Australian class actions for data breach: A new phenomena?

Given the uncertainty about the right to sue for breach of privacy in Australia, introduction of the data breach notification provisions in February 2018 was not expected to lead to an up-tick in privacy related litigation.   This may not be the case, with news of at least three data breach related class action claims currently on the go in Australia.

However, it remains to be seen how successful these actions will be, either in establishing a right to sue for breach of privacy or proving an entitlement to damages.

NOTE: This is re-posted from an earlier post in 2019.

Key take aways

·         There is no clear right to sue for breach of privacy in Australia

·         Three data breach related class actions have been commenced, either arguing that there is a common law right to sue or seeking compensation pursuant to the Privacy Act.

·         The current law suits may result in clarification of the existence of a common law right to sue (in addition to the right to claim compensation from the Privacy Commissioner).

·         However, even if some right to sue for interference with privacy is established, it is not clear what level of damages or compensation may be awarded.

·         A previous class action-based claim to the Privacy Commissioner was not successful in securing payment of damages.

·         If confirmed to exist, the possibility of civil litigation may represent a significant new risk to Australian organisations affected by a data breach.

Background

The status of the right to sue for a breach of privacy has been unclear in Australia for many years.

The High Court left open the possibility of such a cause of action in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd in 2001.[1] Since then, a tort of invasion of privacy has been recognised by two lower court decisions: Grosse v Purvis in the District Court of Queensland[2] and Doe v Australian Broadcasting Corporation[3] in the County Court of Victoria. However, both cases were settled before appeals by the respective defendants were heard.  There have also been cases where the existence of a common law right to sue for breach of privacy has been questioned.[4]

The failure of a right to sue for invasion of privacy to develop at common law has led to calls for the introduction of a statutory right to sue.  Over the last 10 years, the introduction of a statutory right to sue has been supported by at least four different commissions.[5]

In 2014, the Australian Law Reform Commission (ALRC) formulated the principles that should underpin a statutory cause of action for serious invasions of privacy.[6] They recommended that, for a cause of action, the breach must be serious and committed intentionally or recklessly (and not as a result of negligence), and in circumstances where the individual had a reasonable expectation of privacy. The ALRC also recommended that there be a public interest justification and confined the actionable breaches to either ‘intrusion upon seclusion’ or ‘misuse of private information.’

Those opposed to the introduction of a right to sue refer to concerns about it impacting freedom of expression rights and the ‘public interest in the free flow of information on matters of public concern and freedom of artistic expression’ which ‘could be threatened by unclear standards as to what is and what is not acceptable in the context of a statutory cause of action.’[7]

Given this resistance, neither the Federal nor any State government has felt inclined to introduce a statutory right to sue.  This means that, in the absence of the development of a common law action for breach of privacy, the surest avenue to seek compensation where there has been an interference with privacy is via a complaint to the Privacy Commissioner pursuant to the Privacy Act 1988 (Cth).

Class action claims

In 2017, a class action against NSW Ambulance Service was brought on behalf 130 ambulance staff whose medical records were accessed without authorisation by a NSW Ambulance contractor and sold to personal injury lawyers.  The law firm involved in the class action said the total damages could reach “millions of dollars”, with individuals claiming for pain and suffering, humiliation, psychological injuries and economic loss.  (More information here.)

The same law firm is looking to bring a class action following the PageUp data breach in June 2018.[8] It is not clear whether this action would be based on a claim for compensation with the Australian Privacy Commissioner or initiated as a claim in tort in the Supreme Court.

A different law firm is reported to be lodging a complaint against Facebook with the Australian Privacy Commissioner on behalf of more than 300,000 Australian individuals whose data was obtained by Cambridge Analytica via the Facebook ‘This is my Digital Life’ quiz.  The amount claimed could be up to $1,000 per individual, which would total $300 million on behalf of the group.[9]  This claim is supported by litigation funding legal firm IMF Bentham.

The chance of recovering the sort of amounts claimed in these cases seems remote.  It’s not clear that the Privacy Commissioner will award compensation in any of the above cases, certainly in the absence of evidence of real distress or anxiety.  A recent determination by the Privacy Commissioner indicates some of the issues likely to be faced.

In 2017 a claim was made on behalf of 328 employees of a building sub-contractor, whose superannuation details were wrongly disclosed to the head contractor, Cbus.[10] The complainants were represented as a class by a law firm who argued that they were entitled to $2,000-$3,000 in general damages and between $3,000 and $4,000 in aggravated damages per class member, which collectively amounted to a sum of $2.97 million. To support the claim, various members of the class gave statements that, when they became aware of the breach, they were ‘unhappy’, ‘angry’, ‘upset’, ‘disappointed’ or ‘uncomfortable.’ Legal costs were also claimed.

Ultimately, the Commissioner decided a public apology plus a review of procedures were sufficient requirements in response to the breach was sufficient and did not award any financial compensation.

Indications are that class action claims for data breaches will not find much favour with the Commissioner unless there is substantive evidence of actual loss or damage in respect of the class members, which must be something beyond genuine concern or anger.  This is certainly consistent with the experience in the US where courts have been reluctant to award damages in data breach cases unless there is some basis for real concern regarding fraud or identity theft.

Prospects of success?

Of the cases considered here, the NSW Ambulance claimants are probably best placed to recover compensation given there is actual evidence of misuse of their data.  However, this might be tempered by the expectation that the personal injury law firms who received the data might be trusted to delete it and undertake not pass it on to third parties.  This in turn would have an impact on the extent of the distress suffered by the individuals concerned.

It is not clear that claimants in either the PageUp or Facebook/Cambridge Analytica will be able to provide evidence of loss sufficient to justify compensation, given the Commissioner’s findings in the Cbus case.

If any of the current law suits proceed in common law, based on an action for breach of privacy, it may result in clarification of the existence of a common law right to sue (in addition to the right to claim compensation from the Privacy Commissioner).

This would certainly be a positive step forward in Australian law and would address the current gap in the legal remedies available to the victims of privacy breaches because of the reluctance of both Federal and state governments to introduce a statutory right to sue.

However, if confirmed to exist, the possibility of civil litigation based on an accepted tort of breach of privacy may represent a significant new risk to Australian organisations affected by a data breach.

[1] Australian Broadcasting Commission v Lenah Game Meats Pty Ltd (2001) 208 CLR 199

[2] Grosse v Purvis [2003] QDC 151 (16 June 2003). See, also, Des A Butler, ‘A Tort of Invasion of Privacy in Australia?’ (2005) 29 Melbourne University Law Review 352.

[3] Doe v Australian Broadcasting Corporation [2007] VCC 281 (2007).

[4] See, for example, Gee v Burger [2009] NSWSC 149 (13 March 2009) [53].

[5] The ALRC’s 2008 Report, For Your Information: Privacy Law and Practice, recommended that Commonwealth legislation should provide for a statutory cause of action for serious invasion of privacy. In 2009, the New South Wales Law Reform Commission recommended that a general cause of action for invasion of privacy was required to provide a ‘basis for the ongoing development of the law of privacy in a climate of dynamic societal and technological change’. In 2010, the Victorian Law Reform Commission issued the report, Surveillance in Public Places, which followed a decade-long inquiry into workplace privacy and privacy in public places. The Law Reform Committee of Victoria also recommended in early 2013 that Victoria give further consideration to introducing a statutory cause of action for invasion of privacy by the misuse of private information. In September 2011, the Department of the Prime Minister and Cabinet released an Issues Paper on a statutory cause of action for invasion of privacy, prompted by a number of ‘high profile privacy breaches’ in Australia and overseas.  This recommended the introduction of a statutory cause of action.  In 2016 the NSW Standing Committee on Law and Justice last week released a report, entitled ‘Remedies for the Serious Invasion of Privacy in New South Wales’ recommending the introduction of a right to sue for breach of privacy based on the ALRC recommendations in 2014.

[6] ALRC Serious Invasions of Privacy in the Digital Era, Report 123, 3 September 2014 https://www.alrc.gov.au/publications/serious-invasions-privacy-digital-era-alrc-report-123

[7] Arts Law Centre of Australia. https://www.artslaw.com.au/news/entry/tort-of-privacy-in-nsw-doesnt-look-like-it/

[8] See, eg, https://www.arnnet.com.au/article/642141/pageup-breach-scare-prompts-class-action-prospects/

[9] See, eg, https://www.channelnews.com.au/facebook-may-cop-3-billion-bill-to-compensate-aussies/

[10] PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018)