Your preferred office location


Special Counsel, Blair Campbell in our Dispute Resolution team has outlined the possible changes to Australian privacy protections.


Every week brings a new report of serious data breaches, with massive public and private entities falling victim to cyber-attacks threatening the private and personal information of customers and consumers across Australia. From Optus to Universities to Hospitals to Financial Institutions and professional firms, it seems like hackers are having their way with individuals’ health and financial information.

Of course, with the growth of the internet, individuals are giving their information to a growing and diverse number of entities – both foreign and domestic, increasing the risks that information may fall into the wrong hands. With all this happening, many are wondering if there is any privacy left for anyone who doesn’t want to live entirely off-grid.

In response, the Australian government has been considering this very issue, with the Attorney-General recently announcing that the Information and Privacy Commissioner jobs would be split – with both roles previously residing in one person.

In addition, a list of recommendations has recently been announced which flowed from a review of the Privacy Act. Recommendations include exciting options such as a private cause of action for breaches of privacy, and the right to be forgotten.


Traditionally there has been no recognised right to privacy. Privacy was not generally considered a form of property, so causes of action to protect it only arose against pre-existing relationships. While claims for breach of confidence could arise where the parties were in a relationship of confidence (such as employer/employee), under contract, or potentially in trespass or nuisance, privacy on its own was generally not protected.

The classic position in Australian law concerning privacy rights was determined in Victoria Park Racing v Taylor in which the High Court found it was no breach of the law to peer over someone else’s fence.

An independent right to privacy was hinted at by Australia’s ultimate court in ABC v Lenah Game Meats, in which the High Court rejected the idea of a private right to privacy of an abattoir’s processes but hinted that if it were to consider such a right in a future claim, it would likely be limited to natural persons. It hinted again at this in Smethurst, but again did not create any such right.

In contrast, the United Kingdom has not been so reticent to recognise a form of privacy rights – primarily by adaptation of breach of confidence and by reference to the European Convention on Human Rights. So, for example, supermodel Naomi Campbell was able to successfully sue the Mirror newspaper group for publishing pictures of her attending a Narcotics Anonymous group. The photos were taken in public outside the venue and would likely not have offended the law in Australia. However, in the UK the House of Lords ultimately decided that, while there was public interest in Ms Campbell’s drug issues in general given her previous public statements about not using drugs, the fact of her attendance at an NA meeting and the location of that meeting was not in the public interest, leading to a decision that the Mirror was liable for damages.

Australia first dipped a toe into the privacy pond in 1988 with the introduction of the Privacy Act, which extended to most entities except small business, government agencies, and political parties. This Act introduced privacy principles – including the obligations to only collect private information when reasonably necessary, to safeguard that information, to only use it for the purpose for which it was provided, and the right of people to inspect and correct information held on them.

New Developments

As mentioned above, the Privacy Act review produced many recommendations, two of the most interesting being the ‘right to be forgotten’ – the right to have your information not merely accurate and securely stored, but you may request it be deleted altogether – and the creation of a new tort giving rise to a private cause of action for serious breaches of privacy.

The right to be forgotten already exists in European law and includes the right to de-indexing search results where those results may be irrelevant, inadequate, or excessive. In the case of de-indexing, the source information would remain, but it would not be produced in a search. This is an issue that has arisen in Australia in the context of defamation proceedings – where Google was held liable for searches returning information about people which was incorrect or out of date. Now there would be a separate right to request de-indexation.

The right to seek erasure of personal information would effectively amount to a withdrawal of consent. If an individual gave personal information to an entity, why can’t they subsequently decide to withdraw that permission and have their information deleted? This right would extend to being informed of any third-party with whom the information had been shared so that a similar request could be made of them.

The creation of a statutory tort for serious breaches of privacy was widely supported by those making submissions to the review. Such a tort is envisioned to involve:

  1. Intrusion into seclusion or misuse of private information,
  2.  A reasonable expectation of privacy,
  3. The intrusion must be either intentional or reckless,
  4. The intrusion must be ‘serious’,
  5. It is not necessary that there be actual economic loss, emotional distress being sufficient, and
  6. The intrusion must not be outweighed by any public interest in the disclosure.

There would also be defences to the tort, including:

  • Consent
  • Necessity
  •  Privilege
  • Lawful authority
  • Publication of public documents, and
  • Fair reporting of public proceedings.

While there was wide support for such a measure, there was also great concern expressed by media outlets about the potential chilling effect on journalism the introduction of such a tort might cause. While it is beyond doubt that the introduction of the proposed new tort would impact on some reporting, it was considered that the balance set by the proposal would ensure that material published in the public interest would not be captured. The inevitable conclusion then is that information that is not in the public interest ought not be published, so the tort would allow compensation for doing so.

Another argument was that the creation of a private cause of action, together with the costs of litigation, would mean the option would only really be available to a small number of very wealthy people. While it is likely that the targets of actionable invasions of privacy are much more likely to be prominent people, the fact is that this is not an argument against a tort of privacy any more than it is an argument against the tort of defamation for the exact same reasons. It is important that people have the right to protect their privacy, just as they can protect their reputations – and the legal costs of doing so does not justify the lack of the right.


It is encouraging to see the government taking such pro-active steps to address an increasingly important issue – privacy. The development of Big Data, the cross-matching of private information, and the prevalence of cyber-intrusions into customer data all call for a new, more robust approach to privacy and the handling of private information.

We will see if the proposed reforms are implemented, but the measures to strengthen privacy rights seem to be a step in the right direction.

Copies of the report can be found here.

Contact our Dispute Resolution lawyers at (08) 9322 1966 or

*This information serves as a general guide and does not constitute legal advice. It is based on our research and experience at the time of publication. Please consult our knowledgeable legal team for any specific inquiries or advice relevant to your circumstances, as the content may not have been updated subsequently. 

Consult our legal team