A significant change was recently introduced into Australian privacy law as part of the federal government’s broad privacy reform agenda. A new statutory tort of serious invasions of privacy is now in force.

Individuals can now take legal action against businesses or individuals if their privacy is seriously breached.

To succeed in a claim for breach of the new tort, a person will need to establish the following elements:

1. there was an invasion of the person’s privacy which includes an intrusion upon the person’s seclusion or misuse of personal information, e.g. an act of physically intruding into the person’s private space, or watching, listening to, or recording the person’s private activities or affairs;
2. a person in the position of the injured person had a reasonable expectation of privacy. The court will examine various factors including the devices used, the injured person’s behaviour, the nature of the information and the extent to which the information was already in the public domain);
3. the invasion was intentional or reckless. This means that an accidental or negligent invasion of privacy will not be enough. The court may also consider whether the invasion of privacy was motivated by malice;
4. the invasion was serious. The court may take into account the degree of harm, and whether the defendant ought to have known that the invasion of privacy was likely to offend; and
5. the public interest in the injured party’s right of privacy outweighs the public interest (e.g. freedom of expression, administration of government, etc).

There is no requirement for a person to prove any damage to succeed in a claim under the statutory tort.

Legal action must be commenced within a year of becoming aware of the invasion of privacy or within 3 years following the invasion of privacy, whichever is earliest.

The tort is only available to individuals and is not available to companies.

The requirement for an invasion to be serious will limit nuisance claims. However, the full scope of the new tort will only be known once tested by the courts.

Remedies

Courts have a broad discretion to award any remedy appropriate in the circumstances. In addition to damages (which are capped to $478,500 for non-economic loss), exemplary or punitive damage, the court may also grant remedies such as an account for profits, an injunction to restrain the invasion, orders for apologies or orders for destruction of material.

Defences

The action will not succeed if the invasion of privacy was authorised by law, by a court or by express or implied consent, or where it was necessary to prevent a serious threat to life, health or safety.

Exemptions 

The new tort does not apply to invasions of privacy by agencies, state or territory authorities, law enforcement bodies, intelligence agencies or their staff.

Journalists are also shielded and the fact that an invasion of privacy may breach journalistic standards or codes of practice is irrelevant.

What does that mean for businesses?

Businesses that collect and manage personal information should take appropriate steps (including conducting privacy impact assessments) to ensure they have sound processes in place to mitigate the risk of breaching the new tort. This may include reviewing privacy policies and data handling and data breach policies, implementing effective controls and providing training to relevant personnel on data sharing.