ALRC recommends statutory cause of action for invasion of privacy

By Gina Elliott.

Key Points:
Businesses that handle personal information will need to gain an understanding of the new state of play and consider reviewing their privacy practices to ensure their risk is minimised.

In the December 2007 edition of LDR Insights we reported on some of the key proposals put forward by the Australian Law Reform Commission (ALRC) as part of its extensive review of Australia's privacy laws. That review has now concluded with the release of the ALRC's report, "For Your Information: Australian Privacy Law and Practice", on 11 August 2008.

Among the ALRC's 295 recommendations concerning Australian privacy law and practice is a recommendation that Commonwealth legislation introduce a new cause of action which would allow an individual to sue another individual, organisation or government entity for a serious invasion of privacy. If introduced, the statutory cause of action could significantly increase the risk of litigation, not only for media organisations that publish information about individuals, but for any business that handles personal information - for example, banks, employers, schools, health service providers, real estate agents, government agencies, etc. In this article, we discuss the scope and implications of the proposed new statutory cause of action.

What must the plaintiff show to establish the cause of action?

To establish the cause of action for serious invasion of privacy, a plaintiff would need to show that, in all the circumstances:

• the plaintiff had a reasonable expectation of privacy;
• the defendant's conduct was highly offensive to a reasonable person of ordinary sensibilities (this sets a higher bar for plaintiffs than the ALRC's previous proposal, which merely required the conduct to be "sufficiently serious to cause substantial offence to a person of ordinary sensibilities"); and
• the defendant's conduct was either intentional or reckless (ie. not negligent).

The cause of action would only be available to natural persons, not commercial or government entities. Significantly, as with the torts of defamation and trespass to the person, the cause of action could be established without proof that the invasion of privacy had caused actual damage to the plaintiff.

Public interest defence removed in favour of "balancing competing interests"

In determining whether the cause of action is made out, the court would have to consider whether the public interest in maintaining the plaintiff's privacy outweighed other matters of public interest, including:

• the public being informed about matters of public concern; and
• freedom of expression.

This "balancing act" approach is a step back from the ALRC's previous proposal that there be a specific defence for the disclosure of information in the public interest or fair comment on matters of public interest.

The elimination of this potentially powerful defence has understandably alarmed media organisations, despite the ALRC's assurance that the new "balancing act" approach, combined with the high threshold requirement that the conduct be "highly offensive", actually gives media organisations more, not less, protection than under the previous proposals.

Some pros and cons for business

Even if the statute does provides adequate protection to media organisations in the final analysis, there is still cause for concern that the very introduction of the cause of action will encourage litigation, including spurious claims, causing much hassle and expense for the targets of those claims.

In other industries, concerns have been raised about the possible effect of the cause of action on the ability of businesses to conduct marketing campaigns (particularly telemarketing and door-to-door sales) or debt recovery or security enforcement operations. Such activities may ultimately be protected by the high threshold test for establishing the cause of action, but the concern of a possible flood of spurious claims remains.

One positive aspect of the reforms for businesses is that they will find it easier to assess how the law affects their business, and implement policies to minimise their liability, than if the law were contained in incrementally developed, uncertain and often inconsistent common law (as is currently the case - see our discussion of the current state of play below). The ALRC sensibly recommends that any common law action for invasion of privacy be abolished once the statutory cause of action is established.

What types of conduct would be caught by the cause of action?

The ALRC proposes that the legislation set out a non-exhaustive list of the types of conduct that may fall within the cause of action, including:

• serious interference with an individual's home or family life;
• unauthorised surveillance of an individual;
• interference with, or misuse or disclosure of, an individual's correspondence or private written, oral or electronic communication; and
• disclosure of sensitive facts relating to an individual's private life.

The ALRC also gives the following examples of scenarios where the elements of the cause of action would be satisfied:

• Mr A sends a DVD of himself and Ms B, his former girlfriend, having sex, to Ms B's parents, friends, neighbour and employer.
• Mr C sets up a tiny hidden camera in the women's toilet at his workplace and uploads the resulting images of his colleagues to a website hosted overseas which features similar images. Although Mr C is the proper defendant in this situation, a victim might instead choose to sue Mr C's employer, claiming it is vicariously liable for Mr C's actions (particularly if the employer's pockets are deeper than Mr C's). Such a claim would probably fail, as Mr C's actions would be outside the scope of his employment, but the embarrassment and hassle to the employer in fighting the claim may be significant.
• Ms D works in a hospital and accesses the medical records of a famous sportsperson who is being treated for drug addiction. Ms D makes a copy of the file and sells it to a newspaper, who publishes the information in a front page story. Both Ms D and the newspaper could be sued in this scenario. Again, query whether the hospital may be targeted for Ms D's conduct.
• Ms E runs a small business and uses a finance firm to handle her tax and financial matters. Staff at the finance firm do some spring cleaning and put a number of files in a recycling bin on the footpath, including files containing Ms E's personal and contact details, tax file number, ABN and credit card details. A passer-by grabs the file and uses it to commit identity fraud. Ms E could not only complain to the Privacy Commissioner for a breach of the Privacy Act, but could also sue the finance firm, potentially with much greater consequences, under the new statutory cause of action.

The cause of action would not be limited to invasions of privacy in the home or other private places. The question is whether the circumstances gave rise to a reasonable expectation of privacy, not whether the conduct occurred in a public or private place. The distinction is usefully illustrated by the contrasting outcomes in the following cases:

• In Hoskin v Runting [2005] 1 NZLR 1, a reasonable expectation of privacy did not arise because the photographs in question were taken in public and "disclosed nothing more than could have been observed by a member of the public in Newmarket on that particular day".
• In Campbell v MGN Ltd [2004] 2 AC 457, the activity was photographed in public, but the information contained in the photographs was health information (about the plaintiff's drug addiction) which was a category of information that had long been recognised as private.

Defences

The ALRC has indicated that the defences to the cause of action should include:

• that the conduct was incidental to the exercise of a lawful right of defence of person or property;
• that the conduct was required or authorised by law. For example, a financial institution may not be liable for disclosing private information about one of its customers if it was doing so as part of its obligation to report suspicious matters under the Anti-Money Laundering / Counter Terrorism Financing Act 2006 (Cth).
• that the publication of the information was privileged under defamation law. This defence may offer protection for some instances of disclosure to public bodies or officials or people with a particular interest in having the information.

As mentioned above, the defence of public interest that was previously proposed has been removed. The remaining defences, with the possible exception of the privilege defence, are unlikely to be of much use to media organisations, who would generally be better off seeking to convince the court that:

• the plaintiff did not have a reasonable expectation of privacy;
• the conduct was not highly offensive to a reasonable person of ordinary sensibilities; and/or
• the public interest in freedom of expression and the public being informed of matters of public concern outweighed the public interest in maintaining the plaintiff's privacy.

Remedies

A wide range of remedies would be available, including damages, aggravated (but not exemplary) damages, accounts of profits, injunctions, declarations, court-ordered apologies, correction orders and orders to deliver up and/or destroy material.

Current state of play

The Federal Government has indicated that it will consider the ALRC's recommendations in two stages, with legislation regarding the first stage to be introduced into Parliament within 12-18 months. The statutory cause of action for invasion of privacy will not be considered until the second stage, so we may not see legislation introducing this cause of action for a number of years. So what is the state of play until then?

The Privacy Act 1988 (Cth) regulates the collection, use, disclosure, quality and security of personal information. It does not generally protect against invasions of personal privacy such as interference with a person's home or family life or unauthorised surveillance, unless the invasion also involved a prohibited use of personal information.

At common law, the courts of Australia, New Zealand and the UK had traditionally declined to recognise a right to personal privacy, but recent cases suggest the tide is turning. In Australian Broadcasting Corporation v Lenah Game Meats (2001) 208 CLR 199, the High Court indicated that previous cases did not prevent the possibility of a cause of action for invasion of privacy being developed in the future. Since then, lower courts have recognised a common law cause of action for invasion of privacy in Grosse v Purvis (2003) Aust Torts Reports 81-706 and Doe v Australian Broadcasting Corporation [2007] VCC 281. On the other hand, judges in the Supreme Court of Victoria and the Federal Court have held that Australian law has not yet developed to the point where it recognises a tort of invasion of privacy (Giller v Procopets [2004] VSC 113; Kalaba v Commonwealth [2004] FCA 763).

Even with no established tort of invasion of privacy, a number of other common law actions can be utilised by people seeking redress for privacy violations. These include nuisance, trespass, defamation, injurious falsehood, passing off and breach of confidence (which has been significantly expanded in the UK in recent years, to the point where it is now effectively a tort of invasion of privacy).

Conclusion

The ALRC emphasised in its report that the elements of the proposed new cause of action are intended to set a high threshold for plaintiffs to meet: "Setting a high threshold to establish a serious invasion of privacy is consciously intended to ensure that freedom of expression is respected and not unduly curtailed... – the cause of action will only succeed where the defendant's conduct is thoroughly inappropriate and the complainant suffered serious harm as a result".

Whether the courts will interpret any new statutory cause of action in such a narrow way remains to be seen. Even if they do, the introduction of the cause of action will mark a significant shift in the legal landscape relating to invasions of personal privacy. Businesses that handle personal information will need to gain an understanding of the new state of play and consider reviewing their privacy practices to ensure their risk is minimised.

In the meantime, businesses should be aware of their risks and rights under the current state of play, and watch this space for further developments.

For further information, please contact Gina Elliott.