Parliamentary Research Service releases report on NSW privacy law and tort of serious invasion of privacy

June 1, 2026

Last Friday, 28 May 2026, the New South Wales Parliamentary Research Service released a report, NSW privacy law and the new tort of serious invasion of privacy. It is authored by Barbara McDonald, Professor Emerita of the University of Sydney Law School. Professor McDonald conducted the Australian Law Reform Commission enquiry into digital privacy which was published as the Serious Invasions of Privacy and the Digital Era in 2014.

Key aspects of the Report are:

Concept of privacy

  • It is generally used to refer to privacy of information, privacy of communications and personal privacy, with the last aspect being the most general and undefined in scope.
  • The right to privacy is recognised in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights 1966 (ICCPR), which was ratified by Australia in 1980. Article 17 of the ICCPR provides that:
    1. No one should be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
    2. Everyone has the right to the protection of the law against such interference or attacks.
  • Ultimately, privacy underpins individuals’ ability to live fulfilled lives by allowing them to develop autonomy, forge family and other relationships, develop independent thoughts and opinions, obtain assistance when necessary, and communicate with others on matters of social, personal and democratic importance.
  • Personal privacy encompasses bodily privacy and privacy in physical places.
    • Bodily privacy underpins physical safety, integrity and personal dignity.
    • Privacy in physical spaces underpins personal security and safety as well as freedom of movement and association.
    • Personal privacy may also be said to encompass the rights to a family life which are recognised in international covenants
  • Informational privacy refers to privacy over information or data, in whatever form, about a person, including their relationships, their activities and their movements. It:
    • may or may not be classed as confidential information, depending on the circumstances. It includes health information and personal financial information.
    • overlaps with other aspects of privacy as disclosure of private information about a person can affect their relationships, dignity, security and freedoms.
  • Communications privacy:
    • refers to all manners and forms in which a person or entity may communicate with others, and may include draft or unsent communications.
    • overlaps with informational and personal privacy due to the human interaction involved in, and the content of communications. Examples might relate to personal correspondence between people in a relationship or closed group, or between a professional advisor and patient or client. The digital revolution and technological advances providing new ways to communicate have also opened up new ways to invade communications and other aspects of privacy

Existing privacy laws

  • the common law of Australia has not kept up with the law developed elsewhere. Further, the absence of Australia-wide human rights legislation such as in the United Kingdom or New Zealand has no doubt meant that the springboard for the courts to develop private remedies is also absent.
  • Bodily privacy is protected in the common law by the torts of trespass to the person (which includes battery, involving non-consensual physical interference) and assault (which involves threats of imminent violence). These tort actions provide no protection against indirect interferences such as visual snooping or photography or filming of a person without consent, nor against the use or communication of such footage

  • Any unlawful entry is a trespass to land. While there is implied permission to enter for a range of lawful purposes, an entry for a purpose outside those lawful purposes will be treated as trespass and a person in breach of the entry conditions may become a trespasser. Media crews have been sued for trespass in such cases
  • A limitation of existing law is that only the occupier with exclusive possession could sue for trespass
  • The tort of private nuisance protects an occupier’s quiet enjoyment of their land and premises from a substantial interference caused by the extraordinary activities of a neighbour or other person outside the land
  • Confidential information–information imparted under an obligation to keep it confidential–has long been protected by the courts, ever since Prince Albert obtained an injunction to stop the publication of descriptions of Queen Victoria’s private etchings of their family life which had been entrusted just for personal copies to be made
  • Where photography is taken in an intimate context it is an actionable breach of confidence, remedied by an injunction and/or damages, to communicate those images or recordings to third parties without consent
  • the law on confidential information may not necessarily protect private information fully: it may not have been imparted under an obligation to keep it confidential; it may have become publicly or widely known (and yet still be private in nature); and the law on breach of confidence is usually more concerned with preventing misuse or disclosure than remedying injured feelings after the breach
  • The Telecommunications Interception and Access Act 1979 (Cth) applies to communications using telecommunications. Section 7 prohibits the interception of a communication passing over a telecommunications system and makes it unlawful to authorise or permit or enable another person to intercept such a communication. It only applies to interceptions during the passage of communications over a network. It does not, for example, apply to placing a tape recorder beside the telephone receiver (although state legislation may then apply).
  • In NSW, the Surveillance Devices Act 2007 (NSW) provides important, but not complete, protection for personal and communication privacy. This Act provides that a person must not knowingly install, use or maintain a listening device to overhear, record, monitor or listen to a private conversation. Among the exceptions is where all principal parties consent to the recording. A private conversation is defined as a conversation carried on in circumstances that may reasonably be taken to indicate that any of the parties desires to be heard only by themselves or by someone to whom they have given consent. It does not include a conversation in which the parties ought reasonably to expect that it may be overheard by someone else.
  • With regard to optical devices, a person must not knowingly install, use or maintain an optical surveillance device on or within premises or a vehicle to record visually or observe the carrying on of an activity where that involves entry on the premises or a vehicle without the consent of the owner or occupier or interference with the vehicle
  • The Privacy Act 1988 (Cth) regulates the use of personal information by Commonwealth and other government entities, commercial entities or corporations with an annual turnover of more than $3 million, and small business entities that deal in personal or health information. Other small business entities holding personal information are not regulated by the Act. Personal information is defined as ‘information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form’. Information about an individual may come within the definition even though it is not, in fact, what would be considered to be private or confidential information.
  • The Privacy Commissioner, as a member of the Office of the Australian Information Commissioner (OAIC), is charged with overseeing and enforcing the operation of the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) contained in that Act
  • The consequence of an entity not complying with, for example, the Australian Privacy Principles or other provisions of the Privacy Act 1988 may be an adverse determination by the Commissioner. The entity may seek a review of that determination by the Administrative Review Tribunal or commence judicial review proceedings. Orders to enforce the Commissioner’s determination may be made by the Federal Court of Australia
  • A limitation of privacy legislation is the lack of a private or direct remedy in the courts for an individual who has been adversely affected by a breach of the legislation, rather than the indirect and time-taking route of seeking a determination to be enforced in federal courts. Importantly, this omission also reduces the availability of class actions which may be a more economical route than individual actions for a group of people adversely affected by a breach.
  • There is an exemption for media organisations for acts and practices carried out ‘in the course of journalism’, with the latter term not being defined. To be protected by this exemption, the media organisation must show itself to be bound by a code of practice, a form of self-regulation. It has been commented that the ‘level of protection [of personal privacy] that these codes provide in practice is questionable.’ That will continue to be so, given that the exemption for journalists and media organisations under the new tort, as discussed in the next section, does not depend on their compliance with industry codes of conduct.


Doctor accused of secretly filming colleagues at Austin Hospital and elsewhere…Criminal charges laid but it also highlights how the statutory tort of serious invasion of privacy has filled a civil void for those that wish to use it

July 27, 2025

The charges against Ryan Cho, a junior doctor who worked at Austin Hospital, arising out of his alleged use of video devices in staff toilets, have grown from a charge of stalking and using an optical device earlier this month (see my post here) to five new offences. According to a Victoria Police media release, and as reported by the ABC, last Friday Cho was charged with 5 further offences, most relevantly 3 counts of producing an intimate image and 1 count of using an optical surveillance device. The alleged offences are now believed to have occurred in more than one health facility. According to the ABC, Victoria Police allege that Cho had over 10,000 “pieces of images” and videos relating to at least 460 females.

The focus of the story is the alleged criminality of the conduct. And why not. It is a big story and there is a strong interest by the public and public interest (2 very different concepts) in the issue. The legislatures in Australia were very quick to respond to the practice of surreptitious filming, usually of women by men, in very private places, such as showers, toilets and change areas. That response however was confined to criminalising such conduct. That is appropriate. But there are limitations for the victims in this process. In criminal cases it is the Crown, in indictable cases, or the police Informant, in summary jurisdiction cases, which commences and conducts prosecutions. It is the Crown/Informant which may enter a plea deal. In some cases some form of monetary order may be made but it is not the same as an assessment of damages. And it is the prosecutor's discretion to seek such orders.

For years the State legislatures refused to legislate a civil right of action for interferences with privacy. In Victoria what limited scope of action existed was confined to breaches by government entities under the Privacy and Data Protection Act. It is an ineffective process and the results at the Victorian Civil and Administrative Tribunal have been very unsatisfactory. On top of that its use is confined to the Victorian Government, its agencies and entities or those providing services on their (as the case may be) behalf. While the Victorian Government, like many government entities, has had major privacy fails and data breaches, those incidents are only a small subset of the total number of privacy interferences, misuse of private information and data breaches in Victoria (let alone the rest of Australia).

Equity responded to the lack of statutory privacy protection and the inability of individuals to take action to protect their privacy with the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236. It extended the claim of breach of confidence into a claim of misuse of private information, following the UK authorities. It was and is not a good fit in many privacy related breaches. The law developed at a glacial pace in this generally unsatisfactory environment. That said, the High Court in Smethurst v Commissioner of Police [2020] HCA 14 came tantalisingly close to recognising a stand alone right to privacy as an actionable tort, as the UK Court of Appeal did in Vidal-Hall v Google Inc [2015] EWCA Civ 311. In Smethurst the Appellant deliberately did not want the High Court to continue consideration of a claim for breach of privacy. Their Honours Kiefel CJ, Bell and Keane stated, at [48] (absent footnotes):

The plaintiffs’ principal claim to an injunction is based upon the Court’s auxiliary jurisdiction in equity. This would ordinarily require that it be granted in aid of some legal right or interest or title to property. The plaintiffs make no claim to the property in the AFP’s USB stick. They do not claim a right to privacy which is actionable for breach. They do not ask this Court to continue the debate, left open by Gummow and Hayne JJ in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, as to whether the courts should recognise such a tort. The plaintiffs nevertheless contend that an injunction should be granted to reverse or protect them from the effects of the trespass committed as a result of the Second Warrant being invalid. Those effects are that the information may be used to further the investigation as to whether offences against s 79(3) of the Crimes Act have been committed and, if charges are laid, as evidence of the commission of those offences.

(Emphasis added)

The reason for the Appellant's reluctance in pressing the question of privacy and “continuing the debate” (which the High Court was most definitely interested in having) is because the media was in 2020, just as it is today, very hostile to the idea of a tort of privacy. It wanted the relief sought and a finding against the Commissioner of Police but on a more confined basis. That was a great opportunity wasted but fortunately the legislature has finally enacted a statutory tort of serious invasion of privacy. As to whether the tort the High Court may have found was a superior form of protection to what has been enacted is something we will never know.

The Federal Government enacted a statutory tort of serious invasion of privacy which came into effect on 10 June 2025.

With the operation of the statutory tort of serious invasion of privacy the gap in the civil law has been closed.  It is able to provide some measure of justice and compensation for victims of the behaviour as alleged in this case.  

The elements of a statutory tort of serious invasion of privacy are set out in section 7(1) of Schedule 2 of the Privacy Act 1988 and they are:

(1) An individual (the plaintiff) has a cause of action in tort against another person (the defendant) if:

(a)     the defendant invaded the plaintiff’s privacy by doing one or both of the following:

(i)      intruding upon the plaintiff’s seclusion;

(ii)     misusing information that relates to the plaintiff; and Read the rest of this entry »

Vale Hulk Hogan. His win against Gawker Media dispelled the myth that the First Amendment trumps, and tramples, privacy rights in the United States. The case provides interesting insights into the use of the statutory tort of serious invasion of privacy in Australia

Terry Gene Bollea (known professionally as Hulk Hogan) was  a major celebrity in the curious world of American wrestling and subsequently as a big media personality.  Always good copy.

For lawyers he is at least as well known for winning a very significant privacy case in 2016, the Hulk Hogan v Gawker case, where he defeated Gawker Media (citation Gawker Media, LLC v. Bollea, 129 So.3d 1196 (Fla. 2d DCA 2014); 170 So.3d 125 (Fla. 2d DCA 2015)). The case demonstrated that not everything a media company does is protected under the First Amendment. Gawker Media was an online gossip tabloid which specialised in salacious coverage of celebrities' private lives. I covered the verdict with posts in March 2016 here and here.

In a trial in Florida in 2016 Hogan won a privacy claim against Gawker which claimed protection under the First Amendment.

It was and remains a very significant case and one which has influenced jurisprudence in the United States of America.

The facts in brief summary are:

  • In 2006, Bollea was videotaped while having sex with Heather Clem, his friend’s wife. He claimed the videotaping was undertaken without his knowledge or consent. On The Howard Stern Show, Bollea told Stern that he had slept with Heather with Bubba Clem’s (Heather Clem’s husband) blessing and his encouragement because he was so burnt-out from the trauma of his coming divorce that he finally gave in to the “relentless” come-ons from Heather who “kept going down that road.”
  • On October 4, 2012, Gawker editor A. J. Daulerio published a two-minute extract from the 30-minute video, including 10 seconds of explicit sexual activity
  • Bollea originally sued Gawker for copyright infringement in the United States District Court for the Middle District of Florida, seeking a temporary injunction. U.S. District Judge James D. Whittemore denied Bollea’s motion, ruling that the validity of the copyright was in question, and that given the degree to which Bollea had already put his own private life into the public arena, the publication of the video might be protected by fair use.
  • Bollea withdrew his case in the US district court and sued Gawker in Florida state court.
  • Bollea’s request for an injunction was granted by Judge Pamela Campbell in 2013. Gawker announced that it would not comply with the part of the court order requiring the removal of the post and associated commentary because it deemed the order “risible and contemptuous of centuries of First Amendment jurisprudence.” Gawker removed the video itself, but linked readers to another site hosting the video.
  • The injunction was stayed on appeal, and was denied in 2014 by the appeals court, which ruled that under the circumstances it was an unconstitutional prior restraint on speech under the First Amendment.
  • The trial in 2016 ran for two weeks. Gawker argued that Bollea made his sex life a public matter, although on cross-examination, when asked by Bollea’s lawyer whether a depiction of his genitalia had any “news value”, former Gawker editor AJ Daulerio responded “no”. Bollea said that comments made in interviews were done in his professional wrestling character, an on-air persona different from his own.
  • On March 18, 2016, the jury delivered a verdict in favor of Bollea. The jury awarded him $115 million in compensatory damages, which included $60 million for emotional distress. The jury awarded Bollea an additional $25 million in punitive damages on March 21.
  • On June 9, 2016, Gawker filed a motion for a stay of execution of judgment pending appeal. In the motion and accompanying affidavits from Gawker Media personnel, the company stated that it could not afford to pay the $140.1 million judgment or the $50 million appeal bond.
  • On June 10, 2016, Gawker filed for Chapter 11 bankruptcy protection and put itself up for sale.
  • Univision Communications bought Gawker Media’s assets for $135 million at a bankruptcy auction on August 16, 2016 which included six Gawker websites—Deadspin, Gizmodo, Jalopnik, Jezebel, Kotaku, and Lifehacker.
  • On November 2, 2016, Gawker Media and Bollea reached a $31 million settlement. As a result of the settlement, Gawker forwent its appeal and three articles from gawker.com were taken down, including the one involving Bollea.

Schedule 2 of the Privacy Act 1988 contains the provisions giving effect to the statutory tort of serious invasion of privacy.  How relevant is the Hulk Hogan case to the consideration of Australia’s statutory tort?  On its face little.  An issue in the Hulk Hogan case was whether the material published by Gawker Media had news value.  And the witness for Gawker said “no.”  Under section 15(1) of Schedule 2 the statutory tort does not apply “..to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material” while section 15(1A) provides that “..This Schedule does not Read the rest of this entry »

Will forcing companies to delete data reduce cybercrime….

July 18, 2025

The desire, if not obsession, of government agencies and private organisations and companies to collect and store information has been a problem as long as there has been the capacity to make records. It has been regularly satirised (eg Brazil). It is no joke. Digitisation and increased ability to economically store vast stores of data has meant that governments, organisations and companies could collect much more personal information than thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot. The question often posed is how to reduce this honey pot and thereby minimise the exposure to individuals losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the regulation is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the market place. Under the Privacy Act 1988 an entity should only collect personal information relevant to its primary purpose. It should only retain that personal information for as long as it is relevant to that purpose. That companies, especially, collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court where those breaches have been prosecuted. None of this is to say the Privacy Act 1988 does not need further reform. It does. But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.

The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.

It provides, with my notations:

Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

Theoretically yes. But how much of a difference such a right would make is questionable.  Already under Australian Privacy Principle 12 an individual may request access to information held by an entity.  APP 12.1 states:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to Read the rest of this entry »

California Privacy Protection Agency v Honda; settlement with Honda paying $632,500 fine for breaching California Consumer Privacy Act by requiring excessive personal information, making it difficult for people to exercise their rights and not properly protecting privacy

March 31, 2025

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

  • know that personal information is collected, used, shared or sold;
  • delete personal information held by businesses
  • opt out of sale of personal information
  • non discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

  • provide notice to consumers before data collection;
  • create procedures to respond to requests from consumers to opt out, know and delete
  • respond to requests from consumers to know, delete and opt out
  • disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information

According to the final order the breaches related to:

  • Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
  • Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
  • Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
  • Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the Read the rest of this entry »

The Canadian Standing Committee on Access to Information, Privacy and Ethics publishes ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’

October 9, 2022

On 4 October 2022 the Canadian House of Commons Standing Committee on Access to Information, Privacy and Ethics published a report, ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’.

The report explores:

  • the benefits and concerns associated with facial recognition technology,
  • the use of facial recognition by police forces,
  • misidentification and algorithmic bias,
  • regulations on facial recognition and artificial intelligence.


Optus suffers massive data breach affecting up to 9 million customers. The largest data breach involving personal information of Australians in history

September 23, 2022

Optus suffered a massive data breach through a cyber attack two days ago. The biggest in Australian history involving Australian data.  Optus released a media release about it yesterday.  The compromised data included names, dates of birth, drivers licences and passport numbers.  The sort of information which would allow a hacker to attempt identity theft.  Very saleable data on the dark web.

A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why is it necessary to hold onto the data of former customers of many years back? That may be a breach of the Australian Privacy Principles.

With access to key data, including emails, the danger to customers affected is phishing attacks and attempts at identity theft rather than immediate danger that Optus phone or email data will be used or the services disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected.  The breach did not include payment details and account passwords.

Optus has notified the Information Commissioner.  One issue to resolve is what notification will be provided to affected Optus customers.  Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states.  Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support.  That is good business.

In its own review, and probably under scrutiny of the Commissioner, there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly the response to a data breach is too often marked more by improvisation than by following a plan.

Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information.  It Read the rest of this entry »

National Institute of Standards and Technology releases a draft regarding Engineering Trustworthy Secure Systems SP 800 – 160

June 8, 2022

The National Institute of Standards and Technology (“NIST”) has released Engineering Trustworthy Secure Systems for public comment. It is a very useful document for those interested in privacy and cyber security in that it provides a framework for analysis.

This guide has been produced pursuant to a Presidential Executive Order on 12 May 2021 titled Improving the Nation’s Cybersecurity, EO 14028.

The key elements of that executive order Read the rest of this entry »

National Institute of Standards and Technology issues Blockchain for Access Control Systems NISTIR 8403

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline Blockchain for Access Control Systems.   

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complimentary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Education Apps endorsed by the Australian Government found to be surveilling Australian children resulting in inquiries by New South Wales and Victorian Governments

May 26, 2022

As the saying goes, the road to hell is paved with good intentions. That may be the sombre story of education apps used during the Pandemic. Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life. Of particular interest are some of the practices of EdTech. The EdTech apps were used by students in Australia during the lockdowns. The Victorian and New South Wales Governments have announced inquiries. The Victorian Information Commissioner raised concerns about education apps as far back as August 2020, stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web-based learning tools that handle student personal information.”

The report has been reported in Itnews with Edtech vendors invaded student privacy: Human Rights Watch,  InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children and the ABC with Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.

Some interesting findings from the Report Read the rest of this entry »