New South Wales to lead on privacy protection

By Barbara McDonald

In March this year the Standing Committee on Law and Justice of the New South Wales (NSW) Parliament delivered its report into Serious Invasions of Privacy. It made a number of recommendations for how the law in NSW could be improved to give greater protection of privacy to citizens from the behaviour of others.

The most significant of the recommendations was that NSW go it alone in enacting a new statutory right for invasion of privacy, without waiting (and the wait appears indefinite at the moment) for the Commonwealth Government to act on the recommendations of the Australian Law Reform Commission (ALRC) in its Report 123: Serious Invasions of Privacy in the Digital Era.

That report – with 16 detailed chapters setting out the current law and discussion of how Australian law could be improved in a range of ways – was tabled in Federal Parliament in 2014 without comment by the Attorney-General and there has been no official or public response to the report. The conclusion must be that privacy law reform is not a priority of the current Federal Government.

NSW to “go it alone”

In a recent lecture in Sydney to mark the beginning of Privacy Awareness Month at the invitation of the NSW Privacy Commissioner, Dr Elizabeth Coombs, the distinguished former High Court judge Michael Kirby commended the NSW Legislative Committee for its recommendation that NSW go it alone.

A long advocate of the need for greater legal protection of privacy, Mr Kirby argued that in a federation such as Australia’s, it was entirely appropriate that one state should take the lead on novel legislation. With the operation of the new law somewhat experimental, other states and territories could watch that experience to decide if they too wanted to follow to enact parallel legislation.

The conclusion must be that privacy law reform is not a priority of the current Federal Government.

But while one state will inevitably take the lead it is hoped that if the future of privacy law is to rest on state and territory legislation, they enact uniform and consistent legislation. It would be undesirable if there were significant variation in legislation around the country, as is already the case with anti-surveillance statutes.

Legislation giving more privacy protection would affect not just the conduct of individuals, but also businesses and entities operating across state borders: the greater the level of inconsistency, the greater the scope for confusion and, consequently, the more inadequate the protection of the interests of all stakeholders, whether potential claimants or defendants.

Michael Kirby

Former High Court Judge Michael Kirby. Wikimedia Commons.

NSW Recommendations

The NSW committee recommended that NSW enact legislation based on the model recommended by the ALRC. This model would require a court, before giving a remedy, to be satisfied that:

  • the claimant had a reasonable expectation of privacy, judged from an objective standpoint of a reasonable person in that claimant’s position
  • that his or her privacy had been invaded by the wrongful disclosure or use of private information or by an intrusion into his or her seclusion
  • that the invasion was serious
  • that the invasion of privacy had been committed intentionally or recklessly by the defendant, and
  • that there was no countervailing public interest which would justify the invasion of the claimant’s privacy in this way.

These elements were carefully designed and comprehensively justified by the ALRC in its report: they dovetail with each other so that if one were changed others would have to be re-considered. Importantly, the ALRC recommended that if a claimant was able to satisfy the court of the matters set out above, he or she would not need to prove “actual damage” in the sense now recognised by the law. Actual damage comprises personal injury or illness, psychiatric illness, property damage or economic loss. Many if not most serious and unjustified invasions of privacy will result only in distress to the victim, and under current law, this is not usually enough to support a legal action.

Privacy law in the public interest

The ALRC was of the view that this model would provide relief for the most serious, deliberate or reckless invasions of privacy and yet still provide important protection for disclosures or conduct in the public interest, that is, on serious matters of legitimate public concern. That protection is of course important for the media in its investigative and reporting roles but also in its other roles in providing entertainment and commentary on matters of public concern.

There is of course no public interest at stake where someone deliberately invades another’s privacy for revenge or humiliation or some form of bullying or harassment. It is becoming obvious that many instances of domestic violence may have a background of revenge porn and other types of deliberate surveillance, stalking, interception or control of another’s personal communications and information. Providing a civil remedy in such cases may go some way to empowering victims to take action and seek remedies where it may be difficult to involve criminal proceedings.

Revenge porn and bullying by the use and control of digital and electronic software, platforms and devices was a real concern brought to both the ALRC inquiry and the NSW parliamentary inquiry. There were many others, from concern over neighbourhood surveillance cameras to data breaches by companies that deal or collect sensitive personal data, often with the consent of their customers.

Narrow or wide protection?

One of the challenges for legislators is the need to anticipate and cover the many varieties of invasions of privacy. The ALRC model, adopted by the NSW parliamentary committee, was aimed at remedying only deliberate or reckless conduct, leaving people to other remedies in the case of negligent data breaches. While these may also cause distress, sometimes serious, the ALRC was of the view that, consistently with other instances of negligent conduct, they should only give rise to a civil action if the claimant could prove actual damage. Further, many victims of data breaches would have remedies under contract law, the law of confidential information, and under the regulatory data protections regimes of federal and state Privacy Acts.

The NSW committee recommended that the Parliament consider extending liability to negligent invasions of privacy committed by corporations. Given the need for consistency with other laws and the potential for massive class actions if liability was extended to negligent data breaches – without any need to prove damage on the part of victims – such an extension will meet considerable opposition from business.

Delay for further consultations would be inevitable and play into the hands of those who want no further privacy protection at all. It would be regrettable if this delayed the enactment of a law intended to protect against serious, deliberate and unjustified invasions of privacy, a law which Australians need and deserve.