About the report
Produced
02 October 2024
Location:
Asia Pacific
Written by:
Click each term for related articles
Asia Pacific
Data Protection & Privacy
In the first of our deeper dives on the key areas of reform under the Privacy and Other Legislation Amendment Bill 2024 (Bill) we examine the statutory right of action for serious invasions of privacy as it will impact organisations which are subject to the Privacy Act/APPs.
Our general overview of the key aspects of the Bill can be found here.
As currently set out in the Bill, once passed this introduces a new statutory right of action for ‘serious invasions of privacy’ (SRA) largely in accordance with the recommendations of the ALRC in its 2014 report ‘Serious Invasions of Privacy in the Digital Era’ (Report 123). Under the SRA an individual will be able to take action against another person (e.g. an organisation) if either:
each being an ‘invasion of privacy’ and the following criteria is also satisfied:
At first blush the new SRA may not appear of concern or particularly problematic for organisations for two reasons. First, the ‘individual’s seclusion’ or first limb appears mostly irrelevant to organisations. It is designed to fill a gap in the redress available to individuals for invasions of their ‘physical’ privacy. The clearest examples of such are watching, listening or recording private activities. For example, peering through an individual’s bedroom window, bugging their telephones, opening private mail or searching through private belongings. Organisations that are not specifically in the area of surveillance or monitoring (although work/public CCTV and monitoring abuse may be subject to this limb) are therefore unlikely to be significantly impacted by this limb of the SRA.
Secondly, the costs for an individual to take an organisation to court under the SRA for the expected modest compensation available (where only emotional distress has been suffered) are likely to be a significant deterrent to individual actions. While ordinary damages such as economic loss, injury to persons or property are also recoverable under the SRA, these must be proved. Looking at the equivalent UK common law tort of ‘misuse of private information’ (the model that inspired the SRA), individuals that have not been able to prove any economic loss have been awarded modest damages up to a maximum of £60,000 and, more commonly, in the range of £1,000 to £5,000.
However the second limb, involving ‘misuse of information’, will be relevant to all organisations as it broadly includes any inappropriate or wrongful collection or disclosure of ‘private’ (including personal) information. The most obvious examples of such a misuse of information by an organisation is where someone who is not authorised to do so is able to access the ‘private information’ of an individual held by that organisation. This could be a third party (in the case of a malicious actor/data breach) or an employee accessing the personal information that they do not need access to for their work role or function and thus should not be able to view (also a data breach). It will also include the ‘wrongful’ collection of ‘private’ information (i.e. more sensitive personal information). Organisations collecting such personal information: (a) without first notifying of (or obtaining consent where necessary) to that collection; or (b) having no right to collect such in the first place may well be ‘misusing’ information under the second limb and thus invading an individual’s privacy.
Given the potentially wide ambit of second limb of the SRA, the qualification is that the invasion of privacy resulting from such must be ‘intentional’ or ‘reckless. Despite some calls to include negligence as a fault element of any statutory tort, as drafted the SRA requires that the organisation’s conduct to be either (a) intentional (i.e. the organisation intended to invade an individual’s privacy); or (b) reckless (i.e. the organisation was aware of the risk and proceeded regardless to invade the individual’s privacy). Focussing on the second limb, the ALRC noted in Report 123 that “in many situations involving serious data breaches, for example, the risk may be well-known in the industry so that it may be obvious or provable that the defendant [e.g. organisation] was aware of the risk, providing the basis for a finding of recklessness”.
Privacy Act breaches: It is arguable that if an organisation’s privacy practices do not comply with the minimum requirements of the Privacy Act/APPs (including APP 1.2) and there has been no attempt to do so or there is no process/oversight in place at an organisational level then there will be deemed ‘awareness’ (it is the organisation’s obligation to know what laws apply to them and comply with them). For example, failure of an organisation to address (i.e. not even attempt to implement) the following key privacy obligations will likely give individuals a right of action against the organisation under the SRA, if such inaction leads to an unauthorised collection or disclosure of any of the individual’s more sensitive personal information:
Importantly, ‘non-compliance’ alone with any of the above, having reasonably tried to address them and implement relevant measures but where, in practice, those measures fall short, is unlikely to expose an organisation to a significant risk of an action under the SRA.
Class action potential: While, due to the relative costs versus the likely award, an individual will be unlikely to pursue an action against an organisation (except where the invasion of privacy has caused significant provable injury or economic loss), the sheer number of participants in the class means that organisations must be wary of the risk of class actions/representative proceedings using the SRA. Data breaches will likely be a key (but not the only) risk area where class actions under the SRA may ultimately result because:
By simplifying the framework, providing a direct cause of action and recognising the concept of damages for emotional distress (even if no economic loss can be established), the SRA will avoid many of the issues with the existing privacy class actions currently before the courts, including as to establishing the damages suffered. As such, the SRA is likely become the preferred vehicle for any privacy class actions to be brought in Australia, likely in parallel with class complaints to the Privacy Commissioner.
The SRA will commence 6 months after Bill receives Royal Assent (likely early to mid-2025) so there is not very much time to prepare for it. Organisations that have sought to implement and have in place measures to address their privacy (i.e. APPs) obligations will be unlikely to be found to have ‘seriously invaded’ an individual’s privacy. Therefore, now is the time to assess the status of your privacy and cyber security compliance and determine what you need to do to uplift it in order to, at least, avoid the potential risk of class actions being pursued against you under the SRA.
Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end-to-end risk management solutions for clients from advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation and recovery to regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading practical solutions focussed assistance and advice.
End
Produced
02 October 2024
Location:
Asia Pacific
Written by:
Produced
02 October 2024
Location:
Asia Pacific
Written by: