Australia: Data Privacy Class actions in 2023

As at the time of our last update on Australian data breach class actions, only one data privacy class action had been commenced in Australia (which settled before being considered by the courts). Since that update, the landscape (and accordingly, the risk for businesses who experience a data breach) has changed significantly, with 3 consumer-class actions having been commenced against Medibank and Optus in the Federal Court (with a further foreshadowed in respect of the Latitude Financial Services data breach) and a shareholder class action commenced against Medibank in the Victorian Supreme Court.

If those matters proceed to hearing, they may provide clarity on:

• how the Australian Information Commissioner (AIC) representative complaint resolution process works alongside court proceedings;
• the interpretation of various provisions of Australian data privacy legislation which have not, to date, been tested in the Courts (for example APP 11 of the Privacy Act);
• which types of data breaches are “preventable” and thus can be sued upon;
• whether a duty of care to protect consumers’ personal (or other) information arises either via contract or via existing legislation governing data privacy (for example the Privacy Act 1988 (Cth), telecommunications legislation or APRA Prudential Standard CPS 234);
• what “reasonable care” means in a data privacy context;
• causation in data breach cases;
• the Australian position in respect of damage, including in respect of various forms of emotional harm and the “cost and time associated with addressing the consequences of” the relevant data breach; and
• likely damages awards in a data privacy context.

In the meantime, the framing of each of the above claims provides insight into:

• the increasing appetite of litigation funders to back data privacy consumer claims;
• the focus of plaintiffs and their legal representatives in pursuing data privacy claims (for example, on data retention and security practices (and statements about handling practices more generally made in corporate privacy policies)); and
• the handling of representative complaints to regulators in parallel with representative actions in the Court

Any such claims (and corresponding risk to business) may be further bolstered by the introduction of a statutory tort for serious invasions of privacy or direct right of action for interferences with privacy, which are proposed to be introduced as part of the wide-ranging reforms to the Privacy Act (see our article here).

Having made “back to basics” the theme of Privacy Awareness Week 2023 (PAW), the regulatory focus of the AIC is clear. In her PAW launch speech, the AIC stated that organisations should (as a bare minimum):

• not collect personal information that they do not need;
• securely store personal information; and
• delete or deidentify personal information when it is no longer needed.

Accordingly, it is essential that organisations are reviewing their data handling and security practices and documentation to ensure they are compliant with Australian law, to avoid regulatory scrutiny and consumer actions.

For an update on data privacy class actions in the UK/EU, please see our colleagues’ article here.