Workplace AI and surveillance on trial with new privacy tort
Australia’s new statutory tort for serious invasions of privacy not only closes major and longstanding gaps in Australian privacy law, but also creates new risks for businesses, writes Sean Carr.
Until now, Australia lacked a clear recognised cause of action for interference with privacy. This caused uncertainty as to whether and to what extent individuals’ privacy is protected and protectable under the common law. Now, individuals, including employees, finally have a clear and enforceable right to privacy.
What is the new tort?
The new tort, which sits in schedule 2 of the Privacy Act 1988 (Cth), has five elements that an individual needs to make out to have a cause of action against another legal person, which includes businesses.
These elements are:
- the defendant must have invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion (for example, by recording the plaintiff’s private activities) or misusing information that relates to the plaintiff;
- a person in the plaintiff’s position would have had a reasonable expectation of privacy in all of the circumstances;
- the invasion of privacy was intentional or reckless, not just negligent;
- the invasion was serious; and
- the public interest in the plaintiff’s privacy outweighed any countervailing public interest.
There are many matters the court may consider in determining whether each element has been made out.
The claim is actionable without proof of damage.
Defences to the tort include where the invasion of privacy was required or authorised by or under an Australian law, court, or tribunal or if the plaintiff expressly or impliedly consented to the invasion.
How does this tort change the privacy landscape for businesses?
This development not only closes major and longstanding gaps in Australian privacy law, but it also creates new risks for businesses.
Previously, businesses enjoyed an exemption under the Privacy Act with respect to acts done or practices engaged in by the business that are directly related to an employee record held by the business and relating to the employee. That exemption has enabled businesses to adopt systems and processes relating to employee records that would otherwise fall short of their obligations under the Privacy Act.
The new tort reduces the strength of that shield. Now, employees have an avenue to sue their employer for collecting or mishandling information relating to them, even if that information sits squarely within the employee records exemption that applies elsewhere in the Privacy Act.
Also, the new tort applies to all businesses, including small businesses that were previously exempt from the Privacy Act.
Where do AI and surveillance cross the line?
Productivity-tracking tools, email and chat monitoring software, keystroke tracking, and behavioural algorithms are increasingly common in the workplace. But what are the risks for businesses that use AI and surveillance in this way?
Of course, using AI to collect and manage employee information does not automatically breach Australia’s privacy laws. Employee surveillance may not even reach that level. What matters is how and in what context businesses use AI and surveillance.
To use an extreme example, in most workplaces, employees would not expect their employer to record them through their laptop camera or microphone (except in video-conference meetings). Most employees would have a reasonable expectation that their privacy would not be invaded in this way and would be considerably concerned or distressed if it were, and it would be difficult for an employer to justify that practice on public-interest grounds.
This expectation of privacy and the seriousness of the invasion would be even greater if the employee works from home.
Another example where the tort may arise is where a business uses AI tools to record or summarise meetings, those recordings or summaries capture its employees’ personal or sensitive information (for example, comments they make about their mental health and other personal matters), and the business directly or indirectly uses that information to profile employees for business decision-making purposes.
On the flip side, examples of AI and surveillance practices deployed in many workplaces that intrude upon employees’ privacy but likely do not satisfy all elements of the tort, provided they are deployed reasonably and proportionately, include keystroke or activity logging for productivity metrics, facial recognition for multifactor authentication to access company software applications, CCTV in and around offices, and location tracking of company vehicles.
What should businesses be doing now?
When considering deploying AI or surveillance, the business’s privacy obligations should be front of mind. They should ask themselves:
- Is there a legitimate business reason to monitor our employees in this way or collect and use this type of information? What would the public or a judge think?
- Do our employees know that we will be monitoring them in this way or collecting this type of information and how we intend to use it? How would they react if they found out? Why can’t we just be transparent with them and get their prior consent?
- Is our employees’ information collected by AI or surveillance adequately protected from unauthorised access and use, including by the AI or surveillance service provider? Have we tested it in a sandbox environment to make sure? Do we need a cyber security expert to make this determination?
- Should we be getting legal advice?
- Do we have robust data breach policies and processes in place?
Once the AI or surveillance has been deployed, it shouldn’t be set and forget. Businesses should routinely review their systems to ensure they are collecting and using no more information than what was originally intended and that they maintain adequate protection from unauthorised access. This work, together with due diligence undertaken prior to the deployment of the AI or surveillance, should be well documented for use as evidence in the defence of a privacy-breach claim.
In an increasingly privacy-conscious world, stakeholders expect privacy protection excellence, not mere compliance. Businesses with excellent privacy practices are better placed than their competitors to attract and retain talent and customers and avoid regulatory and legal costs and higher insurance premiums.
Sean Carr is a senior associate at Burch & Co.