Privacy Cases in Australia: Any Progress?

In 2019, we reported on three (3) Australian data breach class actions. Nearly 2 years on, how have these actions faired? Are we any closer to a private right to sue for breach of privacy in Australia? Is there now an alternative, with the Privacy Commissioner’s award of compensation in the Spotless Determination providing some incentive for representative actions under the Privacy Act? What might the recent ACCC privacy related activity add to the mix? Read on to find out more.

Background

Plaintiffs seeking compensation for privacy breaches in Australia face two main challenges:

  • There’s no established right to sue in breach of privacy in Australia contrary to developments in New Zealand and the UK (which means that individuals are limited to their rights under the Privacy Act 1988 (Cth)); and
  • Even if you can establish a cause of action, it’s difficult to prove a recoverable loss from a data breach, particularly for non-economic loss such as distress.

The absence of a right to sue for breach of privacy continues as one the largest missing pieces in the Australian privacy legal landscape.  We have written about this before. See our previous post.

This hole in the privacy legal landscape continues to be identified in reviews and commissions, if not by politicians. The Australian Competition and Consumer Commission (ACCC) in its Digital Platforms Inquiry: Final Report of June 2019 recommended, among other things, the introduction of a statutory cause of action for breach of privacy.[1]  In April 2020, the NSW opposition party introduced the Civil Remedies for Serious Invasions of Privacy Bill 2020 (Bill) into NSW parliament adopting recommendations made in 2016 by the NSW Standing Committee on Law. It is not clear whether this Bill will progress, particularly given competing priorities of the State Parliament.

While legislative reform remains unlikely, there’s been no real clarification of the existence of a right to sue for breach of privacy as part of the Australian common law. One of the 3 data breach cases we considered in 2018 was settled for a relatively minor sum and there’s no published update on the other two (PageUp and Facebook/Cambridge Analytica).  However, there is other activity in this space which is worth noting.

NSW Ambulance Service

The case that seemingly had the most likelihood of success back in 2018 involved 130 employees of the NSW Ambulance Service whose data was unlawfully sold to personal injury law firms by another NSW Ambulance Service employee.  The data disclosed included workers compensation files and medical records.

On 9 December 2019, the Supreme Court of NSW[2] approved a $275,000 settlement equalling around $2,400 for each affected individual and around $10,000 for the lead plaintiff, Tracy Evans, for her additional stress and burden as the representative plaintiff.

Commenced in December 2017, the claim against Ambulance NSW rested on a number of causes of action including breach of confidence in equity, breach of contract, misleading and deceptive conduct under the Australian Consumer Law, and breach of a tort of invasion of privacy by the employee for which Ambulance NSW was liable or vicariously liable.  Unfortunately, as the case was settled, there was no detailed judicial consideration of these issues.

However, in approving the relatively small amount of compensation, the NSW Supreme Court did consider relevant factors including that:

  • it is presently undecided in NSW whether an equitable cause of action for breach of confidence will give rise to damages or equitable compensation for mental distress falling short of psychiatric illness; and
  • there is currently no recognised tort of invasion of privacy in Australia.

The small amount of the settlement indicates that lawyers and courts are not overly optimistic about the likelihood of recovering significant sums even where there is proven wrongdoing involving unauthorised disclosure of sensitive data such as health records.

Perhaps, the claimants would have been better bringing a claim under privacy laws.

A new privacy case: Optus Representative Claim

In April 2020, Maurice Blackburn announced they were bringing a representative claim under the Privacy Act 1988 (Cth) against Optus.  Earlier in 2019, Optus had advised 50,000 customers that it had inadvertently disclosed their details in the White Pages (both printed and on-line versions) and via Sensis.

Like the claim against Facebook (discussed further below) this action is relying on the right for a group of individuals to make a joint or ‘representative’ complaint to the Office of the Australian Information Commissioner (OAIC). Like a class action, this representative action is subject to the provisions of the Privacy Act which give the OAIC a wide range of enforcement powers where there’s a breach of the Act. These powers include issuing financial penalties of up to $2.1 million, ordering injunctions and compensation orders and accepting enforceable undertakings from infringing businesses.

Lawyers may be feeling more optimistic about the amount of damages the OAIC may award, following the Commissioner’s determination involving the Spotless subsidiary Cleanvent.  In that case, details of 14 employee were provided to the AWU, to artificially increase the number of AWU members. Non-AWU members whose details had been provided were awarded $4,500 each as compensation for ‘injury to feelings and/or humiliation.’  Employees who were substantially AWU members received $1,500 each.  Spotless was also held to account for its ‘apparent indifference towards its privacy obligations in respect of employee information’ which was a source of additional hurt for those employees.  The OAIC decided that this indifference justified an award of aggravated damages in the sum of $1,500 to each employee.  In total, Spotless was liable to pay $60,000 (or over $4,000 per employee). In addition, Spotless were required to undertake an independent review of their privacy compliance procedures (and to report to the OAIC) and to apologise to the affected employees.

If each affected individual in the Optus data breach case is awarded the same compensation by the Commissioner as in Spotless, the total amount payable would exceed $200 million.  This amount undoubtedly makes a representative privacy action of interest to lawyers and litigation funders.

A different sort of privacy case: ACCC vs Google

In comparison to the relatively meagre settlement in the NSW Ambulance case, and the $2.1million maximum penalty allowable under the Privacy Act,  in 2018 the ACCC successfully applied to the Federal Court to issue a penalty of $3.5million to Equifax/Veda.  The action concerned misleading and deceptive conduct and unconscionable conduct in relation to credit report services, arising out of the Equifax/Veda data breach. This amount did not go to affected individuals, who were given the right to apply for a credit of any fees paid to Equifax/Veda because of their misleading and deceptive conduct.

Perhaps buoyed by this success, the ACCC is taking on Google.  In proceedings launched in December 2019, the ACCC alleges that Google misled users about the steps needed to disable its ability to track and use their location data.  The head of the ACCC said that the ACCC’s decision to sue Google stemmed from findings at the Digital Platforms Inquiry, media reports on how Google uses location data and the regulator’s internal investigations team. If the ACCC wins its case, it will push for Google to be fined as well as for orders requiring the company to publish corrective notices and establish a compliance program.[3]

The unauthorised collection of data, lack of transparency and improper use by Google could also be characterised as serious invasions of privacy pursuant to the Privacy Act, and been the subject of action by the OAIC.  It is of interest that the ACCC using its consumer protection powers rather than the OAIC has commenced these proceedings.

A new privacy case: The Privacy Commissioner v Facebook

The Privacy Commissioner  may already be over extended having launched its first penalty action against Facebook in the Federal Court.  Coming from the Cambridge/Analytica revelations, in this privacy case the Privacy Commissioner alleges that ‘the design of the Facebook meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed.’ It is claimed that these actions ‘left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.’[4]

In April 2020, the federal court granted the OAIC leave to serve legal documents on US-based Facebook Inc and Facebook Ireland.  Following an investigation by the UK Information Commissioner’s Officer into the same circumstances in 2018, Facebook agreed to pay a fine of 500,000 pounds, without any admission of liability.

Although this case has no impact on the common law right to privacy, it should provide some much-needed jurisprudence on key principles underpinning Australian privacy law and perhaps send a single about the OAIC’s willingness to pursue penalties.  No doubt the Australian lawyers bringing a class action for individuals affected by the Facebook breach are watching these proceedings with interest.  A finding in favour of the OAIC in the Federal Court proceedings would be extremely helpful for the individual claimants.  More here.

What does this all mean?

So, what does this all mean? Although there’s been little progress in determining whether there’s a right to sue for breach of privacy in Australia, either via statute or recognition of a common law right, there is heightened interest in bringing privacy cases for compensation pursuant to the Privacy Act.  This is perhaps a more financially lucrative option given the Privacy Commissioner’s recent willingness to award financial compensation for non-economic loss.  Progress of the Optus Representative Claim will no doubt be watched with interest by privacy lawyers and litigation funders alike.

After years of limited activity, the OAIC is likely to be consumed by its first major legal proceedings taking on Facebook relating to the Cambridge/Analytica privacy breaches.  If successful, this action may pave the way for a successful class action on behalf of those affected by this breach.  Again, an outcome of interest to both privacy lawyers and litigation funders.

At the same time, the ACCC is stepping into the gap left by the Privacy Commissioner’s limited enforcement, successfully taking on Equifax and more recently on-line giant Google, in actions that could well have been pursued by the Privacy Commissioner.  Might we see more regulatory protection of individual privacy via the exercise of the ACCC’s consumer protection powers? Although this might ultimately be good for individual rights, it’s not clear that the use by the ACCC of its consumer powers to police privacy will support the development of robust and fit-for-the-digital-age privacy laws in Australia.

We will all continue to watch this space.

Optus Representative Complaint: Background information

ACCC v Google: ACCC announcement

[1] http://www.klgates.com/from-revenge-porn-to-big-data-breaches–nsw-opposition-introduces-bill-to-redress-serious-invasions-of-privacy-04-20-2020/

[2] Evans v Health Administration Corporation

[3] https://www.accc.gov.au/media-release/google-allegedly-misled-consumers-on-collection-and-use-of-location-data

[4] https://www.oaic.gov.au/updates/news-and-media/commissioner-launches-federal-court-action-against-facebook/