Data Wars Part II: A direct right of action

In our previous Insight, we explored the proposed statutory tort for serious invasions of privacy detailed in the Attorney-General’s Department’s Privacy Act Review Report (Report) in February 2023. Draft legislation is expected in coming months.

In this second part, we explore the introduction of a direct right of action to the Privacy Act 1988 (Cth) (the Act).

Why is a direct right of action being proposed?

At present, individuals have limited options to seek compensation for an alleged breach of the Australian Privacy Principles (APPs). As the Report details, the Act currently only provides complainants with the following options:

  • a complaint can be made by individuals to the Office of the Australian Information Commissioner (OAIC) about an alleged interference with their privacy.[1] Determinations by the OAIC can then be enforced in the Federal Courts
  • an individual can apply to the Federal Courts for an injunction to restrain or prevent contraventions of the Act, including on an interim or urgent basis[2]
  • an individual who has suffered loss or damage resulting from breaches of certain credit reporting provisions under the Act can apply for a compensation order after a Federal Court has made a civil penalty order or an entity has been found guilty of an offence.[3]

Numerous legislative reviews have called for greater private recourse for invasions of privacy.[4]

The Report found that introducing a direct right of action would:

  • (obviously) increase the avenues available to individuals who suffer loss as a result of an interference with privacy to seek compensation
  • be an important measure to enhance individuals’ control of their personal information, and reflect current community expectations
  • increase consumers’ bargaining power with businesses that collect and use their personal information
  • encourage compliance with the Act by businesses and government agencies.

The Australian Competition and Consumer Commission (ACCC), which also recommended the introduction of a direct right to bring actions and class actions under the Act in 2019, noted that:[5]

… deterrence against problematic data practices that interfere with an individual’s privacy could be improved if individuals could directly bring actions or class actions in court for breaches of privacy and data protection laws. This could be achieved by giving individuals a right to bring an action for an interference with privacy under the Privacy Act …

Advocates for the change argue that a direct right of action would align the Act with the Consumer Data Right regime in the Competition and Consumer Act 2010 (Cth), which grants individuals the right to bring an action for damages against another person for breach of the consumer data rules (CDRs) relating to the privacy safeguards or to privacy and confidentiality of CDR data.[6]

A direct cause of action would reflect the position in jurisdictions like the European Union, New Zealand, Singapore, and China.

[1] Privacy Act 1988 (Cth), s 36.

[2] Privacy Act 1988 (Cth), s 80W.

[3] Privacy Act 1988 (Cth), ss 25 and 25A.

[4] For example: VLRC, Privacy Law Options For Reform: Information Paper, 1 July 2001, p 28; ALRC, Serious Invasions of Privacy in the Digital Era Final Report, 3 September 2014, p 51; NSW Standing Committee on Law and Justice, Remedies for the serious invasion of privacy in New South Wales Report, NSW Legislative Council, 3 March 2016, p 57.

[5] ACCC, Digital Platforms Inquiry Final Report, p 24 and recommendation 16(e) at p 35; p 442.

[6] Competition and Consumer Act 2010 (Cth), s 56EY; Privacy Act Review Report, p 273.

European Union

Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of a violation of the provisions of the GDPR has the right to receive compensation from a ‘controller’ (the entity that determines the purposes and means of the processing of personal data) or ‘processor’ (the entity that processes personal data on behalf of the controller) for the damage suffered.

New Zealand

Section 98 of the Privacy Act 2020 (NZ) allows an aggrieved individual, a representative on behalf of an aggrieved individual, or a representative lawfully acting on behalf of a class of aggrieved individuals to commence proceedings in the Human Rights Review Tribunal in respect of any complaint received by the Privacy Commissioner or matter investigated by the Privacy Commissioner in a broad range of circumstances following the complaint being made.

Singapore

Under section 48O of the Personal Data Protection Act 2012 (Singapore), a person who suffers loss or damage directly as a result of a contravention of the Act has a right of action for relief in civil proceedings in a court.

China

Under Article 69 of the Personal Information Protection Law, where the “handling” of personal information infringes on rights and interests in personal information and causes harm, and the personal information “handler” cannot prove that it is not at fault, it shall bear tort liability to compensate losses.

What would a direct right of action involve?

The Government has agreed in-principle to amend the Act to allow for a direct right of action to permit individuals to apply to the courts for relief in relation to an interference with privacy, and proposes the following elements:[7]

Direct, but complex

In our daily lives, private and public organisations now collect vast amounts of data from individuals through apps and social media platforms, phones, wearables, and even Internet-of-Things devices — capturing financial, health, and other personal information. As the volume and richness of this data increases, data breaches, cyber-attacks, and misuse of personal information are of increasing concern to regulators and consumers. 

Navigating this landscape in an era where individuals may have more direct redress for alleged breaches of privacy will be challenging.

The APPs are a principles-based regime, meaning they provide overarching guidelines rather than strict, prescriptive rules. While this offers flexibility for organisations to tailor their privacy practices, it can create challenges for individuals seeking to understand their rights and assess potential breaches. In the context of a proposed direct right of action, this ambiguity could be particularly difficult to navigate.

Technical information, such as data collection methods, tracking technologies, and algorithmic decision-making, is often complex and opaque. Individuals may struggle to interpret how the APPs apply to these technical practices, making it difficult for them to determine whether an interference with their privacy has occurred. For example, understanding how the principles of "collection limitation" and "use and disclosure" apply to sophisticated online tracking or data profiling techniques may require technical expertise that most individuals lack. We expect the OAIC will increasingly rely on organisations to assist complainants to interpret and understand data, increasing the operational burden and risk for organisations.

The inclusion of a “gateway” model, requiring an initial complaint to the OAIC before litigation, may mitigate concerns about burdening the court system as it would prevent individuals from immediately litigating. It reflects similar arrangements available under human rights legislation. However, self-represented and vexatious claims will need to be managed with care.

For many organisations, particularly those with significant or high-risk data assets, the introduction of a direct right of action will increase risk — especially for representative complaints that mirror the form of class actions. In Australia, we have already begun to see the availability of third-party funding for representative complaints to the OAIC in relation to alleged high-volume data breaches. This is expected to increase where groups of individuals can directly enforce the APPs as a representative proceeding.

There have already been significant increases in disputes concerning personal information. For example, the OAIC’s most recent annual report states that it experienced a 34% increase in privacy complaints throughout 2022-2023 in comparison to 2021-2022. A direct right to access remedies like compensation is likely to encourage further increases in complaints.

Certain stakeholders have argued that strengthening privacy protections has the potential to curb innovation. Others believe that protections like these could enhance customer relationships and facilitate the development of better products and services. Only time will tell.
