example, mandatory data breach notification laws exist in 25 US states . See Mark Burdon, Bill Lane and Pual von Nessen, ‘The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments’, Computer Law and Security Review, 26(2) pp 115-129. 36 Asher Moses, ‘Thousands of privacy breaches going unreported’, Sydney Morning Herald, 27 July 2011 available at http://www.smh.com.au/technology/technology-news/thousands-of-privacy-breaches-goingunreported-20110727-1hzes.html, accessed 7 November 2011. 37 See Limitation of Actions Act 1958 (Vic) s 5. 38 This question is usefully considered in light of any answer that may be given to the question asked above (at page 45-46) as to a limitation upon the amount of damages payable for non-economic loss under such a cause of action. Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Page 14