Privacy reforms: a closer look at the proposed statutory tort of invasion of privacy

Currently, there is no statutory recourse for individuals whose privacy has been invaded in circumstances which fall outside the scope the existing protections afforded by the Privacy Act 1988 (Cth)and the Australian Privacy Principles (APPs); such circumstances could include, by way of example, unsolicited filming or surveillance in places where there is a reasonable expectation of privacy, recording private conversations without consent, or disclosing sensitive facts relating to an individual’s private life.

Similarly, the Australian common law has not yet developed a tort of privacy, although the High Court of Australia left this possibility open (in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] 208 CLR 199 and Smethurst v Commissioner of Police [2020] HCA 14).

Elements of the proposed cause of action

The Privacy and Other Legislation Amendment Bill 2024, if passed, would introduce a cause of action, which would allow individuals to seek redress for serious invasions of their privacy. The statutory tort has been under consideration for some time, and the form adopted by the Bill largely mirrors the model proposed by the Australian Law Reform Commission in 2014, in its report, Serious Invasions of Privacy in the Digital Era Final Report June 2014 (ALRC Report 123). Given the apparent similarity between the model proposed in the Bill and the 2014 Report, discussion of the various elements of the proposed cause of action in the 2014 Report remain useful in understanding how the Bill might operate in practice. Under this proposed model, to successfully sue for a serious invasion of privacy, a plaintiff must establish the following, in relation to the alleged invasion of privacy:

(a) The invasion of privacy must be either by:

(i) intrusion into seclusion; or

(ii) misuse of information that relates to the plaintiff.

(b) That a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances.

(c) The invasion of privacy must have been committed intentionally or recklessly.

(d) The invasion of privacy must be ‘serious’.

(e) If the defendant argues that there was public interest in the relevant act said to amount to the invasion of privacy, the plaintiff must establish that the public interest was outweighed by the public interest in protecting the plaintiff’s privacy.

Further, the invasion need not cause actual damage (that is, an invasion will be actionable without proof of damage), and damages for emotional distress may be awarded.

What is “intrusion into seclusion”?

The Explanatory Memorandum for the Bill explains that:

Intruding upon the seclusion of an individual includes (but is not limited to) physical intrusions and watching, listening to or recording an individual’s private activities or affairs. It includes situations where no further action is taken beyond the physical intrusion. For example an intrusion upon seclusion could occur where a person spies on the plaintiff in their home. It is not required that any information be shared about the plaintiff for them to be able to establish an intrusion into their seclusion.

The circumstances in which an intrusion into seclusion might be found, are potentially very broad, although the 2014 Report noted that it is important not to look at the elements in isolation. For example, to have an action, the plaintiff must also have a reasonable expectation of privacy (discussed below).

What constitutes “misuse of information that relates to the plaintiff”?

Similarly to an intrusion into seclusion, the act of “misusing information” is intended to encompass a broad range of activities. The Explanatory Memorandum for the Bill states that:

Maliciously releasing an individual’s information online without their consent (doxing) may amount to a misuse of information. Storing, interfering with or modifying information could also be ways in which information may be misused.

Importantly, the concept of ‘information that relates to a plaintiff’ under the Bill is broader than the protection against [misuse of] ‘private information’, proposed in the 2014 Report. This broader concept will likely allow the tort to capture acts involving information that is not necessarily ‘private’ but where the use of that information constitutes an invasion of privacy; however, it is assumed that what constitutes ‘information that relates to a plaintiff’, will be a concept that is developed and refined by the courts.

It is also important to note that the definition of “Personal Information” in the Privacy Act is irrelevant for the purposes of this aspect of the proposed cause of action. Indeed, the part of the Bill that provides for the tort is intended to be treated as a set of stand-alone provisions independent from the Privacy Act.

Recklessness not negligence

As set out above, the relevant invasion of privacy must have been intentional or reckless in the circumstances ‘Recklessness’ in this context has the same meaning as in the Criminal Code 1995 (Cth), which provides as follows:

 

5.4 Recklessness

(1) A person is reckless with respect to a circumstance if:

(a) he or she is aware of a substantial risk that the circumstance exists or will exist; and

(b) having regard to the circumstances known to him or her, it is unjustifiable to take the risk.

(2) A person is reckless with respect to a result if:

(a) he or she is aware of a substantial risk that the result will occur; and

(b) having regard to the circumstances known to him or her, it is unjustifiable to take the risk.

(3) The question whether taking a risk is unjustifiable is one of fact.

(4) If recklessness is a fault element for a physical element of an offence, proof of intention, knowledge or recklessness will satisfy that fault element.

Therefore, in practice, a plaintiff would be required to establish that the relevant defendant, with respect to having allegedly committed a serious breach of privacy:

• was aware that their conduct created a risk of a serious invasion of privacy;
• (b) it was not justifiable to take such a risk; and
• (c) in disregard of that risk, engaged in the relevant conduct.

Importantly, mere negligence will not be sufficient to bring a claim under the tort. However, a cause of action in negligence may still be available to a plaintiff in circumstances where that plaintiff can demonstrate that there was a duty of care in its relationship with the defendant that the defendant breached via the relevant invasion of privacy. This distinction between negligence is of critical importance when considering the potential application of the tort in the context of data storage practices and data breaches (see below).

Seriousness

The proposed tort guards against the litigation of trivial claims through the requirement that the invasion of privacy be serious. The Explanatory Memorandum states:

The assessment is to be made in relation to a person of ordinary sensibilities in the position of the plaintiff, rather than based on the subjective views of the plaintiff. This would distinguish the likely effect of the conduct from the actual effect of the conduct.

It is interesting to compare the test of seriousness proposed in the Bill with that which has been introduced in various Australian jurisdictions over recent years, in respect of defamation. That test, provides that it is an element of the cause of action for defamation that the publication of defamatory matter about a person has caused or is likely to cause, serious harm to the reputation of the person. That inquiry requires proof of serious harm to the reputation of the person. In that context, Courts have determined that serious harm is not to be conflated with hurt to feelings (see Rader v Haines [2022] NSWCA 198, [29]), and the fact that the publisher was motivated by malice is not a factor (see High Quality Jewellers Pty Ltd & Ors v Ramaihi (Ruling) [2022] VCC 2240, [115]).

The test proposed in the Bill in respect of serious invasions of privacy appears to be somewhat different. Distress or harm to dignity is relevant, and the Explanatory Memorandum explains that where the relevant invasion of privacy was motivated by malice, or the defendant knew of the likely offence distress or harm to be caused by the invasion, the invasion of privacy is more likely to be serious.

Public interest test

As set out above, it will be open to a defendant to argue that there was a public interest in the relevant invasion of privacy. In those circumstances, the plaintiff will then need to prove that the public interest asserted by the defendant was outweighed by the public interest in protecting the plaintiff’s privacy.

The Bill sets out a number of non-exhaustive factors that might form the basis of a public interest argument by a defendant. Those factors include freedom of expression (including political communication), freedom of the media, open justice, and public health and safety.

Limitation period and “single publication rule”

Under the Bill, a plaintiff is required to commence an action before the earlier of:

• the day that is one year after the day on which the plaintiff became aware of the invasion of privacy; and
• the date that is three years after the invasion of privacy occurred.

If the plaintiff was under 18 years of age when the relevant invasion of privacy occurred, the limitation period is longer; the plaintiff is entitled to commence proceedings at any point before the plaintiff’s 21st birthday.

A plaintiff can seek to extend the limitation period up to 6 years after the day on which the invasion of privacy occurred. Such an extension will be granted if the court is satisfied that it was “not reasonable in the circumstances” for the plaintiff to have commenced proceedings in accordance with the ordinary limitation periods.

Interestingly, this test echoes the test for extensions of limitation periods in defamation law in jurisdictions where Stage 1 of recent defamation law reforms have not been implemented. The current formulation of the test in those jurisdictions where those reforms have passed is whether it is “just and reasonable to allow an action to proceed” (see for example, Limitation Act 1969 (NSW), s 56A). However, where the reforms have not been implemented, the Court will apply the “not reasonable test”. It remains to be seen whether jurisprudence on the “not reasonable test” (see by way of recent example, Lehrmann v Network Ten Pty Limited (Limitation Extension) [2023] FCA 385) in the context of defamation law will be applied for the purposes of serious invasions of privacy, if the Bill passes.

The Bill also provides for a “single-publication rule”. Again, this is borrowed from defamation law, with some adjustments. As is explained in the Explanatory Memorandum:

The effect of [this rule] is that, where information that is substantially the same is published multiple times by the same publisher, or the publisher’s associate, the date of the first publication would be taken to be the date of the invasion of privacy.

Exemptions

It should be noted that under the proposal in the Bill, virtually anyone can be liable for a serious invasion of privacy. From individuals acting in a personal capacity, to companies undertaking commercial activities, the tort will have wide application. The following however, will be expressly exempt:

• Enforcement bodies, to the extent that the enforcement body reasonably believes that the invasion of privacy is reasonably necessary for one or more activities related to enforcement.
• Intelligence agencies. A disclosure of information to an intelligence agency is also exempt.
• Persons under 18.

Journalists and related individuals would also enjoy an exemption, considered in further detail below.

Defences

Defences to the tort include that:

(a) the invasion of privacy was required or authorised by Australian law or court/tribunal order;

(b) the plaintiff expressly or impliedly consented to the invasion of privacy;

(c) the defendant reasonably believed the invasion of privacy was necessary to prevent or lessen a serious threat to life or safety; and

(d) the invasion of privacy was incidental to the exercise of a lawful right of defence of persons or property and proportionate, necessary and reasonable.

The Bill also proposes that defences of absolute privilege, publication of public documents, and fair reporting, as those defences arise in the context of defamation law, would also be available in answer to a claim for a serious invasion of privacy. Importantly however, the defence of truth is not available where the defendant invaded the plaintiff’s privacy by misusing information.

Remedies

Relevant courts will be empowered to award damages for invasions of privacy. Damages may be awarded for emotional distress, and, in exceptional circumstances, exemplary or punitive damages may be awarded. The Explanatory Memorandum to the Bill says that exemplary damages, for example, might be given where the defendant has attempted to procure financial gain from an intentional invasion of privacy. Damages will be capped at $478,550, which is the maximum amount available under defamation law, and will be indexed each year in line with the indexation of the cap that occurs under defamation law. Aggravated damages are not permitted to be awarded.

Additionally, relevant courts may also grant account of profits, injunctions, apology orders, correction orders, destruction or delivery up of materials, or declaratory relief, however, the court can also grant any other remedies it thinks appropriate in the circumstances.

Guidance from international torts

By introducing this cause of action as a statutory tort, it is the Government’s intention that the tort will be developed by the Courts, who would draw on key concepts from other torts, including privacy torts in other jurisdictions.

Australian Courts might, for example, draw guidance from the United Kingdom’s common law tort in relation to the misuse of private information. The UK tort incorporates similar concepts to the proposed statutory tort, relevantly, that the plaintiff had a reasonable expectation of privacy and that the public interest weighs in favour of protecting the plaintiff’s privacy rather than the disclosure of the information. UK jurisprudence indicates that a “misuse” of private information requires a positive action on behalf of the defendant, such that a company who suffers a cyber attack through which customer data is stolen cannot be liable for misuse of that information (Warren v DSG Retail Ltd [2021] EWHC 2168).

The tort and data breaches

Are victims of data breaches likely to bring a cause of action for a serious invasion of privacy if the reform is passed in its present form? It is difficult to anticipate the potential application of the tort in this context, but the door appears to have been left open. For example, the Explanatory Memorandum says that “storing” information that relates to an individual could constitute “misuse” of personal information. Although on one view, in practice, “misuse” signifies “disclosure” or “publication”, the Explanatory Memorandum makes clear that misuse of information is not limited in this way. In the 2014 Report, the ALRC expressed the view that it was not reasonable to confine “misuse” to disclosure as some other types of misuse of private information may invade a person’s privacy. It may therefore, be theoretically possible for the mere storage of information relating to a person, to be actionable, where a data breach has occurred in relation to that information (though contrast this with the UK position noted above).

The fault threshold is of particular relevance in the context of data breaches. Some data breaches might for instance, arise in circumstances of negligence. Those data breaches would not be actionable. It has been suggested that if negligence is sufficient, this would provide a deterrence effect to ensure higher standards of data storage. In answer to this, the 2014 Report stated that “[t]he ALRC considers that, in general, regulatory responses are a better way to deal with data breaches than a civil action for invasion of privacy.” However, the 2014 Report also says that:

"[I]n many situations involving serious data breaches, for example, the risk may be well-known in the industry so that it may be obvious or provable that the defendant was aware of the risk, providing the basis for a finding of recklessness, or even intent on an imputed basis.”

This might suggest that a cause of action could arise, where the relevant data breach is sufficiently serious.

The tort and the media

As stated above, in simple terms, journalism is exempt from the tort. This is a significant departure from the model proposed in the 2014 Report. The Explanatory Memorandum explains that this exemption is proposed to avoid any ‘chilling effect’ on public interest reporting and states that:

[T]he exemption applies to invasions of privacy by a journalist, the journalist’s employer, or certain persons assisting the journalist, where the invasion involves the collection, preparation for publication or publication of journalistic material.

The tort will not apply to an invasion of privacy to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material by:

• a journalist;
• an employer of a journalist;
• a person assisting a journalist who is employed or engaged by the journalist’s employer;
• a person assisting a journalist in the person’s professional capacity.

A journalist, for the purposes of this provision, is a person who:

• works in a professional capacity as a journalist and
• is subject to :
• (i) standards of professional conduct that apply to journalists; or
• (ii) a code of practice that applies to journalists.

Therefore citizen journalists, and other content creators not operating in a professional journalistic capacity are unlikely to receive the benefit of the journalism exemption. Further, although it can give rise to complexities, in a defamation context, a source can in theory be sued over publications made to a journalist which are then republished by the journalist. It would appear that in such scenarios, the source would not be protected by this exemption, to the extent any such disclosure constituted a serious invasion of privacy.

"Journalistic material" is defined in the Bill as having the character of, or consisting of commentary or opinion on news, current affairs or a documentary. “Commentary or opinion on news”, “current affairs” and “documentary” are not defined. In certain extrinsic contexts, these terms have recognised meanings. For example, a “Current Affairs Program” means “a program focusing on social, economic or political issues of current relevance to the community” under the Free TV Commercial Television Industry Code of Practice. A “Documentary” means “a program that is a creative treatment of actuality other than a news, current affairs, sports coverage, magazine, infotainment or light entertainment program” under the Broadcasting Services (Australian Content and Children’s Television) Standards 2020. The precise meaning of these terms however, in the context of the Bill, will ultimately be determined by the Courts. Nonetheless it is worth noting that there are likely to be many types of media and entertainment content that do not meet the description "journalistic material", for example, sketch comedy. Such content will not likely be protected by the journalism exemption. In such circumstances, defamation defences may assume greater importance in the context of the tort, given the definition of “journalistic material”.

Next steps

On 19 September 2024, the Senate referred the Bill to the Legal and Constitutional Affairs Legislation Committee, for inquiry and report by 14 November 2024. The submissions closing date is 11 October 2024.