Submission - Right to Sue for Serious Invasion of Personal Privacy - Australian Bankers
Total Page:16
File Type:pdf, Size:1020Kb
AUSTRALIAN BANKERS’ ASSOCIATION INC. Ian Gilbert Level 3, 56 Pitt Street Policy Director Sydney NSW 2000 Telephone: (02) 8298 0406 Facsimile: (02) 8298 0402
25 November 2011
Mr Richard Glenn Assistant Secretary Information Law and Policy Branch Attorney-General’s Department National Circuit BARTON ACT 2600
Email: [email protected]
Dear Mr Glenn,
Issues Paper "A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy"
The Australian Bankers’ Association (ABA) is pleased to have the opportunity to provide comments on this Issues Paper.
The ABA is the peak national body representing banks (other than mutuals) that are authorised by the Australian Prudential Regulation Authority to carry on banking business in Australia. The ABA’s membership of 25 banks comprises the four major banks, former regional banks that now operate nationally and foreign banks that are represented and carry on banking business in Australia as Australian banks.
1. The ABA’s Position
The ABA does not support the introduction of a statutory cause of action for serious invasion of privacy (statutory cause of action) as recommended by the Australian Law Reform Commission (ALRC) or as canvassed in the Issues Paper.
If the Government decides to proceed to introduce a statutory cause of action and minimise the impacts on businesses the proposed law should:
(1) be enacted in a stand-alone statute and specifically not as an amendment to the Privacy Act, and AUSTRALIAN BANKERS’ ASSOCIATION INC. 2
(2) include appropriately designed defences that recognise the current and proposed regulatory obligations of banks under the Privacy Act and banks’ duties of confidence to their customers.
1.1 The ABA’s key reasons are:
(a) The ALRC’s Report 108 of May 2008 “For Your Information” (ALRC Report) and the Issues Paper do not identify a demonstrated need for regulatory intervention.
(b) What may have occurred overseas to prompt calls in Australia for regulatory intervention does not constitute a demonstrated need for a statutory cause of action.
(c) The High Court has clearly left open the way for the common law of Australia to develop an Australian approach and there is evidence of this occurring.
(d) Existing Australian telecommunications laws deal with the types of conduct identified in the UK and to the extent those laws are not sufficient they can be specifically amended without the need to go further.
(e) The cause of action, if enacted, would be broad in its scope, would create uncertainty for businesses, particularly banks, and introduce a level of risk for businesses in conducting commercial activity with potential impacts on the economy.
(f) Examples of this activity include the activities of banks and other credit providers in recovering loans in default, enforcing rights under mortgages and other securities and the collection and verification of information in order to comply with legislated identity validation and “know your client” requirements.
(g) The scope or reach of the proposed cause of action is of its nature broad and defined according to a range of circumstances that would have to be interpreted and assessed in any given situation.
(h) Banks and other businesses hold sizeable amounts of personal information about their customers. Banks must know about their customers for legal and practical reasons and are required under the Privacy Act to take reasonable care of this information throughout the course of its collection use and disclosure.
(i) Currently, banks are highly regulated in how they collect, manage, use, disclose and protect customer information. Once the reforms to the Privacy Act are enacted, this will be further enhanced. As credit providers, banks are also subject to prescriptive requirements/limitations on the collection, use and disclosure of credit information under Part IIIA of the Privacy Act. AUSTRALIAN BANKERS’ ASSOCIATION INC. 3
(j) Confidentiality and security of customer information is critical to Australia’s banks. Australian banks recognise that information, privacy and security are central to maintaining the trust of their customers and the community. Privacy and security of this information is a core banking principle and essential to on-going viability.
(k) For almost one hundred and fifty years the common law has imposed a contractual duty of confidentiality on banks not to disclose the affairs for their customers unless the disclosure falls within four limited exceptions.
(l) Banks have a history of dealing with customer complaints about their banking services, including complaints about confidentiality and privacy. These arrangements are entrenched in legislation requiring banks to have internal complaint handling procedures for their retail customers and access to a free, independent dispute resolution service (in most cases the Financial Ombudsman Service) for these customers.
(m) It is important to recognise that banks not only have a legal obligation to secure personal information that they collect from their customers but also that they have a very strong commercial incentive to ensure customer information is properly protected.
(n) Banks play a critical role in the Australian economy and are subject to a wide range of prudential and market conduct regulation. Banks must conduct banking business in accordance with these requirements with integrity, prudence and professional skill.
(o) Regulatory intervention would be inconsistent with Australia’s principles of best practice regulation. The creation of a statutory cause of action with potential liability for banks would add unnecessarily to the body of strong regulation to which banks are currently subject. A statutory cause of action would require banks to take steps significantly over and above current and proposed requirements under the Privacy Act and the common law to anticipate and guard themselves against the risk of action. This would lead to a significant increase in business compliance costs with resulting business dislocation.
(p) Concurrent with the Issues Paper, the Government is proposing enhancements to the Privacy Act including the powers of the Privacy Commissioner and has instigated an inquiry into the media industry and a review of Australia’s telecommunications laws. To consider proceeding with a statutory cause of action before the outcomes of these initiatives are known could be pre-emptive of those outcomes. AUSTRALIAN BANKERS’ ASSOCIATION INC. 4
1.2 Alternative approach
If there is clear evidence that the existing regulatory framework and common law are inadequate and, after consideration of all other alternatives, the Government considers legislative intervention is warranted the following factors should be included in the legislative model which for the purposes of this submission assumes that ALRC’s model in Appendix A of the Issues Paper is to be used:
(1) The statutory cause of action should not be included in the Privacy Act but in its own stand-alone statute as recommended by the ALRC. Including the statutory cause of action in the Privacy Act would compromise the complaints handling processes administered by the Privacy Commissioner.
(2) The Privacy Act should continue to be the primary source of regulation of banks in respect of the collection, handling and protection of an individual’s personal information in its information cycle.
(3) It follows that there should be appropriately designed defences available to banks that recognise their significant existing privacy and confidentiality obligations and the complaint and external dispute resolution arrangements that they provide for their retail customers. A statutory cause of action would be likely to conflict with provisions of the Privacy Act and the non-curial alternative mechanisms for handling banking complaints and under the Privacy Act.
(4) In 4.2.4 of this submission the ABA proposes a number of appropriate defences; importantly these include a defence of compliance with the Privacy Act and a bank’s common law contractual duty of confidentiality.
(5) The cause of action should be a civil action only.
(6) Completion of a mandatory good faith mediation process should be a pre-condition to the commencement of a statutory cause of action proceeding.
2. Current privacy reform
The ABA actively participated in the review by the ALRC into Australia’s privacy law that resulted in the ALRC’s Report. The writer was a member of the ALRC’s Advisory Committee.
The Government’s first stage response to the ALRC Report in October 2009 covered 197 of the 295 recommendations in the ALRC Report. With respect to the remaining 98 recommendations, of which the proposed statutory cause of action is but one, the Government stated that consultation on these 98 or second stage recommendations would be undertaken once the first stage of the Government’s response had been progressed. AUSTRALIAN BANKERS’ ASSOCIATION INC. 5
The ABA notes that the four elements of the first stage response are advanced but some way away from being legislated. Further, it is noted that only the statutory cause of action is the subject of this consultation process and that, for example, consultation on one other of the 98 recommendations, the handling of personal information under the Telecommunications Act 1997 has not commenced.
This example is mentioned because of the association the Issues Paper has with events that were reported earlier this year about “News of the World” in the UK and media reports of calls for Australia to enact a statutory cause of action.
3. Policy rationale – ALRC Report
The ALRC’s analysis and recommendation for its support for a statutory cause of action relied on:
(1) Uncertainty, piecemeal and fragmented development of a tort by common law courts;
(2) The potential benefits of national uniformity and consistency in the application of the law for invasion of privacy;
(3) Other local law reform commissions’ recommendations;
(4) Overseas developments particularly in the U.S. and in the U.K.; and
(5) Submissions during the ALRC’s consultation process to conclude that:
“ Individuals should be protected from unwanted intrusions into their private lives or affairs in a broad range of contexts, and it is the ALRC’s view that a statutory cause of action is the best way to ensure such protection” 1
It is clear from the High Court’s judgments in Lenah Game2 that the way is open for Australian courts to develop such a law and two subsequent cases cited in the ALRC Report confirm this possibility.3
In the main, business submissions to the ALRC strongly opposed a statutory cause of action. The ABA is similarly opposed. With such a broad scope (“broad range of contexts”) there is the risk of incidental infringement in many legitimate business situations that could result in contact with home and family life. For banks and other creditors this would include situations such as the collection of debts or enforcement of security rights.
From the ALRC Report it appears that in 1983 (ALRC 22) the ALRC declined to recommend the creation of a general tort on the ground that “such a tort would be too vague and nebulous”. In the Issues Paper the ALRC has since concluded
1 ALRC Report 108 at 74.117 2 Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd (“Lenah Game”) 3 Grosse v.Purvis at 74.62 and Doe v. Australian Broadcasting Corporation at 74.65 AUSTRALIAN BANKERS’ ASSOCIATION INC. 6 that essentially the same right should be created by statute, but accompanied by a higher threshold test of seriousness or offensiveness should be developed. The ALRC clearly recognised the risks of a threshold test that was too low. It could be assumed the ALRC would recognise and acknowledge the risks to business posed by a test that is vague or nebulous and which is based on uncertain public interest considerations in balancing the right to carry on business with the objectively determined interests of the individual.
4. Analysis of the ALRC Statutory Cause of Action Model
4.1 Scope of the model
There are many activities that are necessary for a business to carry on its functions and activities. National Privacy Principle (NPP) 1, Collection, recognises this. It provides that collection must be by lawful and fair means and not undertaken in an unreasonably intrusive way. For example, a bank is seeking to locate a defaulting customer or an insurer conducting surveillance of a claimant where there has been cause to suspect that the claim may be fraudulent, would be unlikely to infringe NPP 1. But these inquiries would be unwelcome by the individual and therefore could be interpreted as an “invasion of privacy” under the statutory cause of action model.
The scope of the statutory cause of action would be far wider than NPP 1 and conflict with NPP 14 requiring only proof of, for example, an “interference with an individual’s home or family life” (one of a non-exhaustive list of invasions) to establish the basis of the case for action.
The Collection principle provides an example of why compliance with the Privacy Act should comprise a defence to the statutory cause of action.
The data security principle, NPP 4, is another example where the standard for compliance is based on an organisation taking reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. The statutory cause of action has no such tolerance (for example see 4.2.3 “Fault elements”).
An example of an additional measure to be taken by an organisation could include guarding against the risk that a court may determine that an organisation had been reckless in that its information systems had been compromised by a third party, and so triggering the cause of action despite the organisation having taken reasonable steps in compliance with the Privacy Act to protect those systems from misuse or unauthorised access.
Another relevant aspect is that banks and other financial services organisations have in place proven, well-functioning external dispute resolution arrangements as required under legislation. Individuals are able to access these arrangements free of charge. Disputes involving compliance with the bankers’ duty of confidentiality and the Privacy Act are able to be handled by the Financial Ombudsman Service.
4 The proposed Australian Privacy Principles will significantly upgrade and add to the NPPs. AUSTRALIAN BANKERS’ ASSOCIATION INC. 7
Further, in the case of banks the courts would have to work through a series of complex, and in some cases conflicting legislative and regulatory requirements if a statutory cause of action were introduced such as with interaction with the NPPs, AML/CTF legislation which is characterised in obligations in many other countries in which banks’ cross border operations are conducted. These complexities are further reason why appropriate defences for banks are included in the legislation for a statutory cause of action if the Government decides to proceed in that direction.
4.2 Test for invasion of privacy
The statutory cause of action would have two limbs:
(1) There is a reasonable expectation of privacy; and
(2) The act or conduct complained of is highly offensive to a reasonable person of ordinary sensibilities.
4.2.1 A reasonable expectation of privacy
The plaintiff would bear this onus of proof. The onus of proof should extend to establishing not only the plaintiff’s expectation of privacy but also that this was known or ought reasonably to have been understood by the respondent.
It is not clear on what basis would a court conclude “there is a reasonable expectation of privacy” – the individual’s, the community’s - and how would this be judged or would it be a judge’s view? The word “privacy” is itself imprecise.
Their Honours Gummow J. and Hayne J. in Lenah Game observed this aspect of the decision in Douglass v. Hello!:-
“ Nothing in Douglas suggests that the right to privacy which their Lordships contemplate is enjoyed other than by natural persons. Further, the necessarily tentative consideration of the topic in that case assumes rather than explains what “privacy” comprehends and what would amount to a tortious invasion of it. The difficulties in obtaining in this field something approaching a definition rather than abstracted generalisation have been recognised for some time” 5
4.2.2 Highly offensive to a reasonable person of ordinary sensibilities
These words would be interpreted objectively and the plaintiff would carry the onus of proof. It is unclear how this onus would be discharged and ultimately upon whose view this threshold had been established other than, perhaps, in the most extreme cases where it would be self evident. In the analysis, while this test appears to be high and may still prove to be “vague and nebulous” (to use the ALRC’s words in ALRC 22) and uncertain for business to apply in any given case, the ABA submits it should not be lowered.
5 Lenah Game at 116 AUSTRALIAN BANKERS’ ASSOCIATION INC. 8
Both limbs are intended to be balanced with the interest of the public in maintaining an individual’s privacy and other matters of public interest, for example, the public’s right to know and the constitutional consideration of a right of free speech and the communication of ideas about government and politics.
The Privacy Act recognises the right of a business to engage in direct marketing yet there are sections of the community that consider certain aspects of direct marketing as offensive, possibly even highly offensive, for example the direct marketing of credit products.
Further, it may be assumed that there is a public interest in ensuring the ability of a bank to recover a debt owed to it and to enforce a security right in aid of recovery. However, public interest considerations tend to move with public opinion. What may have been the case about a debtor’s obligation yesterday may not necessarily be the case tomorrow if a public interest consideration includes a departure from the strict performance of that obligation.
The defences proposed in the ALRC model do not appear to extend to balancing the public interest with these types of activity.
4.2.3 Fault elements – “intentional or reckless acts”
The ALRC Report recommendation 74-3 proposes that the cause of action would be restricted to, among other things, an intentional or reckless act on the part of the respondent. At 74.161 of the ALRC Report section 5.4 of the Criminal Code (Cth) is cited as a possible definition of “reckless”. As the statutory cause of action would be a civil action recklessness may have to be determined by application of the civil common law. Courts tend to apply an objective test to the issue of recklessness.
The result for banks and other business organisations would involve going beyond what is required to be implemented in the way of compliance with the requirements of the Privacy Act to guard against accidental, but no less intentional, acts on the part of an employee.
There is the likelihood that the statutory cause of action could be activated by conduct that amounts to a failure to act. This would broaden the scope of the cause of action requiring a business to develop compliance mechanisms that seek to control its activities and also to anticipate where a failure to take action could result in triggering the statutory cause of action. An example could include a bank failing to identify and correct an error on its internal system or file that resulted in an applicant for a credit facility being declined or falling into default and this appearing on the applicant’s credit file.
This can be contrasted with a number of the NPPs in the Privacy Act where an organisation’s compliance obligations go only as far as taking reasonable steps as already noted above.
Again, this is further reason why compliance with the Privacy Act should comprise a defence to the statutory cause of action. AUSTRALIAN BANKERS’ ASSOCIATION INC. 9
4.2.4 Defences
In 4.2.3 above, the circumstances in which an act (or omission) on behalf of an organisation may occur inadvertently or accidentally, but in good faith, should be reflected by a defence if the person had acted in good faith, honestly and reasonably and ought fairly to be excused.
The Issues Paper contemplates a broad range of defences without specifying these in detail. An example where a defence should exist is in the case of decisions by company directors that are able to be adjudged under the business judgment rule in the Corporations Act. A modified version of this rule could be available for organisations and their employees.
If the Government decides to proceed with the creation of the statutory cause of action the ABA requests that a special consultation is convened to discuss the range of defences that should be available to banks as a necessary part of their conduct of banking business.
4.2.5 Defences and the bankers’ duty of confidence
Banks are subject to a common law contractual duty to keep the affairs of their customers confidential. There are four exceptions to this duty; disclosure
with the consent of the customer,
under compulsion of law,
under a duty to the public and
in the interests of the bank.
This rule of confidentiality provides protection to bank customers (individuals and corporations) because of the confidential nature of their banking business and affairs.
The proposed defences available to an organisation do not align exactly with the exemptions that are available to banks under the duty of confidentiality.
In the interests of consistency, these exemptions should receive recognition as defences for an exemption for banks if the statutory cause of action is enacted.
Each of the four exceptions is explained below. AUSTRALIAN BANKERS’ ASSOCIATION INC. 10
Consent of the customer
The customer’s express or implied consent to a disclosure would be self evident of a lack of a reasonable expectation of privacy.
Disclosure under compulsion of law
The ALRC model in the Issues Paper provides a defence for a disclosure under compulsion of law, but there are areas of uncertainty where a judgment whether to disclose in the belief it is required by law proves to be erroneous.
For example, legislative obligations on banks include duties to enquire, obtain, verify and record a wide range of information about their customers. Under AML/CTF6 law banks have obligations to report certain suspicious transactions or persons where the bank has reasonable grounds to suspect the same.
It is unclear under the AML/CTF law whether a bank is relieved from the consequences of providing a report to the regulatory authority where the suspicion may be found subsequently not to have arisen on reasonable grounds. In any event, protection to the bank would be likely to be confined to the application of the AML/CTF law.
Therefore, a report about a person or transaction to the regulatory authority could be actionable under the statutory cause of action if it were made in the mistaken belief that reasonable grounds to suspect existed. These reports are generally of a very serious nature and could result in serious consequences for the person concerned.
Another example relates to the responsible lending obligations on banks and other credit providers under the National Consumer Credit Protection Act 2009 (NCCP) that require a credit provider to obtain information from an applicant about their objectives, requirements and financial situation. The information about the applicant’s financial situation generally must be verified.
It is almost inevitable that this process will involve aspects of an applicant’s home and family life. What would be the implications for a credit provider over anxious to ensure compliance with these obligations if a court considered that the information obtained by the credit provider or verified with third parties was unreasonable and therefore amounted to a serious invasion of privacy?
The defences proposed for the statutory cause of action do not appear to extend to conduct excused by law or conduct pursued in good faith for the purpose of complying with the law.
Duty to the public to disclose
This exception has been the subject of considerable case law.
Under the proposed statutory cause of action would a court reach the same conclusion as the Federal Court in Allied Mills7 in which Sheppard J. stated:
6 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 7 Allied Mills Industries Pty Ltd v. Trade Practice Commission (1980) 55 FLR 125 AUSTRALIAN BANKERS’ ASSOCIATION INC. 11
“The authorities establish that the public interest in the disclosure (to the appropriate authority or perhaps the press) of iniquity will always outweigh the public interest in the preservation of private and confidential information”8
Allied Mills concerned a company’s private documents given to the regulator by an informant but perhaps the principle of disclosure in this case would be likely to be more strictly applied under the statutory cause of action because a case would involve the personal information of an individual.
Disclosure in the interests of the bank
This exception to the duty of confidentiality permits disclosure of a customer’s information, for example, in court documents.
Pleadings in litigation are increasingly more detailed particularly in stating particulars of the claim. The court can strike out a pleading on the ground that it is vexatious, scandalous or simply irrelevant. Would the statutory cause of action provide a right of recourse by the innocent party because the pleading disclosed information that was otherwise expected to be private and was of a highly offensive nature?
The ABA contends that the potential for conflict in court decision-making between the law relating specifically to banks and the existence of a long standing, well established foundation for banks to protect the confidentiality of their customer’s affairs should be recognised. The statutory cause of action should not apply in the case of banks and the duty of confidentiality.
4.2.6 Amendments to the Privacy Act
The substantially enhanced Australian Privacy Principles (APPs) have yet to be legislated. Compliance with the APPs, without more, would protect an organisation from a claim that the organisation was in breach of the Act.
Further, the Government has agreed to reform Part IIIA of the Privacy Act to facilitate a more effective credit reporting system for Australia with appropriately strong privacy protections.
Consideration of how these reforms would apply in the context of a statutory cause of action is unknown. The ALRC at one point suggests that the two bodies of law could co-exist creating multiple legal and, in the case of the statutory cause of action, litigious consequences for breach. The ALRC concluded that the two regimes should not be included in the Privacy Act. The ABA agrees.
5. Regulatory principles and regulation
Events in the UK concerning telephone hacking by the “News of the World” have been the catalyst for bringing forward the Government’s consideration of the ALRC’s recommendation for the introduction of a statutory cause of action.
8 Ibid at 166 AUSTRALIAN BANKERS’ ASSOCIATION INC. 12
In Australia, there has been no attempt to identify a demonstrated need of sufficient proportions for a government to consider a best practice regulation approach to how such a failure might be addressed once the failure had been conclusively identified.
The ABA and the Government support the Office of Best Practice Regulation (OBPR) principles for best practice regulation. The OBPR sits within the Government’s Department of Finance and is under the responsibility of the Minister for Finance and Deregulation.
One of those key principles is “establishing a case for action before addressing a problem”.
5.1 Australia’s privacy regulatory paradigm
It is noted the ALRC considers that the proposed statutory cause of action should be enacted in federal legislation because the cause of action would extend beyond information privacy.9
The ABA foresees a substantial shift in Australia’s approach to privacy protection if the statutory cause of action is introduced. Private sector amendments to the Privacy Act (other than credit reporting) were made in 2000 and were broadly embraced by major private sector organisations. The amendments were characterised by the government of the day as “light touch”, coupled with powers for the Privacy Commissioner to administer the new laws and handle privacy complaints. Banks and other major business organisations supported this approach.
In contrast, the statutory cause of action would represent a substantial shift to a litigious model in privacy law in Australia. Business would be the main sector impacted by this change to a court administered cause of action. Creating the statutory cause of action would rekindle calls for extending that court based litigious approach to the Privacy Act itself. This could lead to consumer detriment in terms of access to justice while at the same time being seen by the business community as another unnecessary impost on business.
Litigation funders (one leading litigation funder is a listed company) and class action firms specialise in the type of commercial opportunity that a statutory cause of action would create. Plaintiffs in these actions are protected from adverse costs orders unless the litigation funder is unable to pay.
Under the ABA’s alternative approach above (1.2) and in the ABA’s response to question 19 in the Schedule, it is suggested there should be a requirement for a mandatory procedural threshold to be reached before a court action based on the statutory cause of action could be commenced.
This threshold would require the parties to engage in a good faith mandatory mediation process, perhaps convened by the Privacy Commissioner, as a pre- condition to the exercise of the right of action. The process would be confidential.
9 ALRC Report at 74.193 AUSTRALIAN BANKERS’ ASSOCIATION INC. 13
Evidence of anything said or admitted and a document prepared for the purposes of the mediation would be inadmissible in any court proceedings.
As a concluding observation, political parties, politicians and their contractors enjoy an exemption under Australia’s Privacy Act for their political acts and practices. Media organisations also enjoy an exemption under the Act for acts or practices engaged in the course of journalism and the organisation has publicly committed to privacy standards. In enacting a statutory cause of action would government agencies and these participants in the political and journalistic processes be exempt from the cause of action?
6. Conclusion
The ABA submits that the statutory cause of action is not warranted and, if created, it would result in additional risk, compliance obligations and costs of carrying on business for Australian banks that are already subject to a range of soon to be enhanced obligations under the Privacy Act. The Government has the opportunity to take account of these impacts by providing for well designed defences that recognise the regulatory requirements on banks and the nature and conduct of banking business.
The ABA is concerned that the Issues Paper focuses more heavily on how to introduce the cause of action rather than examining whether there is a demonstrated need for its introduction (17 of the 19 questions deal with the composition of the proposed cause of action and only two on whether a respondent supports the introduction of a statutory cause of action and whether the common law should continue to develop).
If the Government intends to proceed to create the statutory cause of action a special consultation should be convened to understand and design the types of defences that ought to be available to banks as a necessary part of their conduct of banking business.
Yours sincerely AUSTRALIAN BANKERS’ ASSOCIATION INC. 14
Schedule
1. Do recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia?
ABA Response: No.
The regulatory approach in the Privacy Act is designed to be technologically neutral. The existing national privacy principles and the proposed APPs deal with the personal information handling cycle (ALRC Report 10.115). The ALRC made several recommendations in Chapter 10 of the ALRC Report on accommodating developing technology in a regulatory framework that the Government has accepted in its first stage response.
These measures involve encouraging privacy enhancing technologies, publication by the Privacy Commissioner of educational and informational materials for the public and organisations, development by the Privacy Commissioner of guidance on technologies that impact on privacy and the privacy implications of data matching.
2. Is there a need for a cause of action for serious invasion of privacy in Australia?
ABA Response: No.
The reasons are set out in the accompanying submission. If a decision is made to proceed with the introduction of a cause of action for serious invasion of privacy, there should be defences available to banks that recognise their regulatory obligations and the nature and practice of banking business. Specifically, there should be a defence of compliance with the Privacy Act.
3. Should any cause of action for serious invasion of privacy be created by statute or be left to development at common law?
ABA Response:
The ABA’s submission is that the development of the common law should be the Government’s option.
4. Is ‘highly offensive’ an appropriate standard for a cause of action relating to serious invasions of privacy?
ABA Response:
The ABA opposes the statutory cause of action but submits that the “highly offensive” threshold proposed by the ALRC should be the minimum threshold.
5. Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)? AUSTRALIAN BANKERS’ ASSOCIATION INC. 15
ABA Response:
The ABA opposes the statutory cause of action but submits that decisions about the integration of defences or whether they should be separate is an example of the complexity of the proposal and uncertainty of its outcomes with the resulting impacts on business certainty, costs and business interruption.
If this becomes a decision point the ABA submits that the defences should be integrated so as to ensure a plaintiff carries the evidentiary onus.
Defences should extend to those further defences put forward in the ABA’s submission above including the Government convening a special consultation on the defences that should be available to banks.
6. How best could a statutory cause of action recognise the public interest in freedom of expression?
ABA Response:
The ABA opposes the statutory cause of action and notes that account should be taken of His Honour Kirby J. in Lenah Game where His Honour concluded that the Full Court had erred in the exercise of its discretion in failing to give proper weight to the constitutional consideration favouring the legitimate matters of governmental and political concern.10
That this failure had occurred in the Full Court suggests there is a greater need for the public interest criterion to be more certain, because its application would be of a discretionary nature.
7. Is the inclusion of ‘intentional’ or ‘reckless’ as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault?
ABA Response:
The ABA opposes the statutory cause of action but has noted in media commentary that the language of “negligence” has been introduced into the commentary by interested parties. This suggests that there are stakeholders who do not consider a higher threshold is necessarily desirable and is an indication of the regulatory risks associated in seeking to enact a statutory cause of action.
Further, the ALRC Report associates ‘intentional’ or ‘reckless’ fault elements with the acts of the respondent who is expected to know whether there is the reasonable expectation of privacy and that the act complained of is highly offensive to a reasonable person of ordinary sensibilities.
It is unclear whether a respondent would be expected to judge these aspects if the plaintiff is not required to prove the respondent’s knowledge or reasonable expectation of them and then balance freedom of expression that could ultimately be overridden by a court.
10 Lenah Game at 220 AUSTRALIAN BANKERS’ ASSOCIATION INC. 16
8. Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient?
ABA Response:
The ABA opposes the statutory cause of action but notes that the addition of the list of matters proposed by the NSWLRC would compound the uncertainty that the statutory cause of action would create. Rather than clarify the liability of a business under the cause of action, the list would introduce a range of ill-defined contexts that a court must consider in determining whether a person’s “privacy” had been “invaded”, two expressions that are themselves imprecise. For example, adding a criterion of a person’s position of “vulnerability” raises questions with respect to what is the person vulnerable; the conduct, the person’s state of mind, public profile, personal circumstances, liability or susceptibility to criticism, responsibility or accountability and so on.
Item 74(3) (a) (vii) of the list would impose some requirement of foresight on the respondent accused of invading the person’s privacy to know of the person’s health and emotional state which in turn is sensitive information under the Privacy Act.
9. Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material? If a list were to be included, should any changes be made to the list proposed by the ALRC?
ABA Response:
The ABA opposes the statutory cause of action and for the reasons outlined in this submission there is substantial uncertainty and generalities in the list of activities in ALRC recommendation 74-1.
10. What should be included as defences to any proposed cause of action?
ABA Response:
The ABA opposes the statutory cause of action noting that recommendation 74-4 of the ALRC Report states that the range of defences to the statutory cause of action provided for in federal legislation should be listed exhaustively and include three further defences.
In this case, the defences should include both criminal and civil defences and without limitation should include business conduct that is in the ordinary course of business and adaption of the directors’ and officers’ business judgment rule for organisations. A special consultation convened by the Government should be undertaken to consider defences that should be made available to banks.
11. Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application? AUSTRALIAN BANKERS’ ASSOCIATION INC. 17
ABA Response:
The ABA opposes the statutory cause of action and as outlined in its submission recommends that application of the proposed tort to banks is unnecessary and burdensome. Compliance with the Privacy Act should be a defence.
There is mention in 4.1 of this submission and below in response to Question 19 of the proven well functioning external dispute resolution arrangements that banks have in place for handling individual customer banking disputes, including disputes involving compliance with the bankers’ duty of confidentiality and the Privacy Act. It is unclear how these arrangements would apply successfully in a court based system.
These are features that the Government should take into account in framing the ambit of the proposed cause of action. It is expected that media organisations and those currently not subject to the Privacy Act will express views about any further exclusions.
12. Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action?
ABA Response:
The ABA opposes the statutory cause of action and at this stage reserves its views based on there having been no Government decision to proceed with the proposed statutory cause of action.
13. Should the legislation prescribe a maximum award of damages for non- economic loss, and if so, what should that limit be?
ABA Response:
The ABA opposes the statutory cause of action but notes that the point made in the Issues Paper about shopping around for monetary gain is relevant. Any damages for non-economic loss should be nominal particularly as the respondent may be deemed to know the vulnerabilities of the plaintiff which the ABA submits should be part of the plaintiff’s proofs.
14. Should any proposed cause of action require proof of damage? If so, how should damage be defined for the purposes of the cause of action?
ABA Response: The ABA opposes the statutory cause of action.
The proposal to create the cause of action as actionable per se without proof of damage in the same way as the tort of trespass is not appropriate.
The statutory cause of action is intended to be defined by statute that will include a range of criteria that the ABA considers are far too vague and unintelligible compared with the clarity of the proofs required to establish a case of trespass.
Damage, as is the case with a claim in negligence, should be the essence of the cause of action. AUSTRALIAN BANKERS’ ASSOCIATION INC. 18
15. Should any proposed cause of action also allow for an offer of amends process?
ABA Response:
The ABA opposes the statutory cause of action but has proposed a mandatory mediation process in this submission.
An offer of amends by a respondent that is rejected by a plaintiff, that a court considers ought to have been accepted, should constitute a defence and an entitlement for an order for costs.
16. Should any proposed cause of action be restricted to natural persons?
ABA Response:
The ABA opposes the statutory cause of action. If enacted, the statutory cause of action should be limited to a claim by natural persons.
17. Should any proposed cause of action be restricted to living persons?
ABA Response:
The ABA opposes the statutory cause of action. If enacted, the statutory cause of action should be limited to natural living persons for the reasons in the ALRC, NSWLRC and VLRC reports.
18. Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced?
ABA Response:
The ABA opposes the statutory cause of action. If enacted the proposed limitation period of one year would be sufficient.
19. Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy?
ABA Response:
The ABA opposes the statutory cause of action but if enacted, the ABA has proposed that consideration is given to a good faith mandatory mediation process, perhaps convened by the Privacy Commissioner, as a pre-condition to the exercise of the right of action.
Only a court exercising Commonwealth judicial should have jurisdiction.
Although, it is noted that the submission by the Privacy Commissioner to the ALRC footnoted at 241 on page 2582 of the ALRC’s report indicates the implications of a split Privacy Act complaints handling system between the Privacy Commissioner and the court. The result could be one or the other; a comprehensive complaints handling system by the Privacy Commissioner for all Privacy Act and statutory cause of action matters a single system administered by the courts. It is unclear what role the extensive mandatory external disputes AUSTRALIAN BANKERS’ ASSOCIATION INC. 19 resolution arrangements which banks and other financial services providers have in place would play in a court administered system and how detriment to individuals in accessing justice would be avoided.