Privacy disclosure incident leads to largest ever award of compensation for non-economic loss

By Gavin Smith, Lewis Graham, Alan Zheng
Class Actions | Cybersecurity & Privacy

Payment to nearly 1,300 members of representative complaint

On 11 January 2021, Information and Privacy Commissioner Angelene Falk (Commissioner) issued a determination requiring payment of compensation for non-economic loss to individuals affected by an unauthorised data disclosure incident. This determination sets a precedent for compensation orders, and also shines a light on the relatively underutilised representative complaints regime in the Privacy Act 1988 (Cth) (Privacy Act).

The Commissioner's decision is likely to be the largest compensation order made to date in Australia in relation to an interference with privacy.

Key takeaways

  • The determination issued in relation to breaches of the Privacy Act by the Department of Home Affairs (the Department) is likely to constitute the largest compensation order ever in Australia in relation to an interference with privacy.
  • The determination confirms that compensation can be ordered to be paid for non-economic losses related to data breaches. Previous determinations had only awarded compensation in instances where individuals had shown pecuniary loss. The types of non-economic loss considered by the OAIC in this instance are very wide-ranging.
  • This decision also highlights the rarely used representative complaints regime under the Privacy Act. The success of this complaint may well encourage further representative complaints to be launched under this regime.
  • The quantum of compensation and the consideration of non-economic loss in the data breach context provides further impetus to businesses to ensure their compliance with Australian privacy law and to operationalise up-to-date cybersecurity-related policies and procedures.

What is the representative complaints regime and why does it matter?

  • Under the Privacy Act, individuals do not currently have a direct right of action to bring claims against third parties for infringements of privacy. This means it is also not possible for affected individuals to commence class actions for a breach of the Privacy Act. Instead, affected individuals may have recourse by lodging a complaint with Australia's federal privacy law regulator, the Office of the Australian Information Commissioner (OAIC) via the representative complaints regime. Depending on the circumstances, there may also be other alternative causes of action, such as a claim for breach of confidence, breach of contract or misleading and deceptive conduct under the Australian Consumer Law.
  • The representative complaints regime closely mimics Australia's existing class actions regimes.[1] However, instead of permitting plaintiffs to file actions directly against third parties in court, individuals and groups must file their complaint with the Commissioner. The Commissioner will then investigate the complaint, except in certain circumstances.
  • If, following an investigation, the Commissioner is satisfied that the complaint is substantiated, she may make a declaration requiring the respondent to take certain steps, including:
    • that remedial action be taken by the offending party to redress any loss or damage suffered by the complainant and to ensure the offending conduct is not repeated or continued; and/or
    • that compensation be paid to affected individuals.
  • Until recently, representative complaints have been relatively rare. Representative complaints have been filed against Cbus[2], Veda (now Equifax)[3], Optus[4] and Facebook[5]. To date, none of those have resulted in compensation orders, and the latter two have not yet been determined.

Details of the proceedings

  • In February 2014, the Department published on its website a report summarising key statistics on immigration detention. Inadvertently, this report contained an embedded Microsoft Excel spreadsheet containing the personal information of 9,258 individuals who were in immigration detention at the time (the data breach).[6]
  • The information comprised names, citizenship, period of immigration detention and reasons why the individual was considered an unlawful non-citizen, amongst other things. The report was available on the Department's website for eight days and subsequently available on an internet archive site for a total of 16 days.
  • In August 2015, a representative complaint was made to the Commissioner on behalf of all persons whose information was disclosed. The complaint requested that the Department provide an apology and compensation.
  • In response, the OAIC oversaw a process in which possible group members were notified through various channels, including email and postal address, asylum seeker support organisations, the OAIC's website (in various languages) and the legal notices section of The Australian. Group members were initially given four months to respond to the OAIC's notice[7], but this was extended to up to 16 months in some individual cases.
  • Of the 9,258 individuals affected by the data breach:
    • 2,579 registered their interest as group members;
    • 6,679 did not respond to the OAIC's notice; and
    • seven opted out of the process.

    Ultimately, only 1,297 group members provided submissions or evidence of loss or damage.

  • The Commissioner determined that the Department interfered with the privacy of group members by improperly disclosing their personal information, including sensitive information (IPP 11.1)[8], and by failing to protect their personal information from loss, unauthorised access, use, modification or disclosure, or other misuse (IPP 4(a)).
  • In her declaration, the Commissioner ordered that the 1,297 class members who made submissions and/or provided evidence of loss or damage to the OAIC be paid compensation by the Department for their loss or damage. The Commissioner determined that the quantum to be paid to each of these class members will be calculated according to the following table:

| Non-economic loss category | Nature of loss resulting from the data breach | Indicative quantum of compensation |
|---|---|---|
| 0 | Individual did not provide a submission or evidence substantiating loss or damage | $0 |
| 1 | General anxiousness, trepidation, concern or embarrassment | $500 - $4,000 |
| 2 | Moderate anxiousness, fear, pain and suffering, distress or humiliation which may cause minor physiological symptoms such as loss of sleep or headaches and may result in consultation with a health practitioner | $4,001 - $8,000 |
| 3 | Significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation which may cause psychological or other harm and may result in a prescribed course of treatment from a general practitioner | $8,001 - $12,000 |
| 4 | Development or exacerbation of a mental health condition resulting in a referral to a mental health specialist for treatment | $12,001 - $20,000 |
| 5 | Extreme loss or damage | >$20,000 |

  • The process to assess whether particular class members fall within the defined categories in the table above is expected to conclude within the next 12 months.

Significance of the decision – how does this affect you?

  • Once the compensation assessment phase has been completed, this is likely to be the largest aggregate compensation figure for a privacy claim in Australia. With a hypothetical total running into the millions, this case marks a significant break from the norm. Representative complaints have historically rarely resulted in compensation and, where they have, the sums have typically been low.
  • Additionally, these proceedings mark the first representative action in which compensation has been awarded for non-economic loss suffered by individuals due to a data breach. Until now, representative proceedings had only resulted in compensation where affected individuals had established pecuniary loss as a result of a data breach or interference with privacy.
  • The Commissioner stated in her determination that non-economic loss is inherently personal in nature. This leaves open the types of physiological and mental distress that may be considered to constitute non-economic loss arising from an interference with privacy and that warrant an award of compensation. However, the Commissioner reiterated previous comments that any claim for compensation under the representative complaints regime must be supported by evidence of loss in order to be considered.[9]
  • By showing that significant sums are available to victims who suffer non-pecuniary loss, these proceedings may encourage class action lawyers to launch more representative complaints against entities that suffer data breaches or otherwise do not comply with the Privacy Act.
  • The outcome of this matter may signal a more assertive approach by the OAIC in issuing compensation orders and may foreshadow its approach in other representative complaints currently under investigation. These include:
    • the 2018 launch of a representative complaint against Facebook in relation to the Cambridge Analytica incident, which may have affected almost 300,000 Australian customers; and
    • the 2019 representative complaint launched against Optus regarding its mistaken release of the names, addresses and phone numbers of 50,000 of its customers.
  • The determination from the OAIC will also provide food for thought for the Federal Government as it continues its review of the Privacy Act 1988 (Cth). The Government confirmed that this review will include consideration of a direct right for individuals to bring actions and class actions against organisations to seek compensation for breaches of privacy, as well as the possible introduction of a statutory tort of privacy.

Footnotes

  1. Federal Court of Australia Act 1976 (Cth) Part IVA.

  2. 'PB' and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018).

  3. Financial Rights Legal Centre Inc. & others and Veda Advantage Information Services Ltd [2016] AICmr 88 (9 December 2016).

  4. Sydney Morning Herald, 'Optus facing class action over alleged customer privacy breaches', 27 April 2020.

  5. Reuters, 'Australia's IMF Bentham to fund complaint against Facebook over alleged privacy breach', 10 July 2018.

  6. Bianca Hill, 'Asylum seeker data breach triggers court battles', 8 March 2014.

  7. The notice stated: ‘In order to make a determination about the Representative Complaint, including whether any of the persons whose personal information was published in the Data Breach are entitled to compensation for any loss or damage suffered, the Commissioner needs information from you. If you were affected by the Data Breach and do not provide information of the kind described below, the Commissioner may conclude that he is not satisfied you have suffered any loss or damage as a result of the Data Breach, and you may not receive compensation for the Data Breach.’

  8. As the complaint related to conduct that occurred before the Privacy Amendment (Enhancing Privacy Protection) Act 2012 took effect in March 2014, the complaint alleged breaches of the Information Privacy Principles (IPPs).

  9. Determination at [58] – [61].