Data breach class actions have been a feature of the privacy landscape in the US and UK since as early as 2002. While Australia has experienced a surge in regulatory actions brought in respect of data breaches, we have yet to see an uptake in consumer actions in Australia. An action was brought in 2018 (see Evans v Health Administration Corporation [2019] NSWSC 1781), however it settled prior to receiving judicial consideration.
This article sets out the difficulties of bringing such actions in Australia which may, in addition to the existing complaint mechanism under the Privacy Act 1988 (Cth) (Privacy Act), contribute to the absence of such cases. We also highlight some proposed upcoming legislative changes which may have an impact in this space.
There are various causes of action which a plaintiff may be able to use to bring action in respect of a data breach.
Commonly, overseas, such actions are brought in negligence, however depending on the circumstances in which the data breach occurred (for example, whether a contractual or other special relationship exists between the parties and whether the plaintiff was a customer of the defendant) there may be a range of other actions available. For example, Evans v Health Administration Corporation[1] involved the unlawful access and sale of sensitive health and other personal information contained in the workers’ compensation files of 130 current and former employees. The plaintiffs’ action (which settled prior to judicial determination) was brought on the following grounds:
Given that the application of these causes of action to data breaches is untested in Australian Courts, when bringing a test case in a costs jurisdiction, plaintiffs face the risk of footing a significant legal bill with uncertainty as to the outcome, in respect of a breach that may have (proportionately) had only a minimal impact or may not yet have resulted in damage. For example, when seeking to bring a negligence action, plaintiffs may face the following hurdles:
In addition, plaintiffs may have to overcome the following procedural hurdles:
Under the Privacy Act, where a data breach may involve a breach of Australian Privacy Principle 11 (requiring reasonable steps to be taken to keep data secure) or the data breach notification provisions, individuals can make a complaint to the OAIC for resolution. The OAIC can make non-binding determinations, including requiring payment of compensation (including for hurt to feelings).[3] A hearing de novo by a court is required to enforce such a determination,[4] but as a matter of practicality, the vast majority of respondents simply comply with the initial determination.
The OAIC can also make declarations as to there having been an interference with privacy and to the effect that the respondent must not repeat or continue such conduct. It can also include, in its non-binding determinations, declarations requiring the respondent to take specified steps to ensure that the relevant conduct is not repeated or continued, and to perform a reasonable act or conduct to redress any loss or damage suffered by the complainant.
Where there are serious or repeated interferences with privacy, the OAIC can seek civil penalties from a Court.[5] The Government has indicated it will increase those penalties. The maximum penalty is currently AU$2.22 million but is proposed to be increased to the greater of the following:
(a) AU$10mil;
(b) if the court can determine the value of the benefit that the respondent obtained (directly or indirectly) and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
(c) if the court cannot determine the value of that benefit—10% of the relevant turnover of the respondent during the 12-month period ending at the end of the month in which the respondent engaged, or began engaging, in the conduct constituting the contravention.[6]
The OAIC complaints team often also plays a conciliation role in resolving disputes which can result in more flexible outcomes such as:
These remedies are limited to circumstances in which the information in question is “personal information” in the sense of relating to a reasonably identifiable individual. Business information and data can of course also be the subject of data breaches, in which case it is necessary to look to other causes of action.
If the changes to the Privacy Act, proposed by the discussion paper released by the Attorney-General’s department in December 2021 (see a link to our article on the proposed changes here), are passed, Australia may see an increase in data breach actions, given the proposals to introduce a direct right of action for breaches of privacy.[7]
In addition, it has recently been proposed that the unfair consumer terms legislation be bolstered,[8] and the Government is examining other measures to enhance consumer rights in relation to data.[9]
Depending on the form any changes ultimately take, and the approach of Australian Courts when it comes to remedies, they could significantly increase the extent of claims activity in the privacy and data landscape.
Key contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy and Emma Croft
[1] [2019] NSWSC 1781.
[2] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199.
[3] Privacy Act 1988 (Cth) s 52.
[4] Ibid s 55A.
[5] Ibid s 80U.
[6] Exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, proposed s 13G of the Privacy Act 1988 (Cth).
[7] Attorney General’s Privacy Act Review Discussion Paper, October 2021, chp 25.
[8] Treasury Laws Amendment (Enhancing Tax Integrity and Supporting Business Investment) Bill 2022.
[9] Federal Government’s Discussion Paper: ‘Strengthening Australia’s cyber security regulations and incentives, an initiative of Australia’s Cyber Security Strategy 2020’, July 2021; Treasury’s Consultation Paper: ‘Improving consumer guarantees and supplier indemnification provisions under the Australian Consumer Law’, December 2021.