Tort and data protection law: Are there any lessons to be learnt?

The development and evolution of data protection law is not fully realised. One challenge that has emerged is the recognition of a tort for violating a person’s personal information contrary to data protection law. The issue is that courts have found it difficult to determine and assess the harm caused to the data subject. The courts in the United Kingdom (UK)1 and Canada2 have recently developed a tort for infringing privacy in personal data. What has emerged is that courts in those two countries have begun to establish some key principles to underpin a tort violating privacy, by providing guidance on measuring the ensuing harm. That tort is also developing in the United States. This article argues that other common law jurisdictions, notably Australia, should consider going down the same pathway, by establishing a privacy tort over the Internet. Such a tort in data protection will provide a higher level of control to data subjects over their personal data and deter entities from misusing that data. However, that tort may fail to protect data subjects from the misuse of their personal data if the law requires harm to eventuate, as is required by the tradition tort of privacy. This must be considered with caution because, unlike traditional notions of a tort in privacy, a privacy violation of over the Internet may take weeks, months or years to identify. Contrarily, tort law has been effective in reducing and deterring negligence in privacy related cases, strengthening the rationale for a tort in personal data over the Internet.