Key Privacy Reforms - The statutory right of action for serious invasions of privacy

  • 01 October 2024
  • Asia Pacific

  • Data Protection & Privacy

In the first of our deeper dives on the key areas of reform under the Privacy and Other Legislation Amendment Bill 2024 (Bill) we examine the statutory right of action for serious invasions of privacy as it will impact organisations which are subject to the Privacy Act/APPs.

Our general overview of the key aspects of the Bill can be found here.

What is it?

As currently drafted, the Bill, once passed, will introduce a new statutory right of action for ‘serious invasions of privacy’ (SRA) largely in accordance with the recommendations of the ALRC in its 2014 report ‘Serious Invasions of Privacy in the Digital Era’ (Report 123). Under the SRA an individual will be able to take action against another person (e.g. an organisation) if either:

  1. that person intrudes on the ‘individual’s seclusion’ (i.e. by watching, listening or recording the individual’s private activities) (first limb); OR
     
  2. that person ‘misuses information’ that relates to the individual (defined to include collecting, using or disclosing information about the individual) (second limb),

 each being an ‘invasion of privacy’, and the following criteria are also satisfied:

  • the individual would have had a reasonable expectation of ‘privacy’ in the circumstances when the alleged invasion of privacy occurred. The Bill outlines several criteria to be considered as to whether a reasonable expectation of privacy in the circumstances should be found, including the attributes of the individual (age, occupation, background) as well as the means/purpose of the invasion of privacy. For the second limb, the suggested considerations are the nature of the information (e.g. if it relates to intimate, family, health/medical or financial matters), how the information was held or communicated by the individual and whether the information was in the public domain. For organisations, any personal information provided by individuals which is collected, used or disclosed by the organisation will give rise to a reasonable expectation of privacy as regards that information, not least because the collection of such information is subject to the organisation’s privacy policy and its compliance with the APPs;
     
  • the invasion of privacy was intentional or reckless. The intention/reckless requirement is discussed below;
     
  • the invasion of privacy was serious. The Bill outlines matters to be considered to determine whether an invasion was serious, including the degree of any offence, distress or harm to dignity that the invasion was likely to cause, whether the organisation (in this case) knew or ought to have known that the invasion was likely to offend, distress or harm the dignity of the individual and whether the invasion of privacy was intentional. Importantly, these criteria sit alongside the Bill’s clarification as to what constitutes a serious interference with privacy (which notably includes whether the contravening organisation failed to implement practices, procedures and systems to comply with privacy obligations). While an interference with privacy and invasion of privacy are separate offences, there will be some overlap in the determinations in both (i.e. how each is applied) and each will influence the understanding of what a ‘serious’ invasion of, and a ‘serious’ interference with, privacy are; and
     
  • if there was an applicable public interest in relation to the invasion of privacy. That is, if the public interest in the invasion of privacy outweighs protecting the individual’s privacy. This ‘public interest balancing exercise’ is primarily aimed at giving some protection to core freedoms or public interests such as the freedom of expression, freedom of the media and the proper administration of government. Excluding media/press organisations, it is unlikely that any private organisation will be able to point to a strong public interest for its invasion of privacy in relation to the second limb in most circumstances.

The risk of the SRA for organisations

At first blush the new SRA may not appear of concern or particularly problematic for organisations for two reasons. First, the ‘individual’s seclusion’ or first limb appears mostly irrelevant to organisations. It is designed to fill a gap in the redress available to individuals for invasions of their ‘physical’ privacy. The clearest examples of such are watching, listening or recording private activities. For example, peering through an individual’s bedroom window, bugging their telephones, opening private mail or searching through private belongings. Organisations that are not specifically in the area of surveillance or monitoring (although work/public CCTV and monitoring abuse may be subject to this limb) are therefore unlikely to be significantly impacted by this limb of the SRA.

Secondly, the costs for an individual to take an organisation to court under the SRA for the expected modest compensation available (where only emotional distress has been suffered) are likely to be a significant deterrent to individual actions. While ordinary damages such as economic loss, injury to persons or property are also recoverable under the SRA, these must be proved. Looking at the equivalent UK common law tort of ‘misuse of private information’ (the model that inspired the SRA), individuals that have not been able to prove any economic loss have been awarded modest damages up to a maximum of £60,000 and, more commonly, in the range of £1,000 to £5,000.

However, the second limb, involving ‘misuse of information’, will be relevant to all organisations as it broadly includes any inappropriate or wrongful collection or disclosure of ‘private’ (including personal) information. The most obvious example of such a misuse of information by an organisation is where someone who is not authorised to do so is able to access the ‘private information’ of an individual held by that organisation. This could be a third party (in the case of a malicious actor/data breach) or an employee accessing personal information that they do not need access to for their work role or function and thus should not be able to view (also a data breach). It will also include the ‘wrongful’ collection of ‘private’ information (i.e. more sensitive personal information). Organisations collecting such personal information: (a) without first giving notice of (or, where necessary, obtaining consent to) that collection; or (b) having no right to collect such in the first place may well be ‘misusing’ information under the second limb and thus invading an individual’s privacy.

What is intentional or reckless?

Given the potentially wide ambit of the second limb of the SRA, the qualification is that the invasion of privacy resulting from such must be ‘intentional’ or ‘reckless’. Despite some calls to include negligence as a fault element of any statutory tort, as drafted the SRA requires the organisation’s conduct to be either (a) intentional (i.e. the organisation intended to invade an individual’s privacy); or (b) reckless (i.e. the organisation was aware of the risk and proceeded regardless to invade the individual’s privacy). Focussing on the second limb, the ALRC noted in Report 123 that “in many situations involving serious data breaches, for example, the risk may be well-known in the industry so that it may be obvious or provable that the defendant [e.g. organisation] was aware of the risk, providing the basis for a finding of recklessness”.

Privacy Act breaches: It is arguable that if an organisation’s privacy practices do not comply with the minimum requirements of the Privacy Act/APPs (including APP 1.2) and there has been no attempt to do so or there is no process/oversight in place at an organisational level then there will be deemed ‘awareness’ (it is the organisation’s obligation to know what laws apply to them and comply with them). For example, failure of an organisation to address (i.e. not even attempt to implement) the following key privacy obligations will likely give individuals a right of action against the organisation under the SRA, if such inaction leads to an unauthorised collection or disclosure of any of the individual’s more sensitive personal information:

  1. implementing ‘practices, procedures and systems’ to ensure the organisation’s compliance with the APPs (i.e. organisational/board accountability under APP 1.2)
     
  2. protecting personal information including, once passed, the new technical and organisational measures required under the Bill (under APP 11.1)
     
  3. deleting personal information no longer required for a legitimate notified purpose of collection where it is no longer required by law to be kept in an identifiable form (under APP 11.2)
     
  4. preventing unauthorised collection, use or disclosure of personal information (under APPs 1.2, 3 and 6); and
     
  5. complying with the NDB Scheme including a lack of an organisation specific data breach response plan (under Part IIIC of the Privacy Act).

Importantly, ‘non-compliance’ alone with any of the above, having reasonably tried to address them and implement relevant measures but where, in practice, those measures fall short, is unlikely to expose an organisation to a significant risk of an action under the SRA.

Class action potential: While, due to the relative costs versus the likely award, an individual will be unlikely to pursue an action against an organisation (except where the invasion of privacy has caused significant provable injury or economic loss), the sheer number of participants in the class means that organisations must be wary of the risk of class actions/representative proceedings using the SRA. Data breaches will likely be a key (but not the only) risk area where class actions under the SRA may ultimately result because:

  1. Data breaches shine a public spotlight on an organisation’s privacy and cyber security governance regime and expose the organisation’s failings. During the handling and in the wake of a data breach the OAIC and class action law firms can scrutinize the extent of the organisation’s privacy compliance to determine whether an organisation had even attempted to address or implement the key privacy obligations discussed above.
     
  2. Data breaches are necessarily invasions of privacy as they expose an individual’s personal information to unauthorised access which is, by definition, a ‘misuse of information’.
     
  3. Data breaches often affect a large number of individuals, which creates a clear ‘ready-made’ class of potential class participants.

By simplifying the framework, providing a direct cause of action and recognising the concept of damages for emotional distress (even if no economic loss can be established), the SRA will avoid many of the issues with the existing privacy class actions currently before the courts, including as to establishing the damages suffered. As such, the SRA is likely to become the preferred vehicle for any privacy class actions to be brought in Australia, likely in parallel with class complaints to the Privacy Commissioner.

What should you do now to prepare for the SRA?

The SRA will commence 6 months after the Bill receives Royal Assent (likely early to mid-2025) so there is not very much time to prepare for it. Organisations that have sought to implement and have in place measures to address their privacy (i.e. APPs) obligations will be unlikely to be found to have ‘seriously invaded’ an individual’s privacy. Therefore, now is the time to assess the status of your privacy and cyber security compliance and determine what you need to do to uplift it in order to, at least, avoid the potential risk of class actions being pursued against you under the SRA.

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end-to-end risk management solutions for clients from advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation and recovery to regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading, practical, solutions-focussed assistance and advice.

 

About the report

Produced

01 October 2024

Location:

Asia Pacific

Written by:

Alec Christie

Partner

Additional authors:

Gerry Feng
