Australia finally gets a privacy tort through the Privacy and Other Legislation Amendment Bill 2024 (Cth), but it sucks

By Dr Michael Douglas

On 12 September 2024, the Government unveiled the details of the first tranche of the long-awaited reform of the Privacy Act 1988 (Cth) when it introduced the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill).

A couple of years back, the former Coalition Government initiated a ‘Privacy Act Review’. The review continued under the Albanese Government, which published its response to the Privacy Act Review in September 2023. This Bill implements a number of the matters agreed to by the Government and identified in that response, including provision for the development of a ‘Children’s Online Privacy Code’,[1] and a new ‘civil penalty provision for interference with privacy of individuals’ which provides for a penalty of up to 2,000 penalty units where ‘[a]n entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of an individual’.[2] The Explanatory Memorandum explains:

For example, this may cover instances where an APP entity fails to notify individuals of an eligible data breach as soon as practicable in accordance with subsection 26WL(3). The maximum penalty for a person would be 2,000 penalty units – which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $660,000 for persons. In accordance with subsection 82(5) of the Regulatory Powers Act, the maximum penalty amount for bodies corporate is 10,000 penalty units – which, on the penalty unit value at the time of introduction of this Bill, equates to a maximum penalty of $3.3 million for bodies corporate.[3]

The Bill also provides for new ‘doxxing offences’ in the Criminal Code Act 1995 (Cth).[4] The term ‘doxxing’ denotes the release of personal data using a carriage service in a manner that would be menacing or harassing. In this context, ‘personal data’ means ‘information about the individual that enables the individual to be identified, contacted or located’.[5] The touchstone of a new offence of ‘using a carriage service to make available etc. personal data of one or more individuals’ is that a reasonable person would consider the conduct to be menacing or harassing; the penalty will be 6 years’ imprisonment.[6]

An example of doxxing is demonstrated by a clip which has done the rounds on social media: a woman broke up with her boyfriend; he responded by publicly advertising a fake competition and listing his ex’s phone number. The advertisement read something like, ‘call this number, do your best Chewbacca impersonation and win $100’. The woman received calls all through the night.[7] While not necessarily ‘menacing’, the conduct would certainly be ‘harassing’.

More insidious doxxing could put human lives—and particularly women’s lives—in danger. In my view, the new offences are to be welcomed, and consistent with evolving societal values about the importance of privacy and the value of being left alone.

Finally: a statutory tort for serious invasions of privacy

Perhaps the most significant inclusion in the Bill is the statutory tort for serious invasions of privacy, which will be added by a new schedule 2 to the Privacy Act 1988 (Cth).[8]

The core of the new tort is that an individual has a cause of action against another person if the other person invaded the individual’s privacy by either intrusion upon seclusion or misuse of private information.[9] Both ‘intrusion upon seclusion’ and ‘misuse of private information’ are defined in basic terms; those definitions seemingly invoke the meanings of the terms at general law. Both intrusion upon seclusion[10] and misuse of private information[11] are actionable in other common law jurisdictions, which developed their general law principles to provide for new causes of action without express legislative intervention.

The new tort has a fault element: the invasion of privacy must be either intentional or reckless.[12] Further, damage need not be proved, which aligns the tort to the law of defamation in WA (but not the law of defamation in those jurisdictions that have introduced the ‘serious harm’ element).[13] Since the abolition of the distinction between libel and slander, damage has been presumed upon publication of defamatory matter.[14] The presumption recognises that a person’s reputation is of inherent intangible value, and is not commensurable with money.[15] Reputation is a personality right which has value because we value individual dignity and honour.[16] Privacy is an interest or personality ‘right’[17] much like reputation—its value also depends on human dignity. Reputation and privacy are often protected in the same breath in human rights instruments. In that context, making certain invasions of privacy wrongful absent proof of harm is appropriate.

Not all invasions of privacy will be actionable. First, whether the circumstances involve privacy deserving of protection is determined objectively by considering whether ‘a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances’.[18] Other common law jurisdictions have developed a jurisprudence around when a person has a reasonable expectation of privacy but the new statutory tort considers the issue expressly in a non-exhaustive way.[19] Factors impacting whether there was a reasonable expectation include ‘the means, including the use of any device or technology, used to invade the plaintiff’s privacy’; the plaintiff’s characteristics, including their age, occupation or cultural background; in the case of intrusion, the place where the intrusion occurred; and various other matters.[20]

Secondly, assuming that there was a reasonable expectation of privacy in the circumstances, only those invasions that are ‘serious’ are actionable.[21] In evaluating seriousness, the court may consider ‘the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff’ and any malicious motivation of the defendant, among other things.[22]

The cause of action has a further contingent element which the plaintiff must satisfy in some circumstances: ‘If the defendant adduces evidence that there was a public interest in the invasion of privacy, the plaintiff must satisfy the court that that public interest was outweighed by the public interest in protecting the plaintiff’s privacy’.[23] The requirement is akin to a defence, but one that makes the job easier for defendants. The statute identifies the sort of evidence a defendant could adduce to invoke the requirement: this includes evidence relating to freedom of expression, freedom of the media, and open justice.[24]

If a claim gets up, the remedies available to a plaintiff are relatively broad. They include injunctions,[25] damages (presumably ‘at large’), and damages for ‘emotional distress’,[26] circumventing some New South Wales fusion-fallacy drama surrounding Giller v Procopets (2008) 24 VR 1 and the equitable pedigree of breach of confidence.[27] Damages are capped in the same way damages are capped for defo,[28] but unlike defo, aggravated damages are unavailable yet exemplary damages are available.[29] Account of profits may even be available,[30] recognising the conceptual link between privacy invasions and breaches of confidence.

The tort will have a few commonsense defences, including where the invasion was authorised by law; and where the invason was incidental to the exercise of a lawful right of defence of persons or property and the conduct was proportionate, necessary and reasonable, among other things.[31]

If all of this sounds familiar to you, then perhaps you read the Australian Law Reform Commission’s 2014 final report on Serious Invasions of Privacy in the Digital Era.[32] The report was led by privacy guru Professor Barbara McDonald and was foreseeably rigorous. Much of the proposed schedule 2 to the Privacy Act 1988 (Cth) implements the ALRC’s recommendations. The Government would have done well to let Barbara draft the whole thing. Instead, they decided to sh*t the bed.

The new statutory tort has been gutted!

Apart from defences, the tort has a blanket exemption for ‘journalists’, their employers, and people they work with—people like editors.[33] The term ‘journalist’ is defined broadly to cover a person who ‘works in a professional capacity as a journalist’ and is subject to ‘standards of professional conduct that apply to journalists’.[34] The latter condition seems pointless given that the exemption will apply even if the journalist does not meet those standards.[35]

The exemption applies where one of these journalist or journalist-adjacent persons seriously invades an individual’s privacy in the course of the ‘collection, preparation for publication or publication of journalistic material’.[36] ‘Journalistic material’ means material that has the character of news, current affairs or documentary, but also includes opinion.[37]

This new exemption has absolutely gutted the efficacy of the statutory tort. It is terrible policy, for at least 3 reasons. First, the tort has—or had—the most work to do with respect to dodgy-hack journalists doing dodgy-hack-journalist things. Think of the News of the World phone-hacking scandal: if that sort of thing were to happen in Australia, it ought to be actionable under the new tort. But now it won’t be. Or think of The Sydney Morning Herald outing Rebel Wilson as gay: that was a sucky thing to do, and Ms Wilson had no remedy. This new tort might have provided a means of redress, but not with this exemption.

The second reason why this sucks is that quality journalism is already protected by the de facto public interest defence which is built into the tort. Of course, journalistic activities may involve invasions of privacy: that’s how wrongdoing gets uncovered. This exemption could be deleted and quality journalists would still be fine because they would be able to adduce evidence that their invasion of privacy was in the public interest, and the burden would fall on plaintiffs to show why it wasn’t.

The third reason is that this exemption was not part of the recommendations of the ALRC in its report on Serious Invasions of Privacy in the Digital Era. That report was the product of extensive consultation with a broad range of stakeholders, which included extensive consultation with the media. If the ALRC thought that this exemption should not be part of a fair balance between competing interests, why doesn’t the Government agree?

I’ll tell you why: they are gutless. They don’t want to do something that will aggravate commercial media publishers in the lead up to an election. They don’t want to deal with the shrill protests of Sky News boomer-whisperers banging on about the Albanese Government’s ‘attack on the free press’ and ‘attacks on democracy’ and ‘herrrr durrghh negative gearning medicare death tax heergghhhhhh’. This exemption is a gift to the Murdochs, Kerry Stokes, and whoever owns that Nine News abomination these days.

I’m a Labor guy, but this new law is p*ss weak. I am salty.*

?

*Views are my own but you should share them too.

[1] Bill sch 1 pt 4.

[2] Bill sch 1 cl 56, inserting a new s 13H of the Privacy Act 1988 (Cth).

[3] Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024 (Cth) 20, [83].

[4] Bill sch 3.

[5] Bill sch 3 cl 1, inserting a new s 474.17C into the Criminal Code (Cth).

[6] Proposed Criminal Code (Cth) s 474.17C(1).

[7] Maybe I am telling it wrong—but that was the gist.

[8] Bill, sch 2, cl 10.

[9] The cause of action will be contained in Privacy Act 1988 (Cth) sch 2 item 7(1).

[10] See C v Holland [2012] 3 NZLR 672; Jones v Tsige (2012) 108 OR (3d) 241

[11] See Campbell v MGN Ltd [2004] 2 AC 457; Douglas v Hello (No 3) [2006] QB 125; PJS v News Group Newspapers Ltd [2016] AC 1081.

[12] See new item 7(1)(c).

[13] Cf Defamation Act 2005 (NSW) s 10A; see Peros v Nationwide News Pty Ltd (No 3) [2024] QSC 192.

[14] See Defamation Act 2005 (WA) s 7; Fairfax Media Publications Pty Ltd v Voller (2021) 273 CLR 346, [23].

[15] Rogers v Nationwide News Pty Ltd (2003) 216 CLR 327, [66] (Hayne J).

[16] See Roscoe Pound, ‘Interests of Personality’ (1915) 28(4) Harvard Law Review 343; Robert C Post, ‘The Social Foundations of Defamation Law; Reputation and the Constitution’ (1986) 74 California Law Review 691.

[17] Nonsense on stilts.

[18] New item 7(1)(b).

[19] New item 7(5).

[20] New item 7(5)(a)–(f).

[21] New item 7(1)(d).

[22] New item 7(6)(a)–(c).

[23] New item 7(3).

[24] New item 7(4)(a)–(g).

[25] New items 9, 12(b).

[26] New item 11(3).

[27] See also Wilson v Ferguson [2015] WASC 15.

[28] See Defamation Act 2005 (WA) s 35.

[29] New item 11(2), (4), cf Defamation Act 2005 (WA) 37.

[30] New item 12(2)(a).

[31] New item 8.

[32] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (Report No 123, 2014).

[33] New item 15(1)(a)–(d).

[34] New item 15(2)(a)–(b).

[35] New item 15(4).

[36] New item 15(1).

[37] New item 15(3).