Submission. to the of Action for. Serious

Transcription

1 Submission to the A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Issues Paper November

2 1. Executive Summary The Australian Direct Marketing Association (ADMA) welcomes the opportunity to comment on the A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy Issues Paper (the Issues Paper). On 23 September 2011 the Government released an Issues Paper seeking views on the proposed introduction of legislation that would permit Australians to take civil legal action if their privacy has been seriously invaded. This proposal launched, in some part, in response to the News of the World phone hacking scandal in the United Kingdom will have significant, far-reaching and serious consequences for all Australian industries. The introduction of a statutory cause of action for a breach of privacy represents a monumental change to the Australian privacy legislative framework. It has the potential to affect a broad range of economic and non-economic activities by businesses and individuals. The main reasons provided in the Issues Paper to justify the introduction of a statutory cause of action for privacy are: a) The introduction of new technologies (such as smart phones) that allow individuals to take and instantly share photographs without the knowledge or consent of the subject b) The ability to forward private s to thousands of addresses around the world c) The ability to post footage on a video sharing website; d) The potential for and social networking sites to be hacked and personal details mine e) The requirement to assure the security of cloud computing service which offer great potential for more effective and efficient use of technology f) High profile data breaches Industry is extremely concerned by the proposed introduction of a statutory cause of action for serious invasions of privacy for the following reasons: a) The introduction of a statutory cause of action is at odds with the National Digital Economy Strategy b) the statutory cause of action will: i. introduce significant legal risk, increase compliance costs and uncertainty for business ii. jeopardise regulatory settings that encourage innovation in the Australian economy iii. impede Australia s ability to compete on the global stage; c) many of the issues raised in the Issues Paper are: i. already subject to Australian law; ii. Addressed within proposed legislation currently being considered; or iii. simply cannot be addressed by Australian law. d) Many of the issues raised can be addressed by: 2

3 i. ensuring surveillance and listening device legislation is consistent across all states; or ii. examination of non-black letter law solutions including extending existing cyber-safety and digital citizenship initiatives. ADMA submits that the initiatives outlined in b), c) and d) above should be examined before reaching for such a strong intervention as the introduction of a statutory cause of action for a serious invasion of privacy. In light of the significant ramifications for business ADMA urges the Government to reconsider the proposed introduction of a statutory cause of action and to conduct a proper assessment of the impact of such an initiative by conducting a Regulatory Impact Statement in line with Government Guidelines for Best Practice Regulation 1 1 Australian Government, Best Practice Regulation Handbook, June 2010 which can be found at 3

4 2. About the Australian Direct Marketing Association ADMA is the principal industry body for data-driven, customer-centric, measurable marketing in Australia. ADMA was formed in 1966 and has during its 45 years of operation been involved in the formulation of law relevant to the marketing industry. Predominantly our focus has been the Privacy Act 1988, the Spam Act 2003, the Competition and Consumer Act 2010 and the Do Not Call Register Act Direct marketing includes any marketing communication which uses datainsights, including personal information, to engage with a consumer with a view to producing a tangible and measurable response. Direct marketing is channel agnostic and includes any marketing that engages an individual at a distance and includes marketing via: a) mail b) c) telephone call d) mobile phones and other mobile devices e) online via the web f) social media networks ADMA s primary objective is to help companies achieve better marketing results through the enlightened use of direct marketing. Consistent with this objective, ADMA has been involved in co-regulatory and self-regulatory solutions over many years. ADMA has over 500 member organisations including some of Australia s most well known and trusted brands. Our members come from many industries including major financial institutions, telecommunications companies, energy providers, information and technology companies, digital service providers, travel service companies, major charities, statutory corporations, educational institutions and specialist suppliers of direct marketing services. Almost every Australian company and not-for-profit organisation directly markets to its current and potential customers as a normal and legitimate part of its business activities and the ability to continue to conduct this activity underpins a good proportion of Australia s economic activity. 4

5 3. Overall Comments ADMA is extremely concerned by the proposed introduction of statutory cause of action because: a) The introduction of a statutory cause of action is at odds with the National Digital Economy Strategy b) There will be significant implications for small business c) Legislation will introduce uncertainty and stifle innovation d) The introduction of a proposal to introduce a statutory cause of action prior the completion of the first tranche of the ALRC recommendations undermines the review of the Privacy Act e) Many of the issues raised can already be dealt with under existing law, are in the process of being considered or simply can t be addressed by Australian law 3.1 The introduction of a statutory cause of action is at odds with the National Digital Economy Strategy The Government has set its National Digital Economy Strategy as The government s aim is, by 2020, Australia will be among the world s leading digital economies based on key indicators such as broadband penetration and usage rankings. Yet businesses are increasingly becoming victims of cybercrime and fears of cybersecurity is preventing some types of businesses from adopting online services. The Government in its Connecting with Confidence Optimising Australia s Digital Future has identified that Businesses in modern digital economies are increasingly becoming victims of financially motivated cybercrimes..the AFP estimated that the overall risk of cyber crime to the Australian economy to be in excess of a billion dollars a year. 2 What this potentially means is that organisations can simultaneously be the victims of crime and subject to an investigation by the Office of the Australian Information Commission whilst also potentially being subject to multiple court actions or class actions under the statutory cause of action. Organisations that have a data breach will, if the statutory cause of action is introduced, face examination as to whether they have breached National Privacy Principle 4 (data security) as well as separate action by courts as to whether they have breached the privacy right. 2 Australian Government Connecting with Confidence Optimising Australia s Digital Future, A public discussion paper Page 13 5

6 This will act as a positive disincentive for organisations that may already be uncertain about placing business online. Such an outcome will have a net detrimental impact. An alternative focus on technical solutions could deliver economy wide improvements in privacy and data security. Industry has a good track record of developing technological solutions to these issues. An example of technology that has been developed by industry that provides significant protection for consumers is Hypertext Transfer Protocol Secure (HTTPS). This technology permits consumers to securely transact online using credit card information. On the issue of securing cloud computing services, ADMA notes the work being done by the Department of Prime Minister and Cabinet through the Cyber White Paper and highlights the fact that the Issues Paper is attempting to cover off the same concerns resulting in duplication of Government effort. 3.2 Significant implications for Small Business There will be significant consequences for small business if a statutory cause of action is introduced. Small businesses that generate less than $3m revenue per annum are currently exempt from the Privacy Act If a statutory cause of action is introduced then small business will lose this exemption. ADMA notes that the Government Connecting with Confidence Optimising Australia s Digital Future has identified that small business are especially vulnerable. Further the Government has identified that one of the key defences against cybercrime is building citizens and businesses resilience to cyber-attack and noted that this is best achieved by There may be a need to explore a new set of partnerships designed to further build trust among government and private actors. ADMA urges the Government to consider: a) The cost to business particularly small business b) Fresher and more positive approaches to preventing data breaches. 3.3 The Legislation will introduce Uncertainty and Stifle Innovation The introduction of a statutory cause of action for a serious invasion of privacy will introduce a significant additional and unwarranted level of risk and uncertainty for business because the terms privacy and highly offensive are not defined. 6

7 Significant uncertainty arises because these terms are highly subjective, meaning different things to different people. The Issues Paper has not sufficiently outlined what would be considered highly offensive. ADMA strongly supports that a clear delineation that specifies that only action that would be highly offensive to a person of ordinary sensibilities could be a threshold that must be satisfied before a statutory cause of action can be launched. Notwithstanding the incorporation of a reasonableness standard such as highly offensive to a person of ordinary sensibilities the introduction of a statutory cause of action will have a chilling effect on innovation. It will stifle Australia s ability to compete on the global stage against countries that have regulatory settings that are better calibrated to encourage innovation particularly in the online environment. The Government has a responsibility not to introduce a statutory cause of action that calls every business practice, whether it deals with personal information or anonymous information, into question. To do so would fundamentally reshape our economy and must be subject to a full Regulatory Impact examination. There has been much discussion about the chilling effect that a statutory cause of action for a serious invasion of privacy will have on the media, freedom of expression and democracy. However the effect on business could be equally as chilling. Whilst there has been discussion about the publication of information by the media, which is in the public interest about public figures or private figures, very little consideration has been given to the fact how harmful an increase in business risk and uncertainty is to industry and the economy as a whole. In many instances technological advancement comes first and community understanding and acceptance follows after a period of discovery, understanding, testing and then acceptance. Yet under this proposed statutory cause of action there is a real risk that new technologies could be subject to court action and verdicts delivered that will limit the adoption and use of these technologies. Further if determination of what a serious breach of privacy is given over to the courts then there is a real risk of the Australian privacy regime becoming significantly out of step with international privacy regimes. Australia s future ability to take advantage of Web 2.0 and Web 3.0 may be significantly impaired and jeopardise the Australian population s ability to take full advantage of the digital economy as well as significantly damage industry as a whole. As a result ADMA strongly urges that a statutory cause of action for a serious invasion of privacy not be further considered by the Government in the absence of a full Regulatory Impact Statement. 7

8 3.4 The introduction of a proposal to introduce a statutory cause of action prior to the completion of the first tranche of the ALRC recommendations undermines the review of the Privacy Act The introduction of this Issues Paper undermines the current, careful consideration of the review of Australian privacy legislation. As a result, there will be considerable confusion, further delays and purposeful, well considered, lasting reform will be jeopardised. Australian business has stood ready to positively engage in the senate committee process to review of the Privacy Act for the last 15 months. The review of the Privacy Act 1988 commenced in 2006 when the Attorney General requested the Australian Law Reform Commission to review the Privacy Act The Government s response to the first tranche of the Australian Law Reform Commission (ALRC) Report 108 For Your Information: Australian Privacy Law and Practice was released on 24 June The Government proposed that the first tranche would examine 197 of the 295 recommendations put forward by the ALRC report which included: a) The Privacy Principles b) Credit Reporting Provisions c) Health Services and Research d) Office of the Privacy Commissioner It was hoped that the exposure drafts would be made available during the course of 2011 with the expectation that the first set of changes to the Privacy Act 1988 would be implemented shortly after. It was also hoped that Australian Government, regulators, industry and consumers would then turn their attention to the second tranche of recommendations which includes the following ALRC recommendations: a) Proposals for clarifying or removing certain exemptions from the Privacy Act (such as the exemptions for small businesses, individuals and employee records) b) Introduction of a statutory cause of action for serious invasion of privacy (beyond personal information ) c) Serious data breach notification d) Handling of personal information under the Telecommunications Act 1997 The clear logic for this approach was that once the foundations for the Privacy Act 1988 were settled that the more complex recommendations could be considered against the backdrop of the new regime. To date only the exposure draft and companion guides for the Privacy Principles and Credit Reporting provisions have been released. Neither the exposure draft nor the companion guides for Health Services and Research or the Office of the Privacy Commissioner have been released. 8

9 Whilst the Government s response to the Finance and Public Administration Legislation Committee Exposure Drafts of Australian Privacy Amendment Legislation Part 2 Credit Reporting was released on October 2011 a similar response has not been received to the Committee s Senate Committee s Exposure Drafts of Australian Privacy Amendment Legislation Part 1 Australian Privacy Principles which was released in June ADMA is concerned that some of the key issues that have been raised in the Issues Paper are issues which can be dealt through the orderly review of the ALRC recommendations including: a) Additional provisions that increase organisations accountability to consumers if the organisation discloses information overseas b) Whether the Privacy Act 1988 should apply if information is collected in Australia or not. 3.5 Many of the issues raised in the Issues Paper are already subject to laws or proposed legislation is in the process of being considered or simply can t be addressed by Australian law Consumer protections already exist for many of the potential issues outlined in the Issues Paper that may result from the emergence of new technologies. These include: a) Privacy Act 1988 (Cth) b) Telecommunications (Interception and Access) Act 1979 (Cth) c) Common law including breach of confidentiality, nuisance d) Listening devices legislation (across all jurisdictions) e) Surveillance devices legislation (in some states) Accessing Private Voic s Accessing a private voic of a celebrity by a journalist is an offence in Australia under the Telecommunications (Interception and Access) Act The primary prohibition of this Act is For the purposes of this Act, but subject to this section, interception of a communication passing over a telecommunications system consists of listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication. Section 7 A person shall not: 9

10 a) Intercept b) Authorize, suffer or permit another person to intercept; or c) Do any act or thing that will enable him or her or another person to intercept A contravention of the Telecommunications (Interception and Access) Act 1979 is an indictable offence carrying a maximum penalty of 2 years imprisonment Securing Cloud Computing Services The Issues Paper has identified data breaches of improperly secured cloud computing services as a reason why a statutory cause of action for a serious breach of privacy should be introduced. An examination of this potential scenario needs to occur from the perspective of the importance of corporate reputation, current and future legislation. The Importance of Corporate Reputation Should Not be Under Estimated The importance of maintaining corporate reputation as a motivating factor for organisations to ensure that they safeguard their consumers data should not be under estimated. A significant issue with respect to data security, especially if the organisation s data protection practices were found to be lacking, has the potential to cause significant corporate reputation loss. Many organisations invest significant amounts of resources to build consumer trust so that consumers are more likely to transact with them and already go to great lengths to protect data from misuse, loss and unauthorised disclosure. Current Legislation A data breach that entails the disclosure of personal information held by an Australian organisation that has secured a cloud computing service provider or any Australian business is subject to the Privacy Act If an Australian organisation uses a cloud computing service and there is a data breach because insufficient actions were taken to secure the service then the individual can seek a remedy under the Privacy Act 1988 via the organisation itself, via self-regulatory schemes such as the ADMA Code of Practice (if the organisation is an ADMA member) or via the Office of Australian Information Commissioner for a breach of National Privacy Principle 4. The Office of the Australian Information Commissioner has powers under the Privacy Act 1988 to facilitate resolutions including: a) Apologies b) A change to the respondent s practices or procedures c) Staff counseling d) Taking steps to address the matter including accessing or amending records e) Compensation for financial or non-financial loss 10

11 f) Other non-financial options. Similar to the cause of action if suitable steps were taken to secure the cloud computing service then no action could be taken as the serious invasion of privacy was not the result of a reckless or intentional act. Therefore the statutory cause of action for a serious invasion of privacy adds no additional consumer benefit in the context of data breaches by either organisations or cloud computing service providers. Future Legislation The exposure draft of the Australian Privacy Principles envisaged significant restructuring and strengthening of obligations that apply to organisations that disclose information overseas. The exposure draft includes new provisions that make organisations that disclose personal information to overseas entities accountable for this action unless special exceptions apply. Special exceptions such as the entity disclosing information to an overseas recipient that is subject to a law or binding scheme that has the effect of protecting the information in a way that is overall at least substantially similar to the way in which Australian privacy law protects information. The new draft Australian Privacy Principles also proposes that organisations that do transfer personal information overseas should include a prominent notice that they do this. These and other key issues such as whether the Privacy Act applies when information is collected in Australia or not needs to be debated, properly assessed and resolved. In addition under the second tranche, which was expected to be started next year, the proposed introduction of a mandatory data breach notification scheme for organisations and agencies to mandatorily advise consumers if there has been a breach of their personal information is to be considered. The second tranche also looks at the important issues of whether exemption such as for individuals using personal information for non-business purposes should apply or not. This issue is clearly relevant to the stated reasons for introducing a statutory cause of action. Initiatives such as mandatory data breach notification are also worthy of consideration as these have the potential to provide practical measures that will ensure that consumers are notified of potential issues if their personal information is breached so that they can take action to limit any harm that may occur as a result of a breach. They also result in greater consumer benefits without needing to resort to solutions that rely on litigation. To bypass these potent and important reforms and move straight to the introduction of a statutory cause of action is premature and undermines the excellent and considered work performed by the Australian Law Reform Commission as well as all those who have contributed to it. 11

12 3.6 Other Situations Used to Support the Introduction of a Statutory Cause of Action for a Serious Invasion of Privacy The introduction of new technologies (such as smart phones) that allow individuals to take and instantly share photographs without the knowledge or consent of the subject Listening devices legislation across all jurisdictions prohibits the recording of sound without the individual s consent. In instances where photos and video (which don t involve audio recording) are taken without the knowledge or consent of the subject the Surveillance Devices Act applies in some states but unfortunately not all. As a result there is a deficiency in the protections afforded to consumers if photographs or video images without sound are taken and shared. ADMA submits that the Government should consider extending the Surveillance Devices legislation such that it applies to all states and should be referred to the Standing Committee of Attorney-Generals for consideration to resolve this issue. Notwithstanding the above consumers can currently rely on common law protections, particularly under breach of confidence. Such laws that provide consumers with recourse if private or otherwise personal photographs, video and other materials are shared in a manner that is damaging or offensive to an individual. ADMA notes that in the case of Giller v Procopets the Supreme Court of Victoria Court of Appeal upheld on 10 December 2008 that damages should be awarded for mental harm not amounting to mental illness for the publication of videotape of sexual activity under breach of confidence. In its summary of findings the Judges Maxwell, Ashley and Neave concluded that Mr Procopets breached his duty of confidence with the deliberate purpose and having the effect of humiliating, embarrassing and distressing Ms Giller, it is appropriate to include a component for aggravation in the award of compensation. I would award Ms Giller the sum of $40, 000 including $10, 000 for aggravated damages The ability to forward private s to thousands of addresses around the world Individuals can access the protections of the law, under breach of confidence, for s being forwarded to thousands of addresses under common law where it can be established that: a) Information was confidential in nature 12

13 b) Information was communicated in circumstances importing an obligation of confidence c) An actual or threatened use of the confidential information to the detriment of the person whose information is communicated; d) The information is not in the public domain Such an action can result in a breach of confidentiality where it was clear that the content of an were private or confidential in nature. Actions that provide individuals with protection under a breach of confidence include the individual placing a notice at the foot of their s stating that the contents are intended for the recipient or otherwise making it clear that the information is for the recipient only. In such instances, if the includes private or confidential information that is not in the public domain it s disclosure could be a breach of the common law right to confidentiality. In addition to legal resolutions, individuals can also take technological steps to protect private or confidential information including encrypting s or enabling the restrict forwarding function. A public education awareness campaign about how individuals can take simple measures to protect themselves in these situations would be a straightforward and practical approach to addressing these issues. ADMA submits that consideration as to whether similar messages might be incorporated into the Australian Communications and Media Authority s Cybersafety campaign may also be beneficial in this instance. These messages could also be incorporated into a broader digital citizenship campaign. In addition, the forwarding of s for commercial purposes are subject to the Spam Act 2003 (Cth), equivalent international legislation and international memorandums of understanding The ability to post footage on a video sharing website Similar to the case examined in section above such an action would entail a breach of confidentiality, a breach of listening device legislation or otherwise needs to be protected by ensuring the surveillance device legislation is consistent across all states and territories (dependent on whether the video includes sound or not) and Social Networking Sites can be hacked and personal details mined. The same legal protections apply as outlined in section if these and social networking sites are managed by Australian companies or companies with a presence in Australia. If and social networking sites are hosted in the United States then these sites are subject to US law and courts. 13

14 ADMA notes that in this case, the introduction of a statutory cause of action for a right to privacy have the same effect as Australian privacy law in terms of providing coverage where personal information is hacked. Whilst the Issues Paper outlined concerns about information held overseas a detailed examination of the different laws that protect information held by and social networking sites in the United States of America was not outlined. There are a number of laws that apply to companies that operate in the United States of America. These include: a) The Children s Online Privacy Protection Act (COPPA) which is a United States of America Federal law that regulates the collection and use of personal information belonging to children aged 13 and under. COPPA is currently being reviewed. b) The Federal Trade Commission Act, Section 5 which empowers the Federal Trade Commission to investigate misleading and deceptive trading practices which has been used to prosecute companies who don t comply with their privacy notices c) Mandatory data breach notification laws that apply in 46 different states including California and Washington DC d) The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (data security) e) The United States of America law also includes a breach of confidence. 14

15 4 Response to Questions Posed 1. Do recent developments in technology mean that additional ways of protecting individuals privacy should be considered in Australia? Overall, Australians are afforded a significant level of protection under existing privacy laws including: Privacy Act 1988 (Cth) Telecommunications (Interception and Access) Act 1979 (Cth) Common law including breach of confidentiality, nuisance Listening devices legislation (across all jurisdictions) Surveillance devices legislation (in some states) These laws render a strong Government intervention such as the introduction of a statutory cause of action for a serious invasion of privacy unnecessary. There is however one area of the law that does appear to need some additional strengthening and this is the patchwork of various state based surveillance device legislation. As stated above, ADMA submits that the Government should refer the task of reaching consistency around surveillance device legislation in all States and Territories of Australia to the Standing Committee of Attorney Generals. In addition ADMA submits that additional steps to educate individuals with respect to communications should be referred to the Australian Communications and Media Authority for integration into its Cyber-safety program. 2. Is there a need for a cause of action for serious invasion of privacy in Australia? As outlined in section 3 above ADMA submits that there are already significant consumer protections in place that provide adequate privacy protection for individuals. Any deficiencies in the current legal system can be adequately addressed by making surveillance device legislation consistent across all Australian States and Territories without having to resort to the introduction of a statutory cause of action in Australia. 15

16 In addition to actions that can be taken with respect to surveillance device legislation there are also a raft of ALRC recommendations other than a cause of action that will provide substantial additional privacy protections to Australians. These include: a) Making organisations that disclose personal information to overseas entities accountable for the data whilst it is out of Australia unless special exceptions apply; b) Whether the Privacy Act 1988 should apply to information that is not collected in Australia; c) Placing additional obligations on organisations to inform individuals if they disclose information overseas; and d) Consideration of the introduction of mandatory data breach notification. 3. Should any cause of action for serious invasion of privacy be created by statute or be left to development of common law? Should there be a significant increase in activity under common law for breaches of privacy, it may be worth considering the creation of a statutory cause of action. There, however, does not appear to be any need for this to occur at this point in time. It is also important to note that at this point in time there is scant evidence, either through the courts or through the media, that there is strong public demand for additional protections with respect to privacy. 4. Is highly offensive an appropriate standard for a cause of action relating to serious invasions of privacy? The term highly offensive is very subjective. Public interest or community standard based tests are difficult because they evolve dynamically over time. It is vitally important that a statutory cause of action, should it proceed, only be possible for actions that are highly offensive to a person of ordinary sensibilities. This inclusion provides a reasonableness test which will somewhat reduce the level of business uncertainty that a statutory cause of action will introduce but its inclusion will not remove the variability that will be introduced by giving the courts responsibility for concept of privacy. 16

17 ADMA submits that it is vitally important that further work is done to define privacy before the introduction of a statutory cause of action for a breach of privacy is introduced so as to reduce the amount of business uncertainty that this legislation will create. 5. Should the balancing of interests in any proposed cause of action be integrated into the cause of action (ALRC or NSWLRC) or constitute a separate defence (VLRC)? 6. How best could a statutory cause of action recognize the public interest in freedom of expression? ADMA does not support the introduction of the statutory cause of action at all but if such a detrimental and unnecessary change was to be made then we note that the Issues Paper does not discuss the concept of freedom of expression in much detail. Freedom of speech needs to be considered in much greater detail before any statutory cause of action for a breach of privacy is introduced. ADMA notes that a codified guarantee of freedom of speech or expression does not exist, except in a limited manner regarding political freedom of speech, in the Australian constitution. ADMA notes that the other major jurisdictions where rights to privacy exist also have freedom of speech or equivalent protections. ADMA submits that Australia should also enshrine freedom of speech as a separate right if a right to privacy is introduced into Australian law to ensure the appropriate balance between privacy and freedom of speech. At a minimum freedom of speech should be incorporated as a test against which a statutory cause of action for a serious invasion of privacy must be assessed before action through the courts can be initiated. 7. Is the inclusion of intentional or reckless as fault elements for any proposed cause of action appropriate, or should it contain different requirements as to fault? ADMA does not support the introduction of the statutory cause of action at all but if such a detrimental and unnecessary change was to be made then intentional and reckless as fault elements must be included. 17

18 8. Should any legislation allow for the consideration of other relevant matters, and, if so, is the list of matters proposed by the NSWLRC necessary and sufficient? ADMA does not support the introduction of the statutory cause of action at all however the matters for consideration by the court proposed by the NSWLRC would be necessary if such a cause of action were introduced. 9. Should a non-exhaustive list of activities which could constitute an invasion of privacy be included in the legislation creating a statutory cause of action, or in other explanatory material? If a list were to be included, should any changes be made to the list proposed by the ALRC? ADMA does not support the introduction of the statutory cause of action at all but if such a detrimental and unnecessary change was made then a non-exhaustive and extensive list of activities which do not constitute an invasion of privacy should also be included in the legislation. This list should include clarification that many existing business practices and procedures that are legal under the existing Australian privacy regime are not considered a serious invasion of privacy. Such a step would go some way to reducing business uncertainty. It will still not address the key concerns held by ADMA in relation to the chilling effect on innovation and Australia s ability to compete on a global stage especially against countries with regulatory settings designed to promote innovation or promote economic growth. 10. What should be included as defences to any proposed cause of action? ADMA does not support the introduction of the statutory cause of action at all but if such a detrimental and unnecessary change was made then the following defences should be included: a) Consent (both express and implied) b) take down upon notification (where an organisation has complied with notice and take down similar to the safe harbour that applies under the Copyright Act 1968) 18

19 11. Should particular organisations or types of organisations be excluded from the ambit of any proposed cause of action, or should defences be used to restrict its application? The Government should accommodate the unique role of online platforms, providers and more traditional forms of communications services from any proposed cause of action. Online platforms facilitate communication by others and in doing this facilitate enormous volumes of communications making it impracticable for these platforms to monitor or play any sort of editorial role. A similar issue arises with respect to providers or more traditional forms of communication, postal and telephone services. As a result ADMA submits online platforms, providers and more traditional forms of communication services should all appropriately accommodated in terms of the unique role they play from any proposed cause of action and a defence of take down upon notification, with safe harbor for those who comply with notice and take down procedures (as described above) should be included as a fundamental element of the legislation should it proceed. 12. Are the remedies recommended by the ALRC necessary and sufficient for, and appropriate to, the proposed cause of action? ADMA offers no comment on this matter. 13. Should the legislation prescribe a maximum award of damages for noneconomic loss, and if so, what should that limit be? ADMA does not support the introduction of the statutory cause of action at all if the Government should proceed with such a detrimental change then it should impose a cautious limit on the maximum award of damages. 19

20 14. Should any proposed cause of action require proof of damage? Is so, how should damage be defined for the purposes of the cause of action? ADMA submits that the significant issues that could arise with respect to allowing individuals to take action against companies without having to show damages for sums under $ ADMA is extremely concerned that if a statutory cause of action for a serious breach of privacy is introduced that industry will become subject to significant increases in costs. Courts are tasked to assess the merits of each case but not to assess the net economic impact of their decisions. As a result ADMA urges the Government to conduct a full Regulatory Impact Statement to assess the net benefit for Australians, especially in consideration of the significant existing protections that Australians can readily access already or will be able to action should the Privacy Act 1988 be reviewed and the surveillance devices legislation be extended to all states. 15. Should any proposed cause of action also allow for an offer of amends process? Whilst ADMA does not support the introduction of a statutory cause of action for a serious breach of privacy, should the Government proceed with this approach ADMA submits that the inclusion of an offer of amends process would be essential to the process. Such an inclusion would be consistent with the conciliatory approach which has been adopted to date with respect to the enforcement of the Privacy Act Should any proposed cause of action be restricted to natural persons? Privacy is a human right. As such the concept of privacy should be restricted to natural persons only. 20

21 17. Should any proposed cause of action be restricted to living persons? The concept of privacy applies to an individual. ADMA notes that the Government in its response to the first tranche of the Australian Law Reform Commission s recommendation noted significant constitutional limitations on the Commonwealth s power to legislate in this area and submits that the same issues would apply with respect to a statutory cause of action. 18. Within what period, and from what date, should an action for serious invasion of privacy be required to be commenced? ADMA does not support the introduction of a statutory cause of action for a serious breach of privacy however should such a statutory cause of action be introduced then individuals should have 12 months to take action. 19. Which forums should have jurisdiction to hear and determine claims made for serious invasion of privacy? ADMA offers no comment on this matter. 21