At the time of our last update on Australian data breach class actions, only one data privacy class action had been commenced in Australia (which settled before being considered by the courts). Since that update, the landscape (and, accordingly, the risk for businesses that experience a data breach) has changed significantly: 3 consumer class actions have been commenced against Medibank and Optus in the Federal Court (with a further action foreshadowed in respect of the Latitude Financial Services data breach), and a shareholder class action has been commenced against Medibank in the Victorian Supreme Court.
If those matters proceed to hearing, they may provide clarity on:
In the meantime, the framing of each of the above claims provides insight into:
Any such claims (and corresponding risk to business) may be further bolstered by the introduction of a statutory tort for serious invasions of privacy or direct right of action for interferences with privacy, which are proposed to be introduced as part of the wide-ranging reforms to the Privacy Act (see our article here).
Having made “back to basics” the theme of Privacy Awareness Week 2023 (PAW), the regulatory focus of the AIC is clear. In her PAW launch speech, the AIC stated that organisations should (as a bare minimum):
Accordingly, it is essential that organisations review their data handling and security practices and documentation to ensure they are compliant with Australian law, to avoid regulatory scrutiny and consumer actions.
For an update on data privacy class actions in the UK/EU, please see our colleagues’ article here.