ALRC drops safe harbour from proposed privacy law

The Australian Law Reform Commission has jettisoned ‘safe harbour’ provisions from the final version of its proposed privacy law.

The ALRC has finalised the parameters of a potential new civil offence that, if passed into law, would see Australians able to sue the perpetrators of serious breaches of their privacy for the first time.

In June last year, then-Attorney-General Mark Dreyfus asked the ALRC to inquire into the possibility of a new statute that would apply to serious invasions of privacy conducted by individuals and organisations.

The tort would differ from the existing Privacy Act, which is focused on data protection and applies to organisations with a turnover exceeding $3 million only. Australia has never offered an explicit legal protection to its citizens against gross invasions of privacy.

In a draft framework for the privacy tort unveiled in March, the Commission included a 'safe harbour' provision which would exempt all internet intermediaries, such as social media sites and search engines, from legal action for carrying material that breached a plaintiff’s privacy.

But lead author of the proposal, Professor Barbara McDonald, told iTnews the Commission had later decided there was little point to the safe harbour provision under new terms that make it clear only conscious disregard for privacy would be targeted by the tort.

The recommendations suggest that the new tort should be confined to intentional or reckless invasions of privacy, and should not extend to negligent invasions of privacy, or attract strict liability.

“We thought that there is probably little operation for a safe harbour provision,” she said.

“The contention of most safe harbour exemptions is that the entity does not have knowledge of the information being shared.”

The new stance means that the likes of Google and Facebook are not off the hook completely.

The ALRC's final report, released today, makes it clear that the focus on 'intent' over negligence does not entirely preclude content hosters from liability, who will be required to act to remove content once becoming aware of a privacy breach.

“In some circumstances, an intermediary may be found to have the requisite fault after they have been given notice of an invasion of privacy.

“They may be found to have intended an invasion of privacy, or been reckless, if they know that their service has been used to invade someone’s privacy, and they are reasonably able to stop the invasion of privacy, but they choose not to do so.”

- Serious Invasions of Privacy in the Digital Era report

The report has now been handed to the Government, which will decide whether to make an effort to pass the proposal into law.

McDonald said introducing formal recognition for personal privacy protections in the courts would address Australia's outdated approach to such issues and ensure the privacy rights of citizens don't get left up to chance.

“Many elements of our privacy protections have developed through common law,” she said.

“Courts can only rule on cases that come before them. I think in the past many Australian privacy cases have been settled outside of the courts so we don’t see that common law developing.”