Victims of cyberstalking, data theft, and other “serious invasions of privacy” have been left unprotected by current privacy laws, legal analysts have warned as the more than two-year review of the Privacy Act 1988 entered a new phase.

Particularly during restrictive pandemic lockdowns, ‘stalkerware’ apps and communication technologies have enabled new forms of invasive and potentially dangerous surveillance – but with no change to privacy laws, the Law Council of Australia (LCA) argued in a new discussion paper, victims have few options.

“If an individual is harmed by a serious invasion of their privacy – such as someone’s private activities being watched or recorded, or privacy information like medical records being made public – there is currently no tortious right of action,” Law Council of Australia president Tass Liveris said in launching the paper.

Online stalking cases must currently be dealt with using laws designed to stop physical harassment, Liveris said, noting that their reliance on physical proximity “limits a person’s ability to pursue compensation or an injunction” in cases of stalking or harassment using digital technologies.

“Technological advances have increased the risk of these types of breaches, while limiting the capacity for our current legislative framework to keep pace.”

Discussions with the LCA’s “constituent bodies” suggested broad support for a statutory right specifically addressing digital privacy intrusions, the paper noted, as long as the offence includes “sufficiently high thresholds in place to ensure actions are limited to serious invasions of privacy” and that the law be drafted to minimise the risk of “unintended consequences”.

Rapid evolution of digital technologies like AI and blockchain, the report notes, means that any legal privacy protections “must be sufficiently flexible to adapt to rapidly changing technologies and capabilities, without needing constant amendments.”

The LCA also supports the creation of a Commonwealth, state and territory working group that would “harmonise privacy laws and focus on key issues in relation to privacy.”

Recourse for the vulnerable

A statutory tort for serious invasions of privacy has been under discussion since well before 2014, when it was recommended by the Australian Law Reform Commission’s investigation into digitally-enabled privacy invasions.

The current review, managed by the Attorney-General’s Department, kicked off in December 2019 alongside online privacy reforms aiming to impose consistent privacy rules for social-media and other tech firms.

The review asked whether the Privacy Act “effectively protects personal information”, whether a statutory tort for “serious invasions of privacy” should be introduced into Australian law, and how the law should treat two types of invasion of privacy – intrusion into seclusion, and misuse of private information.

The LCA paper was one of around 170 submissions to the review from a who’s-who of technology, legal, and industry bodies – all of which agreed that current privacy protections had been weakened by new technologies, and supported the introduction of a statutory tort for invasions of privacy.

Noting that privacy breaches often occur in the context of existing power imbalances, Legal Aid NSW argued that many victims “decide not to lodge a complaint because they perceive the process to be too burdensome or lacking in accountability.”

“Creating a statutory tort of privacy affords an opportunity to hold to account those who arbitrarily interfere with a person’s privacy,” the agency said.

The Australian Information Security Association (AISA) agreed, noting that “the current Australian privacy regime provides inadequate protection to people whose privacy has been violated” and recommending a GDPR-styled regime with rights to compensation and liability for privacy violations.

AISA also supports the creation of “some form of criminal law that reflects egregious cases of invasions of privacy”, the organisation said, arguing that the statutory tort should apply both to “intentional and reckless invasions of privacy” and breaches “as a result of negligence or gross negligence”.

Advocacy group Digital Rights Watch argued that legal recourse and avenues of remedy are critical to a “functional privacy or data protection regime”, noting that the new tort “would greatly extend individuals’ ability to exercise their rights and keep entities processing their data accountable.”