
Data Wars - Part I: Tortious invasions of privacy


The Australian Government has confirmed its commitment to introduce a new direct right of action for breaches of the Privacy Act 1988 (Cth) (the Act) or the Australian Privacy Principles (APPs), and a statutory tort for serious invasions of privacy.

The latest versions of these long-debated proposals were detailed in the Attorney-General’s Department’s Privacy Act Review Report (Report) in February 2023. Draft legislation is expected in coming months.

In our two-part series, we will take a closer look at these key proposals and what these changes could ultimately mean for businesses and other APP entities in the future if these proposals become law.

In this insight, we explore the proposed statutory tort for serious invasions of privacy.

What is being proposed?

The Report contains multiple proposals to reform our national privacy regime, including the introduction of more prescriptive rules and guidance for organisations, new direct rights for individuals similar to the EU General Data Protection Regulation (or GDPR), stronger online protections, and additional powers for the Office of the Australian Information Commissioner (OAIC) — together with an expansion of who and what is covered by the Act.[1]

Two key proposals from the Report, a statutory tort and a direct right of action, warrant close consideration. We anticipate they will have a significant impact on businesses that collect, hold, use, or disclose personal information.

See our earlier Alerts on the initial release of the Report here, the proposals relating to the collection and use of personal information here, the proposals relating to individual rights here, and the Federal Government’s response to the Report here.

Direct Right of Action

Currently, there are very limited circumstances in which an individual may apply to a Federal court for relief under the Act to seek to obtain compensation. The granting of injunctions to prevent breaches of the Australian Privacy Principles is one circumstance where relief may be sought.

In the future, a direct right of action would allow individuals to litigate breaches of the Act, after progressing through a conciliation process with the OAIC.

Statutory Tort

Currently, there is no settled actionable tort for invasions of privacy. Also, the Act does not provide protections over acts of bodily or territorial privacy invasion, such as spying.

In the future, a new statutory tort for serious invasions of privacy would provide a pathway to compensation for individuals affected by serious privacy invasions, subject to important qualifications.

Legislation is imminent. With many aspects of the proposals agreed in-principle, the draft legislation will need to be carefully reviewed.

A statutory tort for serious invasions of privacy

A new right in Australian law?

Calls for a statutory right of action have been made for many years, arising from the limited ability of individuals to directly enforce privacy complaints, and Australian courts declining to take up the opportunity to expand a right to privacy.

Those calling for reform have included state and federal law reform bodies[2] and the ACCC in its recent Digital Platforms Inquiry Final Report.[3]

And while the High Court’s acknowledgment in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd[4] of a potential common law tort occurred in 2001, there was little progress.  Since the Digital Platforms Inquiry, however, the timeline has progressed quickly.

[2] New South Wales Law Reform Commission, Invasion of Privacy, Report No 120 (2009) 8–9 [3.3]; South Australian Law Reform Institute, Too Much Information: A Statutory Cause of Action for Invasion of Privacy, Final Report No 4 (2016); Victorian Law Reform Commission, Surveillance in Public Places, Final Report No 18 (2010).

[3] See ACCC, Digital Platforms Inquiry Final Report, 27 July 2019, p 25 and recommendation 19 at p 37.

[4] [2001] HCA 63

A tort is coming. Adopting a recommendation in the Report, the Government has confirmed its intention to introduce a statutory tort for serious invasions of privacy, separate to existing rights and remedies under the Privacy Act. Most recently, on 9 July 2024, the Attorney-General was “very hopeful that [the Government] will bring [reform] to the Parliament later this year.”

Specifically, the Government has said that it agrees in-principle that:[5]

…a statutory tort for serious invasions of privacy should be introduced, based on the model recommended by the ALRC in its Report 123[6] (the ALRC Report 123 model)

As the Australian Law Reform Commission argued in its 2014 report, this “statutory cause of action would relate not only to the privacy of information but also to other types of privacy, such as territorial, communications and bodily privacy.”[7]

The Federal Government has acknowledged this expansion and the tort will permit plaintiffs to take action against:

…an individual taking a video of a person where they had a reasonable expectation of privacy (such as in a public bathroom) or an employee misusing sensitive facts about another employee obtained by virtue of their position.[8]

Preparing for a new statutory tort of serious invasion of privacy

Legislation to introduce the tort into Australian law is imminent. While many details are yet to be confirmed, we have guidance from the ALRC Report 123 model. Organisations can also look to the experience of jurisdictions like the United Kingdom to imagine what a future right to privacy might look like.

The statutory tort will likely embrace class action mass-tort claims and litigation funding. As a litigious process, the compellable powers of courts will have far greater forensic capacity than regulators have previously enjoyed. The adjudication of some business practices in a public hearing will be an uncomfortable experience for many defendants. Privacy litigation risk will be a new force in Australian law.

What will constitute a serious invasion of privacy?

To establish the tort, an invasion of privacy will need to be “serious”. But how serious does it need to be?

Factors such as the nature and extent of the privacy intrusion, the sensitivity of the personal information involved, and the impact on the individual affected, will all be relevant.

For instance, the unauthorized disclosure of highly sensitive medical records or intimate photographs could be considered a serious invasion of privacy, while the inadvertent collection of a person's email address might not meet the threshold.

While the Report avoids discussion of a legislated threshold for seriousness,[9] as does the Government’s response, the ALRC Report 123 recommended that any new tort be available:[10]

…only where the invasion of privacy was ‘serious’, having regard, among other things, to:

1. the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff;

2. whether the defendant was motivated by malice or knew the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff.

When proposing the tort, the ALRC argued such a threshold would ensure that trivial and other non-serious breaches of privacy are not actionable — and that the new tort would not unduly burden competing interests such as freedom of speech.[11] The ALRC also argued that the test of seriousness should be an objective test and that it should not be concerned with:[12]

…whether the plaintiff considered the invasion of privacy to be serious, or even whether the plaintiff has proved that they suffered serious damage from the invasion of privacy. Rather, it is about whether the court views the invasion as serious.

The "serious" element serves a dual purpose:

  • it ensures that the tort is not invoked for trivial matters, reserving legal remedies for genuinely harmful privacy breaches, and
  • it provides a degree of certainty for individuals and organisations regarding the types of conduct that could give rise to liability.

Balancing the need for adequate protection of privacy with the desire to avoid stifling legitimate activities will be a key challenge in defining and applying the “serious” test. The courts will ultimately play a crucial role in interpreting and refining the "serious" element through case law. While Australia’s mandatory data reporting regime has utilised a threshold of “serious harm” for some time, the threshold of what constitutes a “serious interference” with privacy for the purpose of civil penalty proceedings is yet to be considered by courts.

Torts are complex causes of action that evolve and shift over time. As such, this threshold requirement of a “serious” invasion of privacy is likely to change with evolving community expectations — which often do not reflect the operational, technical or commercial realities of handling data.

When is there a reasonable expectation of privacy?

The Report and the Federal Government’s response to the Report both support a requirement to establish a reasonable expectation of privacy. In doing so, there is implied support for the ALRC Report 123 model’s recommendation of the non-exhaustive list of factors that a court may consider, which included:[13]

  • The nature of the private information, including whether it relates to intimate or family matters, health or medical matters, or financial matters
  • The means used to obtain the private information or to intrude upon seclusion, including the use of any device or technology
  • The place where the intrusion occurred, such as in the plaintiff’s home
  • The purpose of the misuse, disclosure or intrusion
  • How the private information was held or communicated, such as in private correspondence or a personal diary
  • Whether and to what extent the private information was already in the public domain
  • The relevant attributes of the plaintiff, including the plaintiff’s age, occupation and cultural background, and
  • The conduct of the plaintiff, including whether the plaintiff invited publicity or manifested a desire for privacy

[9] The Report does however discuss in detail on pp 256-258 the meaning of seriousness in terms of section 13G of the Act, which covers ‘serious’ or ‘repeated’ interferences with privacy under the Act. In this context, the Report recommended that section 13G be amended to clarify that a ‘serious’ interference with privacy may include:
(a) those involving ‘sensitive information’ or other information of a sensitive nature
(b) those adversely affecting large groups of individuals
(c) those impacting people experiencing vulnerability
(d) repeated breaches
(e) wilful misconduct, and
(f) serious failures to take proper steps to protect personal data.

[10] See ALRC, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), 3 September 2014, Recommendation 8-1, p 132.

[11] See ALRC, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), 3 September 2014, at [8.6] p 132 and [8.15] p 134.

[12] See ALRC, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), 3 September 2014, at [8.18] p 134. See also [8.19]-[8.38], pp 134-138 for the ALRC’s full discussion on what factors they thought should be considered by a Court in determining whether an invasion of privacy met the seriousness threshold they proposed.

[13] See ALRC, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), 3 September 2014, chapter 6, pp 91-107.

These kinds of multi-factor tests are flexible and adaptable, but they are difficult to apply in everyday life. How plaintiffs, defendants and courts place relative weight on these factors will complicate litigation.

In our increasingly connected lives, consumers have developed differentiated and somewhat nuanced views of privacy. We've grown accustomed to platforms using our data to tailor experiences, and our smartphones are practically extensions of ourselves. Smart home devices, while convenient, might raise some eyebrows regarding data collection, depending on the level of transparency provided. Similarly, some consumers may be concerned at the prospect of other appliances not typically associated with communications technology, such as connected cars or refrigerators, collecting their data without clear notice being provided. The subjective dimension to privacy creates a complex landscape for businesses to navigate, with transparency issues and aligning on consumer expectations becoming ever more important.

Relatedly, for plaintiffs, the proposed statutory tort of privacy in Australia has a significant advantage over current protections: it's not limited by the definition of "personal information" under the Privacy Act. This means the tort could potentially cover a much wider range of activity. Collection or use of data about individuals’ intimate lives without knowledge or consent, even where anonymised, may invite claims. Activism may arise in the burgeoning field of Generative AI. Whether such claims would ever succeed remains to be seen once the boundaries of “reasonable expectations” are settled by Australian courts.

Intention and recklessness — but not negligence?

The Report and historical proposals agree that the fault element of the tort of serious invasion of privacy should be intention or recklessness. Many stakeholders, including the OAIC, had instead argued that the fault element should include negligence.

Excluding negligence will ensure that the tort focuses on more culpable conduct, hopefully avoiding the potential overreach of imposing liability for mere carelessness or inadvertent mistakes. While this narrower scope might limit the number of successful claims, its purpose is to strike a balance between protecting privacy and allowing for legitimate activities that might unintentionally infringe on privacy interests.

Overlapping enforcement of rights

In the future, organisations at risk of claims for breach of the statutory tort of privacy may need to contend with parallel or overlapping claims – from both existing and proposed rights.

PROPOSED RIGHTS

Direct right of action

Following the termination of a complaint by the OAIC, an individual could commence proceedings for alleged breaches of the APPs in the Federal Court.

Statutory tort of privacy

Individuals could commence proceedings for serious violations of their privacy.

This tort could enable individuals to seek compensation for emotional distress, loss of reputation, and other harms resulting from a significant invasion of their privacy.

EXISTING RIGHTS

Misleading or deceptive representations about data

The Federal Court recently ordered Google LLC to pay $60 million in civil penalties for making misleading representations to consumers about the collection and use of personal location data following court action by the ACCC.

Individuals may take action for damages under the Australian Consumer Law where misleading representations were made about data practices or handling.

Breach of confidence

Individuals and organisations may commence proceedings for a breach of confidence where information is subject to an equitable or contractual obligation of confidence, and the recipient of that confidential information misuses it.

In Farm Transparency International Ltd v New South Wales [2022] HCA 23, the High Court of Australia considered whether, in the future, categories of this claim could be expanded to include all private information where human dignity is concerned (without the need for an obligation of confidence).

Already, managing concurrent investigations and legal actions stemming from a privacy breach in Australia is a multifaceted challenge. OAIC investigations can run parallel to potential class actions, each with distinct procedural rules and timelines — and focus. The OAIC focuses on regulatory compliance, potentially leading to enforceable undertakings or civil penalties, while class actions seek financial compensation for affected individuals. Navigating these simultaneous processes requires careful coordination to avoid conflicting positions and ensure that information disclosed in one forum does not prejudice the outcome in another.

Under existing Australian law, class actions for privacy breaches often rely on general torts like negligence or breach of confidence, breach of contract, or statutory causes of action like the Australian Consumer Law. Establishing a direct causal link between the privacy breach and individual harm can be complex, as can quantifying damages for non-economic losses such as distress and reputational damage. These complexities often lead to lengthy litigation and uncertainty of outcome — making early resolution through alternative dispute resolution mechanisms an attractive option.

The introduction of a statutory tort of privacy in Australia will alter this landscape by simplifying the legal framework and potentially lowering the barriers to bringing a claim. This could lead to a surge in class actions, increasing the pressure on organisations to comply with privacy laws. The multi-factorial elements and complex defences of the new tort, as well as the availability of exemplary damages, could create new complexities and uncertainties in managing these claims. Organisations will need to adapt their risk management strategies and invest in robust privacy compliance programs to mitigate the potential for costly litigation.

How can we prepare for a statutory tort?

Many organisations will be keen to prepare for this new frontier of liability.

Recognition of territorial, communications and bodily privacy will require organisations to think outside the regime of “personal information” in the Privacy Act. “Set and forget” compliance by drafting a template Privacy Policy will only become riskier.

Some businesses, particularly those heavily reliant on user data, might need to evaluate their business models to prioritise data security and data minimisation. This could involve exploring alternative revenue streams or developing innovative ways to deliver personalized services without extensive data collection. Public and private sector organisations may incur additional costs to comply with the new privacy law, such as investing in privacy training for employees, updating data protection policies, and implementing further technical measures to safeguard personal information.

Organisations that proactively contact or take footage of individuals as part of their activities in particular will need to consider their policies and procedures – including the media, online influencers, and telemarketing and polling organisations. The APPs already require organisations to have processes, procedures and systems in place to ensure compliance — these will need to extend beyond just collection of data to recognise a broader conception of privacy. Any applicable exceptions will need to be carefully considered.

Be ready! Recent privacy class actions and representative complaints have garnered widespread attention, highlighting an elevated risk that is set to intensify as new direct rights of action and a statutory tort regarding privacy invasion emerge. Claims can receive litigation funding and move quickly. Crafting a strategic litigation framework, coupled with strategic regulatory engagement and a robust response plan, can assist your organisation in maintaining its focus if litigation begins.

In the expectation that the OAIC will still maintain some role in the intake and conciliation of complaints prior to litigation, it will be critical to revisit privacy complaint handling procedures (or formalise these if not already in place). These could consider key issues such as who is primarily responsible for responding to privacy complaints in the organisation, expected timeframes for response, and whether the organisation is willing to engage in conciliation meetings (as well as details such as who would attend such a conciliation).

In the future, we hope for greater co-ordination between other agencies and the OAIC to avoid the complexities of overlapping simultaneous investigations.

The international experience

A tort of unjustified invasion of privacy already exists in several common law jurisdictions.

In the United Kingdom, Article 8 of the Human Rights Act 1998 (UK) (Article 8), intended to codify the European Convention on Human Rights, has provided an avenue for courts to develop a tort for the misuse of private information.

This tort was developed by the House of Lords in the 2004 Campbell v Mirror Group Newspapers [2004] UKHL 22 case. Campbell successfully sued the newspaper on the basis that publishing a picture of her leaving a Narcotics Anonymous meeting amounted to a breach of confidence and a violation of the Human Rights Act 1998 (UK). The House of Lords recognised that the act of publicly printing these photos in a newspaper amounted to a breach of privacy.[14]

There is some dispute about the nomenclature in the United Kingdom. As the ALRC acknowledged at [4.47] of its 2014 Report:
‘while developments in the United Kingdom derive from the extension of the equitable action for breach of confidence under the influence of the Human Rights Act 1998 (UK), the misuse of private information giving rise to the extended or new cause of action in the United Kingdom is increasingly referred to as a “tort”.’

Instead of the cause of action being based upon the duty of good faith applicable to confidential personal information and trade secrets alike, it focuses upon the protection of human autonomy and dignity — the right to control the dissemination of information about one’s private life and the right to the esteem and respect of other people.

Campbell v MGN Limited [2004] UKHL 22 at [51]

Despite potential differences, examples of how the tort of misuse of private information has been relied upon in the United Kingdom are useful to envisage how Australia’s statutory tort might develop.


In TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB), there was an accidental data breach by the Home Department that disclosed private information of unsuccessful asylum seekers. The Home Department was held liable to pay damages under both the torts of misuse of private information and the applicable data protection laws.  

In Gulati v MGN Ltd [2015] EWCA Civ 1291 several celebrities, including Sadie Frost and Paul Gascoigne, sued the Mirror Group Newspapers for misuse of private information. MGN had intercepted their voicemails, obtaining private and confidential information, and published articles based on these unlawfully obtained materials. The Court of Appeal found MGN liable for misuse of private information and awarded damages to the claimants.

In AAA v Associated Newspapers Ltd [2012] EWHC 2103 (QB) (AAA) and Weller & Ors v Associated Newspapers Limited [2014] EWHC 1163 (QB) (Weller), damages were awarded against Associated Newspapers Limited after they had published pictures of public figures’ children without pixelating their faces.

In AAA, £15,000 in damages was awarded to the infant claimant after Associated Newspapers published her photograph without pixelating her face. The story was published in relation to speculation that the infant’s alleged father, a politician, had engaged in an extramarital affair.

In Weller, each of musician Paul Weller’s children was awarded damages (£5,000 for his 16-year-old daughter and £2,500 each for his 10-month-old twins) after images of a family outing in Los Angeles were published without the children’s faces being pixelated.

In Copland v UK [2007] All ER (D) 32 (Apr), the European Court of Human Rights held that an employer’s monitoring of an employee’s telephone, email and internet usage at work, without her knowledge, was a breach of Article 8. 

In Vidal-Hall and Others v Google Inc [2015] EWCA Civ 311, the claimants sued Google for misuse of private information and breach of the Data Protection Act 1998 (UK). The claimants alleged that Google had secretly tracked and collected their internet usage data without their consent. The Court of Appeal held that the claimants had a reasonable expectation of privacy in their browsing activities, and Google’s actions constituted a misuse of their private information. In that case, compensation was claimed for distress and anxiety alone.

In Prince of Wales v Associated Newspapers Ltd [2006] EWCA Civ 1776, the Prince of Wales sued the Daily Mail newspaper for publishing extracts from his private journals. The court found that the publication of these private and confidential journals amounted to a misuse of Prince Charles’ private information, violating his right to privacy. An injunction was granted to prevent further publication.

In Middleton v Person Unknown or Persons Unknown [2016] EWHC 2354, Pippa Middleton secured an interim injunction preventing the use, publication or disclosure of 3,000 photographs which were derived from or suspected on reasonable grounds to have derived from her iCloud account. Notably, in that proceeding, the hacker had not been identified yet, and the injunction was ordered against person(s) ‘who has or have appropriated, obtained and/or offered or intend to offer for sale and/or publication images contained on the First Claimant’s iCloud account’.

Meghan Markle also successfully relied on Article 8 when Associated Newspapers published her letter to her father, disclosed by her father to the media. The Court of Appeal in HRH The Duchess of Sussex v Associated Newspapers Ltd [2021] EWHC 273 (Ch) later held that a claimant’s intention to publish information at a future date (or even their indifference to it being published) does not deprive them of their reasonable expectation of privacy.

In Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446, the Court of Appeal held that publishing photographs of Sienna Miller in a public street, while not engaging in any public activity, constituted a misuse of her private information. The court emphasized that an individual’s privacy rights can extend to public spaces when they are engaged in private activities. This decision gave rise to the ‘Murray Factors’ used when evaluating whether a reasonable expectation of privacy exists in UK law.

The “Murray Factors”

… the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher.

- Murray v Express Newspapers plc [2009] QB 481 at [36]

In ZXC v Bloomberg LP [2019] EWHC 970 (QB), it was held that a person has a reasonable expectation of privacy during a police investigation up until they are charged. Bloomberg’s appeal against this decision was dismissed in early 2022.

Similarly, in Sir Cliff Richard OBE v The British Broadcasting Corporation; The Chief Constable Of South Yorkshire Police [2018] EWHC 1837 (Ch), the BBC was ordered to pay Sir Cliff Richard £210,000 after the UK High Court found that his privacy rights in accordance with Article 8 had been infringed. In this matter, the BBC published his name and took photographs and footage of his property in connection with a historical criminal offence allegation against him. 

In October 2018, a European Parliamentary Research Service report positively regarded the UK tort of misuse of personal information. 

[As] a relatively recent judicial innovation, the tort of misuse of personal information offers an important means of preserving individual privacy interests where threatened by either traditional and digital journalism

- The right to respect for private life: digital challenges, a comparative-law perspective, European Parliamentary Research Service

In particular, the report noted that the Richard v BBC case applied the misuse of personal information tort in “novel circumstances”, which “may yield further and significant extensions of privacy protection in future litigation.”[15]

The future of a statutory tort for serious invasions of privacy

This is a big change! Community expectations about privacy are likely to shift as cases are litigated, publicised, decided, and appealed — particularly around what invasions are “serious”, or where a reasonable expectation of privacy does or does not exist. As in the United Kingdom, these principles will be fluid and change.

Relatedly, there are reforms to the APPs that propose an overarching requirement that handling of personal information be “fair and reasonable”. How such an overarching test in the Privacy Act interacts with or mirrors the factors in the statutory tort will be important to observe.

Finally, while a statutory tort for serious invasions of privacy could provide some benefits to individuals seeking recourse for privacy violations, it carries significant risks and challenges for the digital economy that must be carefully monitored.

 

Stay tuned for Part 2, addressing the proposed direct right of action.
