Site search

INSIGHT

NSW to go it alone on a tort of privacy?

By Gavin Smith 11 March 2016
Data & Privacy Technology & Outsourcing Technology, Media & Telecommunications

In brief

A New South Wales legislative committee has released a report following an inquiry into remedies for serious invasions of privacy in New South Wales. In an unexpected and controversial move, the report recommends that the NSW Government 'take the lead' by introducing a statutory cause of action for serious invasions of privacy. Partner Gavin Smith and Lawyers William Coote and Laura Bereicua look at the controversial report which, if it were to be enacted, will allow individuals to sue companies for invasions of privacy.

Jump To

  1. Background
  2. Elements of the cause of action
  3. Remedies
  4. Key implications
  5. Next steps

How does it affect you?

  • The proposed cause of action is designed to cover what are described by the Committee as significant gaps in the privacy protection afforded by the existing legal framework.
  • If the cause of action is introduced, persons will be able to bring an action against other individuals or entities that seriously invade their privacy. This is not the case under the current state or Commonwealth privacy legislation. For cases against individuals, the invasion must be intentional or reckless. For cases against governments or corporations, the scope of liability is widened to catch intentional, reckless and negligent invasions.
  • Where proven, entities would be liable to pay damages (including exemplary damages) even if no actual loss has been suffered.
  • For companies, this would constitute a radical change to the privacy law landscape and potentially expose them to class actions by individuals for mishandling of personal information in a manner that is merely negligent.

Background

On 3 March 2016, the New South Wales Legislative Council Standing Committee on Law and Justice (the Standing Committee) released its final report on Remedies for the serious invasion of privacy in New South Wales. The report follows an inquiry into the adequacy of remedies for serious invasions of privacy amidst increasing community concern about the use of technology, in particular the use of social media for abuse, surveillance technologies and 'big data' collection, in ways which intrude upon people's lives.

This report adds to a growing collection of comprehensive reports released by legal bodies over the last decade, which have all supported the introduction of a statutory cause of action for invasions of privacy. In September 2014, Allens reported that the Australian Law Reform Commission (ALRC) had released a report on Serious Invasions of Privacy in the Digital Era, which proposed and comprehensively designed a statutory cause of action for serious invasions of privacy. Eighteen months since the release of that report, the Standing Committee has now recognised that most inquiry participants regard the 2014 ALRC report to be 'well-considered and balanced'. As a result, the Standing Committee has ultimately recommended that any statutory cause of action established by the NSW Government should be based on the model outlined in the ALRC's 2014 report.

Elements of the cause of action

The proposed statutory action for serious invasion of privacy is characterised as an action in tort. By characterising the action in this way, it provides certainty with respect to a number of ancillary matters and allows the application of common law principles settled in analogous tort claims. The proposed cause of action would also align Australia with a number of other jurisdictions (notably, New Zealand and a number of Canadian provinces), which would allow the courts to draw on analogous case law.

The Standing Committee recommends that the following five elements should be required to attract liability:

  • The invasion of privacy must occur by intrusion into the plaintiff's seclusion or private affairs (including by unlawful surveillance) or by misuse or disclosure of private information about the plaintiff.
  • The invasion of privacy must be either intentional or reckless. In relation to what should constitute recklessness, the ALRC recommended that a statutory definition be included, based on the current definition in the Commonwealth Criminal Code. Importantly, although the ALRC chose not to extend the fault element to negligence, the Standing Committee recommends that negligence would suffice in cases against governments and corporations.
  • A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances.
  • The court must consider the invasion of privacy to be 'serious', having regard to, among other things, whether the invasion was likely to be highly offensive, distressing or harmful to a person of ordinary sensibilities in the position of the plaintiff.
  • The court must be satisfied that the public interest in privacy outweighs any countervailing public interest, including the public interest in freedom of expression such as political communication, artistic expression and freedom of the media.

Critically, the Standing Committee recommends that the tort be actionable per se; that is, a plaintiff should not have to prove that they have suffered actual damage in order to bring an action.

Remedies

The Standing Committee makes no specific recommendations on what particular remedies should be awarded to successful plaintiffs. In this respect, the Standing Committee appears to support the remedies recommended by the ALRC. These include, where appropriate:

  • compensatory damages, including damages for the plaintiff's emotional distress;
  • exemplary damages where exceptional circumstances have been proven;
  • account of profits;
  • injunction; and
  • an enforceable undertaking (including a public apology).

The ALRC also recommends that any damages awarded for a serious breach of privacy (other than those for economic loss) should be capped at the same amount for damages for non-economic loss in defamation.

The Standing Committee additionally recommends that the role and powers of the NSW Privacy Commissioner should be increased. Specifically, the Standing Committee recommends that the Commissioner should be able to hear complaints between individuals relating to alleged serious invasions of privacy, and empowered to make determinations that involve non-financial forms of redress, including apologies, take-down orders and cease and desist orders. Where there is a failure to act on these remedies, the Standing Committee recommends that the Commissioner should be empowered to refer such complaints to the NSW Civil and Administrative Tribunal on behalf of the complainant to hear the statutory cause of action.

Key implications

Wider coverage, especially for governments and corporations

This proposal recommends a significant broadening of the scope of coverage and consequences currently provided by existing privacy law in New South Wales. Under the proposed legislation, an individual would have the right to take direct action against the offending entity where there has been a serious breach of privacy. This is significantly wider than the remedies currently available to individuals. At the moment, individuals are limited to submitting complaints to the Office of the Australian Privacy Commissioner (in the case of organisations covered by the Privacy Act 1988 (Cth)) or bringing a case for common law breach of confidence.

As noted above, for the elements of the proposed tort to be met, an individual will have had to either intentionally or recklessly, seriously invaded an individual's privacy. The concept of recklessness sets a higher standard of proof than the concept of negligence. Where a person or company was aware of the consequences of their actions or omissions and nonetheless failed to act to avert those consequences, they would likely be found liable for recklessness.

However, where the case is made against a government or corporation, the Standing Committee has recommended that the fault element should be lowered to encompass negligence. This could result in liability for a very wide range of conduct, including common human errors such as the accidental leak of personal information. This would be a low bar. In this respect, the obligations of organisations under the Privacy Act, and the Office of the Australian Information Commissioner's Guide to Information Security, may provide a useful starting point for companies as to what positive actions might mitigate against any claim of recklessness or negligence.

Sword not a shield

Although the proposed tort is designed to shield individuals' 'right' to privacy, as we noted previously in relation to the ALRC report, there is a significant risk that the tort could be used as a sword by those who wish to conceal information that should legitimately be in the public domain. For example, an individual could seek to use a proposed action to bring an injunction against a media organisation seeking to publish information regarding that person. Any application for a permanent injunction would likely be preceded by an application for an interlocutory injunction to ensure the plaintiff is immediately protected from any imminent disclosure.

Although the Standing Committee provides that the court should weigh an individual's right to privacy against the public interest (which includes the freedom of the media to investigate matters of public concern), it is conceivable that in ruling on an interlocutory injunction, a court might err on the side of the plaintiff who stands to lose the most in the event that the application is dismissed. Once an interlocutory injunction is granted, it may be some time before the matter is finally determined by the court. This could prove particularly detrimental in hampering legitimate investigative journalism.

Representative proceedings

The proposed legislation could result in class action proceedings in situations where there has been a serious breach involving a large group of people. The Standing Committee did not make any recommendations on this point, and subject to any future recommendations to the contrary, the proposed legislation would therefore likely to be subject to the current law on representative actions (for example, Part IVA of the Federal Court Act 1976 (Cth)). This means it is likely that entities that intentionally or recklessly breach their privacy obligations could be subject to class actions where the personal information of numerous individuals is disclosed. This would provide further fuel to the burgeoning class action industry in Australia.

Next steps

The Standing Committee has acknowledged that there is an ongoing lack of will to enact a statutory cause of action at the federal level. For this reason, the Standing Committee recommends that New South Wales should take the lead on the issue in the hope that other jurisdictions will follow suit. Importantly, the Standing Committee is comprised of members from all of the major political parties, and this apparent multi-party support for the proposal may result in real movement on this issue, at least in New South Wales. However, whether the NSW Government will actually place these recommendations on their political agenda remains unclear, and it is possible that this may be another addition to the ever growing stack of sidelined privacy reports.

A spokesperson for the NSW Government has confirmed that the Government will provide a response to the recommendations by 5 September 2016.