Office of the Victorian Privacy Commissioner
Submission to the Department of
Prime Minister and Cabinet (Cth)
on
A Commonwealth Statutory Cause of Action for
Serious Invasion of Privacy
November 2011
Office of the Victorian Privacy Commissioner (Privacy Victoria)
GPO Box 5057
10-16 Queen Street
Melbourne Victoria 3000
Australia
Phone: 1300-666-444
Fax: +61-3-8619-8700
Email: enquiries@privacy.vic.gov.au
Website: www.privacy.vic.gov.au
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 1
1. Introduction
1. The release of this issues paper, and the public focus on the possibility of a
statutory cause of action for breach of privacy, is both welcomed and long
overdue. The New South Wales Law Reform Commission, the Victorian Law
Reform Commission and the Australian Law Reform Commission previously
all identified and supported the broad issue of a statutory right to privacy.
2. However, the present discussion paper appears to have arisen in the shadow of
the egregious breaches of privacy by News Limited in the United Kingdom. It
is unfortunate that this has occurred, but it is important that the debate
surrounding a statutory cause of action does not overly concentrate on freedom
of the press (although it is an important consideration) nor that the cause of
action be characterised as an attack on the media. While freedom of the press
and expression are important concepts that will need to be considered, it would
be a shame if debate and discussion focussed solely on those concepts to the
exclusion of other important considerations.
1. Do recent developments in technology mean that additional ways of protecting
individuals’ privacy should be considered in Australia?
3. In the last several decades, the privacy landscape has changed fundamentally. The
almost universal and increasing use of the internet and mobile communication devices
present both enormous opportunities and enormous risks.
4. Social networking platforms and the development of “Web 2.0” also enable images
and information to be widely shared and individuals to potentially be tracked and
profiled via their activities: both on and off line.
5. Tracking and surveillance devices are no longer restricted to law enforcement
organisations (as in previous times). The decreasing cost, increasing availability and
increasing ease of use make such devices readily available to individuals. Global
Positioning System (GPS) devices, surveillance cameras, radio-frequency
identification devices (RFID), and smart phone applications which allow location
tracking as well as instant video and camera photography have exploded onto the
scene. Such devices can be efficient, helpful and enjoyable. However, such devices
can be used to invade the privacy of others and with far greater consequences than in
previous times. Where once only the media had the power of mass dissemination of
information, individuals can now instantaneously share information with millions
online. This allows for significant damage to occur – information can be disclosed
about an individual by an individual and published to the world. It may be almost
impossible to retrieve or remove this information.
6. The Office of the Victorian Privacy Commissioner receives hundreds of enquiries
each year from individual members of the public concerned about interferences with
their spatial privacy and personal information by other individuals.
7. Currently, the scope for legal redress for such interferences with privacy is extremely
limited and unclear. In Victoria, the Surveillance Devices Act 1999 (Vic) offers some
protection against unauthorised surveillance of individuals. However, the Act contains
only offences for prohibited conduct and does not provide remedies to individuals
who have suffered breaches of their privacy. Additionally, prosecutions for offences
under the Surveillance Devices Act are relatively rare and require an individual
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 2
satisfying the relevant authority (Victoria Police) to take action. Reliance on other
legal actions are possibilities (as discussed below) but will generally require
individuals to obtain legal assistance.
2. Is there a need for a cause of action for serious invasion of privacy in Australia?
Existing privacy laws are inadequate and contain gaps
8. Commonwealth and State/Territory privacy legislation seeks to protect personal
information held and handled by public and private sector organisations. The Privacy
Act 1998 (Cth) was enacted more than two decades ago, since when there has been a
technological revolution. The Privacy Act regulates information held by the
Commonwealth public sector, as well as some private sector organisations and credit
providers.1
9. In Victoria, in the absence of any conflicting laws, the Information Privacy Act 2000
(Vic) regulates all Victorian public sector organisations as well as service providers
acting under a Victorian public sector contract.2 Additionally, the Victorian Charter
of Human Rights and Responsibilities Act 2006 (Vic) requires public authorities to act
in ways compatible with the rights contained in the charter, which includes a right to
privacy.3 Most other Australian jurisdictions have similar privacy obligations
enshrined in legislation or an administrative system of privacy protection.4
10. Laws relating to defamation, telecommunications, breach of confidence, nuisance and
trespass offer some privacy protections. However, significant gaps remain – in both
the scope and coverage of privacy protection. Of most significance are exemptions for
employee records and ‘small’ businesses in the private sector.
11. The Victorian Law Reform Commission (VLRC) found ‘significant’ gaps in the
protection of privacy in the workplace.5 Employee records are specifically excluded
from the private sector provisions in the federal Privacy Act.6 Such records,
particularly of large corporate employers, contain vast amounts of employee personal
information, often sensitive, and such information remains unprotected under privacy
legislation.7 There appears to be no rationale to justify this lack of protection.
12. ‘Small’ businesses, defined as businesses with an annual turnover of less than $3
million, are exempt from the application of the Privacy Act.8 This means smaller
businesses (which may hold significant personal information) need not comply with
privacy principles, and the protection of personal information collected and held is at
the whim of each small business.
1
But only organisations with over $3m annual turnover, See Privacy Act 1998 (Cth) s.6D and for credit
providers, Part IIIA
2
Information Privacy Act 2000 (Vic), s 9.
3
Charter of Human Rights and Responsibilities Act 2006 (Vic), s 13.
4
Privacy and Personal Information Protection Act 1998 (NSW), Information Act (NT), Personal Information
Protection Act 2004 (Tas), Information Privacy Act 2009 (Qld); See Privacy Victoria, Privacy Regulation
across Australia, as 5 November 2009, available at
www.privacy.vic.gov.au/privacy/web.nsf/content/information+sheets.
5
Victorian Law Reform Commission, Workplace Privacy Final Report, Report No 159 (2005) [1.25]
6
However, as the Information Privacy Act 2000 (Vic) contains no similar exemption, employee records are
protected in the Victorian public sector.
7
Privacy Act 1988 (Cth), s 7B(3).
8
Privacy Act 1988 (Cth), s 6D.
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 3
13. The Australian Law Reform Commission (ALRC) estimated that 94% of Australian
businesses fall under the ‘small business’ definition, meaning the exemption provides
a significant gap in the protection of privacy within Australia.9 The ALRC has
recommended closure of both of the above gaps and the adoption of consistent,
uniform privacy regulation.10 I support this recommendation.
14. Technological developments (such as those discussed above) mean that even a fairly
“minor” breach by way of disclosure or failure to secure personal information by
employers or small businesses can have major consequences for the individuals
affected. Conversely, the development of sophisticated and relatively inexpensive
technology to secure information and control access to it has reduced the compliance
burden, which the small business exemption in particular was expressed to be
intended to avoid.
15. Enhancement and expansion of existing privacy laws, to close exemptions and to
ensure more organisations and individuals are covered, will substantially reduce the
threats to personal privacy posed by technological change.
Privacy laws only deal with ‘information privacy’
16. It should be remembered, however, that existing privacy laws (such as the Privacy Act
1998 (Cth) and Information Privacy Act 2000 (Vic)) deal only with ‘information
privacy’ – the control of the collection and handling of personal information about an
individual. Privacy, as a concept, is far wider encompassing matters such as bodily,
locational, territorial and communications privacy. Even extension and expansion of
existing privacy laws will be inadequate as their information focus does not allow for
protection of other types of privacy. Breaches of these ‘other’ types of privacy can
occur by an organisation even if they are subject to privacy laws, such as excessive
search powers. A clear example of this point can be found in Wainwright v the United
Kingdom11. In that case, the applicants (the Wainwrights) were strip-searched when
seeking to visit their son in prison. The search of the Wainwrights was incredibly
invasive, including examination of sexual organs. It left both feeling threatened by
searching officers and concerned they would not be permitted to visit their son, and
was found to cause post-traumatic stress disorder. The UK House of Lords dismissed
appeals made by the Applicants.12 The ECHR found a violation of Article 8 (Respect
for private life) of the Convention for the Protection of Human Rights and
Fundamental Freedoms and awarded compensation on that basis.
17. It is important to craft a statutory cause of action which would conceivably cover such
cases which fall outside the operation of existing privacy laws.
Inadequacy of existing causes of action
18. Whilst the current legislative provisions provide limited protection of privacy with
respect to the public sector and large corporations, individuals acting in their own
capacity have no obligations under any Australian privacy legislation. Other common
law actions (defamation, breach of confidence, nuisance and trespass) 13 and some
9
ALRC, For Your Information: Australian Privacy Law And Practice, Report No 108 (2008), Para 39.21.
Ibid, Rec 3.1.
11
Case of Wainwright v The United Kingdom (Application no. 12350/04) Eur Court HR, Fourth Section (2006)
12
Wainwright and another (Apellants) v Home Office (Respondents) [2003] UKHL 53.
13
Office of the Victorian Privacy Commissioner, Submission to the Victorian Human Rights Consultation
Committee on its inquiry into ‘A Charter of Human Rights for Victoria’, (2005), paras 55 & 56, available at
www.privacy.vic.gov.au/privacy/web.nsf/content/submissions
10
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 4
criminal actions (stalking, harassment) may be used to partially protect privacy rights,
but the ability of the common law or equity to address such action is limited.14
19. There may be an argument that these other causes of action already ‘cover the field’
and therefore there is little need for a separate statutory tort. However, there are
significant problems with relying on the existing legal actions. Use of other common
law and criminal actions are often an awkward fit, predominantly attempting to
protect and preserve other interests and protecting privacy as a side benefit. Also,
existing torts may be rendered ineffective due to technological developments; the
Court of Appeal of New Zealand acknowledged the limitations of trespass in
protecting privacy, arguing:
‘Trespass may be of limited value as an action to protect against information obtained
surreptitiously...long lens photography, auto surveillance and video surveillance now mean
that intrusion is possible without a trespass being committed’. 15
20. Criminal laws may provide some assistance in telecommunications and surveillancetype privacy invasions, but will fail to compensate those who have suffered damage or
loss due to the conduct. There is a significant problem of accessibility - attempting to
use existing actions hampers access to the law. It requires an individual retaining a
lawyer who is able and willing to try and ‘fit’ existing causes of action to the conduct
in question.
21. Often this attempted ‘fit’ may result in odd outcomes. For example, in Giller v
Procopets [2004] VSC 113, Gillard J found a breach of confidence (where a
Defendant videotaped sexual encounters with the Plaintiff and subsequently
distributed the video) but then declined to award damages (mainly due to issues about
the jurisdictional basis for awarding damages).16 This can be contrasted with the
outcome in Grosse v Purvis [2003] QDC 151 where a Queensland judge awarded
$178,000.00 after finding a breach of privacy (and formulating a test for it). However,
this proposition remains untested at higher courts.
22. The ALRC, VLRC and the New South Wales Law Reform Commission (NSWLRC)
have all recommended establishment of a statutory cause of action for breach of
privacy. A statutory cause of action would confer privacy obligations on individuals
and expand the protection of privacy within Australia, giving certainty to all.
23. The Office of the Victorian Privacy Commissioner often receives enquiries from
individual members of the public concerned about invasions of their privacy by other
individuals. Very often, there are simply no legal or other remedies to address their
concerns.
3.
Should any cause of action for serious invasion of privacy be created by statute or be left
to development at common law?
14
E.g. in Giller v Procopets, [2004] VSC 113, [2008] VSCA 236, where Gillard J of the Victorian Supreme
Court held that the plaintiff was not entitled to recover damages for mental distress in relation to a breach of
confidence. The decision was overturned on appeal. The Court of Appeal awarded substantial damages for
breach of confidence, but the Court declined to make any findings as to the existence of an equitable or common
law right to privacy.
15
Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03, per Gault P and Blanchard J at 116.
16
Ibid, and see David Lindsay, ‘Casenote: Giller v Procopets – Distress but no damages’ (2004) Privacy Law
and Policy Reporter 41.
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 5
24. Relying on the courts to recognise a cause of action for privacy may not be the best
approach, given the inherent limitations associated with the courts only being able to
consider particular matters brought before them by parties resourced to access justice
at the requisite level. In addition, the courts would be limited by existing remedies
developed within the common law or equity.17
25. Legislators have a better opportunity to craft a cause of action that is more precisely
targeted and which takes into account competing public interests. Moreover,
protection of a fundamental human right such as privacy should not be dependent on
the efforts of a particularly persistent and well resourced plaintiff to definitively
establish the existence of a cause of action.
20. The creation of a statutory cause of action would be the best way of providing redress
for these types of interferences with personal privacy.
21. One of the most significant points of difference between other jurisdictions and
Australia in this area is that there is an inbuilt balance between the right to privacy
and the right to freedom of expression, by virtue of the existence of enforceable
human rights charters or bills in these other countries.
22. This means that, were enforceable privacy rights to be recognised by Australian courts
in Australia in isolation, there would be no countervailing right to freedom of
expression or communication to balance them against.
23. This is one of the most compelling reasons for choosing a statutory cause of action
over one that is developed solely by the courts. In the absence of any express
recognition of other human rights and freedoms, it will be open to the Australian
courts to develop a new cause of action which remedies any harm caused by an
invasion of privacy as a tort, an extension of the law of confidence or under some
other branch of law or equity, with little, if any, consideration of freedom of
expression.
24. The media in Australia is already subject to laws limiting the collection and
publication of personal information. It is not surprising that media organisations are
alarmed at another proposed law which they see as limiting freedom of expression,
and in particular fettering the media’s ability to report. However, Australian courts
have already shown a readiness to acknowledge the development of a need for a
common law action for breach of privacy, and in some cases, as in Jane Doe v ABC18
found such a cause of action to exist. They are supported in this by persuasive
authority in other jurisdictions.
25. The current common law development is extremely slow, piecemeal and is likely to
vary from State to State. It is now over 10 years since the High Court in Lenah Game
Meats19 made obiter comments surrounding the establishment of a tort of privacy and
yet little progress has been made. Waiting on the courts to be presented with a case
which permits a sufficiently senior court to make binding comments could take some
time.
26. If it is inevitable that the law will continue to develop in the direction of a common
law right of action for privacy (which appears to be occurring), it would be better for
there to be a federal statutory cause of action, to provide clarity and consistency.
27. Any legislation creating an actionable right to privacy should also expressly require
courts to balance privacy rights with freedom of expression and communication.
17
Above n 15.
Jane Doe v Australian Broadcasting Corporation [2007] VCC 281.
19
ABC v Lenah Game Meats Pty Ltd (2001) 185 ALR 1.
18
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 6
4.
Is ‘highly offensive’ an appropriate standard for a cause of action relating to serious
invasions of privacy?
5.
Should the balancing of interests in any proposed cause of action be integrated into the
cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)?
Highly offensive to a person of reasonable sensibilities
28. I agree that, in order to establish liability, a plaintiff should be required to show that in
all the circumstances, there is a reasonable expectation of privacy. In addition, there
needs to be some threshold level of seriousness, to ensure that trivial matters are not
pursued unnecessarily.
29. In my view, the formulation used by Gleeson CJ in Lenah Game Meats and
recommended by the ALRC, being ‘highly offensive to a reasonable person of
ordinary sensibilities’20 is a good starting point. However, I question whether the
requirement of ‘highly’ is overly restrictive and a high bar for a plaintiff to prove,
given the nature of any proposed cause of action. A statutory cause of action should
protect against offensive behavior. Questions as to the degree and level of intrusion
and whether the intrusion was highly offensive or simply offensive may be better
considered in terms of the damaged suffered and whether exemplary damages could
be warranted.
The question of harm
30. I note that the New Zealand Privacy Act 1993 (NZ) requires individuals to provide
some loss, detriment or damage or injury before making a complaint under the Act.21
One potential option would be to reduce the requirement that an intrusion be ‘highly
offensive’ (down to simply ‘offensive’) but require a potential plaintiff to show some
type of damage or distress as a result of the conduct.
31. I note that the ALRC was concerned that the cause of action should only ‘succeed
where the defendant’s conduct is thoroughly inappropriate and the complainant
suffered serious harm as a result.’22 The potential option (of removing ‘highly’ from
the offensive test) but introducing a requirement to show loss or damage may be a
better method of approach. It would reduce the potential for frivolous claims but
would not eliminate a cause of action for individuals who have suffered offensive
conduct and suffered loss and damage. It would seem a strange situation in law that a
court may find a reasonable expectation of privacy, offensive conduct to have
occurred and loss and damage to have been suffered but declined to find a breach as
the offensiveness was not ‘high enough’.
32. However, I would recommend that humiliation and injury to feelings should be
recognised as a legitimate grounding for complaint, as it is a common reaction to a
privacy intrusion and would be consistent with existing privacy legislation.23
20
Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, at para 42.
Privacy Act 1993 (NZ) s 66.
22
Department of Prime Minister and Cabinet, ‘Issues Paper – A Commonwealth Statutory Cause of Action for
Serious Invasion of Privacy, September 2011, p 33.
23
See Information Privacy Act 2000 (Vic) s 43, where the Act specifically permits VCAT to award
compensation for injury to feelings and humiliation suffered by a Complainant by reason of the act of practice
the subject of the complaint. See also Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03
21
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 7
Balancing other interests against privacy – element or defence?
33. Privacy naturally requires balancing against other and potentially competing public
interests. The issues paper questions whether this should be ‘integrated with the cause
of action’ or a ‘public interest defence’. I would strongly support the approach of the
VLRC. This approach would not impose a negative onus of proof on a complainant
or plaintiff, to prove that there is no countervailing public interest to justify the
“seriously offensive” invasion of his or her “reasonably expected” privacy. Rather,
the onus should fall on the respondent to show that his or her conduct is justified by
the public interest.
34. It would seem peculiar for a plaintiff to be required to plead not only the elements of a
cause of action, but also to negate a public interest argument at that stage. A plaintiff
would be unlikely to be in the position to be able to determine at such an early stage
what (if any) public interest arguments a defendant may raise. Rather, it would seem
appropriate for the defendant (who would presumably have knowledge and evidence
of the public interest in question) to plead such a matter in defence. An approach
requiring a plaintiff to not only plead his or her action, but also predict and negate
hypothetical public interest arguments, would be onerous and out of step with other
similar torts, such as breach of confidence.24
6.
How best could a statutory cause of action recognise the public interest in freedom of
expression?
35. It is essential that the balancing of competing rights and interests be effectively built
into any statute establishing a cause of action.
36. As pointed out above, this is necessitated by the absence of any general recognition in
Australian law, either statutorily or constitutionally, of a fundamental set of rights and
responsibilities which would ideally form the context in all judicial and other
consideration of human rights and civil liberties.
37. Of course, it is open to the Commonwealth Parliament to legislate to recognise a right
to freedom of expression or communication.
38. While the best way for a statutory cause of action to recognise the public interest in
freedom of expression would be for such an interest to be seperately recognised as a
right, an alternative method is to legislate to protect privacy only, but with a robust
defences provision, which would allow the respondent to argue the countervailing
public interest in freedom of expression.
39. As a practical matter, it would seem very difficult to require the balancing of rights
and interests as a threshold step in deciding whether or not a cause of action exists. If
the balancing of rights was a threshold step rather than defence, it would require
extensive discussion (as to whether or not freedom of expression was a relevant
which stated that ‘the harm to be protected against is in the nature of humiliation and distress’ (Gault P and
Blanchard J, at 128).
24
For example, an action in breach of confidence requires, in summary, three elements (information with a
necessary quality of confidence, communicated in circumstances importing and obligation of confidence, and an
unauthorised use or disclosure of the information (Coco v AN Clark (Engineers) Ltd [1969] RPC 41. A public
interest argument is generally considered a ‘defence’ (see NSWLRC, Consultation Paper 1 (2007) – Invasion of
Privacy, at 3.5.
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 8
countervailing right) at a preliminary stage of any case. It would also require a
plaintiff to attempt to anticipate a defence of freedom of expression. Requiring a court
to deal with all potential public interests before a cause of action is even on foot
would be highly complex. Additionally, in many cases (such as an individual taking
action against another individual) public interest arguments such as freedom of
expression may be irrelevant or non-applicable.
40. A better approach would appear to be that the two requirements discussed above (a
reasonable expectation of privacy on the part of the claimant and an objective level of
seriousness or offensiveness) would need to be established as threshold tests, then the
respondent would be able to raise any defences, as set out in the statute. Defences
should obviously include public interest arguments such as freedom of expression.
This would then allow the court or tribunal hearing the matter to weigh the competing
interests against each other in deciding whether or not an interference with privacy
warranting remedy has occurred.
7.
Is the inclusion of ‘intentional’ or ‘reckless’ as fault elements for any proposed cause of
action appropriate, or should it contain different requirements as to fault?
41. I support the approach of the VLRC with regard to the requirement for a “fault”
element in any cause of action.25 While most invasions of privacy that are serious
enough to meet an objective test of being “highly offensive” (as discussed above) will
be either intentional or reckless, it is conceivable that such offence could arise from
an extreme example of negligence. The law already recognises this in a range of
contexts, even extending to criminal offences, such as negligent manslaughter.
Additionally, existing privacy legislation does not require fault elements in privacy
matters.
8.
Should any legislation allow for the consideration of other relevant matters, and, if so, is
the list of matters proposed by the NSWLRC necessary and sufficient?
42. While a non-exhaustive list of matters to be considered by a court can be of assistance
in clarifying the parameters of a cause of action, the danger with such a list, even
where it is expressed to be non-exhaustive, is that it may artificially limit the matters
that future courts consider when presented with unforeseen fact situations. This could
therefore limit the availability of redress for even very serious and offensive invasions
of privacy.
9.
25
Should a non-exhaustive list of activities which could constitute an invasion of privacy be
included in the legislation creating a statutory cause of action, or in other explanatory
material? If a list were to be included, should any changes be made to the list proposed by
the ALRC?
VLRC Report at 152 [para 7.148].
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 9
39. Similarly, a list of activities which could constitute an invasion of privacy, even if
expressed to be non-exhaustive, could run the risk of limiting the availability of the
cause of action by limiting its scope. This is particularly so in the current context of
rapid technological and social change. For example, the use of social media or tablet
devices in order to invade an individual’s privacy would not have been contemplated
as recently as 2008, when the ALRC published its report and proposed its list.26
10.
What should be included as defences to any proposed cause of action?
40. As a minimum, I support the inclusion of the defences proposed by the ALRC,
namely that the:
a. Act or conduct was incidental to exercise of a lawful right of defence of
person or property;
b. Act or conduct was required or authorised by or under law; or
c. Publication of the information was, under the law of defamation, privileged.
41. I also support the inclusion of consent as a formal defence, rather than requiring a
consideration of consent as part of considering whether or not there was a reasonable
expectation of privacy as an element in the cause of action. I would recommend that
consent be narrowly construed as express only, particularly as the individual would be
consenting to what otherwise would be offensive (or highly offensive) conduct.
42. As in the discussion of the public interest above, requiring the complainant or plaintiff
to demonstrate that he or she had not consented to the conduct complained of would
impose a negative onus of proof on the plaintiff.
43. I would also support the inclusion of a defence of “legitimate public concern”,
encompassing the right to freedom of expression, as formulated by the New Zealand
Court of Appeal in Hosking v Runting.27
11.
Should particular organisations or types of organisations be excluded from the ambit of
any proposed cause of action, or should defences be used to restrict its application?
43. I support the position of the ALRC, VLRC, and NSWLRC that there should be no
blanket exemption provisions for any particular organisations, type of organisations or
individuals. Rather, the defence provisions should be drafted in a robust enough
fashion to allow activities such as law enforcement, national security, journalism and
artistic expression in the public interest to be conducted.
26
ALRC Report at 2565.
Hosking v Runting and Pacific Magazines NZ Ltd [2004] CA 101-03, although it should be noted that the
Court considered it ultimately ‘unnecessary to consider whether the respondents could rely on a defence that
there is a legitimate public concern in publishing the photographs’ [171].
27
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 10
12.
Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate
to, the proposed cause of action?
44. I support the inclusion of a broad range of flexible and adaptable remedies, as
recommended by the ALRC.28 However, I would question why the possibility of
exemplary damages has been excluded. A court of competent jurisdiction should be
able to award exemplary or punitive damages for intentional, deliberate or particularly
egregious breaches of privacy should it see fit. In Grosse v Purvis, Skoien SDJC
awarded aggravated compensatory damages and exemplary damages for a breach of
privacy. Secondly, the High Court confirmed the possibility of exemplary damages in
negligence where a defendant ‘can be shown to have acted consciously in
contumelious disregard of the rights of the plaintiff’.29 Fettering a court’s discretion to
exclude the possibility of exemplary damages appears unnecessary.
13.
Should the legislation prescribe a maximum award of damages for non-economic loss, and
if so, what should that limit be?
45. In principle, the award of damages should reflect the injurious effect caused to the
plaintiff by the invasion of privacy complained of. I agree with the VLRC that, given
the relatively modest amounts of damages awarded in privacy and confidentiality
matters to date, a cap on damages would seem to be unnecessary.
46. Additionally, a cap on damages can cause a perverse outcome should a significant
non-economic loss exceed any statutory cap. For example, in NK v Northern Sydney
Central Coast Area Health Service, Judicial Member Montgomery of the New South
Wales Administrative Decisions Tribunal awarded a complainant the statutorily
maximum of $40,000.00 compensation for various breaches of the Privacy and
Personal Information Protection Act 1997 (NSW) and the Health Records and
Information Privacy Act 2002 (NSW). The Complainant in that case was so affected
by the breaches of privacy that he attempted suicide. However, the Tribunal noted
‘It is my view that NK is entitled to the maximum amount that can be awarded under the
applicable legislation. He is entitled to compensatory damages as a step towards restoring him
to the position that he would have been in but for the breaches.
However, I also note my view NK can never be adequately compensated for the loss that he
has suffered....the amout that can be awarded is restricted to an amount that is lower than what
might have otherwise been awarded’30
47. However, I acknowledge the point made in the Discussion Paper concerning the limit
placed on actions under defamation by the Defamation Act 2005 (Cth) and the
possibility of forum shopping if there is no limit set for a statutory cause of action in
privacy. For that reason, any limit imposed should be neither more nor less than that
under defamation law.
28
ALRC Report, rec 74-5.
Gray v Motor Accident Commission (1999) Aust Torts Reports 81-494 per Gleeson CJ, McHugh, Gummow
and Hayne JJ at 65,505.
30
NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81.
29
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 11
14.
Should any proposed cause of action require proof of damage? If so, how should damage
be defined for the purposes of the cause of action?
48. Proof of damage should constitute an element of the cause of action (as discussed
above) in order to limit frivolous claims. It would clearly be relevant where the
plaintiff is claiming monetary compensation by way of damages. However, plaintiffs
should not be called upon to prove damage as a threshold issue, given the nature of
the interest that is sought to be protected by the cause of action. It should be sufficient
that the plaintiff had a legitimate expectation of privacy in the circumstances and the
conduct complained of would be offensive to a reasonable person.
49. As discussed above, injury to feelings or humiliation should be specified as a type of
relevant damage, as is recognised by existing privacy laws.
15.
Should any proposed cause of action also allow for an offer of amends process?
50. Given the complicated nature of privacy rights and the fact that ‘damage’ – and thus
‘compensation’ – is often difficult to formulate and quantify, provision for an offer of
amends process would be sensible. Additionally, an individual who has had their
privacy breached may be reluctant to take action in an open court as subsequent
publicly could further compound the issue. The importance of court-based alternative
dispute resolution processes to encourage parties to resolve disputes before litigation
commenced should not be overlooked.
51. In my experience, many complainants who are aggrieved by an invasion of their
privacy by a Victorian public sector organisation are most concerned that the
organisation acknowledges its actions and the effect they have had on the complainant
and apologises and/or undertakes to take steps to avoid similar transgressions in the
future. This is likely to equally apply to breaches by individuals.
16.
Should any proposed cause of action be restricted to natural persons?
52. I support the view expressed by the High Court in Lenah Game Meats and by the
ALRC, NSWLRC and VLRC that privacy laws form part of human rights protections
and should only apply to natural persons.
17.
Should any proposed cause of action be restricted to living persons?
51. Neither the Privacy Act 1988 (Cth) nor the Information Privacy Act 2000 (Vic) offer any
protection for the collection and handling of personal information relating to deceased
persons. The Health Records Act 2001 (Vic), however, does.
52. Notwithstanding this and the views expressed by the ALRC, NSWLRC and the VLRC, I
support the extension of privacy protection to deceased persons, for the following
reasons:
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 12






18.
A cause of action for privacy breaches may be more comparable to equitable actions
like breach of confidentiality than to actions such as defamation. While a right to
recover damages for defamation ceases upon death, a duty of confidentiality can
persist after death.
Special sensitivities may arise when disclosing information about deceased persons to
the world at large, as is recognised in many Indigenous cultures.
Protecting information privacy after death may affect how people act during their
lifetime. Individuals may be less inclined to reveal their information, particularly
sensitive or intimate details, if they are concerned that those details might be revealed
or otherwise used as soon as they die.
There are a number of overseas cases giving rise to community debate about the
handling of personal information after a person has died, or in respect of a deceased
person. These include requests by the press for autopsy photographs of child victims
of sexual and violent crime31 and the collection by coronial staff of autopsy
photographs of famous and gruesome cases which were used to create personal
scrapbooks and to show at cocktail parties.32 In this latter case, the court recognised a
privacy interest which was grounded in maintaining the dignity of the deceased.
Disclosure of a deceased person’s information may impact the living. A disclosure
may cause distress to the survivors and records relating to the deceased individual
may contain details of the living, as in the case of coronial records. The information
relating to the deceased individual may also be about a group or family, as is
particularly the case with genetic data.
Ready access to a deceased person’s biographical and other data may facilitate the
creation of fraudulent or stolen identities.
Within what period, and from what date, should an action for serious invasion of privacy be
required to be commenced?
53. For reasons of consistency with other areas of law, I support the three year limitation
period proposed by the VLRC. However, the issues paper states that the limitation
period should be ‘from the date of the relevant conduct.’33 This could potentially pose
a problem where an individual only becomes aware of the relevant conduct sometime
later. For example, the Victorian Information Privacy Act only contains restrictions on
bringing complaints when the complaint ‘was made more than 45 days after the
complainant became aware of the act or practice’34 (my emphasis). It is possible that
an individual could suffer a breach of their privacy but be unaware until sometime
later, particularly as the privacy breach could be deliberately concealed. I note that
Australia still does not have mandatory breach notification laws, which could
31
nd
Sarasota Herald-Tribune v. Florida, District Court of Appeal of Florida (2 District), Case no. 2D05-5408,
22 November 2005, judicial opinion available at Florida Second District Court of Appeal, http://www.2dca.org/
Opinions. The disturbing nature of the photographs and further details about the case are discussed in Reporters
Committee for Freedom of the Press, Crime scene, autopsy photos must be shown to media, 1 December 2005,
News media update, http://www.rcfp.org/news/2005/1201-sct-crimes.html, accessed 3 December 2007;
32
Reid v Pierce County, 136 Wn 2d 195, 3 September 1998, judicial opinion available at Municipal Research
and Services Center of Washington at http://www.mrsc.org/mc/supreme/archive/136wn2d/136wn2d0195.htm,
accessed 3 December 2007.
33
Above n 21, p 49.
34
Information Privacy Act 2000 (Vic) s 29(1)(d).
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 13
potentially ameliorate this issue, despite prevalence in other jurisdictions35 and calls
from the Australian Privacy Commissioner.36
54. It is possible that a privacy breach could be deliberately concealed. If the limitation
period begins from the ‘date of relevant conduct’ it may leave the individual statute
barred from taking action. Such an approach is also consistent with the Limitation of
Actions Act 1958 (Vic), where the Act only restricts individuals from taking action in
personally injury cases three years from the date ‘on which the person first knows’
that he has suffered injuries and that the injuries were caused by some person.37
19.
Which forums should have jurisdiction to hear and determine claims made for serious
invasion of privacy?38
55. Provisions granting jurisdiction to particular Commonwealth and State or territory courts
and tribunals should balance the concepts of appropriateness and accessibility.
56. This may favour an approach which grants jurisdiction to the Federal Magistrates Court
(and equivalent State and Territory tribunals) for some matters and others to the Federal
Court (and equivalent State or Territory courts) for others, depending on the remedies
sought by the plaintiff.
HELEN VERSEY
Victorian Privacy Commissioner
35
For example, mandatory data breach notification laws exist in 25 US states . See Mark Burdon, Bill Lane and
Pual von Nessen, ‘The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal
Developments’, Computer Law and Security Review, 26(2) pp 115-129.
36
Asher Moses, ‘Thousands of privacy breaches going unreported’, Sydney Morning Herald, 27 July 2011
available at http://www.smh.com.au/technology/technology-news/thousands-of-privacy-breaches-goingunreported-20110727-1hzes.html, accessed 7 November 2011.
37
See Limitation of Actions Act 1958 (Vic) s 5.
38
This question is usefully considered in light of any answer that may be given to the question asked above (at
page 45-46) as to a limitation upon the amount of damages payable for non-economic loss under such a cause of
action.
Privacy Victoria – Submission to Department of Prime Minister and Cabinet on a
Commonwealth Statutory Cause of Action for Serious Invasion of Privacy
Page 14