On 12 June 2013, the Attorney-General called on the Australian Law Reform Commission (ALRC) to make a further enquiry into the protection of privacy in the digital era.

In an earlier ALRC report into privacy in 2008, the ALRC considered broadly the legal rights that individuals might have to protect and to sue for breach of privacy. The 2008 ALRC report made it clear that there was very little consensus on how such a right should operate, if at all. A number of submissions were made including whether there should be a tort or there should be a statutory right to damages. In the light of the conflicting views, the Attorney-General has now issued new terms of reference to the ALRC to consider serious invasions of privacy in the digital era, and to make recommendations regarding:

  • innovative ways in which the law may reduce serious invasions of privacy;
  • the necessity of balancing the value of privacy with other fundamental rights of expression and open justice; and
  • to provide a detailed legal design for a statutory cause of action for a serious invasion of privacy, which would outline all of the key elements.

It is clear then that while a number of reforms recommended by the ALRC in 2008 will take effect in March 2014, including changes to credit reporting, the introduction of a unified set of Australian Privacy Principles and possibly mandatory notification of significant breaches of privacy as set out in the current bills it is likely that any right of action for damages for breach of privacy would be deferred well into the future.

Notwithstanding the lack of ability for individuals to sue for damages under the Privacy Act there have been a number of class actions in the United States where individuals have sued companies under the equivalent of the "misleading and deceptive conduct" provisions of their consumer protection law. While such a claim has not been made yet in Australia, in the event that there were sufficient damages such as identity theft and credit card fraud that an individual could not recover from the credit card company, it is possible that damages actions for misleading and deceptive conduct may be made.

Currently there is a class action in Ontario, Canada, against a hospital that did not keep patient records secure. In that instance, the claim is based partly on misleading and deceptive conduct, and partly on breach of implied contract terms by the hospital, which had established and published a charter for security of patient rights and is said to have breached that charter by not keeping the patient records secure.

We look forward to hearing what the ALRC has to say not only about remedies for breaches of privacy but if any legal safeguards can be put in place to prevent breaches. The report is due to be provided to the Attorney-General by June 2014.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.