Australian data breach class actions

This article sets out the difficulties of bringing such actions in Australia which may, in addition to the existing complaint mechanism under the Privacy Act 1988 (Cth) (Privacy Act) contribute to the absence of such cases. We also highlight some proposed upcoming legislative changes which may have an impact in this space.

Difficulties in Substantive Law

There are various causes of action which a plaintiff may be able to use to bring action in respect of a data breach.

Commonly, overseas, such actions are brought in negligence, however depending on the circumstances in which the data breach occurred (for example, whether a contractual or other special relationship exists between the parties and whether the plaintiff was a customer of the defendant) there may be a range of other actions available. For example, Evans v Health Administration Corporation[1] involved the unlawful access and sale of sensitive health and other personal information contained in the workers’ compensation files of 130 current and former employees. The plaintiffs’ action (which settled prior to judicial determination) was brought on the following grounds:

• the tort of breach of statutory duty: in particular the plaintiff contended that a cause of action was available based on statutory obligations in the Information Protection Principles contained the Privacy and Personal Information Act 1998 (NSW) and Health Privacy Principles in the Health Records and Information Privacy Act 2002 (NSW);
• breach of confidence in equity;
• misuse of confidential information in equity;
• breach of contract: in particular, of the terms of trust and confidence implied by law into employment contracts and the express and/or implied term of confidentiality;
• contravention of ss 18 and 29 of the Australian Consumer Law; and
• a tort of invasion of privacy. Australian case law is mixed on the question of whether such a tort exists. The position has been unclear since the decision of the High Court in Lenah Game Meats.[2]

Given the application of these causes to data breaches is untested in Australian Courts, when bringing a test case in a costs jurisdiction, plaintiffs face the risk of footing a significant legal bill with uncertainty as to the outcome in respect of a breach that may have (proportionately) had only a minimal impact or may not yet have resulted in damage. For example, when seeking to bring a negligence action, plaintiffs may face the following hurdles:

• establishing a duty of care on the part of the defendant to safeguard their data and determining the scope of such duty;
• establishing a breach of that duty. In many instances, a breach may occur where there has not been any negligence (eg. Where software patches to address the relevant security vulnerability have not yet been released);
• establishing evidence of ‘damage’ which is not prospective nor barred by the principle barring recovery for pure economic loss;
• determining the standard of care in an industry that is constantly changing due to technological development; and
• establishing a chain of causation in circumstances where multiple parties hold their data and the breach itself was perpetrated by a third party.

Procedural Difficulties

In addition, plaintiffs may have to overcome the following procedural hurdles:

• determining the correct defendant, particularly in circumstances where the data breach was perpetrated by a third-party criminal actor or, in which the data-holder has a complicated corporate structure or third-party software or information technology support providers;
• exclusion clauses barring the ability to bring certain actions or otherwise limiting the defendant’s liability; and
• fulfilling evidentiary burdens in circumstances where the plaintiff’s data or information regarding the defendant’s security controls may have been destroyed by the data breach. In the case of government agencies, evidence of security obligations may also be difficult to obtain due to public interest immunity considerations.

Existing Privacy Act Provisions

Under the Privacy Act, where a data breach may involve a breach of Australian Privacy Principle 11 (requiring reasonable steps to be taken to keep data secure) or the data breach notification provisions, individuals can make a complaint to the OAIC for resolution. The OAIC can make non-binding determinations including requiring payment of compensation (including for hurt to feelings).[3] A hearing de novo by a court is required to enforce such a determination[4], but as a matter of practicality, the vast majority of respondents simply comply with the initial determination.

The OAIC can also make declarations as to there having been an interference with privacy and to the effect that the respondent must not repeat or continue such conduct. It can also include, in its non-binding determinations, declarations requiring the respondent to take specified steps to ensure that the relevant conduct is not repeated or continued, and to perform a reasonable act or conduct to redress any loss or damage suffered by the complainant.

Where there are serious or repeated interferences with privacy, the OAIC can seek civil penalties from a Court[5]. The Government has indicated it will increase those penalties. The maximum penalty is currently AU$2.22mil but is proposed to be increased to the greater of the following:

(a) AU$10mil;
(b) if the court can determine the value of the benefit that the respondent obtained (directly or indirectly) and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
(c) if the court cannot determine the value of that benefit—10% of the relevant turnover of the respondent during the 12-month period ending at the end of the month in which the respondent engaged, or began engaging, in the conduct constituting the contravention.[6]

The OAIC complaints team often also plays a conciliation role in resolving disputes which can result in more flexible outcomes such as:

• the respondent taking steps to address the matter (such as providing access to personal information or correcting a record);
• an apology;
• a change to the practices or procedures of the respondent;
• staff training;
• compensation for financial or non-financial loss; and
• other non-financial options (such as a complimentary subscription to a service).

These remedies are limited to circumstances in which the information in question is “personal information” in the sense or relating to a reasonably identifiable individual. Business information and data can of course also be the subject of data breaches, in which case it is necessary to look to other causes of action.

Proposed Reforms

If the changes to the Privacy Act, proposed by the discussion paper released by the Attorney-General’s department in December 2021 (see a link to our article on the proposed changes here), are passed, Australia may see an increase in data breach actions, given the proposals to introduce a direct right of action for breaches of privacy.[7]

In addition, the unfair consumer terms legislation has recently been proposed to be bolstered,[8] and the Government is examining other measures to enhance consumer rights in relation to data.[9]

Depending on the form any changes ultimately take, and the approach of Australian Courts when it comes to remedies, they could significantly increase the extent of claims activity in the privacy and data landscape.

Key contacts: Sophie Dawson, Julie Cheeseman, Joel Parsons, James Hoy and Emma Croft

[1] [2019] NSWSC 1781.

[2] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199.

[3] Privacy Act 1988 (Cth) s 52.

[4] Ibid s 55A.

[5] Ibid s 80U.

[6] Exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, proposed s 13G of the Privacy Act 1988 (Cth).

[7] Attorney General’s Privacy Act Review Discussion Paper, October 2021, chp 25.

[8] Treasury Laws Amendment (Enhancing Tax Integrity and Supporting Business Investment) Bill 2022

[9] Federal Government’s Discussion Paper: ‘Strengthening Australia’s cyber security regulations and incentives, an initiative of Australia’s Cyber Security Strategy 2020’, July 2021; Treasury’s Consultation Paper: Improving consumer guarantees and supplier indemnification provisions under the Australian Consumer Law’, December 2021.