First published as a guest opinion in the Australian Financial Review.
Australia is being hit by a new wave of far-reaching privacy reform. Just weeks after the bar for privacy compliance was raised for Australian business, the peak law reform body has released a suite of new proposals that could for the first time provide individuals with the right to sue for serious invasions of privacy.
We could now be heading for a new privacy landscape where celebrities can sue for the overuse of a telephoto lens, and plaintiffs can join huge class actions for privacy breaches that are already a feature of North American justice systems.
The Australian Law Reform Commission (ALRC) recently released a discussion paper with 47 proposals for further privacy reform. This follows a request by the federal Attorney-General last year for the ALRC to provide a final report on recommendations for serious invasions of privacy by 30 June this year. Titled Serious Invasions of Privacy in the Digital Era, the discussion paper is calling for submissions by 12 May 2014, so concerned stakeholders have little time to make their voices heard.
The paper comes amid tremendous change to privacy law in recent weeks. Substantive changes to the Privacy Act 1988 (Cth) took effect on 12 March 2014. These include 13 new Australian Privacy Principles, an entirely new credit reporting privacy regime and, importantly, enhanced powers for the Office of the Australian Information Commissioner, which includes the Privacy Commissioner. The Commissioner's powers should not be underestimated; they include the ability to seek from the courts civil penalty orders for serious or repeated breaches of privacy of up to $1.7 million.
There still remains no right under the Privacy Act for an individual to make a claim directly against a business for a privacy breach. However, just last month, an Opposition Senator introduced a bill that would, if passed, further amend the Privacy Act to introduce a requirement to notify affected individuals (even possibly by notices in newspapers) of serious privacy breaches.
Many people have been surprised to hear that the Privacy Act does not currently require a privacy breach to be notified. So if your credit card details are stolen you may not find out until it's too late. It remains to be seen whether the bill will have the support of the current federal Government. An identical bill was introduced last year by the Labor Government but was not passed before the federal election.
However, if the bill does become law, it puts a whole new spin on privacy reform. There will be nowhere to hide in the case of a serious privacy breach, with the very real prospect of a class action following the breach. If the ALRC's proposals are adopted by the Government and find their way into law, individuals will be able to take action directly against businesses for intentional or reckless invasions of privacy.
The invasion of privacy would need to be serious, including a consideration of whether it was highly offensive, distressing or harmful. There would be no requirement for the individual to prove actual damage to successfully sue.
Media organisations in particular should take note that a court would need to be satisfied that the individual's interest in privacy outweighed the organisation's interest in freedom of expression and any broader public interest. There would necessarily be a tension here between what the proposals refer to as "freedom of the media to investigate, and inform and comment on matters of public concern and importance" and the individual privacy of a person. It remains to be seen how this may play out in the real world, but it would represent a significant shift of the legal goal posts in this country.
The proposals also contemplate the difficult position that internet service providers (ISPs) would find themselves in. They recommend a "safe harbour scheme" to protect ISPs from liability for serious invasions of privacy committed by users of their internet service, which no doubt would be warmly welcomed by ISPs.
The real question is what it will cost businesses facing a claim for a serious invasion of privacy, should the proposals become law. The proposals recommend the courts award compensatory damages, including for emotional distress, and possibly also exemplary damages to punish a particularly serious invasion of privacy. The damages award could even extend to an account of profits.
An injunction may also be awarded, which often has an immediate and financially damaging effect on a business. To make matters worse for broadcasters, it is proposed that the Australian Communications and Media Authority could also be involved to require the broadcaster to pay compensation.
The ALRC's proposals, especially if the privacy breach notification bill becomes law, would very much open the door for class actions against businesses. There are certainly genuine cases of serious invasion of privacy that ought to be punished, and hopefully new laws of this nature would deter such potential conduct, but could we be promoting personal privacy over freedom of expression and the broader public interest?
There is a balancing act here that needs to be handled carefully.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
