Chapter 26 of the Privacy Act Review Report, A direct right of action. A reasonable proposal compromised by a dreadful gateway model.
September 4, 2023 |
The Privacy Act Review Report recommends, at Chapter 26, that individuals or representative groups have a right to a direct action under the Privacy Act. It is a good idea with terrible design flaws. It is an improvement on the current legislation but could be much better.
The Report with no hint of understatement stated that the avenues available to individuals to litigate a claim for breach of their privacy under the Act are limited.
Currently Individuals may:
- make a complaint to the Commissioner about an alleged interference with their privacy. If the Commissioner chooses to investigate then it may result in a determination which can be enforced in the Federal Court and Federal Circuit Court. It generally takes around 2 years to go from complaint to determination.
- apply to the Federal Court and the Federal Circuit Court for injunctive relief for contraventions of the Act.
- apply for a compensation order after the Federal Court or Federal Circuit Court has made a civil penalty order or the entity has been found guilty of an offence relating to credit provisions. The Commissioner has not completed a civil penalty prosecution in the almost 10 years the provision has been in place.
A majority of the submissions supported introducing a direct right of action. As it would provide consumers with greater control over their personal information, whilst also creating additional incentives for APP entities to comply with their obligations under the Act. The opponents to a direct right are the usual suspects; digital platforms, telecommunications companies, media organisations, technology industry groups, industry bodies and medical indemnity insurers. The arguments against are familiar, a direct right of action would burden the courts, adversely impact business and the current system works just fine. Old and stale arguments which are driven by self interest, not rational policy.
The rationale for the direct right of action is described as:
- an important measure to enhance individuals’ control of their personal information, and reflect current community expectations.
- increasing the avenues available to individuals who suffer loss as a result of an interference with privacy to seek compensation.
- increasomg consumers’ bargaining power with businesses that collect and use their personal information.
- giving Australians comparable rights to those available to individuals under overseas data protection laws including in the EU, New Zealand and Singapore.
- encourage compliance with the Act.
The Report proposes that the direct right of action be available to any individual or group of individuals whose privacy has been interfered with by an APP entity. That includes representative groups. The venue would be the Federal Court or the Federal Circuit Court
Unfortunately the Report seemed to accept the weak argument that the potential impact of a direct right of action upon court resources and recommends a gateway model. It is a dreadful waste of time. Under the model proposed claimants would first need to make a complaint to the Commissioner or other complaint handling body to have their complaint assessed for conciliation. The complainant could then elect to initiate action in court either:
- instead of pursuing conciliation
- after conciliation has proven unsuccessful
- where the Commissioner has determined the matter not suitable for conciliation, or
- where the Commissioner has terminated the matter.
The complainant would also need to seek leave of the court to make the application. Needless to say the Commissioner thought it a good idea on the basis that:
- it would ensure that it continues to have national oversight of privacy issues,
- it enables the identification of systemic issues which may direct it toward further regulatory or enforcement action.
- the Commissioner has expertise in resolving privacy complaints.
Under this modeal the parties will be required to make a complaint to the Commissioner first and attempt conciliation where it is deemed. Only when the Commissioner is satisfied there is no reasonable likelihood that the complaint will be resolved by conciliation and has notified the complainant and respondent of this, or the decides not to investigate a complaint and the matter is deemed unsuitable for conciliation will the complainant would have the option to pursue the matter in court. But if the Commissioner decided not to investigate a complaint on the basis that the act or practice to have involved an interference with the privacy of an individual, or the complaint was frivolous, vexatious, misconceived, lacking in substance or not made in good faith, the complainant will need to seek leave of the court to bring an application.
While the process is similar to that under the Australian Human Rights Commission Act 1986 (Cth). Over the period 2016-2021, that does not mean it is good. The Commissioner’s track record is poor. It is a slow process, the pressure is to settle for a small amount and adds procedural complexity
Fortunately there is no damage serious interference threshold before a complaint can be made. The direct right of action be available to any individual or group of individuals who have suffered loss or damage as a result of privacy interferences by an APP entity. Loss or damage would need to be established within the existing meaning of the Act, including injury to the person’s feelings or humiliation.
The Report proposes that the Commissioner be able to appear as amicus curiae or to intervene in proceedings instituted by individuals under the Act, with leave of the court. Strictly speaking that does not need to be legislated. Whether the Commissioner will want to exercise that right very often is open to doubt.
The Report proposes that remedies available under the direct right of action be any order the court sees fit, including any amount of damages.
The Report proposes that the Act should be amended to permit individuals to apply to the courts for relief in relation to an interference with privacy with the following design elements:
- The action would be available to any individual or group of individuals who have suffered loss or damage as a result of privacy interference by an APP entity. This would include claims by representative groups on behalf of members affected by breaches of the Act.
- Loss or damage would need to be established within the existing meaning of the Act, including injury to the person’s feelings or humiliation.
- The action would be heard by the Federal Court or the FCFCOA.
- The claimant would first need to make a complaint to the OAIC and have their complaint assessed for conciliation either by the OAIC or a recognised EDR scheme.
- Where the IC or an EDR is satisfied there is no reasonable likelihood that the complaint will be resolved by conciliation or the IC decides a complaint is unsuitable for conciliation, the complainant would have the option to pursue the matter further in court.
- In cases where the IC has decided that a complaint is unsuitable for conciliation on the basis that the complaint does not involve an interference with privacy or is frivolous or vexatious, the complainant should be required to seek leave of the court to bring an application in the court.
- The OAIC would have the ability to appear as amicus curiae or to intervene in proceedings instituted under the Privacy Act, with leave of the court.
- Remedies available under this right would be any order the court sees fit, including any amount of damages.
Appropriate resources should be provided to the Courts to deal with these new functions.
26.1 Amend the Act to allow for a direct right of action in order to permit individuals to apply to the courts for relief in relation to an interference with privacy. The model should incorporate the appropriate design elements discussed in this chapter. |