Govt mulls direct right of action for privacy breaches

Denham Sadler
National Affairs Editor

A direct right of action for individuals subject to a privacy breach, a statutory tort of privacy and an end to the exemption for political parties are being considered under the wide-ranging review of the Privacy Act.

Nearly two years after announcing the review in response to the competition watchdog’s digital platforms report, the Attorney-General’s department has released a discussion paper filled with potential reforms of the Privacy Act.

The government is seeking feedback on the discussion paper over the next three months, specifically in terms of the scope and application of the Act, the protections contained in it and how it is regulated and enforced.

Canberra Parliament
In the wind: Direct right of action

The 200-page-plus paper includes the feedback from the 200 submissions the department received on the issues paper, released late last year, and includes a number of potential areas of reform which the government is now considering.

Many of those mirror the actual recommendations from the Australian Competition and Consumer Commission’s digital platforms inquiry, which the Coalition opted to launch another inquiry into rather than directly adopting.

The discussion paper proposes the introduction of a direct right of action available to any individual or group whose privacy has been breached, to be heard by the Federal Court. To access this, an individual will first have to make a complaint to the Office of the Australian Information Commissioner (OAIC) and have it assessed as being unsuitable for conciliation.

The proposed model is in line with what the ACCC proposed in its digital platforms report, with available remedies to individuals to include compensation and aggravated and exemplary damages for the harm that resulted from a breach of the Privacy Act.

“More than half of submissions supported introducing a direct right of action to empower individuals to exercise greater control over the enforcement of their privacy rights,” the discussion paper says.

“They considered that the possibility of individual or class actions being brought against entities for interferences with privacy is likely to provide an additional incentive or entities to comply with their obligations and deter poor behaviour.”

A key consideration of the Privacy Act review is whether to introduce a statutory tort of privacy, and the government has included four options for this in the discussion paper.

These include the introduction of a statutory tort for invasion of privacy as recommended by the Law Reform Commission, a “minimalist” tort leaving the scope and application to the courts, leaving it to the states to consider legislation that damages for emotional distress are available following a privacy breach or doing nothing.

Submitters were divided on whether such a tort should be introduced, with those in favour mainly being individuals, privacy regulators and academics, who said it would “fill gaps in the legal framework for privacy protection”, the paper said.

The powers and role of the OAIC is also a key consideration, with the government considering the introduction of tiers of civil penalty provisions to give more options for regulatory responses.

These would include a mid-tier civil penalty for privacy breaches and a number of low-level tiers for breaches which would result in infringement notices.

The government will also consider whether to create a new Federal Privacy Ombudsman or to establish a Deputy Information Commissioner focusing on enforcement.

The discussion paper outlines the possible introduction of a right to erasure, where an individual would be able to request that their personal information be deleted, with companies only required to do this if it must be destroyed or de-identified, includes sensitive information, the user has withdrawn consent or if they are required under law.

The Privacy Act reforms will deal with changing the definition of “personal information”, and requirements around the obtaining of express consent, which will have to be an “unambiguous indication through clear action”.

The discussion paper proposals also include whether companies should be forced to implement pro-privacy settings by default, or make it easier to access privacy settings.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories