Privacy Coverage 5 August 2011

August 9, 2011 |

The coverage continues in both the major publications but also some of the more boutique outlets.  In the Media section of the Australian, there is Do not repeat the mistakes of overseas laws, warns Nick Xenophon

INDEPENDENT senator Nick Xenophon has called for any inquiry into privacy and the media to examine the operation of laws overseas that in some cases have prevented the exposure of misconduct by rich and powerful figures.

The South Australian said French laws had prevented disclosures about misconduct by senior figures and it was important that privacy laws were not used as a shield behind which the rich and powerful could hide.

Senator Xenophon’s comments come as the government has promised a new discussion paper on privacy laws and the Greens demanded a wide-ranging inquiry into the media.

It follows Rupert Murdoch’s closure of his British tabloid the News of the World last month due to the phone hacking scandal.

Julia Gillard responded by saying Australians would have “hard questions” to ask News Corporation’s local subsidiary, News Limited, which publishes The Australian. She did not elaborate.

The new discussion paper follows a 2008 recommendation by the Australian Law Reform Commission for a legal right to privacy.

But opposition justice spokesman George Brandis said the ALRC report recommended the exemption from the Privacy Act for journalists should not only remain but be extended.

“Nowhere in the discussion of journalistic practices did the ALRC cite instances of abuse which warranted greater restrictions on press freedom in the name of privacy,” he said. “On the contrary, by recommending the broadening of the exemptions of journalists from the operation of the Privacy Act, it implicitly concluded the opposite.”

Senator Brandis also criticised the government’s formal response to the report in 2009, which failed to address any of the ALRC’s four recommendations relating to journalism.

Australian Press Council figures show breaches of privacy made up less than 6 per cent of the complaints received in the past year. Of the 520 complaints it received, less than 30 concerned breach of privacy. Most were dismissed or mediated between the parties.

Since 1993, more than 800 complaints alleging a privacy breach have been made, but the council upheld only 45 for a whole or partial breach of an individual’s privacy by a member.

The privacy debate has unleashed a row over whether political parties should remain exempt from privacy laws, enabling them to collect information about voters that they keep on party databases.

Senator Xenophon said voters should have an “opt-out clause” under which they could refuse to allow information to be collected by political parties.

 

In the Australian ,Tort will impose runaway costs on society, Chris Merritt has another go at a privacy tort. It should be noted that there is no discussion paper yet, no exposure draft of any bill.

BRAND new torts do not come along every day. And when they do, their creators are guaranteed a place in the legal history books.

Perhaps true.  But so what.  There are some enforceable causes of action which arise and make little mark.  They are there to deal with an anomoly.

The way things are going, Brendan O’Connor could soon have a place of honour right alongside the unfortunate snail that crawled into a bottle of ginger beer, triggering a 1932 court case that created the law of negligence.

But in one important aspect, O’Connor’s efforts will surpass those of the snail. The House of Lords created the law of negligence in the famous case of Donoghue v Stevenson. But its final shape — in Australia at least — was not set until a wave of tort reforms wound back its excesses almost 10 years ago.

This is assertion and scaremongering.  A stand alone tort of privacy probably does not give rise to the impact of negligence.  The elements of a tort of privacy are more narrow on any proposed version of such a statutory cause of action.

But O’Connor is working on a plan for a statutory tort of privacy that looks like being fully developed when it emerges from the final stage of the process that has only just begun in Canberra.

The struggle to strip negligence of its excesses has clear lessons for O’Connor, who is under pressure to create a tort without first collecting hard data on the extent of the problem it is meant to address. Just before tort reform, the negligence tort went wild, rampaging through the coffers of the business community, local councils and ultimately the insurance industry.

This is clever but fairly obvious piece of obstructionism.  He suggests that legislative reform or action regarding a person’s rights or proposed right requires a collection of hard data to work out “the extent of the problem it is meant to address.”  What is the objective criteria to be. He doesn’t suggest one and it is fair to say that whatever it is will not be enough. If there was no tort of trespass and Government proposed such a cause of action does Merritt seriously suggest that it will be necessary to work out how many trespasses occur per day, month or year and what effect that has on the person or property affected.  And yet does anyone seriously suggest that there is no intrinsic right to be free of unauthorised or illegal intrusion.  Damages are presumed in such an action.  It is not a measure of economic loss as a starting point.  Similarly there was no need to do a cost benefit analysis of section 52 of the Trade Practices Act 1974.  There was clearly a need to deal with misleading and deceptive conduct.  And so it is with a right to privacy. Every cause of action, common law and statutory, is moderated by way of defences, limitation on what can be the subject of award and the calculation of those damages. In short basic rights do not need a cost benefit analysis to exist. But there are always competing interests which may need to be catered for by way of a defence or limitations on a claim.  There are significant instances of breaches of privacy both in Australia and overseas to highlight the potential and actual threat to a person’s rights to be let alone.  As importantly the ongoing threat to privacy by modern technology is something proactive rather than reactive approach.   A recent for example is an Economist article Anonymous no more, where the authors said “

But the most striking result was from a third experiment. By mining public sources, including Facebook profiles and government databases, the researchers could identify at least one personal interest of each student and, in a few cases, the first five digits of a social security number. All this helps to explain concerns over the use of face-recognition software by the likes of Google and Facebook, which have been acquiring firms that specialise in that technology, or licensing software from them. (Google recently snapped up Pittsburgh Pattern Recognition, the firm which owns the programme the researchers used for their tests.) Privacy officials in Europe have said they will scrutinise Facebook’s use of face-recognition software to help people “tag”, or identify, friends in photos they upload. And privacy campaigners in America have made a formal complaint to regulators. (Facebook notes that people can opt out of the photo-tagging service by altering their privacy settings.)

Given the sensitivity, Google decided not to release a face-recognition search engine it had made. Eric Schmidt, the executive chairman, has said it took the decision because “people could use this stuff in a very, very bad way, as well as a good way.” But face-recognition methods may still spread. As Mr Acquisti says, sharing named photos online has “opened the floodgates” to a new, privacy-sapping world. Shutting them will be hard.

The Economist is hardly a wild eyed publication which is business unfriendly.

When former NSW chief justice Jim Spigelman finally blew the whistle, some judges were finding liability too readily, so they could dole out money to compensate individuals they considered worthy.

The problem was that the money being handed out belonged to somebody else. And that somebody was usually an insurance company.

Spigelman memorably described negligence as the last outpost of the welfare state. And that was all the excuse that former NSW premier Bob Carr needed to get tort reform rolling.

Merritt’s paraphrasing is taken from a comment, obiter, by Spiegelman CJ in Reynolds v Katoomba RSL All Services Club Limited [2001] NSWCA 234 (20 September 2001) where he said:

26    In many respects the tort of negligence is the last outpost of the welfare state. There have been changes over recent decades in the expectations within Australian society about persons accepting responsibility for their own actions. Such changes in social attitudes must be reflected in the identification of duty of care for purposes of the law of negligence. The recent authoritative statements in Perre v Apand and Agar v Hyde give greater emphasis, in the development of the law of negligence, to the acceptance by individuals of a personal responsibility for their own conduct, than may have been given in the past.

27    This Court should be very slow indeed to recognise a duty to prevent self-inflicted economic loss. Loss of money by way of gambling is an inherent risk in the activity and cannot be avoided. (See e.g. Rootes v Shelton [1967] HCA 39; (1967) 116 CLR 383 at 385 per Barwick CJ; Prast v Town of Cottesloe [2000] WASCA 274; (2000) 22 WAR 474 at [32] per Ipp J.) Nevertheless, whether a duty arises in a particular case must depend on the whole of the circumstances, even in the case of an inherent risk. (See Rootes v Shelton (supra) at 390 per Kitto J and Agar v Hyde (supra) at [14] per Gleeson CJ.)

28    The only feature of the present case which could create a duty of care arises from the express knowledge on the part of the Respondent of the Appellant’s gambling problem. Furthermore there were express requests made to the club not to permit him to cash cheques. I have set out the findings of fact above.

(Emphasis added)

And his Honour has been very involved in the discussion over the development of negligence as well as other aspects of civil law.  And so he should.  For example he gave a very thoughtful speech Negligence: The Last Outpost of the Welfare State to the Judicial Conference of Australia; Colloquium 2002.  His commenteray at paragraph 26 is part of a longer judgment regarding the issue of autonomy.  His speech in 2002 was a contribution to the debate about the development of the laws of negligence.  In the latter he considered the developments in Australia to the no fault scheme in New Zealand.  He expressed his view for reform.  He did not call for the abolition of negligence as a cause of action.  How exactly is the changes to the law of negligence analogous to the creation of a statutory right to privacy?  How is one sentence in a judgment supposed support to Merritt’s claim.  It is school level debating in print.

Which brings us to O’Connor. As midwife to a new tort he finds himself in a position that might look odd to the tort reformers of a decade ago.

No.  The causes of action are not analogous.  The impact of a privacy tort, an intentional tort, is not as broad or extensive as negligence. And there is no evidence that a privacy tort will have the economic impact throughout a community as the law of negligence had or still has.  What Merrritt declines to mention is that the tort reforms did not remove negligence as a cause of action.  As with the common law development it lead to unintended consequences which has lead to amendment and probably will continue to do so.

Unlike Spigelman and Carr, the proponents of the privacy tort have not yet grasped that litigation imposes costs on society that might not be readily apparent. Instead, O’Connor has been taking advice on privacy law from the Australian Privacy Foundation — an industry lobby group that would like him to go well beyond a mere tort and impose criminal liability for some privacy breaches.

What exactly are these costs and where will they be borne?  A cause of action may have an impact on a transgressor.  But why not.

If the federal government presses ahead with its proposed privacy tort, O’Connor has made it clear he is only interested in a civil action. But media lawyers have already warned that it will have a chilling effect on free speech.

Therre is a tort of privacy in the United States and New Zealand.  There is a breach of confidence action, morphing into a tort of privacy, in the United Kingdom.  In each of these jurisdictions the press functions quite adequately. What is the chilling effect, in real rather than hypothetical debating terms.

But there are more tangible costs. The real impact of this tort would be felt by business and the public sector — which will be vulnerable to litigation under the plans being considered.

Companies and government agencies hold far more private information than the media. And that fact alone means they face a larger risk of “data breaches” — or the improper disclosure of private information — that could trigger liability under the privacy tort.

Companies and government agencies are bound by the operation of the Privacy Act as it is.  That imposes obligations upon them.  That may involve costs.  Does Merritt suggest there not be a Privacy Act?  It has been in existence since 1988.  It is far from perfect, and sins are committed in its name (“Blame it on the Privacy Act” syndrome) but is it suggested that government agencies and business not take care with data relating to individuals.  A data breach does not immediately give rise to a cause of action.  That is illogical.  For starters it is useful, and some would say essential, to view the proposed legislation to determine the extent of potential liability.  To claim crisis in the absence of particulars is just scaremongering.

“It is not just media companies that could potentially be caught by this new legislation,” says Peter Butler, a former managing partner at Freehills.

“Those organisations that are required to hold large amounts of personal information would be more susceptible to such claims.”

These quoted comments are more assertion than actuality.  It depends on what the elements of the tort are.  If an organisation takes insufficient care to secure data or releases it without authorisation it may be in breach of the Privacy Act.  The difference in a statutory tort of privacy is that the person who is immediately affected by the breach can take action.  Whether such an option is open depends on the nature of the legislation, the nature of the breach and any defences.

When compared to negligence, some parts of the privacy tort scheme being considered by O’Connor are more pro-plaintiff while others are not.

O’Connor has said he plans to produce an issues paper on the tort that will be based on 2008 recommendations by the Australian Law Reform Commission.

It will not be confined to the ALRC’s recommendations, but those recommendations will form its basis.

Whatever its final form, this tort will cost money.

This is so vague as to be nearly meaningless.  What will cost money.

Even if O’Connor caps the potential damages, he will be unable to cap the legal costs that will inevitably be incurred by companies once this new head of corporate liability is in force.

First the issue of corporate liability is a misnomer and misrepresents what it proposed.  That a corporation may commit a breach of privacy giving rise to a cause of action does not constitute a corporate liability as if it were different to any other person committing a breach.  It is not like an overall tax or a cause of action directed at companies.  Where is the evidence, rather than assertion, that a heavy burden will be put upon coprorations.  The question of legal costs apply to any form of litigation.  And it is a real issue.  But it applies to breach contract actions, trade practices issues, common law claims and civil prosecutions.  It is not a matter that besets  tort of privacy.

So the critical question is whether the benefits flowing from this proposed cause of action would justify the costs it will impose on business and society as whole.

Is this the critical question.  It is a flawed analysis.  What are the benefits of the protections flowing from the tort of trespass and nuisance.  Is it amenable to a costs benefits analysis.  Similarly with a tort such as privacy the benefits is being protected from a serious breach of a privacy right, and being able to take action for such a breach.  What are the costs?  Most individuals do not engage in privacy breaches just as most don’t engage in wanton trespasses.  What particular costs will a person or a corporation need to incur to prepare for such a law.  And what is the cost to society?

Peak business groups argue that the government has not made the case that there is a need for a privacy tort in this country.

Steven Wojtkiw of the Victorian Employers Chamber of Commerce and Industry says he has seen no evidence to suggest there is an endemic problem in the way businesses maintain the security of their data.

“Good business practice demands it,” says Wojtkiw, who is VECCI’s executive manager policy. “Existing privacy laws provide consumers with solid protections around how their personal information is used.

“If a case was demonstrated that stronger data security undertakings were needed, there is no reason that clear guidelines and codes of conduct could not achieve the changes in business conduct that might be sought, rather than more red tape and regulation.”

His views are in line with those of the NSW Business Chamber and the Australian Bankers Association.

According to the ABA’s policy director Ian Gilbert, “The government has to be courageous enough in the face of all it has said so far — and what is emerging overseas — to say that we don’t need a tort like this in Australia.”

If there is no endemic problem with the way business maintain the security of their data then why is there such a concern about the tort?  Much like a statutory right to privacy it is not industry specific, whether that industry is the media or business.  It can apply to an individual, as was the case in Giller v Procopets.  There are no shortage of examples where individuals have engaged in conduct which compromises someone’s privacy and that person has not had recourse to take action.  Similarly such rights overseas have not stopped businesses from functioning or flourishing.

When O’Connor announced the government was considering introducing a privacy tort, he justified the move by stating in a press release that there had been “mass breaches of privacy, both at home and abroad”.

This of course has little to do with the findings of reports of the ALRC, the NSWLR and VLR all of which found there is a need for privacy protections available to individuals whose privacy has been breached.  One comment or a serious of comments by a minister is hardly relevant one way or another.

It is slowly becoming clear why the government has not yet revealed comprehensive details of these breaches. They may not exist.

Federal law does not require companies to report every data breach to the federal Privacy Commissioner. As a result, the commissioner has to rely on voluntary reporting.

Privacy Commissioner Tim Pilgrim would like to see the law changed so that companies are forced to tell the commissioner about data breaches. But until that happens, all he has to go on are voluntary notifications.

And the figures on data breaches compiled by the Privacy Commissioner in his last annual report do not appear to show evidence of widespread breaches of privacy by the business community.

“The office received 44 voluntary data breach notifications (DBNs) in 2009-10,” the annual report says.

Pilgrim’s spokeswoman said he did not want to talk about the privacy tort. But he did issue a statement saying, “In principle, I support mandatory data breach notification”.

All of these comments presupposes that it is necessary to find a pattern of data breaches.  The question of voluntary notification versus mandatory notifications is a live issue but that is not relevant to whether or not there should be a statutory right to privacy.

Privacy Foundation chairman Roger Clarke says he knows that data breaches are taking place but because notification is not compulsory “we don’t know the full extent of data breaches”.

“From time to time organisations put their hands up and talk to the Privacy Commissioner . . . and disclosure is improving even though there is no law,” he says.

Once that law is in place, Clarke accepts that reliable data would be available outlining the extent of accidental data breaches as well as cyber attacks from hackers.

So on the face of things, it looks like the peak business groups could have a point. If federal law does not require companies to report data breaches, how can the government be sure there is a major problem.

This conclusion is predicated on dividing a statutory cause of action as applies to different industry.  The whole point of a statutory cause of action, much like any general cause of action such as trespass or nuisance, is that the principles apply across the field.  So whether there is a major problem with data breaches in the a particular industry or generally is not really all that relevant.  If there isn’t then exposure to any action is minimal.

Even if there is evidence of “mass” breaches elsewhere, the absence of comprehensive information about the extent of data breaches by business would make it impossible to determine whether the cost that is about to be imposed on the business community is justified.

Yet even before there is reliable information about the extent of these breaches, Clarke says a range of sanctions should be available for certain breaches, starting with civil penalties and finishing with criminal offences.

It is fair enough to consider civil action for breaches from first principles.  The issue is whether there is a right that needs protecting.  If that is the case then some enforcement process should be available.  If it is a person’s right then in the common law system it is a question of damages, declaratory relief or injunctive relief.  For a statutory right of action the relief is specified in the statute.

The extent of the threat facing business can be gauged by one of the scenarios that featured in discussions this week between O’Connor and Clarke, who is one of the key proponents of a privacy tort. That scenario would result in an outcome some might consider odd: corporate victims of crime could be successfully sued for damages or even aggravated damages. Here is the scenario that Clarke says he outlined to O’Connor:

If hackers engage in a criminal act and steal private information such as credit card numbers from a company, the same company could be hit with civil action under the privacy tort.

Some of those in the business community might consider this strange. When it was reported in The Australian on Wednesday, one concerned reader called to point out what he believed had to be a mistake.

But Clarke considers this to be an appropriate outcome whenever hacked companies had treated the privacy of their clients’ recklessly. Under the ALRC’s scheme, recklessness would be one of the key tests for liability. And according to Clarke, it would not be static.

He told The Australian it could arise if a company failed to keep up to date with the changing techniques used by computer hackers or if companies ignored improved security methods.

So if this tort is enacted, Clarke believes all companies will need to pay a great deal of attention to improving firewalls and other security systems that protect customers’ data.

It may be that companies will need to pay more attention to improving data security. It is hard to say.  This argument is inconsistent with the basic premsie set out above, that there is no major problem, or a even a minor problem.  If a company takes a cavalier approach with information of another then why shouldn’t the company be exposed to an action.  It is hardly a a novel context.  In the commercial field banks have an obligation to protect their clients accounts.  If their processes are deficient and they cash a cheque that should not have been honoured then why shouldn’t the customer hold the bank to account.  One aspect of the law of bailment requires the the bailee to store and care for goods in a particular way.  If they aren’t then the bailee may be liable.

And Clarke should know. As well as being chairman of the Privacy Foundation, he is director and chairman of his own business, Xamax Consultancy, which makes its money by advising companies how to improve data security and privacy.

Cheap shot and low blow.  This raises the specter of self interest.

After his meeting with O’Connor, Clarke made it clear he believed criminal liability for companies would complement the civil liability that could be imposed by the tort. This would add to the incentive to ensure companies have data security systems that are up to date.

“Recklessness is the sort of test that we think would make it much easier to prove your case in a civil matter — and it would be the point at which contemplation of criminal offences would cut in,” Clarke says.

When The Australian asked O’Connor what he thought about Clarke’s proposal for criminal sanctions, the minister said he was happy to hear the full breadth of views, “however the proposal I am considering is for civil remedies — not criminal”.

So while criminal penalties for privacy are not being considered at the moment, the business community is on notice.

It is now known that O’Connor has been taking advice about the future of privacy law from an industry lobby that wants to make companies not just liable but criminally liable.

The main issue is a statutory right to privacy.

 

Leave a Reply