Key Points

  • After 15 years of contemplation of the existence of a serious invasions of privacy tort at common law, the Australian Law Reform Commission in 2014 formally recommended its creation to the federal government.
  • Public liability insurers would potentially be one of the first to be impacted by any more far reaching development of privacy laws and need to be alive to how its insureds could be affected by such developments.
  • Despite the demand for change in privacy laws, the creation of a serious invasions of privacy tort still seems unclear.

Background

It is almost three years ago now the Australian Law Reform Commission (ALRC) published a report on Serious Invasions of Privacy in the Digital Era, recommending that a federal statutory cause of action in tort for serious invasions of privacy be created. This tort was not a new idea – not by far. Over the past 15 years, the Australian Courts have contemplated the existence of a similar tort at common law with the general consensus that the case for its existence is arguable, leaving the position at common law unclear.

Although federal statutory privacy protections already exist in various forms, including the Privacy Act 1988 (Cth), these have been consistently criticized as being too limited because, amongst other things, the Privacy Act 1988 (Cth) does not apply (under certain conditions) to some entities including:

  1. Individuals not operating a business;
  2. Businesses, except health service providers, with an annual turnover of less than $3 million;
  3. Media organisations; and
  4. Members of a parliament, contractors for political representatives, and volunteers for registered political parties.

Furthermore, authorities often have limited power to respond to privacy concerns within their area of responsibility.

The Civil Aviation Safety Authority, the authority responsible for conducting the safety regulation of civil air operations in Australian territory is, for example, limited to dealing with safety-related considerations only. This means a comprehensive assessment of privacy issues, as they relate to Unmanned Aerial Vehicles, fall completely into someone else's hands.

Why is change needed?

We no longer live in a time where individuals, or even corporations, are able to exert effective control over their own privacy. This extends across the non-consensual sharing of intimate images to involuntary data sharing and the like, such as surveillance of an individual's conduct in their own backyard.

Individuals have limited means by which to address invasions of privacy in situations that are not covered by the Privacy Act 1988 (Cth) or other rights, such as breach of confidence or nuisance.

An invasion of privacy tort, in theory, would aim to address this by providing victims with the general ability to apply for injunctions to prevent another person or entity from compromising the victim's personal data or, further and alternatively, provide victims with a right to damages, which could include damages for emotional distress.

The federal government recently undertook public consultation regarding a proposed civil penalty regime in respect of the non-consensual sharing of intimate images. It also passed an amendment to the Privacy Act 1988 (Cth), which, from 22 February 2018, will require eligible entities to report eligible data breaches to the Federal Privacy Commissioner. Likely, we are therefore closer than we ever have been to development in the tort space.

What would a serious invasions of privacy tort look like?

The ALRC has made the case that there are a number of reasons why an action for serious invasions of privacy should lie in torts, such as the accepted legal classification of torts and the similarity an action in tort in this area would have with comparable jurisdictions, thereby allowing Australian courts to draw from foreign case law.

In 2014, the ALRC made the recommendation that a new tort in this area should contain five elements:

  1. The invasion of privacy must occur by:
    • Intrusion into the plaintiff's seclusion or private affairs (including by unlawful surveillance); or
    • Misuse or disclosure of private information about the plaintiff.
  1. The invasion of privacy must be either reckless or intentional.
  2. A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances.
  3. The court must consider that the invasion of privacy was 'serious'.
  4. The court must be satisfied that the public interest in privacy outweighs any countervailing public interest.

While the ALRC limited the fault element to only intentional or reckless activity, the New South Wales Legislative Council Standing Committee on Law and Justice in its own review of an invasion of privacy tort last year, considered raising the fault element to also capture negligent acts and to set two different standards of fault for individuals and corporations.

One of the greatest objections to an invasion of privacy tort was the fear that it would adversely impact artistic freedom and freedom of speech and this fear was accounted for by both the ALRC and the New South Wales Legislative Council Standing Committee on Law and Justice.

And although both enquiries came to the same conclusion, namely that Australia needs legislative action, their advice has been ultimately ignored.

How does this affect the insurance sector?

Public liability insurers would potentially be one of the first to be impacted by any more far reaching development of privacy laws and need to be alive to how its insureds could be affected by such developments.

The current uncertainty as to the existence and development of an invasion of privacy tort is problematic. It would for example make it difficult for insurers to undertake surveillance of a claimant and to properly assess an insured's potential exposure.

Ultimately, the recommendations of the ALRC, although widely debated and still referred to in current government attempts at privacy reform, did not lead to more certainty. And the subsequent New South Wales review only led to a commitment to discuss views in this area with other Australian jurisdictions.

The government's current proposed civil penalty regime is an attempt to at least address one of the privacy concerns raised by the ALRC – the non-consensual sharing of intimate images. While this seems very specific, if enacted, it will provide the (Children's) eSafety Commissioner with the ability to apply for civil penalties, enforceable undertakings, and injunctions. It is currently unclear how this might manifest but since cyber policies presently offer cover for fines and penalties, insurers will need to maintain awareness.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.