The new statutory tort for serious invasions of privacy and its implications for business

The federal government has proposed introducing a statutory tort for serious invasions of privacy, as part of the recently tabled Privacy and Other Legislation Amendment Bill 2024 (the Bill).

The proposed statutory tort, which creates a cause of action for serious invasion of privacy, has been included as one of the highly anticipated changes to the Privacy Act 1988 (Cth). The creation of a new tort brings with it new risks for businesses, which may be liable directly or, in certain circumstances, vicariously liable through the conduct of their employees or agents.

Far from being a recent invention, a tortious right of action for Australia was first recommended by the Australian Law Reform Commission (ALRC) in its 2014 report on ‘Serious Invasions of Privacy in the Digital Era’ (Report 123).

The ALRC’s recommendations were made in the context of the increasing ease and frequency of privacy invasions in the digital era. It recommended that a cause of action be available where a defendant caused a serious invasion of privacy through intrusion upon seclusion or the misuse of private information, which would be actionable without proof of damage. The proposal was picked up in the Attorney-General’s Privacy Act Review, to which the government agreed in principle in 2023. The introduction of the statutory tort is now closer than ever, with its inclusion in Schedule 2 to the recently tabled Bill.

See our overview of the full privacy reforms announced in September 2024: Privacy Act reforms: work to be done, but more to come.

In this article we explore the requirements and potential consequences of the proposed new statutory tort for businesses.

Elements of the proposed changes

To establish whether a serious invasion of privacy took place, four key elements must be satisfied.

Invasion of privacy

A plaintiff must prove that the defendant invaded their privacy, and that the invasion was by ‘intrusion upon seclusion’ or ‘misuse of information’, or both.

Intrusion upon seclusion relates to a person’s physical privacy and will usually involve watching, listening and recording someone’s private activities or affairs. The misuse of information arm was designed to focus on the security of personal information (as distinct from intrusion upon seclusion), and can include the collection, use or disclosure of information about an individual, regardless of whether the information is true.

Conduct can constitute both intrusion upon seclusion and misuse of information, such as hacking into a person’s electronic device and disseminating intimate photographs.

Reasonable expectation of privacy

The plaintiff must prove that a person in their position would have had a reasonable expectation of privacy, considering all of the circumstances.

This is an objective test and was designed to be flexible to accommodate changing expectations of privacy over time. Therefore, a court may consider the means and purpose of the invasion of privacy, alongside the attributes of the plaintiff such as their age, cultural background, occupation and whether they publicly manifested a desire for privacy.

In respect of intrusion upon seclusion, a court may consider where the invasion took place. People may have a greater expectation of privacy, for example, in their home, as compared to a public place. If the defendant misused information relating to a plaintiff, a court may consider the nature of the information and to what extent the information was already in the public domain.

Fault

A plaintiff must also prove that the defendant intentionally or recklessly invaded the plaintiff’s privacy. Negligence is not sufficient to establish fault under the statutory tort. Intention may be subjective or imputed.

By including recklessness as a fault element, the government intends to give the statutory tort a slightly higher threshold than negligence, but not so high that it only covers intentional acts. ‘Reckless’ is defined by the Bill as having the same meaning as in the Criminal Code Act 1995 (Cth).

Seriousness

The invasion of privacy must be serious. Seriousness is considered objectively, and a court may have regard to a number of factors, including:

  • the degree of any offence, distress or harm to dignity that the invasion of privacy would likely cause;

  • whether the defendant knew or ought to have known that the invasion would impact the dignity of the plaintiff; and

  • whether the invasion was intentional or motivated by malice.

A plaintiff is not required to prove that they experienced damage in order to bring the action. However, any damage experienced is relevant in assessing how serious the invasion was, and the remedies that may be awarded.

Limitation periods

The Bill provides a narrow timeframe for when proceedings based on the statutory tort must commence. Where a plaintiff was under 18 when the invasion of privacy occurred, proceedings must commence prior to them turning 21. In all other instances, proceedings must commence by the earlier of one year after the plaintiff became aware of the invasion or three years after the invasion of privacy occurred.

Defences and exemptions in the Bill

The Bill also provides for a number of defences to the new tort, which attempt to balance the interest of protecting privacy with other public interests.

These are listed below.

Required or authorised by law

The Bill provides a defence where an individual, organisation or entity is required or authorised by Australian law and/or a court or tribunal to perform certain acts which would otherwise amount to a serious invasion of privacy. For example, this may include mandatory reporting obligations or compliance with a compulsory process issued by a court. Authorisation may be implied by law, although absence of prohibition by the law does not of itself equate to authorisation.

Consent

It is a defence where a plaintiff, or a person who has lawful authority to do so for the plaintiff, expressly or impliedly consented to the acts that gave rise to the invasion of privacy.

Necessity

A defence is available if the defendant reasonably believes that the invasion of privacy was necessary to prevent or lessen a serious threat to a person’s life, health or safety. This would include responding to a serious or imminent danger, or an emergency (including a health emergency or serious domestic and family violence incident).

Defence of person or property

A defence is also available where a defendant’s serious invasion of privacy is incidental to exercising their lawful right of defence of persons or property, provided that the conduct is proportionate, necessary and reasonable.

Defamation defences

In certain circumstances, where a defendant publishes (within the meaning of defamation law) information that relates to a person, some defences which would ordinarily apply in defence to a claim for defamation will also apply. These include the defences of:

  • Absolute privilege, which applies to certain communications that disclose information about a person in the interest of free speech and transparency, such as those made during Parliamentary proceedings. This includes any such defences which arise from the common law, as well as Commonwealth, State and Territory legislation (regardless of whether the tort was committed in another jurisdiction).

  • Publication of public documents, which protects persons who are publishing public documents, such as parliamentary papers or a judgment or order of a court.

  • Fair report of proceedings of public concern, which protects people reporting such proceedings, such as events occurring in a courtroom, public inquiry or a government body.

A defendant who seeks to rely on any of those defences will bear the onus of proving that their conduct provides them with such protection.

In addition to the available defences, the Bill provides exemptions for certain people in certain circumstances, including journalists, those associated with journalists, those under 18 years of age, enforcement bodies and intelligence agencies (or persons either disclosing information to or using information disclosed by those agencies).

Remedies in the privacy Bill

Harm is not required to establish breach of the statutory tort. However, the Bill provides for a suite of remedies, including interim injunctions which restrain the defendant from invading the plaintiff’s privacy, damages and other remedies as the court thinks most appropriate. Other redress the Bill contemplates includes declarations, account of profits, orders requiring an apology from the defendant (which is expressly not taken to be an admission of fault or liability under the Bill), correction orders and orders for the destruction or retrieval of material from the defendant.

Interestingly, the damages cap is tied to the cap applicable to defamation claims: it is the greater of $478,550 or the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under an Australian law. The nature of the cap is said to ensure equal protection of privacy and reputational interests, and to prevent plaintiffs from choosing causes of action based on the availability of damages.

Damages are available for emotional distress, and although aggravated damages are not available, exemplary or punitive damages are able to be awarded.

The Bill also provides for factors a court may consider in determining the amount of damages. Those include, for example, whether the defendant:

  • apologised,

  • published a correction, and/or

  • engaged in conduct after the invasion of privacy that was unreasonable.

Whether the defendant subjected the plaintiff to particular or additional ‘embarrassment, harm, distress or humiliation’ is also a factor that may be considered in awarding damages. Notably, the factors relevant to damages are broader than the considerations for ‘seriousness’ discussed above, which go to establishing the cause of action. The Explanatory Memorandum makes clear that this was by intentional design.

Corporate responsibility and extension of liability

The proposed tort of serious invasion of privacy will create risks for businesses. These risks can arise in two ways.

Firstly, direct corporate responsibility will arise if a company breaches a person’s seclusion or misuses information. For example, this could be by the mass collection of sensitive and personal data using digital tracking tools, which is then used or shared for a purpose other than that for which it was collected, causing distress or harm to the dignity of affected people. There may also be exposure to class actions under the Bill where the tort affects multiple people, particularly where damage has been suffered as a result of the serious invasion of privacy.

Secondly, the introduction of the statutory tort will create a new risk of vicarious liability, exposing corporations to legal responsibility for the actions of their employees or agents where the invasion of privacy occurred within the course of employment or a servant/agency relationship. Vicarious liability may be more likely where the corporation gave its employee/agent the occasion (not just a mere opportunity) to invade privacy, or when the act furthered the corporation’s interests.

There is a very broad definition of ‘misusing information’ (which includes, but is not limited to, collecting, using or disclosing information about the individual). This brings with it the risk that, at least while the courts first begin to grapple with claims, diverse circumstances may be argued to fall within the proposed statutory tort. Courts in other jurisdictions that have similar causes of action, including England & Wales, Canada and New Zealand, have demonstrated a willingness to find corporations vicariously liable for invasions of privacy (at least in principle, if not always on the particular facts).

Instances where vicarious liability may arise include where an employee or agent commits a serious, intentional or reckless invasion of privacy, such as by:

  • using mobile phones or other tools supplied by their employer to watch, listen to or record an individual in a private space or collect information about an individual;

  • sharing information about an individual gained in the course of employment with another without the consent of the individual, including data leak scenarios where an insider collects, uses or discloses a corporation’s data.

Merely accessing information about an individual in the course of employment for ancillary purposes, without sharing it, could also potentially fall within the non-exhaustive definition.

Risk mitigation measures for corporations will include:

  • reviewing policies and procedures for device use and information storage/access;

  • reviewing employment/agency contracts to determine whether additional indemnities could be introduced; and

  • obtaining appropriate legal advice in respect of bespoke considerations for those handling sensitive data, such as health, financial or children’s information or collecting and sharing large amounts of individuals’ information.

Authors

Anna Grunseit

Special Counsel

Rebecca LeBherz

Special Counsel

Ryan Pearson

Associate

Lisa Gunawan

Law Graduate



This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.