A tale of two torts

As the classic saying (sort of) goes: “you wait decades for a recognised right of action for invasion of privacy in Australian law, and then two come along all at once…”

This year, both the Australian legislature and the judiciary considered whether such an action should be recognised and, if so, the form it should take. In this article, we look at a recent judgment of the County Court of Victoria which analysed this question and found that the plaintiff did have a right of action for breach of invasion of privacy. We set this against the backdrop of the proposed statutory tort currently making its way through parliament.

A tale of two torts?

The development of a statutory tort for serious invasions of privacy has been on the cards for a while. Over a decade ago, the Australian Law Reform Commission (ALRC) reviewed and designed a potential cause of action. In its 2014 Report, “Serious invasions of privacy in the digital era” (2014 Report) (which itself came off the back of three law reform inquiries and an issues paper), the ALRC proposed a statutory tort in largely the form now set out in schedule 2 of the Privacy and Other Legislation Amendment Bill 2024 (Bill). For a deeper dive into the proposed statutory tort and its implications for entities collecting and holding personal information, check out this article here [link].

In the 2014 Report, the ALRC recognised that the common law of Australia might also develop to recognise such a right of action. This, again, isn’t new. Back in 2001, the High Court left it open that Australia could recognise a right to privacy provided that the protection was limited to the privacy of a natural person (rather than a corporate entity)[i]. Since then, two first instance decisions have awarded damages for breach of privacy (although both cases settled before appeals could be heard)[ii], while a number of other decisions have cast doubt over whether the common law could or should provide such a remedy[iii]. With over ten years since the issue was last before the Court, Tran J sitting in the County Court of Victoria took up the mantle and grappled with the question of whether a tort of invasion of privacy forms part of the common law of Australia.

Waller v Barrett

Lynn Waller commenced proceedings against her estranged father, Romy, for, amongst other things, disclosures he made about her in various publications. Critically, one of those disclosures, that Lynn had apologised to him in an email following a counselling session for saying that she wished he was dead, was found not to be true – Lynn made no such apology.

Lynn’s claim was founded in negligence, breach of statutory duty, breach of confidence, and invasion of privacy. After dismissing the negligence and breach of statutory duty claims, the Court found for Lynn in part in relation to breach of confidence. However, in relation to the disclosure Romy had made about the alleged apology, the Court found that it couldn’t be a breach of confidence because it didn’t meet a threshold issue - as the disclosure was not true, it could not be ‘information’.

This set the scene for the Court to consider whether an action for invasion of privacy could fill the gap. The Court considered the current state of existing Australian case law, before briefly turning to approaches in similar Commonwealth jurisdictions. The Court then considered whether such a claim could be recognised as an incremental development of the existing action for breach of confidence and, if it could, whether it should, before ultimately applying the identified cause of action to the facts of the case.

Tran J found that confidence in relation to both private information and trade secrets arises in circumstances where there is a relationship of confidence between the parties or where the information could be construed as secret. However, in relation to private information alone, there was a third category of case, where private information was ‘personal’ in the sense that it concerns the dignity of an individual.

Tran J identified that this third category of case was both (a) more restrictive than other claims for breach of confidence in that it could only apply to individuals rather than corporations, but also (b) broader in that what has been accepted as confidential for the purpose of privacy concerns is broader than in trade secret claims. Different remedies are also available, including the availability of damages for emotional distress.

Tran J concluded that it was desirable to recognise this third category of case as a standalone cause of action, separate and distinct from an action in breach of confidence. Tran J considered that renaming this action as an action for invasion of privacy would “elucidate the bifurcation” that currently exists within the existing action for breach of confidence.

Tran J declined to identify the specific elements of the action but found that relief should be available where, at a minimum, there was a making public of private matters in circumstances that a reasonable person, in the position of the claimant, would find deeply offensive. The Judge also declined to say what defences might be available and she could not be drawn on whether the cause of action sounded in equity or the common law, finding that the remedy sought, damages for emotional distress, would be available in either case.

In applying the cause of action to the facts of the case, the Court found that privacy could be understood as a barrier or shield around a person’s private domain. It therefore did not depend on any requirement that the information disclosed be true. This is similar to the definition of ‘personal information’ under the Privacy Act 1988 (Cth) which can include information whether it is true or false. The essence of the harm done was not what was said but that the “private sphere was made public” and the dignity of the person was therefore violated. The Court found that a reasonable person in Lynn’s shoes would have found the disclosure of the alleged content of the private email highly offensive and therefore was satisfied that Lynn had a cause of action for damages for invasion of her privacy.

In assessing damages, the Court found that the statement that she had apologised to Romy was likely highly distressing to Lynn. The statement cast Lynne as the wrongdoer and the only way Lynn could correct that impression would be to herself speak to the press, exposing her private sphere to even more publicity. The Court therefore awarded damages for invasion of privacy of $30,000.

Discussion

For entities that collect and handle personal information, it seems unlikely that this will be the case that opens the floodgates to waves of breach of privacy litigation. It remains to be seen whether the decision will be appealed or whether other courts and other States’ courts will reach the same conclusions. There remain a number of questions that are not answered by the decision, including the essential elements of this right of action and what defences might be available. Any potential breach of privacy litigant will still be largely required to develop new law, with all the uncertainty, cost and time that this requires. There are also open questions about whether the right of action is an equitable or tortious one. This question is not purely academic. To give an effective remedy, damages are likely to need to be available for emotional distress (which is often the main loss suffered by plaintiffs in breach of privacy disputes) and it is not certain that equitable compensation is available for such distress or that the common law would provide a remedy[iv]. While the Court found that damages would be available by analogy with the tort of defamation, it is unclear how much this analogy was analysed during argument and whether it will withstand scrutiny.

The extent to which we will see this newly recognised right of action pleaded in claims arising out of data breaches also remains to be seen. Experience of such claims in the US suggests that the requirement that there be a “making public of private matters” – or an intentional act disclosing the private information – means that such claims will be difficult to plead as most data breaches typically arise out of negligence (ie a failure to exercise reasonable care to protect the personal information one holds) rather than an intentional act by the defendant. Indeed, given that the loophole in this case was to provide a remedy for breach of privacy even when the matters disclosed weren’t true, it is unclear what this right of action might add to a pleaded case of breach of confidence in any one of the data breach class actions currently making their way through the Court system.

It also remains to be seen whether the Courts will be prepared to recognise a common law right of action in circumstances where a statutory tort has been proposed and is anticipated to take effect by mid-2025. The 2014 Report anticipated the possibility of the development of the common law ahead of the introduction of the new statutory tort and mused that the Act might provide that, to the extent that the general law recognises a specific cause of action for the invasion of a person’s privacy, that cause of action is abolished. The Bill doesn’t currently contain such a provision and, theoretically at least, we could face a situation where potential litigants have the option of pleading the common law right of action (if such develops), the statutory tort or both. As noted by several commentators, one of the distinguishing characteristics of the two rights of action is that the action proposed by the Bill is currently subject to a journalism exception, which doesn’t currently form part of the possible common law right of action as it seems to be developing.

Where the case will perhaps be more informative is in elucidating some of the elements of the proposed statutory tort:

• reasonable expectation of privacy - the explanatory note to the statutory tort makes clear that information relating to an individual in which there is a “reasonable expectation of privacy” is not the same as “personal information” as defined in the Privacy Act 1988 (Cth). In its judgment, the Court conceptualised privacy as a barrier or shield around a person’s private domain, with the making of that domain public the essence of the action. It will be interesting to see if this interpretation continues to be adopted moving forward;

• serious invasion of privacy – the Court was clear that while Lynn might feel distress at anything said about her being made public, it was only the transgression of the plainly private sphere of Lynn (the father / daughter conversations, the counselling meeting and her email to him) that was actionable. This is consistent with the proposed statutory tort, which requires a plaintiff to prove that the invasion of privacy was serious; and

• assessment of damages – the award of damages of $30,000 is at the high end of damages we would expect to be awarded for this head of loss. In the data breach context, the OAIC applies a tariff for non-economic loss with only extreme loss or damage warranting awards of over $20,000. This is a similar approach taken by NCAT in relation to damages awarded under the NSW privacy law. In fact, under the NSW privacy law damages are capped at $40,000. It remains to be seen whether the Courts will adopt a similar approach. While the sums are relatively modest in litigation terms at an individual level, at a class level such awards could pose significant litigation risk for holders of sensitive health or employee grievance information (for example).

What you should do now

Whether due to a statutory or common law cause of action, protection of privacy is a key and growing focus for litigants, the legislature and the Courts. Litigation risks around the handling of personal information and privacy more generally are intensifying and now is the time for organisations to assess the status of their privacy and cybersecurity compliance to mitigate those risks.

Clyde & Co’s Cyber, Privacy, Digital Disputes, and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated market leading privacy and cyber incident response practice across Australia and New Zealand.  All of this ensures your “readiness, response and recovery” is in good hands.  We provide end‑to‑end privacy and cyber risk management solutions for clients including advice, strategy, transactions, innovations, cyber and privacy pre‑incident readiness, incident response and post‑incident remediation and recovery, regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading practical solutions, focussed pragmatic assistance and implementable advice.